Introduction
Below is a list of the Microsoft Graph permissions requested by the current version of the Lightning Forms Suite (Lightning Forms and Lightning Tools Actions) in SharePoint Online. You may choose not to approve permissions that are not essential to your use case.
All permissions listed are "Delegated" and require approval from either a Global or Application Administrator. Delegated means that requests will be made as the current user, considering their permissions on the requested resource. Approval can be managed on the API Access page within the SharePoint Admin Center. Once approved, these permissions will appear under the SharePoint Online Web Client Extensibility application in the Entra Admin Center for your tenant.
Permissions List
Directory.Read.All
Added in version 3.1.0.0
This permission is required if you intend to test whether the current user is a member of an Entra ID (formerly Active Directory) Group using the [@User.IsMemberOfAADGroup] placeholder.
ExternalItem.Read.All and ExternalConnection.Read.All
Added in version 3.9.0.0
These two permissions support the Microsoft Graph Connector Data source option for the Data Lookup control
Mail.Send
Added in version 3.3.0.0
This permission is necessary if you plan to use the updated "Send Email" action in the Action Builder. It allows emails to be sent to any valid email address, internal or external, with either the current user or (with the appropriate mailbox permission) another user as the Sender.
This is as opposed to the legacy “Send internal email” action, which will only send emails to users that exist within the current site collection, using 'no-reply@sharepointonline.com' as the Sender. Technically, this action uses the Utility.SendEmail method. We don't recommend using this legacy action; it's mainly there for backward compatibility.
NOTE: As of version 3.9.0.0, you will be prompted to migrate any existing “Send internal email” actions to the Send Email action, due to Microsoft's October 2025 retirement of the SharePoint SendEmail API. The “Send internal email” action no longer exists in Lightning Forms or Lightning Tools Actions as of version 3.9.0.0.
Mail.ReadWrite
Added in version 3.6.0.0
This permission enables sending attachments larger than 3 MB when using the "Send Email" action. This is required because the Mail.Send request has a 3 MB limit, so it's necessary to temporarily save a larger attachment before sending it.
Team.ReadBasic.All
Added in version 3.7.0.0
Required for the new ‘Teams’ Data source option for the Data Lookup control. See Lightning Tools — Cross Site Lookups for more information.
TermStore.ReadWrite.All
Added in version 3.7.0.0
This permission supports the integrated modern term store picker, if you are using Managed Metadata fields in your forms. Specifically, this permission is required when the ‘Allow users to type new values’ option is set on the Managed Metadata field, to allow the creation of new terms.
User.Invite.All
Added in version 3.8.0.0
This permission supports the new Invite Guest User action.
User.Read.All
Added in version 3.8.0.0
Allows the Create Shared Link action to handle disabled user accounts.