Lightning Forms Microsoft Graph Permissions

Graph API permissions requested by Lightning Forms

Introduction

Below is a list of the Microsoft Graph permissions requested by the current version of the Lightning Forms Suite (Lightning Forms and Lightning Tools Actions) in SharePoint Online. You may choose not to approve permissions that are not essential to your use case.

All permissions listed are "Delegated" and require approval from either a Global or Application Administrator. Delegated means that requests will be made as the current user, considering their permissions on the requested resource. Approval can be managed on the API Access page within the SharePoint Admin Center. Once approved, these permissions will appear under the SharePoint Online Web Client Extensibility application in the Entra Admin Center for your tenant.

Permissions List

Directory.Read.All  

Added in version 3.1.0.0
This permission is required if you intend to test whether the current user is a member of an Entra ID (formerly Active Directory) Group using the [@User.IsMemberOfAADGroup] placeholder.

ExternalItem.Read.All and ExternalConnection.Read.All

Added in version 3.9.0.0

These two permissions support the Microsoft Graph Connector Data source option for the Data Lookup control.

Mail.Send  

Added in version 3.3.0.0
This permission is necessary if you plan to use the updated "Send Email" action in the Action Builder. It allows emails to be sent to any valid email address, internal or external, with either the current user or (with the appropriate mailbox permission) another user as the Sender. 

By contrast, the legacy “Send internal email” action only sends emails to users that exist within the current site collection, using 'no-reply@sharepointonline.com' as the Sender. Technically, this action uses the Utility.SendEmail method. We don't recommend using this legacy action; it's mainly there for backward compatibility.

NOTE: As of version 3.9.0.0, you will be prompted to migrate any existing “Send internal email” actions to the Send Email action, due to Microsoft's October 2025 retirement of the SharePoint SendEmail API. The “Send internal email” action no longer exists in Lightning Forms or Lightning Tools Actions as of version 3.9.0.0.

Mail.ReadWrite  

Added in version 3.6.0.0
This permission enables sending attachments larger than 3 MB when using the "Send Email" action. This is required because the Mail.Send request has a 3 MB limit, so it's necessary to temporarily save a larger attachment before sending it.

Team.ReadBasic.All  

Added in version 3.7.0.0
Required for the new ‘Teams’ Data source option for the Data Lookup control. See Lightning Tools — Cross Site Lookups for more information.

TermStore.ReadWrite.All  

Added in version 3.7.0.0
This permission supports the integrated modern term store picker, if you are using Managed Metadata fields in your forms. Specifically, this permission is required when the ‘Allow users to type new values’ option is set on the Managed Metadata field, to allow the creation of new terms.

User.Invite.All  

Added in version 3.8.0.0
This permission supports the new Invite Guest User action.

User.Read.All

Added in version 3.8.0.0

Allows the Create Shared Link action to handle disabled user accounts.
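
To act on the note that non-essential permissions need not be approved, the following added example (not Lightning Tools code) compares the delegated scopes approved for the SharePoint Online Web Client Extensibility application with the scopes your forms actually need. The JSON is a constructed sample shaped like a Microsoft Graph oauth2PermissionGrants response, the IDs are placeholders, and the function names are hypothetical.

```python
import json

# Scope -> feature that needs it, taken from the permission list on this page.
FEATURE_BY_SCOPE = {
    "Directory.Read.All": "[@User.IsMemberOfAADGroup] placeholder",
    "ExternalItem.Read.All": "Graph Connector data source (Data Lookup)",
    "ExternalConnection.Read.All": "Graph Connector data source (Data Lookup)",
    "Mail.Send": "Send Email action",
    "Mail.ReadWrite": "Send Email attachments larger than 3 MB",
    "Team.ReadBasic.All": "Teams data source (Data Lookup)",
    "TermStore.ReadWrite.All": "Term picker with 'Allow users to type new values'",
    "User.Invite.All": "Invite Guest User action",
    "User.Read.All": "Create Shared Link action (disabled accounts)",
}

# Constructed sample; clientId/resourceId values are placeholders, not real IDs.
SAMPLE_GRANTS = json.dumps({"value": [
    {"clientId": "SPO-EXT-SP-ID", "consentType": "AllPrincipals", "resourceId": "GRAPH-SP-ID",
     "scope": " Directory.Read.All Mail.Send Mail.ReadWrite User.Invite.All"},
    {"clientId": "SPO-EXT-SP-ID", "consentType": "AllPrincipals", "resourceId": "GRAPH-SP-ID",
     "scope": "TermStore.ReadWrite.All Sites.Read.All"},
    {"clientId": "OTHER-APP-SP-ID", "consentType": "AllPrincipals", "resourceId": "GRAPH-SP-ID",
     "scope": "User.Read.All"},
]})

def approved_scopes(grants_json, client_id, resource_id):
    """Union of scopes across every grant from client_id to resource_id."""
    scopes = set()
    for grant in json.loads(grants_json).get("value", []):
        if grant.get("clientId") == client_id and grant.get("resourceId") == resource_id:
            # 'scope' is one space-separated string and may start with a space.
            scopes.update((grant.get("scope") or "").split())
    return scopes

def review(grants_json, client_id, resource_id, scopes_needed):
    """Compare approved scopes with the scopes the forms in use require."""
    needed = set(scopes_needed)
    unknown = needed - set(FEATURE_BY_SCOPE)
    if unknown:
        raise ValueError(f"not on the permission list: {sorted(unknown)}")
    approved = approved_scopes(grants_json, client_id, resource_id)
    return {
        "remove": sorted((approved & set(FEATURE_BY_SCOPE)) - needed),  # approved, unused
        "missing": sorted(needed - approved),              # feature will fail until approved
        "unlisted": sorted(approved - set(FEATURE_BY_SCOPE)),  # not on this list; review separately
    }

if __name__ == "__main__":
    need = ["Mail.Send", "Directory.Read.All", "User.Read.All"]
    for key, scopes in review(SAMPLE_GRANTS, "SPO-EXT-SP-ID", "GRAPH-SP-ID", need).items():
        print(key, [(s, FEATURE_BY_SCOPE.get(s, "?")) for s in scopes])
```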
