Guidance for Azure Active Directory connector

Read the following information for guidance and best practices when using the Azure Active Directory connector in your flows.


Create a connection using an admin or user Azure Active Directory account. See Authorization.

Reauthorize a connection

If you've used your account to create a connection successfully, you should be able to use this account to create as many connections as you want. You can reauthorize any old connections if the admin doesn't change any configurations.

Types of accounts

  • Azure Active Directory admin account
  • Azure Active Directory admin credentials

Supported scopes

The following OAuth scopes must be enabled in your Azure Active Directory connector environment:

  • email
  • openid
  • profile
  • offline_access
  • Directory.ReadWrite.All
  • Directory.AccessAsUser.All
  • Group.ReadWrite.All
  • User.ReadWrite.All
  • User.Invite.All
  • Calendars.ReadWrite
  • Calendars.ReadWrite.Shared
  • Contacts.ReadWrite.Shared
  • Files.ReadWrite.All
  • People.Read.All
  • AccessReview.ReadWrite.All
  • AccessReview.ReadWrite.Membership
  • Analytics.Read
  • AdministrativeUnit.ReadWrite.All
  • AppCatalog.ReadWrite.All
  • Bookings.ReadWrite.All
  • Chat.ReadWrite
  • PrivilegedAccess.ReadWrite.AzureAD
  • PrivilegedAccess.ReadWrite.AzureResources
  • EduAdministration.ReadWrite
  • Financials.ReadWrite.All
  • IdentityProvider.ReadWrite.All
  • IdentityRiskEvent.Read.All
  • IdentityRiskyUser.Read.All
  • DeviceManagementApps.ReadWrite.All
  • DeviceManagementConfiguration.ReadWrite.All
  • DeviceManagementManagedDevices.PrivilegedOperations.All
  • DeviceManagementManagedDevices.ReadWrite.All
  • DeviceManagementRBAC.ReadWrite.All
  • DeviceManagementServiceConfig.ReadWrite.All
  • Mail.Send.Shared
  • MailboxSettings.ReadWrite
  • Mail.ReadWrite.Shared
  • Member.Read.Hidden
  • Notes.ReadWrite.All
  • Notes.Create
  • Notifications.ReadWrite.CreatedByApp
  • OnPremisesPublishingProfiles.ReadWrite.All
  • Organization.ReadWrite.All Place.Read.All
  • ProgramControl.ReadWrite.All Reports.Read.All
  • RoleManagement.ReadWrite.Directory
  • SecurityEvents.ReadWrite.All
  • SecurityActions.ReadWrite.All
  • ThreatIndicators.ReadWrite.OwnedBy
  • Sites.FullControl.All
  • Tasks.ReadWrite
  • Tasks.ReadWrite.Shared
  • Agreement.ReadWrite.All
  • AgreementAcceptance.Read.All
  • Policy.Read.All
  • Policy.ReadWrite.TrustFramework
  • UserActivity.ReadWrite.CreatedByApp

Action card or event card-specific limitations

Return child folders

The List Contact Folder card returns a maximum of two levels of child folders. As an alternative approach, you can use one of the following API calls with the Custom API Action card. See Custom API Action.

  • Return first-level contact folders from a folder:


  • Returns first- and second-level contact folders from a folder:


  • Returns the 1st, 2nd and 3rd level contact folders from a folder:


Related topics

Azure Active Directory connector

Workflow elements

Guidance for Azure Active Directory connector

Azure Active Directory Management API overview