Reducing the Assigned Permissions

After onboarding is complete and learning mode is done, you may remove the following permissions from the Avanan application:

Permissions

Claim Value

Read and write all directory RBAC settings

RoleManagement.ReadWrite.Directory

Read and write domains

Domain.ReadWrite.All

Note:

Do not remove the corresponding read-only permissions of these applications (Read domains and Read all directory RBAC settings).

If Avanan is onboarded before March 2026 and do not reauthorize it, the application may still include the AD Graph API permission (Directory.ReadWrite.All). This permission is no longer required, and you can remove it.