PermView

Quick permission viewer across Microsoft 365 and Azure

Connect to your tenant

PermView runs entirely in your browser. It signs you in with Microsoft (PKCE) and queries Microsoft Graph, Azure Resource Manager, Power BI, Power Platform and Azure DevOps as you. No backend, no telemetry.

Sign-in initially asks only for the basic Graph read scopes. PermView asks for additional consent (per API) the first time you open a workload that needs it.

Required delegated permissions across all workloads:

  • User.Read, Directory.Read.All - identity and tenant lookup
  • RoleManagement.Read.Directory - Entra directory roles
  • Sites.Read.All, Files.Read.All - SharePoint and OneDrive
  • Calendars.Read.Shared - mailbox calendar permissions
  • https://management.azure.com/user_impersonation - Azure RBAC
  • https://analysis.windows.net/powerbi/api/Tenant.Read.All - Power BI workspaces
  • https://service.flow.microsoft.com/User - Power Platform environments
  • 499b84ac-1321-427f-aa17-267ca6975798/user_impersonation - Azure DevOps

PermView does not write anything. It is a read-only viewer.
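
An added example (not PermView's own code) for reviewing the consent list above: it groups the listed scopes into one consent batch per API, marks scopes whose name carries no Read qualifier, and flags anything in a granted scope string that is not on the list. The Graph resource URI used for unprefixed scopes, the function names and the sample granted string are assumptions.

```javascript
// Added example, not PermView's code. Scope strings are copied from the list above.
const REQUESTED = [
  "User.Read", "Directory.Read.All", "RoleManagement.Read.Directory",
  "Sites.Read.All", "Files.Read.All", "Calendars.Read.Shared",
  "https://management.azure.com/user_impersonation",
  "https://analysis.windows.net/powerbi/api/Tenant.Read.All",
  "https://service.flow.microsoft.com/User",
  "499b84ac-1321-427f-aa17-267ca6975798/user_impersonation",
];

// Assumption: a scope with no resource prefix targets Microsoft Graph.
const GRAPH = "https://graph.microsoft.com";

// Split "<resource>/<permission>" at the last slash; bare names go to Graph.
function parseScope(scope) {
  const i = scope.lastIndexOf("/");
  return i === -1
    ? { resource: GRAPH, permission: scope }
    : { resource: scope.slice(0, i), permission: scope.slice(i + 1) };
}

// True when one dot-separated part is exactly "Read" ("ReadWrite" does not match).
function isReadNamed(permission) {
  return permission.split(".").includes("Read");
}

// Group scopes into one consent batch per resource (API).
function planConsent(scopes) {
  const byResource = new Map();
  for (const s of scopes) {
    const { resource, permission } = parseScope(s);
    if (!byResource.has(resource)) byResource.set(resource, []);
    byResource.get(resource).push(permission);
  }
  return [...byResource].map(([resource, permissions]) => ({
    resource,
    permissions,
    // The name carries no Read qualifier, so check what the scope itself allows.
    notReadNamed: permissions.filter((p) => !isReadNamed(p)),
  }));
}

// Given a space-separated granted scope string for one resource,
// return the permissions that are not on the list above for that resource.
function unexpectedScopes(resource, granted) {
  const batch = planConsent(REQUESTED).find((b) => b.resource === resource);
  const allowed = new Set(batch ? batch.permissions : []);
  return granted.split(/\s+/).filter((p) => p && !allowed.has(p));
}
```

For the list above, `planConsent(REQUESTED)` yields five batches; the Azure, Power Platform and Azure DevOps batches are the ones whose scope names do not contain a Read qualifier.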

About PermView

PermView is part of the LCToolkit by Lieben Consultancy. It gives you a fast, browser-only top-level view of who has permissions where across the most-used Microsoft cloud workloads. Pick a workload, point at an entity (a site, mailbox, subscription, workspace, environment, ...), and you get a flat table of principals, roles and scope.

Workloads covered

  • Entra ID - directory roles and their members
  • SharePoint site - app permissions (via Graph) + M365 group owners/members for group-backed sites
  • OneDrive - sharing on the drive root
  • Mailbox - Inbox folder permissions
  • Azure - subscription-scope role assignments
  • Azure DevOps - org-level security groups and members
  • Power BI - workspace role assignments
  • Power Platform - environment role assignments

What it does NOT do

PermView is intentionally shallow. It does not crawl subsites, libraries, items, mail folders below Inbox, resource-group RBAC, project-level Azure DevOps security, dataset RLS, app/flow sharing, conditional access, PIM eligibility, or anything else that would turn it into a real permissions audit tool. For that, use m365permissions.com.

Privacy

Tokens stay in your browser's local storage. PermView does not have a backend and does not phone home. The only outbound calls are to the Microsoft APIs needed to render the workload you picked.