Fix read permission steps

Author: PatAltimore

articles/blockchain/workbench/deploy.md

@@ -170,7 +170,7 @@ If you choose to manually configure or verify Azure AD settings prior to deploym
 
 ### Blockchain Workbench API app registration
 
-Blockchain Workbench deployment requires registration of an Azure AD application. You need an Azure Active Directory (Azure AD) tenant to register the app. You can use an existing tenant or create a new tenant. If you are using an existing Azure AD tenant, you need sufficient permissions to register applications, grant Graph API permissions, and allow guest access within an Azure AD tenant. If you do not have sufficient permissions in an existing Azure AD tenant create a new tenant.
+Blockchain Workbench deployment requires registration of an Azure AD application. You need an Azure Active Directory (Azure AD) tenant to register the app. You can use an existing tenant or create a new tenant. If you are using an existing Azure AD tenant, you need sufficient permissions to register applications, grant Graph API permissions, and allow guest access within an Azure AD tenant. If you do not have sufficient permissions in an existing Azure AD tenant, create a new tenant.
 
 
 1. Sign in to the [Azure portal](https://portal.azure.com).
@@ -190,7 +190,7 @@ Blockchain Workbench deployment requires registration of an Azure AD application
 Next, you need to modify the manifest to use application roles within Azure AD to specify Blockchain Workbench administrators.  For more information about application manifests, see [Azure Active Directory application manifest](../../active-directory/develop/reference-app-manifest.md).
 
 
-1. You need to generate a GUID for the manifest. You can generate a GUID using the PowerShell command `[guid]::NewGuid()` or `New-GUID` cmdlet. Another option is to use a GUID generator website.
+1. A GUID is required for the manifest. You can generate a GUID using the PowerShell command `[guid]::NewGuid()` or `New-GUID` cmdlet. Another option is to use a GUID generator website.
 1. For the application you registered, select **Manifest** in the **Manage** section.
 1. Next, update the **appRoles** section of the manifest. Replace `"appRoles": []` with the provided JSON. Be sure to replace the value for the **id** field with the GUID you generated. 
 
@@ -228,8 +228,15 @@ Next, you need to modify the manifest to use application roles within Azure AD t
 The API application needs to request permission from the user to access the directory. Set the following required permission for the API application:
 
 1. In the *Blockchain API* app registration, select **API permissions**. By default, the Graph API **User.Read** permission is added.
+1. The Workbench application requires read access to users' basic profile information. In *Configured permissions*, select **Add a permission**. In *Microsoft APIs**, select **Microsoft Graph**.
+1. Since the Workbench application uses the authenticated user credentials, select **Delegated permissions**.
+1. In the *User* category, choose **User.ReadBasic.All** permission.
 
-1. In **Grant consent**, select **Grant admin consent** for the domain then select **Yes** for the verification prompt.
+    ![Azure AD app registration configuration showing adding the Microsoft Graph User.ReadBasic.All delegated permission](media/deploy/add-graph-user-permission.png)
+
+    Select **Add permissions**.
+
+1. In *Configured permissions*, select **Grant admin consent** for the domain then select **Yes** for the verification prompt.
 
    ![Grant permissions](media/deploy/client-app-grant-permissions.png)