Permissions Required for Microsoft 365

When you grant access to the Microsoft 365 app instance, Netskope seeks consent for the following permissions from the Microsoft 365 account:

Permissions Required by Netskope for Microsoft 365

Each entry lists the permission required by Netskope, its description, its purpose, and the trade-off if it is not allowed.

AzureAD permission: Directory.Read.All
  Description: Read directory data
  Purpose: Retrieve user assets, complete O365Tenant asset metadata, and retrieve OAuth2PermissionGrant assets.
  Trade-off if not allowed: Certain rules related to assets like O365Tenant configuration, users, and OAuth2PermissionGrant will not be available.

AzureAD permission: DeviceManagementManagedDevices.Read.All
  Description: Read Microsoft Intune devices
  Purpose: List Microsoft Intune managed devices.
  Trade-off if not allowed: Certain rules related to the ManagedDevice asset will not be available for O365Tenant assets.

AzureAD permission: GroupMember.Read.All
  Description: Read AzureAD group member data
  Purpose: List AzureAD group members.
  Trade-off if not allowed: Certain rules related to the GroupMember asset will not be available for O365Tenant assets.

AzureAD permission: DeviceManagementApps.Read.All
  Description: Read Microsoft Intune device delta events
  Purpose: Retrieve changes related to Microsoft Intune managed devices.
  Trade-off if not allowed: Certain rules related to the ManagedDevice asset will not be available for O365Tenant assets.

AzureAD permission: AuditLog.Read.All
  Description: Read all audit log data
  Purpose: Allows the app to read and query your audit log activities, without a signed-in user.
  Trade-off if not allowed: Unable to capture changes to the role assignments after the initial listing.

AzureAD permission: RoleManagement.Read.Directory
  Description: Read role management data for Azure AD
  Purpose: List global admin members.
  Trade-off if not allowed: Certain rules related to the global admin member count will not be available for O365Tenant assets and will always fail. Customers can mute such rules if they choose to.

AzureAD permission: IdentityRiskEvent.Read.All
  Description: Read identity risk event information
  Purpose: List identity risk events.
  Trade-off if not allowed: Certain rules related to identity risks will not be available for O365Tenant assets and will always fail. Customers can mute such rules if they choose to.

AzureAD permission: SecurityEvents.Read.All
  Description: Allow the app to read the organization's security events on behalf of the signed-in user
  Purpose: Retrieve the secure score for the Office 365 tenant for the SecureScore asset.
  Trade-off if not allowed: Certain rules related to the SecureScore asset will not be available for O365Tenant assets.

AzureAD permission: DeviceManagementConfiguration.Read.All
  Description: Read Microsoft Intune device configuration and policies
  Purpose: List device configurations and compliance policies.
  Trade-off if not allowed: Certain rules related to the DeviceConfiguration and DeviceCompliancePolicy assets will not be available.

AzureAD permission: Policy.Read.All
  Description: Read the organization's policies
  Purpose: List conditional access policies.
  Trade-off if not allowed: Certain rules related to the ConditionalAccessPolicy asset will not be available.

AzureAD permission: Domain.Read.All
  Description: Read domains
  Purpose: List and read Office 365 domains.
  Trade-off if not allowed: Certain rules related to the O365 asset will not be available.

AzureAD permission: Sites.Read.All
  Description: Read items in all site collections
  Purpose: Retrieve a SharePoint token to access the SharePoint API.
  Trade-off if not allowed: Certain rules related to the SharepointTenant asset will not be available.

Manage Exchange As Application permission: Exchange.ManageAsApp
  Description: Access Exchange data without user interaction
  Purpose: Execute PowerShell cmdlets to retrieve global configuration settings.
  Note: Only read-only PowerShell cmdlets are executable because the Global Reader role is assigned in Step 3: Add Azure AD Roles.
  Trade-off if not allowed: A significant number of global configuration settings will not be retrieved, including any setting retrieved by a PowerShell cmdlet.

SharePoint app permission: <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
  Description: Gain full control over the SharePoint tenant
  Purpose: Read the SharePoint tenant configuration data.
  Trade-off if not allowed: Certain rules related to the SharepointTenant asset will not be available and will always fail. Customers can mute such rules if they choose to.
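The list above is what Netskope asks for at consent time; what a tenant administrator usually wants to confirm afterwards is which of these Microsoft Graph application permissions the app's service principal was actually granted, which documented rules will therefore be unavailable, and whether anything beyond the documented set was consented. The following check is an added example, not Netskope's code. It assumes you have already fetched two Graph responses (the Microsoft Graph service principal's appRoles collection and the audited app's appRoleAssignments) and passes their JSON in; the service principal ids and role GUIDs below are constructed placeholders, not the real Microsoft role ids. The Exchange.ManageAsApp and SharePoint permissions are granted against other resources and are left out of this check.

```python
"""Audit which of the Microsoft Graph application permissions documented above
an app's service principal has actually been granted, and which asset rules
will therefore be unavailable or over-privileged.

Added example, not Netskope's code. It assumes the caller has already fetched
two Microsoft Graph responses (for example with `az rest` or a Graph SDK):
  - the `appRoles` collection of the Microsoft Graph service principal, which
    maps each appRole id to a permission value such as "Directory.Read.All";
  - the audited app's `appRoleAssignments`, which reference those ids.
The sample documents below are constructed; the GUIDs are placeholders.
"""

# Graph application permissions from the table on this page, mapped to the
# assets whose rules depend on them. Exchange.ManageAsApp and the SharePoint
# AppPermissionRequest are granted against other resources and are not
# covered by this check.
REQUIRED_GRAPH_PERMISSIONS = {
    "Directory.Read.All": ["O365Tenant", "users", "OAuth2PermissionGrant"],
    "DeviceManagementManagedDevices.Read.All": ["ManagedDevice"],
    "GroupMember.Read.All": ["GroupMember"],
    "DeviceManagementApps.Read.All": ["ManagedDevice"],
    "AuditLog.Read.All": ["role assignment changes after initial listing"],
    "RoleManagement.Read.Directory": ["global admin member count"],
    "IdentityRiskEvent.Read.All": ["identity risks"],
    "SecurityEvents.Read.All": ["SecureScore"],
    "DeviceManagementConfiguration.Read.All": ["DeviceConfiguration", "DeviceCompliancePolicy"],
    "Policy.Read.All": ["ConditionalAccessPolicy"],
    "Domain.Read.All": ["O365 domains"],
    "Sites.Read.All": ["SharepointTenant"],
}

# Constructed sample: object id of the Microsoft Graph service principal in the
# tenant (placeholder) and a subset of its appRoles with placeholder ids.
GRAPH_SP_ID = "11111111-1111-1111-1111-111111111111"
SAMPLE_GRAPH_APP_ROLES = [
    {"id": "aaaaaaaa-0000-0000-0000-000000000001", "value": "Directory.Read.All"},
    {"id": "aaaaaaaa-0000-0000-0000-000000000002", "value": "Directory.ReadWrite.All"},
    {"id": "aaaaaaaa-0000-0000-0000-000000000003", "value": "AuditLog.Read.All"},
    {"id": "aaaaaaaa-0000-0000-0000-000000000004", "value": "Sites.Read.All"},
]

# Constructed sample: appRoleAssignments of the audited service principal.
# One assignment targets a different resource and one references a role id
# absent from the appRoles list, so both edge cases are exercised.
SAMPLE_ASSIGNMENTS = [
    {"appRoleId": "aaaaaaaa-0000-0000-0000-000000000001", "resourceId": GRAPH_SP_ID},
    {"appRoleId": "aaaaaaaa-0000-0000-0000-000000000002", "resourceId": GRAPH_SP_ID},
    {"appRoleId": "aaaaaaaa-0000-0000-0000-000000000004", "resourceId": GRAPH_SP_ID},
    {"appRoleId": "aaaaaaaa-0000-0000-0000-0000000000ff", "resourceId": GRAPH_SP_ID},
    {"appRoleId": "bbbbbbbb-0000-0000-0000-000000000001",
     "resourceId": "22222222-2222-2222-2222-222222222222"},
]


def granted_permission_values(app_roles, assignments, resource_id):
    """Resolve appRoleAssignments against one resource's appRoles.

    Returns (set of granted permission values, list of unresolved appRoleIds).
    Assignments against other resources are skipped; ids missing from
    `app_roles` are reported rather than silently dropped.
    """
    role_by_id = {role["id"]: role["value"] for role in app_roles}
    granted, unresolved = set(), []
    for assignment in assignments:
        if assignment.get("resourceId") != resource_id:
            continue
        value = role_by_id.get(assignment["appRoleId"])
        if value is None:
            unresolved.append(assignment["appRoleId"])
        else:
            granted.add(value)
    return granted, unresolved


def audit_permissions(granted):
    """Diff granted values against the documented set.

    `missing` maps each absent permission to the assets whose rules will not
    be available; `excess` lists granted Graph permissions the page does not
    require, which is where a least-privilege review should start.
    """
    missing = {p: assets for p, assets in REQUIRED_GRAPH_PERMISSIONS.items()
               if p not in granted}
    excess = sorted(granted - set(REQUIRED_GRAPH_PERMISSIONS))
    return {"missing": missing, "excess": excess}


if __name__ == "__main__":
    granted, unresolved = granted_permission_values(
        SAMPLE_GRAPH_APP_ROLES, SAMPLE_ASSIGNMENTS, GRAPH_SP_ID)
    report = audit_permissions(granted)
    for perm, assets in report["missing"].items():
        print(f"missing {perm}: rules for {', '.join(assets)} will not be available")
    for perm in report["excess"]:
        print(f"excess  {perm}: not in the documented list")
    for role_id in unresolved:
        print(f"unresolved appRoleId {role_id}")
```

Run against a real tenant, replace the two sample collections with the JSON you fetched and set GRAPH_SP_ID to the object id of the Microsoft Graph service principal in that tenant. A permission in `missing` tells you which rules from the table will fail (or should be muted); anything in `excess` was consented beyond what this page documents and deserves a second look.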