Permissions Required for Microsoft 365
Permissions Required for Microsoft 365
When you grant access to the Microsoft 365 app instance, Netskope seeks consent for the following permissions from the Microsoft 365 account:
Permissions Required by Netskope for Microsoft 365
| Permissions required by Netskope | Description | Purpose | Trade-off if not allowed |
|---|---|---|---|
| AzureAD permission: Directory.Read.All | Read directory data | Retrieve users assets, complete O365Tenant asset metadata, and retrieve OAuth2PermissionGrant assets. | Certain rules related to assets like O365Tenant configuration, users, and OAuth2PermissionGrant will not be available. |
| AzureAD permission:DeviceManagementManagedDevices.Read.All | Read Microsoft Intune devices | List Microsoft Intune managed devices. | Certain rules related to the ManagedDevice asset will not be available for O365Tenant assets. |
| AzureAD permission:GroupMember.Read.All | Read AzureAD group member data | Lists AzureAD group members. | Certain rules related to the GroupMember asset will not be available for O365Tenant assets. |
| AzureAD permission:DeviceManagementApps.Read.All | Read Microsoft Intune device delta events | Retrieve changes related to Microsoft Intune managed devices. | Certain rules related to the ManagedDevice asset will not be available for O365Tenant assets. |
| AzureAD permission: AuditLog.Read.All | Read all audit log data | Allows the app to read and query your audit log activities, without a signed-in user. | Unable to capture changes to the role assignments after the initial listing. |
| AzureAD permission: RoleManagement.Read.Directory | Read role management data for Azure AD | List global admin members. | Certain rules related to global admin members count will not be available for O365Tenant assets and will always fail. Customers can mute such rules if they choose to. |
| AzureAD permission: IdentityRiskEvent.Read.All | Read identity risk event information | List identity risk events. | Certain rules related to identity risks will not be available for O365Tenant assets and will always fail. Customers can mute such rules if they choose to. |
| AzureAD permission: SecurityEvents.Read.All | Allow the app to read the organizations’ security events on behalf of the signed-in user | Retrieve secure score for the Office 365 tenant for the SecureScore asset. | Certain rules related to the SecureScore asset will not be available for O365Tenant assets. |
| AzureAD permission: DeviceManagementConfiguration.Read.All | Read Microsoft Intune device configuration and policies | List device configurations and compliance policies. | Certain rules related to DeviceConfiguration and DeviceCompliancePolicy assets will not be available. |
| AzureAD permission: Policy.Read.All | Read the organizations’ policies | List conditional access policies. | Certain rules related to the ConditionalAccessPolicy asset will not be available. |
| AzureAD permission: Domain.Read.All | Read domains | List and read Office 365 domains.. | Certain rules related to the O365 asset will not be available. |
| AzureAD permission: Sites.Read.All | Read items in all site collections | Retrieve SharePoint token to access the SharePoint API. | Certain rules related to the SharepointTenant asset will not be available. |
| Manage Exchange As Application permission: Exchange.ManageAsApp | Access Exchange data without user interaction | Execute PowerShell cmdlets to retrieve global configuration settings. Note Only read-only PowerShell cmdlets are executable because the Global Reader role is assigned in Step 3: Add Azure AD Roles. | A significant number of global configuration settings will not be retrieved, including any setting retrieved by a PowerShell cmdlet. |
| Sharepoint app permissions: <AppPermissionRequest Scope=”http://sharepoint/content/tenant” Right=”FullControl” /> | Gain full control over the SharePoint tenant | Read the SharePoint tenant configuration data. | Certain rules related to the SharepointTenant asset will not be available and will always fail. Customers can mute such rules if they choose to. |
