Permissions Required for Microsoft 365
When you grant access to the Microsoft 365 app instance, Netskope seeks consent for the following permissions from the Microsoft 365 account:
Permissions required by Netskope | Description | Purpose | Trade-off if permission is not provided |
---|---|---|---|
Entra ID | |||
Directory.Read.All | Read directory data | Retrieve user assets, complete O365Tenant asset metadata, and retrieve OAuth2PermissionGrant assets. | Certain rules related to assets like O365Tenant configuration, users, and OAuth2PermissionGrant will not be available. |
DeviceManagementManagedDevices.Read.All | Read Microsoft Intune devices | List Microsoft Intune managed devices. | Certain rules related to the ManagedDevice asset will not be available for O365Tenant assets. |
GroupMember.Read.All | Read Entra ID group member data | List Entra ID group members. | Certain rules related to the GroupMember asset will not be available for O365Tenant assets. |
DeviceManagementApps.Read.All | Read Microsoft Intune device delta events | Retrieve changes related to Microsoft Intune managed devices. | Certain rules related to the ManagedDevice asset will not be available for O365Tenant assets. |
AuditLog.Read.All | Read all audit log data | Allows the app to read and query your audit log activities, without a signed-in user. | Unable to capture changes to the role assignments after the initial listing. |
RoleManagement.Read.Directory | Read role management data for Entra ID | List global admin members. | Certain rules related to global admin members count will not be available for O365Tenant assets and will always fail. Customers can mute such rules if they choose to. |
IdentityRiskEvent.Read.All | Read identity risk event information | List identity risk events. | Certain rules related to identity risks will not be available for O365Tenant assets and will always fail. Customers can mute such rules if they choose to. |
SecurityEvents.Read.All | Allow the app to read the organization's security events on behalf of the signed-in user | Retrieve the secure score for the Office 365 tenant for the SecureScore asset. | Certain rules related to the SecureScore asset will not be available for O365Tenant assets. |
DeviceManagementConfiguration.Read.All | Read Microsoft Intune device configuration and policies | List device configurations and compliance policies. | Certain rules related to DeviceConfiguration and DeviceCompliancePolicy assets will not be available. |
Policy.Read.All | Read the organization's policies | List conditional access policies. | Certain rules related to the ConditionalAccessPolicy asset will not be available. |
Domain.Read.All | Read domains | List and read Office 365 domains. | Certain rules related to the O365 asset will not be available. |
Sites.Read.All | Read items in all site collections | Retrieve SharePoint token to access the SharePoint API. | Certain rules related to the SharepointTenant asset will not be available. |
Exchange | |||
Exchange.ManageAsApp | Access Exchange data without user interaction | Execute PowerShell cmdlets to retrieve global configuration settings. Note: Only read-only PowerShell cmdlets are executable because the Global Reader role is assigned in Step 2, Add Entra ID Roles. | A significant number of global configuration settings will not be retrieved, including any setting retrieved by a PowerShell cmdlet. |
SharePoint | |||
Sites.FullControl.All | Need full control access to read data from SharePoint tenant configuration | Tenant API endpoints reside in the tenant admin site collection, which only tenant admin users or app principals with the `Sites.FullControl.All` permission can access. Although this permission grants full control, SSPM uses it solely for read actions on SharePoint. | Certain rules related to the SharePointTenant asset will always fail and will not be available. Customers can choose to mute these rules if desired. |
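A practical follow-up to this table is verifying, after consent, that the app instance's service principal holds exactly the documented permissions and nothing more. The script below is an added example, not Netskope's code: it compares a service principal's application-permission grants with the table above, lists what is missing (with the rules that will be lost, taken from the trade-off column), flags grants that are not in the table, and calls out the one write-capable permission (`Sites.FullControl.All`) for explicit review. The input is shaped like the Microsoft Graph responses for `GET /servicePrincipals/{id}/appRoleAssignments` and for the resource service principal's `appRoles` collection, but the records and GUIDs here are constructed sample data, and the resource display names (`Microsoft Graph`, `Office 365 Exchange Online`, `Office 365 SharePoint Online`) are assumed to match what the tenant returns.

```python
# Added example (not Netskope's code): offline least-privilege audit of a
# service principal's app-role grants against the permission table above.
# Sample records and GUIDs are constructed; in a real tenant they come from
# GET /servicePrincipals/{id}/appRoleAssignments and the resource's appRoles.

# Table permissions keyed by the resource API that exposes them. The value is
# the asset whose rules the trade-off column says are lost without the grant.
REQUIRED = {
    "Microsoft Graph": {
        "Directory.Read.All": "O365Tenant / users / OAuth2PermissionGrant",
        "DeviceManagementManagedDevices.Read.All": "ManagedDevice",
        "GroupMember.Read.All": "GroupMember",
        "DeviceManagementApps.Read.All": "ManagedDevice (delta changes)",
        "AuditLog.Read.All": "role assignment changes after initial listing",
        "RoleManagement.Read.Directory": "global admin member count",
        "IdentityRiskEvent.Read.All": "identity risk events",
        "SecurityEvents.Read.All": "SecureScore",
        "DeviceManagementConfiguration.Read.All": "DeviceConfiguration / DeviceCompliancePolicy",
        "Policy.Read.All": "ConditionalAccessPolicy",
        "Domain.Read.All": "O365 domains",
        "Sites.Read.All": "SharepointTenant (SharePoint token)",
    },
    "Office 365 Exchange Online": {
        "Exchange.ManageAsApp": "global configuration settings via PowerShell",
    },
    "Office 365 SharePoint Online": {
        "Sites.FullControl.All": "SharePointTenant",
    },
}

# Documented permissions that grant more than read access; these need
# explicit sign-off even though the table says they are used read-only.
WRITE_CAPABLE = {"Sites.FullControl.All"}


def granted_permissions(assignments, resources):
    """Resolve appRoleAssignments to a set of (resource displayName, permission).

    assignments: list of {"resourceId": ..., "appRoleId": ...}
    resources:   dict resourceId -> {"displayName": ..., "appRoles": [{"id", "value"}]}
    Assignments whose resource or role id cannot be resolved are skipped.
    """
    granted = set()
    for assignment in assignments:
        resource = resources.get(assignment["resourceId"])
        if resource is None:
            continue
        roles_by_id = {role["id"]: role["value"] for role in resource["appRoles"]}
        value = roles_by_id.get(assignment["appRoleId"])
        if value:
            granted.add((resource["displayName"], value))
    return granted


def audit(assignments, resources):
    """Return missing, unexpected and write-capable permissions for the grants."""
    granted = granted_permissions(assignments, resources)
    missing = [
        {"resource": resource, "permission": perm, "impact": impact}
        for resource, perms in REQUIRED.items()
        for perm, impact in perms.items()
        if (resource, perm) not in granted
    ]
    unexpected = sorted(
        f"{resource}:{perm}"
        for resource, perm in granted
        if perm not in REQUIRED.get(resource, {})
    )
    write_capable = sorted(perm for _, perm in granted if perm in WRITE_CAPABLE)
    return {"missing": missing, "unexpected": unexpected, "write_capable": write_capable}


# Constructed sample: only three documented permissions were granted, plus one
# write permission (User.ReadWrite.All) that the table never asks for.
SAMPLE_RESOURCES = {
    "11111111-0000-0000-0000-000000000001": {
        "displayName": "Microsoft Graph",
        "appRoles": [
            {"id": "aaaaaaaa-0000-0000-0000-000000000001", "value": "Directory.Read.All"},
            {"id": "aaaaaaaa-0000-0000-0000-000000000002", "value": "AuditLog.Read.All"},
            {"id": "aaaaaaaa-0000-0000-0000-000000000003", "value": "User.ReadWrite.All"},
        ],
    },
    "11111111-0000-0000-0000-000000000003": {
        "displayName": "Office 365 SharePoint Online",
        "appRoles": [
            {"id": "cccccccc-0000-0000-0000-000000000001", "value": "Sites.FullControl.All"},
        ],
    },
}
SAMPLE_ASSIGNMENTS = [
    {"resourceId": "11111111-0000-0000-0000-000000000001", "appRoleId": "aaaaaaaa-0000-0000-0000-000000000001"},
    {"resourceId": "11111111-0000-0000-0000-000000000001", "appRoleId": "aaaaaaaa-0000-0000-0000-000000000002"},
    {"resourceId": "11111111-0000-0000-0000-000000000001", "appRoleId": "aaaaaaaa-0000-0000-0000-000000000003"},
    {"resourceId": "11111111-0000-0000-0000-000000000003", "appRoleId": "cccccccc-0000-0000-0000-000000000001"},
]

if __name__ == "__main__":
    report = audit(SAMPLE_ASSIGNMENTS, SAMPLE_RESOURCES)
    for item in report["missing"]:
        print(f"MISSING  {item['resource']}: {item['permission']} -> rules for {item['impact']} unavailable")
    for perm in report["unexpected"]:
        print(f"EXTRA    {perm} is not in the documented permission set")
    for perm in report["write_capable"]:
        print(f"REVIEW   {perm} grants write access; confirm it is used only for read actions")
```

Run against real data, replace the two sample structures with the tenant's `appRoleAssignments` for the Netskope service principal and the `appRoles` of each resource service principal they reference; `appRoleAssignments` carries only the role id, which is why the lookup through the resource's `appRoles` is needed to recover the permission name. Anything in the `unexpected` list is a grant outside the documented scope and should be removed or justified, and `missing` entries map directly to the rules the trade-off column says will not run.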