Permissions Required for Microsoft 365

When you grant access to the Microsoft 365 app instance, Netskope seeks consent for the following permissions from the Microsoft 365 account:

| Permissions required by Netskope | Description | Purpose | Trade-off if permission is not provided |
|---|---|---|---|
| Entra ID | | | |
| Directory.Read.All | Read directory data | Retrieve user assets, complete O365Tenant asset metadata, and retrieve OAuth2PermissionGrant assets. | Certain rules related to assets like O365Tenant configuration, users, and OAuth2PermissionGrant will not be available. |
| DeviceManagementManagedDevices.Read.All | Read Microsoft Intune devices | List Microsoft Intune managed devices. | Certain rules related to the ManagedDevice asset will not be available for O365Tenant assets. |
| GroupMember.Read.All | Read Entra ID group member data | List Entra ID group members. | Certain rules related to the GroupMember asset will not be available for O365Tenant assets. |
| DeviceManagementApps.Read.All | Read Microsoft Intune device delta events | Retrieve changes related to Microsoft Intune managed devices. | Certain rules related to the ManagedDevice asset will not be available for O365Tenant assets. |
| AuditLog.Read.All | Read all audit log data | Allows the app to read and query your audit log activities without a signed-in user. | Unable to capture changes to role assignments after the initial listing. |
| RoleManagement.Read.Directory | Read role management data for Entra ID | List global admin members. | Certain rules related to the global admin member count will not be available for O365Tenant assets and will always fail. Customers can mute such rules if they choose to. |
| IdentityRiskEvent.Read.All | Read identity risk event information | List identity risk events. | Certain rules related to identity risks will not be available for O365Tenant assets and will always fail. Customers can mute such rules if they choose to. |
| SecurityEvents.Read.All | Allow the app to read the organization's security events on behalf of the signed-in user | Retrieve the secure score for the Office 365 tenant for the SecureScore asset. | Certain rules related to the SecureScore asset will not be available for O365Tenant assets. |
| DeviceManagementConfiguration.Read.All | Read Microsoft Intune device configuration and policies | List device configurations and compliance policies. | Certain rules related to the DeviceConfiguration and DeviceCompliancePolicy assets will not be available. |
| Policy.Read.All | Read the organization's policies | List conditional access policies. | Certain rules related to the ConditionalAccessPolicy asset will not be available. |
| Domain.Read.All | Read domains | List and read Office 365 domains. | Certain rules related to the O365 asset will not be available. |
| Sites.Read.All | Read items in all site collections | Retrieve a SharePoint token to access the SharePoint API. | Certain rules related to the SharepointTenant asset will not be available. |
| Exchange | | | |
| Exchange.ManageAsApp | Access Exchange data without user interaction | Execute PowerShell cmdlets to retrieve global configuration settings. Note: Only read-only PowerShell cmdlets are executable because the Global Reader role is assigned in Step 2, Add Entra ID Roles. | A significant number of global configuration settings will not be retrieved, including any setting retrieved by a PowerShell cmdlet. |
| SharePoint | | | |
| Sites.FullControl.All | Full control access is needed to read data from the SharePoint tenant configuration | Tenant API endpoints reside in the tenant admin site collection, which only tenant admin users or app principals with the `Sites.FullControl.All` permission can access. Although this permission grants full control, SSPM uses it solely for read actions on SharePoint. | Certain rules related to the SharePointTenant asset will always fail and will not be available. Customers can choose to mute these rules if desired. |
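The table above is the consent the app asks for; what an administrator usually wants to verify afterwards is which of those application permissions are actually granted to the app's service principal, which are missing (and therefore which rules will fail), and whether anything beyond the documented set has been granted. The following Python is an added example written for this page, not Netskope's code. It assumes the caller has already fetched the app's appRoleAssignments and the resource service principal's appRoles from Microsoft Graph (an appRoleAssignment carries an `appRoleId` GUID that has to be resolved against the resource's `appRoles` list to get a name such as `Directory.Read.All`); the sample payloads and every GUID in them are constructed placeholders, not real tenant data or real Microsoft role ids.

```python
"""Audit granted application permissions against the set listed on this page.

Added example (not Netskope's code). The REQUIRED_PERMISSIONS table is
transcribed from the page; the Graph payload shapes follow the public
appRoleAssignment / servicePrincipal.appRoles schema; all GUIDs below are
constructed placeholders.
"""

# permission -> (API, asset/rule family that stops working without it)
REQUIRED_PERMISSIONS = {
    "Directory.Read.All": ("Entra ID", "O365Tenant configuration, users, OAuth2PermissionGrant"),
    "DeviceManagementManagedDevices.Read.All": ("Entra ID", "ManagedDevice"),
    "GroupMember.Read.All": ("Entra ID", "GroupMember"),
    "DeviceManagementApps.Read.All": ("Entra ID", "ManagedDevice (delta events)"),
    "AuditLog.Read.All": ("Entra ID", "role assignment changes after initial listing"),
    "RoleManagement.Read.Directory": ("Entra ID", "global admin member count"),
    "IdentityRiskEvent.Read.All": ("Entra ID", "identity risks"),
    "SecurityEvents.Read.All": ("Entra ID", "SecureScore"),
    "DeviceManagementConfiguration.Read.All": ("Entra ID", "DeviceConfiguration, DeviceCompliancePolicy"),
    "Policy.Read.All": ("Entra ID", "ConditionalAccessPolicy"),
    "Domain.Read.All": ("Entra ID", "O365 domains"),
    "Sites.Read.All": ("Entra ID", "SharepointTenant (SharePoint token)"),
    "Exchange.ManageAsApp": ("Exchange", "global configuration via PowerShell cmdlets"),
    "Sites.FullControl.All": ("SharePoint", "SharePointTenant configuration"),
}

# The one required permission whose scope exceeds read-only. The page states it
# is used only for reads, so an audit report should call it out explicitly.
BROADER_THAN_READ = {"Sites.FullControl.All"}


def resolve_role_names(assignments, resource_app_roles):
    """Map appRoleAssignment records to permission names.

    `assignments`: dicts with `appRoleId` and `resourceId` (Graph shape).
    `resource_app_roles`: resourceId -> that service principal's appRoles
    list (dicts with `id` and `value`).
    Returns (resolved names, unresolved appRoleIds); unknown ids are
    reported rather than silently dropped.
    """
    names, unresolved = [], []
    for assignment in assignments:
        roles = resource_app_roles.get(assignment["resourceId"], [])
        value = None
        for role in roles:
            if role["id"] == assignment["appRoleId"]:
                value = role["value"]
                break
        if value is None:
            unresolved.append(assignment["appRoleId"])
        else:
            names.append(value)
    return names, unresolved


def audit_permissions(granted):
    """Compare granted permission names with the documented required set."""
    granted = set(granted)
    required = set(REQUIRED_PERMISSIONS)
    missing = sorted(required - granted)
    return {
        "missing": missing,
        # what stops working, taken from the page's trade-off column
        "impact": {p: REQUIRED_PERMISSIONS[p][1] for p in missing},
        # anything granted beyond the documented need is over-provisioning
        "extra": sorted(granted - required),
        "broader_than_read": sorted(granted & BROADER_THAN_READ),
    }


# --- constructed sample input (placeholder ids, not real Microsoft role ids)
GRAPH_SP_ID = "11111111-1111-1111-1111-111111111111"
SAMPLE_APP_ROLES = {
    GRAPH_SP_ID: [
        {"id": "aaaaaaaa-0000-0000-0000-000000000001", "value": "Directory.Read.All"},
        {"id": "aaaaaaaa-0000-0000-0000-000000000002", "value": "Policy.Read.All"},
        {"id": "aaaaaaaa-0000-0000-0000-000000000003", "value": "Mail.Read"},
    ]
}
SAMPLE_ASSIGNMENTS = [
    {"appRoleId": "aaaaaaaa-0000-0000-0000-000000000001", "resourceId": GRAPH_SP_ID},
    {"appRoleId": "aaaaaaaa-0000-0000-0000-000000000003", "resourceId": GRAPH_SP_ID},
    {"appRoleId": "aaaaaaaa-0000-0000-0000-00000000dead", "resourceId": GRAPH_SP_ID},
]

if __name__ == "__main__":
    names, unresolved = resolve_role_names(SAMPLE_ASSIGNMENTS, SAMPLE_APP_ROLES)
    report = audit_permissions(names)
    print("granted:", names)
    print("unresolved appRoleIds:", unresolved)
    print("over-provisioned:", report["extra"])
    print("broader than read:", report["broader_than_read"])
    for perm, impact in report["impact"].items():
        print(f"missing {perm}: rules for {impact} will not be available")
```

On the constructed sample the report lists `Mail.Read` as over-provisioned, flags the unknown appRoleId instead of ignoring it, and maps each missing permission to the rule family the table says will fail; in practice the two inputs come from `GET /servicePrincipals/{id}/appRoleAssignments` and the resource service principal's `appRoles`.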