Required Permissions
Microsoft Graph API permissions required by Securtea
Securtea requires specific Microsoft Graph API permissions to monitor your Microsoft 365 environment. All permissions are read-only.
Permission Overview
Permission Types
Microsoft Graph has two permission types:
| Type | Description | Used By |
|---|---|---|
| Delegated | Act as signed-in user | Not used by Securtea |
| Application | Act as the app itself | All Securtea access |
Securtea uses only Application permissions, meaning it accesses data directly without impersonating users.
Read-Only Access
All Securtea permissions are read-only:
- Cannot modify configurations
- Cannot create or delete objects
- Cannot send emails or messages
- Cannot access user content
Required Permissions
Core Permissions
These permissions are required for basic functionality:
| Permission | Purpose |
|---|---|
| User.Read.All | Read user profiles and MFA status |
| Directory.Read.All | Read directory objects and settings |
| Group.Read.All | Read group configurations |
Security Permissions
Required for security monitoring:
| Permission | Purpose |
|---|---|
| SecurityEvents.Read.All | Access security alerts and events |
| Policy.Read.All | Read Conditional Access policies |
| RoleManagement.Read.Directory | Read admin role assignments |
Optional Permissions
Enhanced monitoring capabilities:
| Permission | Purpose | Feature |
|---|---|---|
| Mail.Read | Read mail flow rules | Email protection monitoring |
| MailboxSettings.Read | Read mailbox configurations | Exchange monitoring |
| Sites.Read.All | Read SharePoint settings | SharePoint monitoring |
Optional permissions enable additional monitoring features. Add them based on what you want to monitor.
Permission Details
User.Read.All
What it accesses:
- User profile information
- Sign-in activity
- MFA registration status
- License assignments
Why needed:
- Assess MFA compliance
- Check user security settings
- Monitor admin accounts
Directory.Read.All
What it accesses:
- Organization settings
- Domain information
- Directory objects
- Application registrations
Why needed:
- Organizational security settings
- Tenant configuration
- App permissions review
SecurityEvents.Read.All
What it accesses:
- Security alerts
- Risk events
- Threat indicators
Why needed:
- Security event correlation
- Compliance assessment
- Risk monitoring
Policy.Read.All
What it accesses:
- Conditional Access policies
- Authentication methods policies
- Authorization policies
- Identity protection policies
Why needed:
- Access control assessment
- Authentication configuration
- Policy compliance checking
Group.Read.All
What it accesses:
- Security groups
- Microsoft 365 groups
- Group membership
- Group settings
Why needed:
- Group-based access review
- Security group monitoring
- Membership compliance
RoleManagement.Read.Directory
What it accesses:
- Directory role definitions
- Role assignments
- Privileged access
Why needed:
- Admin role monitoring
- Privileged access review
- Least privilege assessment
Granting Permissions
Admin Consent Required
Application permissions require admin consent:
- A Global Administrator grants the consent
- Alternatively, an Application Administrator can grant consent for app permissions
- Consent applies tenant-wide
Consent Process
To grant consent:
- Open app registration
- Go to API permissions
- Click Grant admin consent
- Confirm with Yes
Verifying Consent
After granting:
- Green checkmarks appear next to permissions
- Status shows "Granted for [organization]"
- No user consent prompts needed
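Beyond the green checkmarks in the portal, the consent actually granted to the app is visible in the app-only access token it receives: application permissions appear in the token's `roles` claim, while delegated permissions would appear in `scp`. The following Python script is an added example (not part of Securtea or this documentation) that decodes a token's payload and compares the granted roles against the permission lists on this page. It assumes the standard JWT layout; the sample token it builds is constructed and unsigned, with a placeholder signature segment and a placeholder application ID.

```python
import base64
import json

# Permission names as listed in the tables on this page.
CORE_PERMISSIONS = {"User.Read.All", "Directory.Read.All", "Group.Read.All"}
SECURITY_PERMISSIONS = {"SecurityEvents.Read.All", "Policy.Read.All",
                        "RoleManagement.Read.Directory"}
OPTIONAL_PERMISSIONS = {"Mail.Read", "MailboxSettings.Read", "Sites.Read.All"}
REQUIRED_PERMISSIONS = CORE_PERMISSIONS | SECURITY_PERMISSIONS


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def token_claims(token: str) -> dict:
    """Return the payload claims of a JWT.

    This only inspects the token; it does not validate the signature, issuer or
    expiry, so it is suitable for checking consent, never for authorizing a request.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-segment JWT")
    return json.loads(_b64url_decode(parts[1]))


def is_read_only(permission: str) -> bool:
    # Graph read permissions end in ".Read" (Mail.Read) or contain ".Read."
    # (User.Read.All); "ReadWrite" permissions match neither pattern.
    return permission.endswith(".Read") or ".Read." in permission


def check_consent(token: str) -> dict:
    """Compare the application permissions in an app-only token with this page's lists.

    Application permissions granted through admin consent surface in the 'roles'
    claim; delegated permissions would appear in 'scp', which Securtea does not use.
    """
    claims = token_claims(token)
    granted = set(claims.get("roles", []))
    return {
        "missing_required": sorted(REQUIRED_PERMISSIONS - granted),
        "missing_optional": sorted(OPTIONAL_PERMISSIONS - granted),
        "unexpected": sorted(granted - REQUIRED_PERMISSIONS - OPTIONAL_PERMISSIONS),
        "delegated_scopes_present": "scp" in claims,
        "read_only": all(is_read_only(p) for p in granted),
    }


def make_sample_token(roles, extra_claims=None) -> str:
    """Build a constructed, unsigned sample token so the check can run offline.

    The third segment is a placeholder, not a real signature; real tokens are issued
    by the Microsoft identity platform and validated by the resource server.
    """
    header = {"typ": "JWT", "alg": "RS256"}
    payload = {
        "aud": "https://graph.microsoft.com",
        "appid": "00000000-0000-0000-0000-000000000000",  # placeholder application ID
        "roles": list(roles),
    }
    payload.update(extra_claims or {})
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}.placeholder-signature"


if __name__ == "__main__":
    token = make_sample_token(REQUIRED_PERMISSIONS | {"Sites.Read.All"})
    print(json.dumps(check_consent(token), indent=2))
```

Run it against a real token only after the normal validation your tooling performs; the point of the script is the comparison, which tells you at a glance which required permissions still lack consent, which optional ones are not enabled, and whether anything outside the documented set (or any delegated scope) has crept into the grant.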
Security Considerations
Principle of Least Privilege
Securtea requests minimum required permissions:
- Only read access
- No modification capabilities
- No user impersonation
Permission Scope
Understand what permissions allow:
| Permission | Can Access | Cannot Access |
|---|---|---|
| User.Read.All | User profiles | Email content |
| Directory.Read.All | Directory settings | User passwords |
| Policy.Read.All | Policy configurations | Policy enforcement |
Auditing Access
Monitor Securtea's access:
- Azure AD sign-in logs
- Microsoft Graph activity logs
- Securtea activity audit
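The Microsoft Graph activity logs are the most direct of these sources, because they record every request the app's service principal made, with the HTTP method, the URI and the roles carried by the token. The following Python script is an added example (not Securtea's code) of the check a defender would run over those records: it flags anything by the app that contradicts the read-only, application-only model described on this page. Field names follow the MicrosoftGraphActivityLogs table in Log Analytics and are an assumption to verify against your workspace schema; the log lines and the application ID are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

# Placeholder: replace with the application (client) ID of your Securtea app registration.
SECURTEA_APP_ID = "00000000-0000-0000-0000-000000000000"

# Every permission this page lists; any other role on a request is unexpected.
ALLOWED_ROLES = {
    "User.Read.All", "Directory.Read.All", "Group.Read.All",
    "SecurityEvents.Read.All", "Policy.Read.All", "RoleManagement.Read.Directory",
    "Mail.Read", "MailboxSettings.Read", "Sites.Read.All",
}
READ_METHODS = {"GET", "HEAD"}

# Constructed sample records, one JSON object per line. Field names are modelled on
# the MicrosoftGraphActivityLogs table (assumed; check your workspace schema), with
# 'Roles' as a space-separated string.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"TimeGenerated": "2024-05-01T10:00:00Z", "AppId": SECURTEA_APP_ID, "UserId": "",
     "RequestMethod": "GET", "RequestUri": "https://graph.microsoft.com/v1.0/users?$select=id,userPrincipalName",
     "ResponseStatusCode": 200, "Roles": "User.Read.All Directory.Read.All"},
    {"TimeGenerated": "2024-05-01T10:00:05Z", "AppId": SECURTEA_APP_ID, "UserId": "",
     "RequestMethod": "POST", "RequestUri": "https://graph.microsoft.com/v1.0/$batch",
     "ResponseStatusCode": 200, "Roles": "User.Read.All Directory.Read.All"},
    {"TimeGenerated": "2024-05-01T10:01:00Z", "AppId": SECURTEA_APP_ID, "UserId": "",
     "RequestMethod": "PATCH", "RequestUri": "https://graph.microsoft.com/v1.0/users/placeholder-user-id",
     "ResponseStatusCode": 403, "Roles": "User.Read.All Directory.Read.All"},
    {"TimeGenerated": "2024-05-01T10:02:00Z", "AppId": SECURTEA_APP_ID, "UserId": "",
     "RequestMethod": "GET", "RequestUri": "https://graph.microsoft.com/v1.0/groups",
     "ResponseStatusCode": 200, "Roles": "Group.Read.All Group.ReadWrite.All"},
    {"TimeGenerated": "2024-05-01T10:03:00Z", "AppId": SECURTEA_APP_ID, "UserId": "placeholder-user-id",
     "RequestMethod": "GET", "RequestUri": "https://graph.microsoft.com/v1.0/me",
     "ResponseStatusCode": 200, "Roles": "", "Scopes": "User.Read"},
    {"TimeGenerated": "2024-05-01T10:04:00Z", "AppId": "placeholder-other-app-id", "UserId": "",
     "RequestMethod": "DELETE", "RequestUri": "https://graph.microsoft.com/v1.0/groups/placeholder-group-id",
     "ResponseStatusCode": 204, "Roles": "Group.ReadWrite.All"},
])


def audit_graph_activity(log_text: str, app_id: str = SECURTEA_APP_ID,
                         allowed_roles: set = ALLOWED_ROLES) -> list:
    """Flag Graph requests by the app that contradict the read-only, app-only model.

    Returns a list of findings (dicts with 'time', 'kind', 'detail'). Denied requests
    (403) are still reported: an attempted write deserves a look even when it failed.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("AppId") != app_id:
            continue
        time = rec.get("TimeGenerated", "")
        method = rec.get("RequestMethod", "").upper()
        path = urlsplit(rec.get("RequestUri", "")).path
        roles = set(rec.get("Roles", "").split())

        # A user ID means a delegated (signed-in user) call; Securtea uses application
        # permissions only, so any such call is out of model.
        if rec.get("UserId"):
            findings.append({"time": time, "kind": "delegated_call", "detail": path})

        if method not in READ_METHODS:
            # POST /$batch carries nested requests that may all be GETs, so it needs a
            # look at the batch body rather than an immediate "write" verdict.
            kind = "batch_review" if path.endswith("/$batch") else "write_attempt"
            findings.append({"time": time, "kind": kind,
                             "detail": f"{method} {path} -> {rec.get('ResponseStatusCode')}"})

        extra = roles - allowed_roles
        if extra:
            findings.append({"time": time, "kind": "unexpected_role",
                             "detail": " ".join(sorted(extra))})
    return findings


if __name__ == "__main__":
    for finding in audit_graph_activity(SAMPLE_LOG):
        print(finding["time"], finding["kind"], finding["detail"])
```

The batch special case matters in practice: Graph's `$batch` endpoint is always a POST, so a naive "non-GET means write" rule produces false positives for a read-only app that batches its queries. Treat those as review items and keep the hard alerts for direct PATCH/POST/PUT/DELETE calls, for roles outside the documented set, and for any delegated (user-bound) call.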
Removing Permissions
Revoking Access
To remove Securtea's access:
- Go to Azure AD > App registrations
- Find Securtea app
- Delete app registration
Or remove specific permissions:
- Open app registration
- Go to API permissions
- Remove individual permissions
Removing required permissions will break Securtea functionality. Only remove if disconnecting the integration.
What's Next?
- App Registration - Setup guide
- Troubleshooting - Permission issues
- Microsoft 365 Overview - Integration features