M365 Integration & Permissions (Scopes)
Integration Requirements
The integration account requires Global Admin privileges and a valid license with a mailbox.
User Management sends emails through your integration account for actions such as password resets, account creations, mailbox delegation, etc.
Permission Scopes
Augmentt uses a least-privilege approach to the permissions it requests for the integration. With that said, Augmentt does many things and requires a wide range of scopes to accomplish them.
Below is a list of all the permissions we request from a user and how Augmentt uses each of them in the product.
Graph API
| Scope Name | Permission name | Description | Augmentt Use |
| Application.ReadWrite.All | Read and write applications | Allows the app to create, read, update and delete applications and service principals on behalf of the signed-in user. | Used to get and store a list of applications in use by the tenant for our Conditional Access Policy management within Secure, under the Admin MFA and User MFA configuration sections. |
| AuditLog.Read.All | Read audit log data | Allows the app to read and query your audit log activities on behalf of the signed-in user. | Used to get the current state of the unified audit log for Security Posture within Secure (see the Unified Audit Log posture item). |
| Directory.AccessAsUser.All | Access the directory as you | Allows the app to have the same access to information in the directory as the signed-in user. | Impersonation as the user. Gives the ability to delete a user or group. |
| Directory.Read.All | Read directory data | Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user. | Retrieval of users, groups, roles and licenses in use by the tenant. |
|  | Read identity risk event information | Allows the app to read identity risk event information for all users in your organization on behalf of the signed-in user. | We pull risk detections directly from Microsoft and process them for alerting. Alerts are displayed in Threat Alerts. |
|  | Read identity risky user information | Allows the app to read identity user risk information for all users in your organization on behalf of the signed-in user. | We pull a list of risky users that is stored and used in Secure in the Threat Report, displayed under Risk Detections. |
| Mail.Send | Send mail as you | Allows the app to send mail as users in the organization. | Used exclusively within User Management in the Reset Password action, to send the password reset to the end user on behalf of the admin. |
|  | Read organization information | Allows the app to read the organization and related resources on behalf of the signed-in user. Related resources include things like subscribed SKUs and tenant branding information. | Used to get organization-related data; used by Secure anywhere roles, licenses or groups are involved. Organizational branding is used for the Login Portal Branding security posture item. |
| Policy.Read.All | Read your organization's policies | Allows the app to read your organization's policies on behalf of the signed-in user. | Security Posture for Secure, including Risky Country Policies and Risky IP Policies. |
| Policy.ReadWrite.ConditionalAccess | Read and write your organization's conditional access policies | Allows the app to read and write your organization's conditional access policies on behalf of the signed-in user. | Secure: retrieve the list of Conditional Access policies for the Admin and User MFA configuration, and create or edit Conditional Access policies through the Admin/User MFA configuration. Engage: creation of the Augmentt-do-no-modify-policy for managing user MFA. |
| Reports.Read.All | Read all usage reports | Allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Microsoft 365 and Azure Active Directory. | We pull the selfPasswordResetEnabled state for Secure at both the tenant and user level for use in Security Posture > Self Service Password Reset. |
|  | Read your organization's security events | Allows the app to read your organization's security events on behalf of the signed-in user. | Used by Secure to pull Secure Score and risky sign-in events. |
|  | Sign you in and read your profile | Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | Access user details, MFA status, groups, licenses, etc. for use in Secure and User Management. |
| User.Read.All | Read all users' full profiles | Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. | Get the list of users for a tenant so we can sync them with Augmentt and create employees in the Augmentt platform. |
|  | Read all users' authentication methods | Allows the app to read the signed-in user's authentication methods, including phone numbers and Authenticator app settings. | Used to retrieve the authentication methods in use by each user; used by Secure for the MFA authentication report. |
| profile | Read your profile | View users' basic profile. Allows the app to see your users' basic profile (name, picture, user name). | Used for the initial integration process. |
| openid | Maintain access to data you have given access to | By using this permission, an app can receive a unique identifier for the user in the form of the sub claim. The permission also gives the app access to the UserInfo endpoint. The openid scope can be used at the Microsoft identity platform token endpoint to acquire ID tokens. The app can use these tokens for authentication. | Used for continuous integration and session management. Signing the user in. |
|  | Read your signed-in user's email address | Allows the app to read your users' primary email address. | Used for the initial integration process. |
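A check a tenant admin can run against the list above, added here as an example and not Augmentt's or Microsoft's own code: it takes a Graph oauth2PermissionGrant record (whose `scope` field is a space-separated string) and reports scopes consented but not documented above, documented but not consented, and the write/impersonation scopes worth reviewing. The sample grant and its client id are constructed placeholders, and rows above that lack a scope name are left out rather than guessed.

```python
"""Compare the delegated Graph scopes consented to an integration app with the
scopes documented on this page. Added example; not Augmentt's or Microsoft's code."""

# Scope names copied from the Graph API table above. Rows whose scope-name cell
# is missing on the page are deliberately not guessed here.
DOCUMENTED_SCOPES = frozenset({
    "Application.ReadWrite.All", "AuditLog.Read.All", "Directory.AccessAsUser.All",
    "Directory.Read.All", "Mail.Send", "Policy.Read.All",
    "Policy.ReadWrite.ConditionalAccess", "Reports.Read.All", "User.Read.All",
    "profile", "openid",
})


def is_high_privilege(scope: str) -> bool:
    """Write, impersonation and send-as scopes deserve a second look before consent."""
    return "ReadWrite" in scope or "AccessAsUser" in scope or scope == "Mail.Send"


def audit_grant(grant: dict, documented=DOCUMENTED_SCOPES) -> dict:
    """Diff one oauth2PermissionGrant's scope string against the documented list.

    Lists are sorted so the result is stable and easy to assert on.
    """
    granted = set(grant.get("scope", "").split())
    return {
        # consentType "AllPrincipals" means admin consent on behalf of every user
        "tenant_wide": grant.get("consentType") == "AllPrincipals",
        "unexpected": sorted(granted - documented),   # consented, not documented
        "missing": sorted(documented - granted),      # documented, not consented
        "high_privilege": sorted(s for s in granted if is_high_privilege(s)),
    }


# Constructed sample grant with a placeholder client id, not real tenant data.
# It carries one undocumented scope (Mail.ReadWrite) and omits Reports.Read.All.
SAMPLE_GRANT = {
    "clientId": "00000000-0000-0000-0000-000000000001",
    "consentType": "AllPrincipals",
    "principalId": None,
    "scope": ("Application.ReadWrite.All AuditLog.Read.All Directory.AccessAsUser.All "
              "Directory.Read.All Mail.Send Mail.ReadWrite Policy.Read.All "
              "Policy.ReadWrite.ConditionalAccess User.Read.All profile openid"),
}

if __name__ == "__main__":
    for key, value in audit_grant(SAMPLE_GRANT).items():
        print(f"{key}: {value}")
```

In a live tenant the grant records come from the oauth2PermissionGrants collection filtered on the integration's service principal id; the check itself is the same.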
Exchange Online (PowerShell) API
| Scope Name | Description | Augmentt Use |
| profile | View users' basic profile. Allows the app to see your users' basic profile (name, picture, user name). | Used for the initial integration process. |
| openid | By using this permission, an app can receive a unique identifier for the user in the form of the sub claim. The permission also gives the app access to the UserInfo endpoint. The openid scope can be used at the Microsoft identity platform token endpoint to acquire ID tokens. The app can use these tokens for authentication. | Used for continuous integration and session management. Signing the user in. |
|  | Allows the app to read your users' primary email address. | Used for the initial integration process. |
| user_impersonation | Gives us full access to any and all PowerShell commands as the signed-in user (usually the admin). | Used by our PowerShell scripts to access the data or take the actions described below. |