
Netskope Help

Permissions Required for Microsoft 365

When you grant access to the Microsoft 365 app instance, Netskope seeks consent for the following permissions from the Microsoft 365 account:

Table 18. Permissions Required by Netskope for Microsoft 365

| Permissions required by Netskope | Description | Purpose | Trade-off if not allowed |
|---|---|---|---|
| AzureAD permission: Directory.Read.All | Read directory data. | Retrieve user assets, complete O365Tenant asset metadata, and retrieve OAuth2PermissionGrant assets. | Certain rules related to assets like O365Tenant configuration, users, and OAuth2PermissionGrant will not be available. |
| AzureAD permission: RoleManagement.Read.Directory | Read role management data for Azure AD. | List global admin members. | Certain rules related to global admin members count will not be available for O365Tenant assets and will always fail. Customers can mute such rules if they choose to. |
| AzureAD permission: IdentityRiskEvent.Read.All | Read identity risk event information. | List identity risk events. | Certain rules related to identity risks will not be available for O365Tenant assets and will always fail. Customers can mute such rules if they choose to. |
| AzureAD permission: SecurityEvents.Read.All | Allow the app to read the organizations' security events on behalf of the signed-in user. | Retrieve secure score for the Office 365 tenant for the SecureScore asset. | Certain rules related to the SecureScore asset will not be available for O365Tenant assets. |
| AzureAD permission: DeviceManagementConfiguration.Read.All | Read Microsoft Intune device configuration and policies. | List device configurations and compliance policies. | Certain rules related to DeviceConfiguration and DeviceCompliancePolicy assets will not be available. |
| AzureAD permission: Policy.Read.All | Read the organizations' policies. | List conditional access policies. | Certain rules related to the ConditionalAccessPolicy asset will not be available. |
| AzureAD permission: Domain.Read.All | Read domains. | List and read Office 365 domains. | Certain rules related to the O365 asset will not be available. |
| AzureAD permission: Sites.Read.All | Read items in all site collections. | Retrieve SharePoint token to access the SharePoint API. | Certain rules related to the SharepointTenant asset will not be available. |
| Manage Exchange As Application permission: Exchange.ManageAsApp | Access Exchange data without user interaction. | Execute PowerShell cmdlets to retrieve global configuration settings. Note: only read-only PowerShell cmdlets are executable because the Global Reader role is assigned in Step 3: Add Azure AD Roles. | A significant number of global configuration settings will not be retrieved, including any setting retrieved by a PowerShell cmdlet. |
| SharePoint app permission: `<AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />` | Gain full control over the SharePoint tenant. | Read the SharePoint tenant configuration data. | Certain rules related to the SharepointTenant asset will not be available and will always fail. Customers can mute such rules if they choose to. |
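An admin reviewing the consent grant usually wants two things the table implies but does not give directly: which rule families stop working for each permission that was withheld, and whether the write-capable grants (Exchange.ManageAsApp and the SharePoint FullControl request) are bounded the way the table describes. The following Python is an added example, not Netskope code or a Microsoft Graph client. It assumes the granted permissions have already been resolved to their names and the app's directory roles listed, so its input shape (`granted`, `directory_roles`), the sample values, and the function names are assumptions for illustration.

```python
"""Audit an app's granted Microsoft 365 permissions against the documented set
and report the impact of anything missing or unexpected.

Added example; not Netskope's code. The input is a constructed, already-resolved
view of the grant (permission names and directory role names); the field and
function names here are assumptions, not Microsoft Graph's."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RequiredPermission:
    name: str
    affected_assets: tuple   # assets whose rules depend on it (from the table)
    rules_always_fail: bool  # table says such rules "will always fail"


# One entry per table row; the SharePoint app permission is keyed by scope:right.
REQUIRED = (
    RequiredPermission("Directory.Read.All", ("O365Tenant", "User", "OAuth2PermissionGrant"), False),
    RequiredPermission("RoleManagement.Read.Directory", ("O365Tenant",), True),
    RequiredPermission("IdentityRiskEvent.Read.All", ("O365Tenant",), True),
    RequiredPermission("SecurityEvents.Read.All", ("SecureScore",), False),
    RequiredPermission("DeviceManagementConfiguration.Read.All", ("DeviceConfiguration", "DeviceCompliancePolicy"), False),
    RequiredPermission("Policy.Read.All", ("ConditionalAccessPolicy",), False),
    RequiredPermission("Domain.Read.All", ("O365",), False),
    RequiredPermission("Sites.Read.All", ("SharepointTenant",), False),
    RequiredPermission("Exchange.ManageAsApp", ("Exchange global configuration",), False),
    RequiredPermission("http://sharepoint/content/tenant:FullControl", ("SharepointTenant",), True),
)

# Grants that are not read-only by themselves; the table bounds the Exchange one
# with the Global Reader role, so an auditor should confirm that role is present.
HIGH_PRIVILEGE = {"Exchange.ManageAsApp", "http://sharepoint/content/tenant:FullControl"}


def audit(granted, directory_roles):
    """Return findings, in order: MISSING, EXTRA, ROLE, PRIVILEGE."""
    granted = set(granted)
    roles = set(directory_roles)
    findings = []
    for p in REQUIRED:
        if p.name not in granted:
            fail = " and will always fail" if p.rules_always_fail else ""
            findings.append(
                f"MISSING {p.name}: rules for {', '.join(p.affected_assets)} unavailable{fail}"
            )
    for extra in sorted(granted - {p.name for p in REQUIRED}):
        findings.append(f"EXTRA {extra}: not in the documented set; review before keeping")
    if "Exchange.ManageAsApp" in granted and "Global Reader" not in roles:
        findings.append(
            "ROLE Exchange.ManageAsApp granted but Global Reader not assigned; "
            "the read-only limit on cmdlets described in the table does not hold"
        )
    for name in sorted(granted & HIGH_PRIVILEGE):
        findings.append(f"PRIVILEGE {name}: write-capable grant, confirm it is bounded")
    return findings


# Constructed sample grant (assumption): one documented permission withheld, one
# extra Graph permission consented, Global Reader assigned as the table expects.
SAMPLE_GRANTED = [
    "Directory.Read.All", "RoleManagement.Read.Directory", "SecurityEvents.Read.All",
    "DeviceManagementConfiguration.Read.All", "Policy.Read.All", "Domain.Read.All",
    "Sites.Read.All", "Exchange.ManageAsApp",
    "http://sharepoint/content/tenant:FullControl", "User.ReadWrite.All",
]
SAMPLE_ROLES = ["Global Reader"]

if __name__ == "__main__":
    for line in audit(SAMPLE_GRANTED, SAMPLE_ROLES):
        print(line)
```

Run as-is it reports the withheld IdentityRiskEvent.Read.All (with the table's "will always fail" note), flags the extra User.ReadWrite.All for review, and lists the two write-capable grants; drop "Global Reader" from `SAMPLE_ROLES` to see the ROLE finding. Resolving real grants to names is left to whatever tooling the admin already uses, since the point here is the mapping from grant to impact.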