Permissions Required for Microsoft 365
When you grant access to the Microsoft 365 app instance, Netskope seeks consent for the following permissions from the Microsoft 365 account:
Permissions required by Netskope | Description | Purpose | Trade-off if not allowed |
---|---|---|---|
AzureAD permission: Directory.Read.All | Read directory data. | Retrieve user assets, complete O365Tenant asset metadata, and retrieve OAuth2PermissionGrant assets. | Certain rules related to assets like O365Tenant configuration, users, and OAuth2PermissionGrant will not be available. |
AzureAD permission: RoleManagement.Read.Directory | Read role management data for Azure AD. | List global admin members. | Certain rules related to global admin members count will not be available for O365Tenant assets and will always fail. Customers can mute such rules if they choose to. |
AzureAD permission: IdentityRiskEvent.Read.All | Read identity risk event information. | List identity risk events. | Certain rules related to identity risks will not be available for O365Tenant assets and will always fail. Customers can mute such rules if they choose to. |
AzureAD permission: SecurityEvents.Read.All | Allow the app to read the organization's security events on behalf of the signed-in user. | Retrieve the secure score for the Office 365 tenant for the SecureScore asset. | Certain rules related to the SecureScore asset will not be available for O365Tenant assets. |
AzureAD permission: DeviceManagementConfiguration.Read.All | Read Microsoft Intune device configuration and policies. | List device configurations and compliance policies. | Certain rules related to DeviceConfiguration and DeviceCompliancePolicy assets will not be available. |
AzureAD permission: Policy.Read.All | Read the organization's policies. | List conditional access policies. | Certain rules related to the ConditionalAccessPolicy asset will not be available. |
AzureAD permission: Domain.Read.All | Read domains. | List and read Office 365 domains. | Certain rules related to the O365 asset will not be available. |
AzureAD permission: Sites.Read.All | Read items in all site collections. | Retrieve SharePoint token to access the SharePoint API. | Certain rules related to the SharepointTenant asset will not be available. |
Manage Exchange As Application permission: Exchange.ManageAsApp | Access Exchange data without user interaction. | Execute PowerShell cmdlets to retrieve global configuration settings. Note: only read-only PowerShell cmdlets are executable, because the Global Reader role is assigned in Step 3: Add Azure AD Roles. | A significant number of global configuration settings will not be retrieved, including any setting retrieved by a PowerShell cmdlet. |
Sharepoint app permissions: <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" /> | Gain full control over the SharePoint tenant. | Read the SharePoint tenant configuration data. | Certain rules related to the SharepointTenant asset will not be available and will always fail. Customers can mute such rules if they choose to. |
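The table above is also the reference an administrator needs for a least-privilege check after consent: the app instance should hold the documented application permissions and nothing more. The following is an added example (not Netskope's or Microsoft's code) that compares the Microsoft Graph `appRoleAssignments` of the app's service principal against that documented set. It assumes the caller has already fetched two Graph payloads, `GET /servicePrincipals/{appSpId}/appRoleAssignments` and `GET /servicePrincipals/{resourceSpId}?$select=appRoles` for each resource API, and that the resource display names are "Microsoft Graph" and "Office 365 Exchange Online". Both payloads in the block are constructed samples, and the GUIDs are placeholders rather than the real appRole ids. The SharePoint app-only grant (`AppPermissionRequest`) is not an Azure AD app role and is not covered by this check.

```python
# Added example, not Netskope's or Microsoft's code. Audits granted
# application permissions against the documented set. Sample data is
# constructed; the GUIDs are placeholders, not the real appRole ids.

# Documented application permissions, grouped by resource API
# (resource display names are an assumption about the tenant's service principals).
REQUIRED = {
    "Microsoft Graph": {
        "Directory.Read.All", "RoleManagement.Read.Directory",
        "IdentityRiskEvent.Read.All", "SecurityEvents.Read.All",
        "DeviceManagementConfiguration.Read.All", "Policy.Read.All",
        "Domain.Read.All", "Sites.Read.All",
    },
    "Office 365 Exchange Online": {"Exchange.ManageAsApp"},
}

# Scope-name fragments that indicate write or full-control rights. Only
# applied to scopes that are already outside the documented set.
WRITE_MARKERS = ("ReadWrite", "Write", "FullControl", "Manage")


def resolve_granted(assignments, app_roles_by_resource):
    """Translate appRoleAssignments into {resource: {scope value, ...}}.

    An appRoleId is only meaningful relative to the resource service
    principal's appRoles list, so an id that cannot be resolved is kept as
    'unknown:<id>' instead of being silently dropped.
    """
    granted = {}
    for a in assignments:
        resource = a["resourceDisplayName"]
        roles = app_roles_by_resource.get(resource, [])
        value = next((r["value"] for r in roles if r["id"] == a["appRoleId"]), None)
        granted.setdefault(resource, set()).add(value or f"unknown:{a['appRoleId']}")
    return granted


def audit_permissions(granted, required=REQUIRED):
    """Return scopes that are missing (rules will fail) or unexpected (over-privilege)."""
    missing, unexpected = {}, {}
    for res in set(required) | set(granted):
        have, want = granted.get(res, set()), required.get(res, set())
        if want - have:
            missing[res] = sorted(want - have)
        if have - want:
            unexpected[res] = sorted(have - want)
    write_capable = sorted(
        f"{res}:{scope}"
        for res, scopes in unexpected.items()
        for scope in scopes
        if any(m in scope for m in WRITE_MARKERS)
    )
    return {"missing": missing, "unexpected": unexpected, "write_capable": write_capable}


# --- constructed sample payloads -------------------------------------------
def _role(n, value):
    # Placeholder id; real ids come from the resource service principal's appRoles.
    return {"id": f"00000000-0000-0000-0000-{n:012d}", "value": value}


SAMPLE_APP_ROLES = {
    "Microsoft Graph": [
        _role(1, "Directory.Read.All"), _role(2, "RoleManagement.Read.Directory"),
        _role(3, "IdentityRiskEvent.Read.All"), _role(4, "SecurityEvents.Read.All"),
        _role(5, "DeviceManagementConfiguration.Read.All"), _role(6, "Policy.Read.All"),
        _role(7, "Domain.Read.All"), _role(8, "Sites.Read.All"),
        _role(9, "Mail.ReadWrite"),
    ],
    "Office 365 Exchange Online": [_role(100, "Exchange.ManageAsApp")],
}


def _assignment(resource, n):
    return {"principalDisplayName": "app instance (constructed)",
            "resourceDisplayName": resource,
            "appRoleId": f"00000000-0000-0000-0000-{n:012d}"}


# Constructed tenant state: Policy.Read.All was never consented, Mail.ReadWrite
# was granted separately, and one assignment points at an id the resource no
# longer advertises.
SAMPLE_ASSIGNMENTS = (
    [_assignment("Microsoft Graph", n) for n in (1, 2, 3, 4, 5, 7, 8, 9)]
    + [_assignment("Office 365 Exchange Online", 100), _assignment("Microsoft Graph", 999)]
)


def run_sample():
    return audit_permissions(resolve_granted(SAMPLE_ASSIGNMENTS, SAMPLE_APP_ROLES))


if __name__ == "__main__":
    import json
    print(json.dumps(run_sample(), indent=2))
```

A missing entry maps directly to the "Trade-off if not allowed" column: the rules for the corresponding asset will fail until that scope is consented. An unexpected entry is what to review for least privilege. Note that the effective privilege of Exchange.ManageAsApp is bounded by the directory role the app holds (Global Reader, per the table), not by the scope name, so that row is checked by role assignment rather than by this script.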