Entra-ID Advanced Permissions

Setting Advanced Permissions

The following table summarizes permissions that Axonius requires to fetch various Entra ID resources.

Use this information to enable required permissions and to only apply necessary permissions.

Azure Service	Permissions	Advanced Configuration
Last sign-in audit log information	`AuditLog.Read.All` `Device.Read.All`	Fetch users Last Sign-In
Entra ID Intune	`DeviceManagementApps.Read.All` `DeviceManagementConfiguration.Read.All` `DeviceManagementManagedDevices.Read.All` `DeviceManagementServiceConfig.Read.All` `Directory.Read.All` (also for SaaS data)	Fetch devices from Intune Fetch software information from Intune
Allow for enriching Intune devices with their Security Baseline states	`DeviceManagementConfiguration.ReadWrite.All`	Fetch Security Baseline Device States
Fetch Risky Users information	`IdentityRiskyUser.Read.All`	Fetch risky users information
Fetch extra custom user flow attributes to be added dynamically to the User’s assets data	`IdentityUserFlow.Read.All`	Fetch custom user flow attributes
Fetch users	`User.Read.All`	Default
Fetch authentication method (if the Allow use of Beta API endpoints setting is enabled)	`UserAuthenticationMethod.Read.All`	Fetch user authentication methods If you enable this setting and have the additional `Policy.Read.All` permission, not only the adapter will fetch authentication methods, but also extra information regarding each authentication method’s status — whether they are enabled or disabled.
MCAS data	`SecurityEvents.Read.All` `SecurityEvents.ReadWrite.All` `Investigation.Read`
Group app roles	`Directory.Read.All` or `AppRoleAssignment.ReadWrite.All`	Fetch group app roles
Role data	`Directory.Read.All` `RoleManagement.Read.All`	Fetch user app roles
User Contacts data	`Contacts.Read`	Fetch user contacts
Fetch password validity data	`Domain.Read.All`	Default
Fetch Device Information Protection - Bitlocker Recovery Key	`BitlockerKey.ReadBasic.All`	Fetch Device Information Protection - Bitlocker Recovery Key Fetch Device Configuration Policy Settings for Bitlocker
Fetch mailbox settings for users	`MailboxSettings.Read`	Fetch mailbox settings for users
Fetch claims policy for enterprise applications	`Policy.ReadWrite.ApplicationConfiguration`	Fetch claims policy for enterprise applications
Fetch the conditions created or enforced by the Entra ID configuration	`Policy.Read.All`	Fetch Conditional Access Policies

The following permissions are only for Axonius accounts with the Axonius SaaS Applications:

Azure Service	Permissions	Advanced Configuration
Fetch Office365 activity endpoints (and SaaS data)	`AuditLog.Read.All`	Fetch date of last activity for M365 product
Allow fetching email activity	`Reports.Read.All`	Fetch email activity from Office 365 in the last X days
Allow fetching licenses and application settings	`Global.Read`	Fetch users license detail
Allow fetching extensions that Entra ID is granted permissions to		Fetch user extensions

Enforcement Action Permissions

To use the Entra ID Enforcement Actions, the following permissions are required:

Supported Resource	Delegated	Application
device	`GroupMember.ReadWrite.All` `Device.ReadWrite.All`	`GroupMember.ReadWrite.All` `Device.ReadWrite.All`
group	`GroupMember.ReadWrite.All` `Group.ReadWrite.All`	`GroupMember.ReadWrite.All` `Group.ReadWrite.All`
orgContact	`GroupMember.ReadWrite.All` `OrgContact.Read.All`	`GroupMember.ReadWrite.All` `OrgContact.Read.Al`
group	`GroupMember.ReadWrite.All` `Group.ReadWrite.All`	`GroupMember.ReadWrite.All` `Group.ReadWrite.All`
servicePrincipal	`GroupMember.ReadWrite.All` `Application.ReadWrite.All`	`GroupMember.ReadWrite.All` `Application.ReadWrite.All`
user	`GroupMember.ReadWrite.All` `User.ReadWrite.All`	`GroupMember.ReadWrite.All` `User.ReadWrite.All`

Updated about 3 hours ago