Entra-ID Advanced Permissions

Setting Advanced Permissions

The following table summarizes permissions that Axonius requires to fetch various Entra ID resources.

Use this information to enable required permissions and to only apply necessary permissions.

Azure ServicePermissionsAdvanced Configuration
Last sign-in audit log informationAuditLog.Read.All Device.Read.AllFetch users Last Sign-In
Entra ID IntuneDeviceManagementApps.Read.All DeviceManagementConfiguration.Read.All DeviceManagementManagedDevices.Read.All DeviceManagementServiceConfig.Read.All Directory.Read.All (also for SaaS data)Fetch devices from Intune

Fetch software information from Intune
Allow for enriching Intune devices with their Security Baseline statesDeviceManagementConfiguration.ReadWrite.AllFetch Security Baseline Device States
Fetch Risky Users informationIdentityRiskyUser.Read.AllFetch risky users information
Fetch extra custom user flow attributes to be added dynamically to the User’s assets dataIdentityUserFlow.Read.AllFetch custom user flow attributes
Fetch usersUser.Read.AllDefault
Fetch authentication method (if the Allow use of Beta API endpoints setting is enabled)UserAuthenticationMethod.Read.AllFetch user authentication methods

If you enable this setting and have the additional Policy.Read.All permission, not only the adapter will fetch authentication methods, but also extra information regarding each authentication method’s status — whether they are enabled or disabled.
Group app rolesDirectory.Read.All or AppRoleAssignment.ReadWrite.AllFetch group app roles
Role dataDirectory.Read.AllFetch user app roles
User Contacts dataContacts.ReadFetch user contacts
Fetch password validity dataDomain.Read.AllDefault
Fetch Device Information Protection - Bitlocker Recovery KeyBitlockerKey.ReadBasic.AllFetch Device Information Protection - Bitlocker Recovery Key

Fetch Device Configuration Policy Settings for Bitlocker
Fetch mailbox settings for usersMailboxSettings.ReadFetch mailbox settings for users
Fetch claims policy for enterprise applicationsPolicy.ReadWrite.ApplicationConfigurationFetch claims policy for enterprise applications
Fetch the conditions created or enforced by the Entra ID configurationPolicy.Read.AllFetch Conditional Access Policies
Fetch information about Microsoft Apps UsageReports Reader roleFetch Microsoft apps reports

The following permissions are only for Axonius accounts with the Axonius SaaS Applications:

Azure ServicePermissionsAdvanced Configuration
Fetch Office365 activity endpoints (and SaaS data)Reports.Read.AllFetch date of last activity for M365 product
Allow fetching email activityReports.Read.AllFetch email activity from Office 365 in the last X days
Allow fetching licenses and application settingsGlobal.ReadFetch users license detail
Allow fetching extensions that Entra ID is granted permissions toFetch user extensions

Enforcement Action Permissions

To use the Entra ID Enforcement Actions, the following permissions are required:

Supported ResourceDelegatedApplication
deviceGroupMember.ReadWrite.All Device.ReadWrite.AllGroupMember.ReadWrite.All Device.ReadWrite.All
groupGroupMember.ReadWrite.All Group.ReadWrite.AllGroupMember.ReadWrite.All Group.ReadWrite.All
orgContactGroupMember.ReadWrite.All OrgContact.Read.AllGroupMember.ReadWrite.All OrgContact.Read.Al
groupGroupMember.ReadWrite.All Group.ReadWrite.AllGroupMember.ReadWrite.All Group.ReadWrite.All
servicePrincipalGroupMember.ReadWrite.All Application.ReadWrite.AllGroupMember.ReadWrite.All Application.ReadWrite.All
userGroupMember.ReadWrite.All User.ReadWrite.AllGroupMember.ReadWrite.All User.ReadWrite.All


Did this page help you?