Minimum scope

Roles required for an Entra application

The roles required by an Entra application configured for M365 Security Plus are listed below.

Table 1: Roles required by the configured Entra application.

| Role Name | Scope |
| --- | --- |
| Privileged Authentication Administrator | Create, manage, and delete users and their authentication methods. |
| Helpdesk Administrator | Change passwords, invalidate refresh tokens, and monitor service health. |
| Exchange Administrator | Create, manage, and delete Exchange Online mailboxes. |

Permissions required for an Entra application

The permissions required by an Entra application configured for M365 Security Plus are listed below.

Table 2: Permissions required by the configured Entra application.

| Module | API Name | Permission | Scope |
| --- | --- | --- | --- |
| Auditing and alerting | Office 365 Management | ActivityFeed.Read | Read the activity data for the organization. |
| Exchange Online | | Exchange.ManageAsApp | Used to execute Exchange Online PowerShell cmdlets via the configured Entra application. |
| SharePoint Online | | InformationProtectionPolicy.Read.All (not available in Azure China tenants) | Get data on published sensitivity labels used in the tenant. |
| Monitoring | Microsoft Graph | ServiceHealth.Read.All | Get health and performance reports. |
| Content search | Microsoft Graph | Mail.Read | Get content search reports. |
| Configuration | Microsoft Graph | Application.ReadWrite.All | Modify the application details. |
| Backup | Office 365 Exchange Online | full_access_as_app | Use Exchange Web Services to back up and restore mailboxes. |


Copyright © 2023, ZOHO Corp. All Rights Reserved.