The roles and permissions, or minimum scope, required by a service account configured for M365 Security Plus are listed below.
Table 1: Roles and permissions required by the service account.

| Module | Role Name | Scope |
| --- | --- | --- |
| Reporting | Global Reader | Get reports on all Microsoft 365 services. |
| | Security Reader | Get audit logs and mailbox reports. |
| Auditing and alerting | Security Reader | Get audit logs and sign-in reports. |
| Monitoring | - | - |
| Content Search | - | - |

The roles and permissions, or minimum scope, required by an Azure AD application configured for M365 Security Plus are listed below.
Table 2: Roles and permissions required by the Azure AD application.

| Module | API Name | Permission | Scope |
| --- | --- | --- | --- |
| Management | Microsoft Graph | User.ReadWrite.All | Create, modify, delete, or restore users. |
| | | Group.ReadWrite.All | Create, modify, delete, or restore groups. Add or remove group members and owners. |
| Reporting | Microsoft Graph | User.Read.All | Get user and group member reports. |
| | | Group.Read.All | Get group reports. |
| | | Contacts.Read | Get contact reports. |
| | | Files.Read.All | Get OneDrive for Business reports. |
| | | Reports.Read.All | Get usage reports. |
| | | Organization.Read.All | Get license detail reports. |
| | | AuditLog.Read.All | Get audit log-based reports. |
| | Office 365 Management | ActivityFeed.Read | Read the audit data for the organization. |
| Auditing and Alerting | Microsoft Graph | AuditLog.Read.All | Get audit reports and alerts. |
| Monitoring | Office 365 Management APIs | ServiceHealth.Read | Get health and performance reports. |
| Content Search | Microsoft Graph | Mail.Read | Get content search reports. |
| Configuration | Microsoft Graph | Application.ReadWrite.All | Modify the application details. |
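
A least-privilege check built on Table 2, as an added example (not part of the product or its documentation): it compares the permissions granted to the Azure AD application against the minimum scope for the modules actually in use. The function name `audit`, the result keys, and the sample granted list are assumptions constructed for illustration; the module-to-permission mapping is copied from Table 2.

```python
# Added example. REQUIRED is copied from Table 2; everything else is illustrative.
REQUIRED = {
    "Management": {"User.ReadWrite.All", "Group.ReadWrite.All"},
    "Reporting": {"User.Read.All", "Group.Read.All", "Contacts.Read",
                  "Files.Read.All", "Reports.Read.All", "Organization.Read.All",
                  "AuditLog.Read.All", "ActivityFeed.Read"},
    "Auditing and Alerting": {"AuditLog.Read.All"},
    "Monitoring": {"ServiceHealth.Read"},
    "Content Search": {"Mail.Read"},
    "Configuration": {"Application.ReadWrite.All"},
}

def audit(granted, enabled_modules):
    """Compare granted application permissions with the Table 2 minimum scope."""
    bad = set(enabled_modules) - REQUIRED.keys()
    if bad:
        raise ValueError(f"modules not in Table 2: {sorted(bad)}")
    needed = set().union(*(REQUIRED[m] for m in enabled_modules))
    granted = set(granted)
    excess = granted - needed
    # For each excess permission, find which Table 2 modules (if any) would justify it.
    owners = {p: sorted(m for m, perms in REQUIRED.items() if p in perms)
              for p in excess}
    return {
        # Required by an enabled module but not granted: that module will fail.
        "missing": sorted(needed - granted),
        # Listed in Table 2, but only for modules that are not enabled.
        "unused_module": {p: ms for p, ms in owners.items() if ms},
        # Not in Table 2 at all: nothing on this page justifies the grant.
        "undocumented": sorted(p for p, ms in owners.items() if not ms),
        # Excess write permissions: review and remove these first.
        "write_excess": sorted(p for p in excess if "ReadWrite" in p),
    }

# Constructed sample: a tenant using only Reporting and Auditing and Alerting.
SAMPLE_GRANTED = [
    "User.Read.All", "Group.Read.All", "Contacts.Read", "Files.Read.All",
    "Reports.Read.All", "AuditLog.Read.All", "ActivityFeed.Read",
    "User.ReadWrite.All",        # left over from a disabled Management module
    "Directory.ReadWrite.All",   # not listed in Table 2
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_GRANTED, ["Reporting", "Auditing and Alerting"]).items():
        print(f"{key}: {value}")
```

The granted list would normally come from the application's API permissions as shown in the Azure AD app registration; here it is hard-coded so the check runs offline.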