The roles and permissions, or minimum scope, required by a service account configured for M365 Security Plus are listed below.
Table 1: Roles and permissions required by the service account.

| Category | Role | Purpose |
|---|---|---|
| Management | User Administrator | Manage users, contacts, and groups. |
| Management | Privileged Authentication Administrator | Reset passwords, and block or unblock administrators. |
| Management | Privileged Role Admin | Manage role assignments in Azure Active Directory. |
| Management | Exchange Administrator | Update mailbox properties. |
| Management | Teams Service Admin | Manage Microsoft Teams. |
| Reporting | Global Reader | Get reports on all Microsoft 365 services. |
| Reporting | Security Reader | Get audit logs and mailbox reports. |
| Auditing and alerting | Security Reader | Get audit logs and sign-in reports. |
The roles and permissions, or minimum scope, required by an Azure AD application configured for M365 Security Plus are listed below.
Table 2: Roles and permissions required by the Azure AD application.

| Category | API | Permission | Purpose |
|---|---|---|---|
| Management | Microsoft Graph | User.ReadWrite.All | Create, modify, delete, or restore users. |
| Management | Microsoft Graph | Group.ReadWrite.All | Create, modify, delete, or restore groups. Add or remove group members and owners. |
| Reporting | Microsoft Graph | User.Read.All | Get user and group member reports. |
| Reporting | Microsoft Graph | Group.Read.All | Get group reports. |
| Reporting | Microsoft Graph | Contacts.Read | Get contact reports. |
| Reporting | Microsoft Graph | Files.Read.All | Get OneDrive for Business reports. |
| Reporting | Microsoft Graph | Reports.Read.All | Get usage reports. |
| Reporting | Microsoft Graph | Organization.Read.All | Get license detail reports. |
| Reporting | Microsoft Graph | AuditLog.Read.All | Get audit log-based reports. |
| Reporting | Azure Active Directory Graph | Domain.Read.All | Get domain-based reports. |
| Auditing and alerting | Microsoft Graph | AuditLog.Read.All | Get audit reports and alerts. |
| Monitoring | Office 365 Management APIs | ServiceHealth.Read | Get health and performance reports. |
| Content Search | Microsoft Graph | Mail.Read | Get content search reports. |
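As an added example (not part of the product documentation), the following Python script compares a constructed sample of an app registration's granted API permissions with the Table 2 minimum and reports both missing permissions and grants beyond that minimum. The sample grant list and the rule that a ReadWrite permission also satisfies the matching Read permission on the same resource are assumptions of this example.

```python
"""Least-privilege check: compare the permissions actually granted to the
M365 Security Plus app registration with the minimum in Table 2, and
report gaps (feature will fail) and excess scope (more than it needs)."""
from typing import Dict, List, Set, Tuple

Perm = Tuple[str, str]  # (API, permission name)
G, AAD, O365 = "Microsoft Graph", "Azure Active Directory Graph", "Office 365 Management APIs"

# Minimum permissions as documented in Table 2.
REQUIRED: Set[Perm] = {
    (G, "User.ReadWrite.All"), (G, "Group.ReadWrite.All"),
    (G, "User.Read.All"), (G, "Group.Read.All"), (G, "Contacts.Read"),
    (G, "Files.Read.All"), (G, "Reports.Read.All"), (G, "Organization.Read.All"),
    (G, "AuditLog.Read.All"), (AAD, "Domain.Read.All"),
    (O365, "ServiceHealth.Read"), (G, "Mail.Read"),
}

# Constructed sample of what one app registration was actually granted
# (in practice, exported from its application permission assignments).
SAMPLE_GRANTED: Set[Perm] = {
    (G, "User.ReadWrite.All"), (G, "Group.ReadWrite.All"), (G, "Contacts.Read"),
    (G, "Files.Read.All"), (G, "Reports.Read.All"), (G, "Organization.Read.All"),
    (G, "AuditLog.Read.All"), (G, "Mail.Read"), (O365, "ServiceHealth.Read"),
    (G, "Directory.ReadWrite.All"),  # not in Table 2: excess scope
}

def covers(granted: Perm, required: Perm) -> bool:
    """True if `granted` satisfies `required`: same API and name, or a
    ReadWrite grant on the same resource (User.ReadWrite.All covers
    User.Read.All because ReadWrite includes the read rights)."""
    if granted == required:
        return True
    api, name = granted
    return (api == required[0] and ".ReadWrite" in name
            and name.replace(".ReadWrite", ".Read", 1) == required[1])

def audit(granted: Set[Perm], required: Set[Perm] = REQUIRED) -> Dict[str, List[Perm]]:
    """Return the required permissions no grant covers, and the grants that
    cover no required permission (candidates for removal)."""
    missing = sorted(r for r in required if not any(covers(g, r) for g in granted))
    excess = sorted(g for g in granted if not any(covers(g, r) for r in required))
    return {"missing": missing, "excess": excess}

if __name__ == "__main__":
    for kind, perms in audit(SAMPLE_GRANTED).items():
        print(f"{kind}: {perms}")
```

Run against the sample, the script reports Domain.Read.All on Azure Active Directory Graph as missing and Directory.ReadWrite.All as excess scope to remove.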