✖

Minimum scope

The roles and permissions, or minimum scope, required by a service account configured for M365 Security Plus are listed below.

Roles and permissions required by the service account.

Module	Role Name	Scope
Reporting	Global Reader	Get reports on all Microsoft 365 services.
Reporting	Security Reader	Get audit logs and mailbox reports.
Auditing and alerting	Security Reader	Get audit logs and sign-in reports.
Monitoring	-	-
Content Search	-	-

Note:

If an Azure AD application is not configured for M365 Security Plus, the Service Support Administrator role is required for the Monitoring feature.
An Azure AD application needs to be configured for M365 Security Plus in order to use the Content Search feature.

The roles and permissions, or minimum scope, required by an Azure AD application configured for M365 Security Plus are listed below.

Module	API Name	Permission	Scope
Management	Microsoft Graph	User.ReadWrite.All	Create, modify, delete, or restore users.
Management	Microsoft Graph	Group.ReadWrite.All	Create, modify, delete, or restore groups. Add or remove group members and owners.
Reporting	Microsoft Graph	User.Read.All	Get user and group member reports.
		Group.Read.All	Get group reports.
		Contacts.Read	Get contact reports.
		Files.Read.All	Get OneDrive for Business reports.
		Reports.Read.All	Get usage reports.
		Organization.Read.All	Get license detail reports.
		AuditLog.Read.All	Get audit log-based reports.
	Office 365 Management	ActivityFeed.Read	Read the audit data for organization.
Auditing and Alerting	Microsoft Graph	AuditLog.Read.All	Get audit reports and alerts.
Monitoring	Office 365 Management APIs	ServiceHealth.Read	Get health and performance reports.
Content Search	Microsoft Graph	Mail.Read	Get content search reports.
Backup	Office 365 Exchange Online	full_access_as_app	Uses Exchange Web Services to backup and restore mailboxes.