Minimum scope

The roles and permissions, or minimum scope, required by a service account configured for M365 Security Plus are listed below.

Table 1: Roles and permissions required by the service account.

| Module | Role Name | Scope |
|---|---|---|
| Reporting | Global Reader | Get reports on all Microsoft 365 services. |
| Reporting | Security Reader | Get audit logs and mailbox reports. |
| Auditing and alerting | Security Reader | Get audit logs and sign-in reports. |
| Monitoring | - | - |
| Content Search | - | - |
 
Note:
  • If an Azure AD application is not configured for M365 Security Plus, the Service Support Administrator role is required for the Monitoring feature.
  • An Azure AD application needs to be configured for M365 Security Plus in order to use the Content Search feature.

The roles and permissions, or minimum scope, required by an Azure AD application configured for M365 Security Plus are listed below.

Table 2: Roles and permissions required by the Azure AD application.

| Module | API Name | Permission | Scope |
|---|---|---|---|
| Management | Microsoft Graph | User.ReadWrite.All | Create, modify, delete, or restore users. |
| Management | Microsoft Graph | Group.ReadWrite.All | Create, modify, delete, or restore groups. Add or remove group members and owners. |
| Reporting | Microsoft Graph | User.Read.All | Get user and group member reports. |
| Reporting | Microsoft Graph | Group.Read.All | Get group reports. |
| Reporting | Microsoft Graph | Contacts.Read | Get contact reports. |
| Reporting | Microsoft Graph | Files.Read.All | Get OneDrive for Business reports. |
| Reporting | Microsoft Graph | Reports.Read.All | Get usage reports. |
| Reporting | Microsoft Graph | Organization.Read.All | Get license detail reports. |
| Reporting | Microsoft Graph | AuditLog.Read.All | Get audit log-based reports. |
| Reporting | Office 365 Management | ActivityFeed.Read | Read the audit data for the organization. |
| Auditing and Alerting | Microsoft Graph | AuditLog.Read.All | Get audit reports and alerts. |
| Monitoring | Office 365 Management APIs | ServiceHealth.Read | Get health and performance reports. |
| Content Search | Microsoft Graph | Mail.Read | Get content search reports. |
| Configuration | Microsoft Graph | Application.ReadWrite.All | Modify the application details. |
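
To check that an application holds only the permissions Table 2 calls for, the access token issued to it can be compared with the table for the modules actually in use. The script below is an added example, not part of M365 Security Plus; the function names and the sample token are constructed for illustration, and it assumes permissions appear in the token's `roles` (application) or `scp` (delegated) claim.

```python
import base64
import json

GRAPH, O365 = "Microsoft Graph", "Office 365 Management APIs"
# Table 2 as data: module -> API -> permissions. The table's "Office 365
# Management" row is assumed to mean the same API as "Office 365 Management APIs".
MIN_SCOPE = {
    "Management": {GRAPH: {"User.ReadWrite.All", "Group.ReadWrite.All"}},
    "Reporting": {
        GRAPH: {"User.Read.All", "Group.Read.All", "Contacts.Read", "Files.Read.All",
                "Reports.Read.All", "Organization.Read.All", "AuditLog.Read.All"},
        O365: {"ActivityFeed.Read"},
    },
    "Auditing and Alerting": {GRAPH: {"AuditLog.Read.All"}},
    "Monitoring": {O365: {"ServiceHealth.Read"}},
    "Content Search": {GRAPH: {"Mail.Read"}},
    "Configuration": {GRAPH: {"Application.ReadWrite.All"}},
}

def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def granted(claims):
    """Assumption: app-only tokens list permissions in 'roles', delegated in 'scp'."""
    return set(claims.get("roles", [])) | set(claims.get("scp", "").split())

def audit(token, api, modules):
    """Compare a token's grants for one API with Table 2 for the modules in use."""
    need = set().union(*(MIN_SCOPE[m].get(api, set()) for m in modules))
    have = granted(jwt_claims(token))
    return {"missing": sorted(need - have), "excess": sorted(have - need)}

def make_token(claims):
    """Build an unsigned, constructed sample token (not a real credential)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

# Constructed sample: a Graph token for a deployment using only two modules.
SAMPLE = make_token({"roles": ["User.Read.All", "Group.Read.All", "Reports.Read.All",
                               "AuditLog.Read.All", "Directory.ReadWrite.All"]})

if __name__ == "__main__":
    print(audit(SAMPLE, GRAPH, ["Reporting", "Auditing and Alerting"]))
```

An entry under `excess` is a grant beyond the minimum scope for the selected modules and a candidate for removal; an entry under `missing` explains a feature that fails for lack of permission.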