Identity Security uses data from Microsoft Entra ID for identity asset discovery and identity exposure management. The following table lists the Microsoft Entra ID data used by Identity Security and the permissions used to obtain data.
Note
  • Identity Security uses the Microsoft Graph API to obtain data from Microsoft Entra ID. All the permissions used by Identity Security are application permissions, which allow Identity Security to access resources without requiring a signed-in user. All the permissions require admin consent.
  • Identity Security uses the least privileged permissions necessary to collect data. When a permission required for certain data also grants access to additional data, Identity Security uses this permission instead of requesting a separate, more specific permission for the additional data.

| Category | Data | Permission Used |
|---|---|---|
| User | Users' properties and relationships | User.Read.All |
| Sign in | User sign-in activity | AuditLog.Read.All |
| Sign in | Attributes related to the applied conditional access policy or policies that are triggered by a sign-in activity | Policy.Read.All |
| Directory audit | Directory audit logs | AuditLog.Read.All, Directory.Read.All |
| Message rule | Rules that apply to messages in the Inboxes of users | MailboxSettings.Read |
| Directory role | Directory roles that are activated in the tenant and their members | Directory.Read.All |
| Group | Group information, including: all the groups available in an organization; properties and relationships of groups; members in groups | Directory.Read.All, Group.Read.All |
| Service principal | Service principal information, including: instances of applications in a directory; delegated permissions that have been granted to an application's service principal | Directory.Read.All |
| Conditional access policy | Properties and relationships of conditional access policies | Policy.Read.All |
| Organization | Properties and relationships of organizations | Organization.Read.All |
| Place | Basic location attributes such as name, physical address, and geographic coordinates | Place.Read.All |
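As an added example (not vendor code), the following Python checks the application permissions actually granted to a connector's service principal against the set documented in the table above, reporting permissions that are missing (collection for that data will fail) and permissions that go beyond the documented least-privilege set. The appRoleAssignments and appRoles JSON are constructed with placeholder ids; a real run would fetch them from Microsoft Graph.

```python
import json

# Application permissions this page lists for Identity Security.
DOCUMENTED_PERMISSIONS = {
    "User.Read.All", "AuditLog.Read.All", "Policy.Read.All", "Directory.Read.All",
    "MailboxSettings.Read", "Group.Read.All", "Organization.Read.All", "Place.Read.All",
}

# Constructed excerpt of the Microsoft Graph service principal's appRoles
# (appRole id -> permission value). The ids are placeholders, not real Graph ids.
GRAPH_APP_ROLES = json.loads("""[
  {"id": "11111111-0000-0000-0000-000000000001", "value": "User.Read.All"},
  {"id": "11111111-0000-0000-0000-000000000002", "value": "AuditLog.Read.All"},
  {"id": "11111111-0000-0000-0000-000000000003", "value": "Directory.Read.All"},
  {"id": "11111111-0000-0000-0000-000000000004", "value": "Mail.Read"}
]""")

# Constructed appRoleAssignments for the connector's service principal.
# Only assignments whose resource is Microsoft Graph are relevant to this audit.
APP_ROLE_ASSIGNMENTS = json.loads("""[
  {"appRoleId": "11111111-0000-0000-0000-000000000001", "resourceDisplayName": "Microsoft Graph"},
  {"appRoleId": "11111111-0000-0000-0000-000000000002", "resourceDisplayName": "Microsoft Graph"},
  {"appRoleId": "11111111-0000-0000-0000-000000000003", "resourceDisplayName": "Microsoft Graph"},
  {"appRoleId": "11111111-0000-0000-0000-000000000004", "resourceDisplayName": "Microsoft Graph"},
  {"appRoleId": "22222222-0000-0000-0000-000000000001", "resourceDisplayName": "Other API"}
]""")


def granted_graph_permissions(assignments, app_roles):
    """Map Graph appRoleAssignments to permission names; unknown ids stay visible."""
    names = {role["id"]: role["value"] for role in app_roles}
    return {
        names.get(a["appRoleId"], "unknown:" + a["appRoleId"])
        for a in assignments
        if a.get("resourceDisplayName") == "Microsoft Graph"
    }


def audit_permissions(assignments, app_roles, documented=DOCUMENTED_PERMISSIONS):
    """Return permissions the tenant lacks and permissions beyond the documented set."""
    granted = granted_graph_permissions(assignments, app_roles)
    return {
        "missing": sorted(documented - granted),
        "excess": sorted(granted - documented),
    }


if __name__ == "__main__":
    print(json.dumps(audit_permissions(APP_ROLE_ASSIGNMENTS, GRAPH_APP_ROLES), indent=2))
```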