Permissions Required

by the Bsure Insights Data Collector Managed Application

When you run the permissions script during the installation process, you give the Microsoft Graph permissions below to a Managed Identity used by a Container App in the Managed Resource Group.

| Permission | Resource Name | Type | Reason |
| --- | --- | --- | --- |
| AuditLog.Read.All | collector | Application | Allows the app to read audit logs to monitor sign-ins and activities for security and compliance (read-only). |
| DeviceManagementManagedDevices.Read.All | collector | Application | Allows reading Intune-managed device inventory and status to support reporting and troubleshooting (read-only). |
| Directory.Read.All | collector | Application | Allows reading Azure AD directory data (users, groups, apps) to look up identities and relationships (read-only). |
| Domain.Read.All | collector | Application | Allows reading domain settings (read-only). |
| MailboxSettings.Read | collector | Application | Allows reading users’ mailbox settings (type; read-only; no mail access). |
| Policy.Read.All | collector | Application | Allows reading organization conditional access policies (read-only). |
| Synchronization.Read.All | collector | Application | Allows reading Azure AD synchronization information such as SCIM |
| DeviceManagementServiceConfig.Read.All | collector | Application | Allows reading Microsoft Intune service properties such as Autopilot info (read-only) |
| RoleEligibilitySchedule.Read.Directory | collector | Application | Allows reading all eligible role assignments and role schedules (read-only) |
| RoleAssignmentSchedule.Read.Directory | collector | Application | Allows reading all active role assignments and role schedules (read-only) |
| Directory.Read.All | updater | Application | Allows reading Azure AD directory data (users, groups, apps) to look up identities and relationships (read-only). |
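
One way to confirm after installation that a Managed Identity holds exactly the permissions listed above. This is an added example, not part of the Bsure permissions script. It assumes you have exported the identity's app role assignments and the Microsoft Graph service principal object as JSON from Microsoft Graph; the function name and all sample ids are constructed placeholders.

```python
# Added example: compare granted Graph app roles with the documented list.
EXPECTED = {  # permission names copied from the table on this page
    "collector": {
        "AuditLog.Read.All", "DeviceManagementManagedDevices.Read.All",
        "Directory.Read.All", "Domain.Read.All", "MailboxSettings.Read",
        "Policy.Read.All", "Synchronization.Read.All",
        "DeviceManagementServiceConfig.Read.All",
        "RoleEligibilitySchedule.Read.Directory",
        "RoleAssignmentSchedule.Read.Directory",
    },
    "updater": {"Directory.Read.All"},
}

def audit(resource_name, assignments, graph_sp):
    """Return missing, unexpected and non-read-only grants for one identity.

    assignments: "value" array of GET /servicePrincipals/{id}/appRoleAssignments
    graph_sp:    Microsoft Graph service principal object ("id", "appRoles")
    """
    names = {role["id"]: role["value"] for role in graph_sp["appRoles"]}
    granted = set()
    for a in assignments:
        if a["resourceId"] != graph_sp["id"]:
            continue  # role on another API, outside the documented list
        # Keep unresolved ids visible instead of dropping them silently.
        granted.add(names.get(a["appRoleId"], "unresolved:" + a["appRoleId"]))
    expected = EXPECTED[resource_name]
    flagged = (g for g in granted if "Write" in g or g.startswith("unresolved:"))
    return {
        "missing": sorted(expected - granted),
        "unexpected": sorted(granted - expected),
        "not_read_only": sorted(flagged),
    }

# Constructed sample data; every id below is a placeholder, not a real Graph id.
SAMPLE_GRAPH_SP = {
    "id": "graph-sp-placeholder",
    "appRoles": [
        {"id": "role-placeholder-1", "value": "Directory.Read.All"},
        {"id": "role-placeholder-2", "value": "Directory.ReadWrite.All"},
    ],
}
SAMPLE_ASSIGNMENTS = [
    {"appRoleId": "role-placeholder-1", "resourceId": "graph-sp-placeholder"},
    {"appRoleId": "role-placeholder-2", "resourceId": "graph-sp-placeholder"},
    {"appRoleId": "role-placeholder-9", "resourceId": "other-api-placeholder"},
]
```

An empty result in all three lists means the identity matches the documented set; anything under "unexpected" or "not_read_only" is a grant this page does not describe.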

Permissions Bsure has in your environment:

To monitor jobs and provide updates and new features, the solution provider Bsure will be given contributor and owner access to the Managed Resource Group inside the managed application during installation.
