# Permissions Required When you run the permissions script during the installation process, you give the Microsoft Graph permissions below to a Managed Identity used by a Container App in the Managed Resource Group.
PermissionResource NameTypeReason
AuditLog.Read.All collector ApplicationAllows the app to read audit logs to monitor sign-ins and activities for security and compliance (read-only).
DeviceManagementManagedDevices.Read.All collector ApplicationAllows reading Intune-managed device inventory and status to support reporting and troubleshooting (read-only).
Directory.Read.All collector ApplicationAllows reading Azure AD directory data (users, groups, apps) to look up identities and relationships (read-only).
Domain.Read.All collector ApplicationAllows reading domain settings (read-only).
MailboxSettings.Read collector ApplicationAllows reading users’ mailbox settings (type; read-only; no mail access).
Policy.Read.All collector ApplicationAllows reading organization conditional access policies (read-only).
Synchronization.Read.Allcollector ApplicationAllows reading Azure AD synchronization information such as SCIM
DeviceManagementServiceConfig.Read.AllcollectorApplicationAllows reading Microsoft Intune service properties such as Autopilot info (read-only)
RoleEligibilitySchedule.Read.DirectorycollectorApplicationAllows reading all eligible role assignments and role schedules (read-only)
RoleAssignmentSchedule.Read.DirectorycollectorApplicationAllows reading all active role assignments and role schedules (read-only)
Directory.Read.All updater ApplicationAllows reading Azure AD directory data (users, groups, apps) to look up identities and relationships (read-only).
### Permissions Bsure have in your environment: To monitor jobs and provide updates and new features the solution provider Bsure will be given contributor and owner access during installation to the Managed Resource Group inside the managed application.