M365 Service Principal
Permissions for the M365 service principal
This document specifies the exact permissions required for each service principal PAA uses. Granting more than the listed permissions is unnecessary. Granting less will cause partial or complete scan failures.
Microsoft 365 / Graph Service Principal
Purpose
Used by Zero Trust Assessment, M365 Security scanning (CIS, CISA SCuBA, EIDSCA, Maester), and Identity Security scanning (service principal risks, managed identities, guest users, application registrations).
Where to Configure
Settings > Microsoft 365
Required Microsoft Graph Application Permissions
All permissions listed below are application permissions (not delegated). Each must be granted admin consent before it takes effect.
| Permission | Used For |
|---|---|
| Policy.Read.All | Conditional Access policies, authentication methods, authorization policies |
| Directory.Read.All | Entra ID directory roles, service principals, application registrations, managed identities, guest users, group memberships |
| SecurityEvents.Read.All | Microsoft Defender security alerts and incidents |
| DeviceManagementConfiguration.Read.All | Intune device compliance policies, configuration profiles |
| DeviceManagementApps.Read.All | Intune app protection policies, managed applications |
| DeviceManagementManagedDevices.Read.All | Intune managed device enrollment and compliance status |
| SecurityIncident.Read.All | Microsoft Defender XDR security incidents |
| SharePointTenantSettings.Read.All | SharePoint sharing settings, external sharing configuration |
| AuditLog.Read.All | Guest user last sign-in activity (stale external user detection) |
All nine permissions are required for complete data collection. Missing permissions will result in partial scan results — PAA will log which data areas failed but will continue with available data.
How to Create the Service Principal
- In Azure Portal, open Microsoft Entra ID > App Registrations > New Registration
- Name it (e.g., paa-m365-scanner) and register
- Under API Permissions, click Add a Permission > Microsoft Graph > Application Permissions
- Add each permission listed in the table above
- Click Grant Admin Consent — this step is required; without it, no permissions are active
- Under Certificates & Secrets, create a new Client Secret. Note the value immediately; the portal shows it only once, and it cannot be retrieved later
- Note the Application (client) ID and Directory (tenant) ID
- In PAA Settings > Microsoft 365, enter the M365 Tenant ID, Client ID, and Client Secret, then click Validate & Test Connection
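The portal steps above can be scripted. The following is an added example using the Microsoft Graph PowerShell SDK (module Microsoft.Graph.Applications); it is not PAA's own tooling. It must be run by a Global Administrator or Privileged Role Administrator, and the display name and the six-month secret lifetime are assumptions. Permission IDs are resolved by name from the Microsoft Graph service principal rather than hard-coded, so the script grants exactly the nine permissions in the table and nothing else.

```powershell
# Added example, not PAA code. Requires Microsoft.Graph.Applications.
# Run as Global Administrator or Privileged Role Administrator.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All'

# The nine application permissions required by PAA, by value.
$requiredPermissions = @(
    'Policy.Read.All',
    'Directory.Read.All',
    'SecurityEvents.Read.All',
    'DeviceManagementConfiguration.Read.All',
    'DeviceManagementApps.Read.All',
    'DeviceManagementManagedDevices.Read.All',
    'SecurityIncident.Read.All',
    'SharePointTenantSettings.Read.All',
    'AuditLog.Read.All'
)

# Resolve names to app-role IDs on the Microsoft Graph service principal
# (well-known appId 00000003-0000-0000-c000-000000000000) instead of hard-coding GUIDs.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$appRoles = foreach ($name in $requiredPermissions) {
    $role = $graphSp.AppRoles | Where-Object { $_.Value -eq $name -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $role) { throw "Application permission '$name' not found on the Graph service principal" }
    $role
}

# Register the application with exactly these permissions (Type 'Role' = application permission).
# 'paa-m365-scanner' is the example name used on this page.
$app = New-MgApplication -DisplayName 'paa-m365-scanner' -SignInAudience 'AzureADMyOrg' -RequiredResourceAccess @(
    @{
        ResourceAppId  = $graphSp.AppId
        ResourceAccess = @($appRoles | ForEach-Object { @{ Id = $_.Id; Type = 'Role' } })
    }
)

# Create the service principal for the app in this tenant.
$sp = New-MgServicePrincipal -AppId $app.AppId

# Grant admin consent: one app role assignment per permission.
# Without these assignments the permissions are only requested, not active.
foreach ($role in $appRoles) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
        -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
}

# Create the client secret. The value is returned once, so capture it here.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'paa-m365-scanner'
    EndDateTime = (Get-Date).AddMonths(6)   # assumption: six-month lifetime; rotate before expiry
}

# The three values PAA Settings > Microsoft 365 asks for.
[pscustomobject]@{
    TenantId     = (Get-MgContext).TenantId
    ClientId     = $app.AppId
    ClientSecret = $secret.SecretText
}
```

Enter the three output values into PAA directly rather than saving the script output; the secret is the only credential this service principal has, and it carries tenant-wide read access to directory, policy and Defender data.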
PAA’s Test Connection function verifies the credentials and checks which required permissions have been granted. It will report any missing permissions before you attempt a scan.
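The same check can be reproduced outside PAA, for example to confirm that consent has propagated before starting a scan. The following is an added example and not PAA's Test Connection implementation: it requests a client-credentials token for the service principal and reads the `roles` claim, which lists the application permissions actually consented for that tenant. The placeholder values at the top are assumptions.

```powershell
# Added example, not PAA code. Replace the placeholders with the values from the app registration.
$tenantId     = '<tenant-id>'
$clientId     = '<client-id>'
$clientSecret = '<client-secret>'

$required = @(
    'Policy.Read.All', 'Directory.Read.All', 'SecurityEvents.Read.All',
    'DeviceManagementConfiguration.Read.All', 'DeviceManagementApps.Read.All',
    'DeviceManagementManagedDevices.Read.All', 'SecurityIncident.Read.All',
    'SharePointTenantSettings.Read.All', 'AuditLog.Read.All'
)

# Client-credentials grant against the tenant's v2.0 token endpoint. A failure here means the
# tenant ID, client ID or secret is wrong (or the secret has expired), independent of consent.
$token = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -Body @{
    client_id     = $clientId
    client_secret = $clientSecret
    scope         = 'https://graph.microsoft.com/.default'
    grant_type    = 'client_credentials'
}

# Decode the JWT payload (second segment, base64url without padding) to read the roles claim.
$payload = $token.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
$claims  = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json

# For an application token, roles holds the consented application permissions; the claim is
# absent entirely when nothing has been consented.
$granted = @($claims.roles | Where-Object { $_ })

$missing = @($required | Where-Object { $_ -notin $granted })
if ($missing.Count -gt 0) {
    Write-Warning 'Missing application permissions (admin consent not granted, or not yet propagated):'
    $missing | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host "All $($required.Count) required permissions are present in the token."
}

# The page says anything beyond the listed permissions is unnecessary, so flag extras too.
$extra = @($granted | Where-Object { $_ -notin $required })
if ($extra.Count -gt 0) {
    Write-Warning "Extra permissions granted that PAA does not need: $($extra -join ', ')"
}
```

Because the script always requests a fresh token, a permission reported missing immediately after clicking Grant Admin Consent usually just needs a minute or two to propagate; a permission still missing after that was not consented.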
What PAA Does with This Service Principal
| Feature | Data Collected | Permissions Used |
|---|---|---|
| Zero Trust — Identity pillar | Conditional Access policies, named locations, authentication methods, directory role memberships, PIM configuration | Policy.Read.All, Directory.Read.All |
| Zero Trust — Devices pillar | Device compliance policies, app protection policies, Autopilot profiles, EDR status | DeviceManagementConfiguration.Read.All, DeviceManagementApps.Read.All, DeviceManagementManagedDevices.Read.All |
| Zero Trust — Data pillar | SharePoint sharing settings, Teams governance, sensitivity label policies, DLP policies | SharePointTenantSettings.Read.All, Policy.Read.All |
| Zero Trust — Security Operations pillar | Unified audit log status, Secure Score, Defender alerts | SecurityEvents.Read.All, SecurityIncident.Read.All |
| M365 Security — CIS Benchmark | Identity controls, Intune policies, Exchange config, SharePoint, Power BI governance | All permissions |
| M365 Security — CISA SCuBA | Entra ID, Defender, Teams, Exchange hardening | Directory.Read.All, Policy.Read.All, SecurityEvents.Read.All |
| M365 Security — EIDSCA | Entra ID authorization, authentication, conditional access configuration | Policy.Read.All, Directory.Read.All |
| Identity Security — Service Principals | SP credentials (expiry), app role assignments, federated identity credentials | Directory.Read.All |
| Identity Security — Application Registrations | Credential expiry, external owners, required resource access | Directory.Read.All |
| Identity Security — Managed Identities | App role assignments held by managed identities, RBAC roles | Directory.Read.All |
| Identity Security — Guest Users | Privileged guests, stale external users, last sign-in | Directory.Read.All, AuditLog.Read.All |
| Identity Security — Directory Roles | Service principals holding privileged Entra ID roles | Directory.Read.All |
Notes
- All permissions are read-only. PAA does not modify your M365 tenant configuration.
- Admin consent must be granted by a Global Administrator or Privileged Role Administrator.
- AuditLog.Read.All is specifically required for guest user last sign-in dates. Without it, stale guest user detection will still run but will not report sign-in recency.
- The service principal must be registered in the same tenant you are assessing. Cross-tenant assessment requires a separate App Registration in the target tenant.
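The degraded behaviour described in the first note above, listing guests without recency when AuditLog.Read.All is absent, looks like this in practice. The following is an added example and not PAA's stale-guest detector. It connects as the service principal, selects `signInActivity` on guest users, and falls back to a query without it when the select is refused. The placeholders, the 90-day threshold, and the assumption that a missing AuditLog.Read.All surfaces as an Authorization_RequestDenied error are all assumptions; `signInActivity` additionally requires an Entra ID P1 licence, which this example does not handle separately.

```powershell
# Added example, not PAA code. Requires Microsoft.Graph.Users.
$tenantId     = '<tenant-id>'
$clientId     = '<client-id>'
$clientSecret = '<client-secret>'
$staleAfter   = (Get-Date).AddDays(-90)   # assumption: 90 days without a sign-in counts as stale

# Sign in as the scanner service principal with its client secret.
$cred = [pscredential]::new($clientId, (ConvertTo-SecureString $clientSecret -AsPlainText -Force))
Connect-MgGraph -TenantId $tenantId -ClientSecretCredential $cred

$baseProps   = 'id', 'displayName', 'userPrincipalName', 'createdDateTime'
$haveRecency = $true
try {
    # Reading signInActivity needs AuditLog.Read.All on top of Directory.Read.All.
    $guests = Get-MgUser -Filter "userType eq 'Guest'" -Property ($baseProps + 'signInActivity') -All
} catch {
    # Assumption: the missing permission is reported as Authorization_RequestDenied.
    if ($_.Exception.Message -notmatch 'Authorization_RequestDenied') { throw }
    Write-Warning 'AuditLog.Read.All is not granted; reporting guests without sign-in recency.'
    $haveRecency = $false
    $guests = Get-MgUser -Filter "userType eq 'Guest'" -Property $baseProps -All
}

foreach ($g in $guests) {
    $lastSignIn = if ($haveRecency) { $g.SignInActivity.LastSignInDateTime } else { $null }
    # A guest who has never signed in is measured from its creation date rather than
    # being marked stale the moment it is invited.
    $reference  = if ($lastSignIn) { $lastSignIn } else { $g.CreatedDateTime }
    [pscustomobject]@{
        UserPrincipalName = $g.UserPrincipalName
        Created           = $g.CreatedDateTime
        LastSignIn        = $lastSignIn
        Stale             = if ($haveRecency) { $reference -lt $staleAfter } else { 'unknown' }
    }
}
```

With the permission granted, `Stale` is a boolean; without it, every row reports `unknown`, which is the same partial result the note describes for PAA.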
Platform Architecture Authority — Crimson Owl Technologies Last updated: March 2026