Overview
This document specifies the exact permissions required for each service principal PAA uses. Granting more than the listed permissions is unnecessary and only widens the blast radius if a credential leaks; granting less causes partial or complete scan failures.
Overview
PAA uses two Microsoft service principals, each scoped to a different Microsoft system (a GitHub App, listed in the Summary Reference below, handles repository sync separately):
| Service Principal | System | Used For |
|---|---|---|
| Azure SP | Azure Resource Manager | Health Checks, Drift Detection, Cost Intelligence, RBAC Audit |
| Microsoft 365 SP | Microsoft Graph API | Zero Trust Assessment, M365 Security, Identity Security Scanning |
These are separate App Registrations: the Azure SP is configured under Settings > Azure and the M365 SP under Settings > Microsoft 365. A single service principal cannot be used for both purposes.
Summary Reference
| Service Principal | Location | Roles / Permissions |
|---|---|---|
| Azure SP | Azure RBAC | Reader (per subscription), Cost Management Reader (per subscription) |
| M365 SP | Microsoft Graph App Permissions | Policy.Read.All, Directory.Read.All, SecurityEvents.Read.All, DeviceManagementConfiguration.Read.All, DeviceManagementApps.Read.All, DeviceManagementManagedDevices.Read.All, SecurityIncident.Read.All, SharePointTenantSettings.Read.All, AuditLog.Read.All |
| GitHub App | GitHub Repository Permissions | Contents: Read and write, Metadata: Read |
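The following script is an added example for this page and is not part of PAA or its Test Connection feature. It shows how to confirm, from a role-assignment listing, that the Azure SP actually holds Reader and Cost Management Reader on a subscription, including two cases that the Summary Reference glosses over: roles inherited from a management group (which count) and roles granted only on a resource group (which do not). The input shape follows the `principalId`, `roleDefinitionName` and `scope` fields of `az role assignment list --scope /subscriptions/<id> --include-inherited`; the GUIDs and assignments below are constructed, not taken from a real tenant.

```python
"""Check that the PAA Azure service principal holds the required roles on a
subscription. Added example, not PAA's own validator. Input mirrors a role
assignment listing fetched at subscription scope, with roleDefinitionId
already resolved to the role display name. All sample data is constructed."""

REQUIRED_AZURE_ROLES = frozenset({"Reader", "Cost Management Reader"})
MG_PREFIX = "/providers/microsoft.management/managementgroups/"


def covers_subscription(scope: str, subscription_id: str) -> bool:
    """True if an assignment made at `scope` applies to the whole subscription.

    Assumption: the assignments were listed at subscription scope, so any
    management-group scope that appears is an ancestor of this subscription.
    Resource-group and resource scopes are narrower and do not count."""
    s = scope.lower().rstrip("/")
    if s == "" or s.startswith(MG_PREFIX):  # "/" is the root scope; MG scopes are inherited
        return True
    return s == f"/subscriptions/{subscription_id}".lower()


def missing_roles(assignments: list, sp_object_id: str, subscription_id: str) -> list:
    """Return the required roles the principal does NOT hold on the subscription.

    principalId in a role assignment is the service principal's object id (the
    Enterprise Application), not the App (client) ID shown on the App
    Registration. Comparing against the client ID silently matches nothing."""
    held = {
        ra["roleDefinitionName"]
        for ra in assignments
        if ra["principalId"].lower() == sp_object_id.lower()
        and covers_subscription(ra["scope"], subscription_id)
    }
    return sorted(REQUIRED_AZURE_ROLES - held)


# ---- Constructed sample (placeholder GUIDs, not a real tenant) ----
PAA_SP_OBJECT_ID = "11111111-2222-4333-8444-555555555555"
SUBSCRIPTION_ID = "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"
SAMPLE_ASSIGNMENTS = [
    # Reader inherited from the management group containing the subscription: counts.
    {"principalId": PAA_SP_OBJECT_ID, "roleDefinitionName": "Reader",
     "scope": "/providers/Microsoft.Management/managementGroups/mg-prod"},
    # Cost Management Reader granted on one resource group only: too narrow.
    {"principalId": PAA_SP_OBJECT_ID, "roleDefinitionName": "Cost Management Reader",
     "scope": f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/rg-app"},
    # Another principal's Contributor assignment: irrelevant to the PAA SP.
    {"principalId": "99999999-0000-4000-8000-000000000000", "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUBSCRIPTION_ID}"},
]

if __name__ == "__main__":
    missing = missing_roles(SAMPLE_ASSIGNMENTS, PAA_SP_OBJECT_ID, SUBSCRIPTION_ID)
    print("missing roles:", missing or "none")
```

Run against the sample, the check reports only `Cost Management Reader` as missing, which is exactly the condition behind the "Cost Intelligence shows no data" symptom in the Troubleshooting section: the role exists, but not at a scope that covers the subscription.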
Troubleshooting
Health Check returns no results or fails immediately
Verify the Azure service principal has Reader on the target subscription itself (or inherited from a management group); an assignment on a single resource group is not sufficient. Check that the Tenant ID, Client ID, and Client Secret in Settings > Azure are correct, and allow a newly created role assignment several minutes to propagate. Use Test Connection to confirm authentication succeeds before running a scan.
Cost Intelligence shows no data
Confirm Cost Management Reader is assigned on the subscription. Some subscription types (Free, Dev/Test) do not support the Cost Management API — this is an Azure limitation and cannot be resolved by adding permissions.
M365 Security or Zero Trust scan shows partial results
Open Settings > Microsoft 365 > Validate & Test Connection. The validation response lists which of the nine required permissions are missing. Grant the missing permissions as application permissions (not delegated permissions, which a daemon authenticating with a client secret cannot use) and re-run admin consent; a permission added to the App Registration but not consented still reports as missing.
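The following script is an added example for this page and is not PAA's own validator. It reproduces the kind of check Validate & Test Connection performs, but goes one step further by separating the three ways a required Graph permission ends up missing: never added to the App Registration, added but not admin-consented, or added as a delegated permission instead of an application permission. It consumes the shapes of three Microsoft Graph responses (the app's `requiredResourceAccess`, the service principal's `appRoleAssignments`, and the Microsoft Graph service principal's `appRoles` and `oauth2PermissionScopes`); the well-known Microsoft Graph resource appId is real, but all ids, grants and the tenant data below are constructed.

```python
"""Validate the Microsoft Graph application permissions consented to the PAA
M365 service principal. Added example, not PAA's own code. Inputs mirror:
  app_reg  : GET /applications/{id}?$select=requiredResourceAccess
  grants   : GET /servicePrincipals/{paaSpObjectId}/appRoleAssignments
  graph_sp : GET /servicePrincipals?$filter=appId eq '<GRAPH_APP_ID>'
             &$select=id,appRoles,oauth2PermissionScopes
All sample data below is constructed, not captured from a real tenant."""
import uuid

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's well-known resource appId

REQUIRED_GRAPH_APP_PERMISSIONS = frozenset({
    "Policy.Read.All", "Directory.Read.All", "SecurityEvents.Read.All",
    "DeviceManagementConfiguration.Read.All", "DeviceManagementApps.Read.All",
    "DeviceManagementManagedDevices.Read.All", "SecurityIncident.Read.All",
    "SharePointTenantSettings.Read.All", "AuditLog.Read.All",
})


def validate_graph_permissions(app_reg: dict, grants: list, graph_sp: dict) -> dict:
    """Classify each required permission as consented, awaiting admin consent,
    requested with the wrong type (delegated), or never requested.

    Only appRoleAssignments whose resourceId is the Graph service principal's
    object id count as consent; a permission present in the manifest without a
    matching assignment has not been admin-consented."""
    app_roles = {r["id"]: r["value"] for r in graph_sp["appRoles"]}                # application perms
    delegated = {s["id"]: s["value"] for s in graph_sp["oauth2PermissionScopes"]}  # delegated perms

    consented = {
        app_roles[g["appRoleId"]] for g in grants
        if g["resourceId"] == graph_sp["id"] and g["appRoleId"] in app_roles
    }
    requested_app, requested_delegated = set(), set()
    for rra in app_reg.get("requiredResourceAccess", []):
        if rra["resourceAppId"] != GRAPH_APP_ID:
            continue
        for access in rra["resourceAccess"]:
            if access["type"] == "Role":   # application permission
                requested_app.add(app_roles.get(access["id"], access["id"]))
            else:                          # "Scope": delegated, unusable with client credentials
                requested_delegated.add(delegated.get(access["id"], access["id"]))

    missing = REQUIRED_GRAPH_APP_PERMISSIONS - consented
    return {
        "ok": not missing,
        "consented": sorted(consented & REQUIRED_GRAPH_APP_PERMISSIONS),
        "needs_admin_consent": sorted(missing & requested_app),
        "wrong_type_delegated": sorted(missing & (requested_delegated - requested_app)),
        "not_requested": sorted(missing - requested_app - requested_delegated),
        "extra": sorted(consented - REQUIRED_GRAPH_APP_PERMISSIONS),  # beyond least privilege
    }


# ---- Constructed sample tenant. Real appRole ids are GUIDs published by
# Microsoft Graph; here they are derived deterministically so the sample runs offline.
def _fake_id(kind: str, name: str) -> str:
    return str(uuid.uuid5(uuid.NAMESPACE_URL, f"example.invalid/{kind}/{name}"))

_ALL_ROLES = sorted(REQUIRED_GRAPH_APP_PERMISSIONS | {"User.Read.All"})
SAMPLE_GRAPH_SP = {
    "id": "0f0f0f0f-0000-4000-8000-000000000001",  # constructed Graph SP object id
    "appId": GRAPH_APP_ID,
    "appRoles": [{"id": _fake_id("role", n), "value": n} for n in _ALL_ROLES],
    "oauth2PermissionScopes": [{"id": _fake_id("scope", "AuditLog.Read.All"),
                                "value": "AuditLog.Read.All"}],
}
_CONSENTED = ["Policy.Read.All", "Directory.Read.All", "SecurityEvents.Read.All",
              "DeviceManagementConfiguration.Read.All", "DeviceManagementApps.Read.All",
              "DeviceManagementManagedDevices.Read.All", "User.Read.All"]
SAMPLE_GRANTS = [{"appRoleId": _fake_id("role", n), "resourceId": SAMPLE_GRAPH_SP["id"],
                  "principalId": "paa-m365-sp-object-id"} for n in _CONSENTED]
SAMPLE_APP_REG = {"requiredResourceAccess": [{
    "resourceAppId": GRAPH_APP_ID,
    "resourceAccess":
        [{"id": _fake_id("role", n), "type": "Role"}
         for n in _CONSENTED + ["SharePointTenantSettings.Read.All"]]  # requested, not consented
        + [{"id": _fake_id("scope", "AuditLog.Read.All"), "type": "Scope"}],  # wrong type
}]}

if __name__ == "__main__":
    import json
    print(json.dumps(validate_graph_permissions(SAMPLE_APP_REG, SAMPLE_GRANTS, SAMPLE_GRAPH_SP), indent=2))
```

On the sample tenant the report flags SharePointTenantSettings.Read.All as awaiting admin consent, AuditLog.Read.All as requested with the wrong (delegated) type, SecurityIncident.Read.All as never requested, and User.Read.All as an extra permission that should be removed. Each bucket has a different fix, which is why a plain "missing" list from the validator is worth breaking down before re-running consent.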
Guest user stale sign-in detection shows no data
AuditLog.Read.All is missing, or admin consent was not granted for it. As a Microsoft Graph application permission, it requires a Global Administrator or Privileged Role Administrator to consent; re-run admin consent after adding it and confirm the grant appears under the Enterprise Application's Permissions blade.
GitHub sync fails with 403
The GitHub App installation does not have write access to the target repository. Confirm Contents: Read and write is granted in the App's repository permissions for that specific installation, and that the installation's repository access actually includes the target repository (an installation limited to "Only select repositories" must list it).
Platform Architecture Authority — Crimson Owl Technologies Last updated: March 2026