Permission name

Description

We use this to:

Directory.Read.All

Allows the app to read data in your organization's directory, such as users, groups and apps.

Discover all available users and user groups.

Mail.Read

Allows the app to read mail in all mailboxes without a signed-in user.

Analyze mailboxes to discover SaaS activity.

UserAuthenticationMethod.Read.All

Allows the app to read authentication methods of all users in your organization, without a signed-in user. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods.

Discover user authentication methods to determine whether or not MFA is enabled.

Reports.Read.All

Allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Microsoft 365 and Azure Active Directory.

Query usage reports to enhance the user and application data.

AuditLog.Read.All

Allows the app to read and query your audit log activities, without a signed-in user.

Query users' SaaS activity.

MailboxSettings.Read

Allows the app to read user's mailbox settings without a signed-in user. Does not include permission to send mail.

Query information about users' mailboxes settings.

Domain.Read.All

Allows the app to read all domain properties without a signed-in user.

Discover all valid domains registered to your organization.

IdentityRiskEvent.Read.All

Allows the app to read identity risk event information for all users in your organization without a signed-in user.

Discover suspicious and risky activity.

IdentityRiskyUser.Read.All

Allows the app to read identity user risk information for all users in your organization without a signed-in user.

Discover suspicious and risky activity.

IdentityRiskyServicePrincipal.Read.All

Allows the app to read all risky service principal information for your organization, without a signed-in user.

Discover suspicious and risky activity.