Nudge Security analyzes data from your Microsoft Entra ID domain to discover and inventory your entire SaaS footprint, including users and OAuth grants. This requires read-only access to your organization's Microsoft Entra ID domain.
Here's a list of the current Microsoft permissions Nudge Security uses and how.
| Description | We use this to: |
|---|---|
| Allows the app to read data in your organization's directory, such as users, groups and apps. | Discover all available users and user groups. |
| Allows the app to read mail in all mailboxes without a signed-in user. | Analyze mailboxes to discover SaaS activity. |
| Allows the app to read authentication methods of all users in your organization, without a signed-in user. This does not allow the app to see secret information like passwords, or to sign in or otherwise use the authentication methods. | Discover user authentication methods to determine whether or not MFA is enabled. |
| Allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Microsoft Entra ID and Azure Active Directory. | Query usage reports to enhance the user and application data. |
| Allows the app to read and query your audit log activities, without a signed-in user. | Query users' SaaS activity. |
| Allows the app to read users' mailbox settings without a signed-in user. Does not include permission to send mail. | Query information about users' mailbox settings. |
| Allows the app to read all domain properties without a signed-in user. | Discover all valid domains registered to your organization. |
| Allows the app to read identity risk event information for all users in your organization without a signed-in user. | Discover suspicious and risky activity. |
| Allows the app to read identity user risk information for all users in your organization without a signed-in user. | Discover suspicious and risky activity. |
| Allows the app to read all risky service principal information for your organization, without a signed-in user. | Discover suspicious and risky activity. |
| Allows the app to grant or revoke any delegated permission for any API (including Microsoft Graph), without a signed-in user. | This scope allows Nudge to revoke users' OAuth grants. |
| Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, on behalf of the signed-in user. | This scope allows Nudge to revoke users' access to an app. |
| Allows the application to read the tenant-level settings of SharePoint and OneDrive, without a signed-in user. | This scope allows Nudge to discover information from the tenant settings. |
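Because the list above is what the vendor documents rather than what your tenant actually consented to, an admin will usually want to confirm the grants from the tenant side. The script below is an added example, not Nudge Security's code: it takes two Microsoft Graph responses that you would fetch beforehand (`GET /servicePrincipals/{id}/appRoleAssignments` for the integration's service principal, and the Microsoft Graph service principal's `appRoles` list), resolves each assigned `appRoleId` to its permission value and description, flags any grant whose value indicates write capability, and reports grants that are not on your approved list. The payloads embedded here are constructed, the GUIDs are made up, and the approved list is a placeholder you would replace with the permissions you reviewed and accepted.

```python
"""Audit the application permissions consented to one service principal.

Added example (not Nudge Security's code). Assumes two Microsoft Graph
responses were fetched earlier and saved as JSON:
  GET /servicePrincipals/{integrationSpId}/appRoleAssignments  -> ASSIGNMENTS
  GET /servicePrincipals/{graphSpId}?$select=appRoles           -> GRAPH_APP_ROLES
Both sample payloads below are constructed; every GUID is made up.
"""
import json

# Constructed sample: what the tenant granted to the integration's service principal.
ASSIGNMENTS = json.loads("""
{"value": [
  {"appRoleId": "11111111-1111-1111-1111-111111111111", "principalDisplayName": "Example SaaS Inventory App",
   "resourceId": "aaaaaaaa-0000-0000-0000-000000000001"},
  {"appRoleId": "22222222-2222-2222-2222-222222222222", "principalDisplayName": "Example SaaS Inventory App",
   "resourceId": "aaaaaaaa-0000-0000-0000-000000000001"},
  {"appRoleId": "33333333-3333-3333-3333-333333333333", "principalDisplayName": "Example SaaS Inventory App",
   "resourceId": "aaaaaaaa-0000-0000-0000-000000000001"},
  {"appRoleId": "99999999-9999-9999-9999-999999999999", "principalDisplayName": "Example SaaS Inventory App",
   "resourceId": "aaaaaaaa-0000-0000-0000-000000000001"}
]}
""")["value"]

# Constructed sample: a subset of the Microsoft Graph service principal's appRoles
# (id -> permission value). The values are real Graph permission names; the ids are made up.
GRAPH_APP_ROLES = json.loads("""
[
  {"id": "11111111-1111-1111-1111-111111111111", "value": "Directory.Read.All",
   "description": "Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user.",
   "allowedMemberTypes": ["Application"]},
  {"id": "22222222-2222-2222-2222-222222222222", "value": "Mail.Read",
   "description": "Allows the app to read mail in all mailboxes without a signed-in user.",
   "allowedMemberTypes": ["Application"]},
  {"id": "33333333-3333-3333-3333-333333333333", "value": "DelegatedPermissionGrant.ReadWrite.All",
   "description": "Allows the app to grant or revoke any delegated permission for any API (including Microsoft Graph), without a signed-in user.",
   "allowedMemberTypes": ["Application"]},
  {"id": "44444444-4444-4444-4444-444444444444", "value": "Domain.Read.All",
   "description": "Allows the app to read all domain properties without a signed-in user.",
   "allowedMemberTypes": ["Application"]}
]
""")


def resolve_grants(assignments, app_roles):
    """Map each appRoleAssignment to the permission value/description it refers to.

    An appRoleId that is not in the resource's appRoles list is reported as
    "<unknown>" rather than silently dropped, so stale or mismatched grants
    still show up in the review.
    """
    by_id = {role["id"]: role for role in app_roles}
    grants = []
    for assignment in assignments:
        role = by_id.get(assignment["appRoleId"])
        grants.append({
            "appRoleId": assignment["appRoleId"],
            "value": role["value"] if role else "<unknown>",
            "description": role["description"] if role else "(appRoleId not found in resource appRoles)",
        })
    return grants


def write_capable(grants):
    """Heuristic: a Graph permission value containing 'Write' can change tenant state.

    Useful for checking a "read-only access" claim against what was consented.
    """
    return [g["value"] for g in grants if "Write" in g["value"]]


def unexpected_grants(grants, approved_values):
    """Return the values of grants that are not on the reviewed/approved list."""
    return [g["value"] for g in grants if g["value"] not in approved_values]


if __name__ == "__main__":
    # Placeholder approved list: replace with the permissions you reviewed and accepted.
    APPROVED = {"Directory.Read.All", "Mail.Read"}
    found = resolve_grants(ASSIGNMENTS, GRAPH_APP_ROLES)
    for g in found:
        print(f"{g['value']:45} {g['description']}")
    print("write-capable:", write_capable(found))
    print("not on approved list:", unexpected_grants(found, APPROVED))
```

Run it against real output by replacing the two embedded payloads with the saved Graph responses; the `value` strings are what the Entra admin center shows under the enterprise application's Permissions blade, so the report can be compared line by line with the table above. Note that the two revocation scopes in the table are write capabilities and will be flagged by `write_capable`, which is the intended behaviour: the report tells you exactly which grants go beyond read-only so you can decide whether to keep them.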