OAuth Scopes List for Microsoft Entra ID

A list of the Microsoft Entra ID access permissions Nudge Security uses for data analysis

Written by Danielle
Updated over 2 months ago

Nudge Security analyzes data from your Microsoft Entra ID domain to discover and inventory your entire SaaS footprint, including users and OAuth grants. This requires read-only access to your organization's Microsoft Entra ID domain.

Here's a list of the current Microsoft permissions Nudge Security uses and how each one is used.

Description: Allows the app to read data in your organization's directory, such as users, groups and apps.
We use this to: Discover all available users and user groups.

Description: Allows the app to read mail in all mailboxes without a signed-in user.
We use this to: Analyze mailboxes to discover SaaS activity.

Description: Allows the app to read authentication methods of all users in your organization, without a signed-in user. This does not allow the app to see secret information like passwords, or to sign in or otherwise use the authentication methods.
We use this to: Discover user authentication methods to determine whether or not MFA is enabled.

Description: Allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Microsoft Entra ID and Azure Active Directory.
We use this to: Query usage reports to enhance the user and application data.

Description: Allows the app to read and query your audit log activities, without a signed-in user.
We use this to: Query users' SaaS activity.

Description: Allows the app to read users' mailbox settings without a signed-in user. Does not include permission to send mail.
We use this to: Query information about users' mailbox settings.

Description: Allows the app to read all domain properties without a signed-in user.
We use this to: Discover all valid domains registered to your organization.

Description: Allows the app to read identity risk event information for all users in your organization without a signed-in user.
We use this to: Discover suspicious and risky activity.

Description: Allows the app to read identity user risk information for all users in your organization without a signed-in user.
We use this to: Discover suspicious and risky activity.

Description: Allows the app to read all risky service principal information for your organization, without a signed-in user.
We use this to: Discover suspicious and risky activity.

Description: Allows the app to grant or revoke any delegated permission for any API (including Microsoft Graph), without a signed-in user.
We use this to: This scope allows Nudge to revoke users' OAuth grants.

Description: Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, on behalf of the signed-in user.
We use this to: This scope allows Nudge to revoke users' access to an app.

Description: Allows the application to read the tenant-level settings of SharePoint and OneDrive, without a signed-in user.
We use this to: This scope allows Nudge to discover information from the tenant settings.
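As an added example (not from this article or from Nudge Security), here is a Python check an Entra ID administrator can run over exported Microsoft Graph data to confirm which application permissions an integration's service principal actually holds, and which of them are write-capable rather than read-only. The appRole ids, the "sp-graph" resource id and the assignment list are constructed placeholders; only the Microsoft Graph appId is real.

```python
# Classify the application permissions granted to one service principal as
# read-only or write-capable. Runs offline on constructed data shaped like the
# Microsoft Graph appRoles of the resource and the principal's appRoleAssignments.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # real appId of Microsoft Graph

# Constructed sample of the Graph resource's appRoles; ids are placeholders,
# not Microsoft's real role GUIDs.
GRAPH_SP = {
    "appId": GRAPH_APP_ID,
    "appRoles": [
        {"id": "r1", "value": "Directory.Read.All"},
        {"id": "r2", "value": "Mail.Read"},
        {"id": "r4", "value": "DelegatedPermissionGrant.ReadWrite.All"},
        {"id": "r5", "value": "Mail.Send"},
    ],
}

# Constructed sample of the integration's appRoleAssignments; "r9" is an id the
# resource no longer advertises, which a reviewer should not silently skip.
ASSIGNMENTS = [
    {"appRoleId": "r1", "resourceId": "sp-graph"},
    {"appRoleId": "r2", "resourceId": "sp-graph"},
    {"appRoleId": "r4", "resourceId": "sp-graph"},
    {"appRoleId": "r9", "resourceId": "sp-graph"},
]

def is_read_only(permission: str) -> bool:
    """Graph permission names are dot-separated (Resource.Action[.Scope]).
    Only an action of Read or ReadBasic is read-only; ReadWrite, Send, Create,
    Manage and anything unrecognised count as write-capable (conservative)."""
    return any(seg in ("Read", "ReadBasic") for seg in permission.split("."))

def resolve_assignments(assignments, resource_sp):
    """Map each appRoleId back to its permission name via the resource's appRoles.
    Returns sorted lists under read_only / write_capable, plus unresolved ids
    under unknown."""
    roles = {r["id"]: r["value"] for r in resource_sp["appRoles"]}
    out = {"read_only": [], "write_capable": [], "unknown": []}
    for a in assignments:
        name = roles.get(a["appRoleId"])
        if name is None:
            out["unknown"].append(a["appRoleId"])
        else:
            out["read_only" if is_read_only(name) else "write_capable"].append(name)
    return {k: sorted(v) for k, v in out.items()}

if __name__ == "__main__":
    for bucket, names in resolve_assignments(ASSIGNMENTS, GRAPH_SP).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Against a live tenant, feed it the real appRoleAssignments of the integration's service principal and the appRoles of the Microsoft Graph service principal; any entry under write_capable is a permission that can change state, and any entry under unknown deserves a manual look.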
