Microsoft Permissions
Maintained by: Aether365 Team
Audience: Microsoft 365 Global Administrators and security teams
Scope: Full list of Microsoft Graph permissions requested by Aether365
When you connect a Microsoft 365 tenant to Aether365, your Global Administrator approves a set of read-only permissions on the Microsoft consent screen. This page lists every permission, its type, and why it is needed.
The permissions on this page are the read-only permissions used for scanning, and they are the default for every connected tenant. Aether365 also offers an optional, opt-in capability called AI Pilot, which adds a separate set of write permissions through a second consent so it can apply fixes you approve. AI Pilot write permissions are only granted if you explicitly enable AI Pilot for a tenant; otherwise the connection stays read-only.
Key Points
- The scan permissions are application-level (not delegated to a user)
- The scan permissions are read-only: scanning cannot create, modify, or delete any data in your tenant
- Write access is never granted by scanning. It is added only if you opt in to AI Pilot, through a separate consent, and is used solely to apply fixes you approve per item
- Permissions are granted once via Global Admin consent and persist until you remove them in your tenant, by deleting the Aether365 service principal or revoking individual grants. Disconnecting the tenant in the Aether365 dashboard stops scans but does not remove the consent grant from Microsoft Entra (the scan permissions below are read-only, so Aether365 cannot remove its own grants), so do both when offboarding
- You can review and revoke permissions at any time from Microsoft Entra admin center > Enterprise Applications > Aether365
Permission Reference
The "Used by" column indicates which scan type requires the permission: C = Compliance scan, E = Exposure scan, C+E = both. All entries are Microsoft Graph application permissions. Note that several are tenant-wide read scopes whose reach goes beyond configuration: for example, Sites.Read.All permits reading the content of every SharePoint site collection, and MailboxSettings.Read permits reading every user's mailbox settings. Review them against your data-handling requirements before consenting.
| Permission | Type | Used by | Why it is needed |
|---|---|---|---|
| AccessReview.Read.All | Application | E | Read access review definitions and results for governance checks |
| AppCatalog.Read.All | Application | E | Read enterprise app catalog entries and approval policies |
| Application.Read.All | Application | E | Read application registrations and credential configurations |
| AuditLog.Read.All | Application | E | Read audit and sign-in logs required for EIDSCA and CISA benchmark checks |
| ConsentRequest.Read.All | Application | E | Read user consent requests and admin consent workflow state |
| CrossTenantInformation.ReadBasic.All | Application | E | Read cross-tenant access settings for B2B collaboration checks |
| DeviceManagementApps.Read.All | Application | E | Read Intune app protection and app configuration policies |
| DeviceManagementConfiguration.Read.All | Application | E | Read Intune device configuration policies |
| DeviceManagementManagedDevices.Read.All | Application | E | Read managed device inventory and compliance state |
| DeviceManagementRBAC.Read.All | Application | E | Read Intune RBAC role assignments |
| Directory.Read.All | Application | C+E | Read users, groups, service principals, and directory objects to assess identity configuration |
| DirectoryRecommendations.Read.All | Application | E | Read Entra ID recommendations for security posture improvements |
| EntitlementManagement.Read.All | Application | E | Read access packages and entitlement management policies |
| ExternalConnection.Read.All | Application | E | Read external connections and connectors for data exposure checks |
| GroupMember.Read.All | Application | E | Read group membership to assess role and permission inheritance |
| IdentityProvider.Read.All | Application | E | Read configured identity providers and federation settings |
| IdentityRiskEvent.Read.All | Application | E | Read risk event detections from Identity Protection |
| IdentityRiskyUser.Read.All | Application | E | Read risky user detections from Microsoft Entra ID Protection |
| MailboxSettings.Read | Application | C | Read Exchange Online mailbox settings for CIS email security controls |
| Organization.Read.All | Application | C+E | Read tenant-level configuration, license assignments, and organisation profile |
| Policy.Read.All | Application | C+E | Read conditional access policies, authentication strength policies, and other security policies |
| Policy.Read.ConditionalAccess | Application | E | Read conditional access policy details for misconfiguration checks |
| PrivilegedAccess.Read.AzureAD | Application | E | Read PIM role eligibility and activation settings |
| PrivilegedEligibilitySchedule.Read.AzureADGroup | Application | E | Read PIM group eligibility schedules |
| Reports.Read.All | Application | C+E | Read usage reports and sign-in activity required by CIS and CISA benchmark checks |
| RoleEligibilitySchedule.Read.Directory | Application | E | Read PIM role eligibility schedules for just-in-time access checks |
| RoleManagement.Read.All | Application | C+E | Read Entra ID role assignments to detect over-privileged accounts |
| RoleManagementPolicy.Read.AzureADGroup | Application | E | Read PIM policies applied to group role assignments |
| SecurityEvents.Read.All | Application | C+E | Read security alerts and events for threat exposure assessment |
| SharePointTenantSettings.Read.All | Application | E | Read SharePoint tenant-wide sharing and security settings |
| Sites.Read.All | Application | E | Read SharePoint site configurations and sharing settings |
| Team.ReadBasic.All | Application | E | Read Teams team settings to assess external access and federation controls |
| TeamsAppInstallation.ReadForUser.All | Application | E | Read installed Teams apps to detect unapproved third-party applications |
| User.Read.All | Application | C+E | Read user profiles, sign-in settings, and license assignments |
| UserAuthenticationMethod.Read.All | Application | C+E | Read registered MFA methods to verify per-user authentication strength |
Reviewing Granted Permissions
To verify which permissions Aether365 has in your tenant:
- Sign in to the Microsoft Entra admin center
- Navigate to Enterprise Applications
- Search for "Aether365"
- Select the application and open Permissions
The permissions page shows all consented permissions along with who granted consent and when.
Revoking Permissions
To revoke all Aether365 permissions from a tenant:
- In Microsoft Entra admin center > Enterprise Applications, select Aether365
- Click Delete to remove the service principal entirely
This revokes every granted permission and stops Aether365 from accessing the tenant; any further scan attempts fail. To stop scans from being attempted at all, also disconnect the tenant in the Aether365 dashboard (Settings > Connections). If you only want to remove a single grant, open the application's Permissions page instead and revoke that permission rather than deleting the service principal.
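The two procedures above work through the portal. For a repeatable check, the script below (an added example, not Aether365's own tooling) reads the consent that actually exists in your tenant and compares it with the table on this page: it lists documented permissions that are not granted, grants that are not documented, any grant whose name does not look like a read scope (which should be absent unless AI Pilot is enabled), and any delegated grants (the page states that scanning uses application permissions only). It assumes the Microsoft Graph PowerShell SDK is installed and that the enterprise application is named exactly "Aether365"; the page gives no application (client) ID, so the lookup is by display name. The `$Expected` array is copied from the table. The read-scope test is a naming-convention heuristic, not an authoritative classification.

```powershell
# Added example: audit the Microsoft Graph permissions consented to the Aether365
# service principal against the documented read-only list. Not Aether365 code.
# Assumptions: Microsoft Graph PowerShell SDK; enterprise app display name "Aether365".
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications

# Read-only scan permissions documented on this page.
$Expected = @(
  'AccessReview.Read.All', 'AppCatalog.Read.All', 'Application.Read.All',
  'AuditLog.Read.All', 'ConsentRequest.Read.All', 'CrossTenantInformation.ReadBasic.All',
  'DeviceManagementApps.Read.All', 'DeviceManagementConfiguration.Read.All',
  'DeviceManagementManagedDevices.Read.All', 'DeviceManagementRBAC.Read.All',
  'Directory.Read.All', 'DirectoryRecommendations.Read.All', 'EntitlementManagement.Read.All',
  'ExternalConnection.Read.All', 'GroupMember.Read.All', 'IdentityProvider.Read.All',
  'IdentityRiskEvent.Read.All', 'IdentityRiskyUser.Read.All', 'MailboxSettings.Read',
  'Organization.Read.All', 'Policy.Read.All', 'Policy.Read.ConditionalAccess',
  'PrivilegedAccess.Read.AzureAD', 'PrivilegedEligibilitySchedule.Read.AzureADGroup',
  'Reports.Read.All', 'RoleEligibilitySchedule.Read.Directory', 'RoleManagement.Read.All',
  'RoleManagementPolicy.Read.AzureADGroup', 'SecurityEvents.Read.All',
  'SharePointTenantSettings.Read.All', 'Sites.Read.All', 'Team.ReadBasic.All',
  'TeamsAppInstallation.ReadForUser.All', 'User.Read.All', 'UserAuthenticationMethod.Read.All'
)

# Reading service principals and app role assignments needs Application.Read.All;
# reading delegated (oauth2PermissionGrant) objects needs Directory.Read.All.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

# 1. Locate the Aether365 service principal (display name is not guaranteed unique;
#    prefer "appId eq '<client id>'" if the vendor gives you the ID).
$sp = @(Get-MgServicePrincipal -Filter "displayName eq 'Aether365'" -All)
if ($sp.Count -eq 0) { throw "No enterprise application named 'Aether365' in this tenant." }
if ($sp.Count -gt 1) { throw "Several service principals named 'Aether365'; filter by appId instead." }
$sp = $sp[0]

# 2. Map appRoleId GUIDs to permission names using the Microsoft Graph resource
#    service principal (well-known appId 00000003-0000-0000-c000-000000000000).
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleName = @{}
foreach ($r in $graphSp.AppRoles) { $roleName[$r.Id.ToString()] = $r.Value }

# 3. Application permissions are app role assignments held by the service principal.
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
  Where-Object { $_.ResourceId.ToString() -eq $graphSp.Id }
$granted = foreach ($a in $assignments) {
  [pscustomobject]@{
    Permission   = $roleName[$a.AppRoleId.ToString()]
    AssignmentId = $a.Id            # needed to revoke one grant individually
    Granted      = $a.CreatedDateTime
  }
}
$grantedNames = @($granted | ForEach-Object Permission)

# 4. Compare with the documented list.
$missing    = $Expected | Where-Object { $_ -notin $grantedNames }
$unexpected = $granted  | Where-Object { $_.Permission -notin $Expected }
# Heuristic: Graph read scopes are named *.Read.* / *.ReadBasic.* / trailing .Read.
# Anything else (ReadWrite, Create, Manage, ...) can change tenant state.
$writeCapable = $granted | Where-Object { $_.Permission -notmatch '\.Read(Basic)?(\.|$)' }

# 5. Delegated grants: scanning is application-only, so any of these needs explaining.
$delegated = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All

"Application permissions granted to $($sp.DisplayName): $($grantedNames.Count) (documented: $($Expected.Count))"
if ($missing)      { "Documented but NOT granted:`n  " + ($missing -join "`n  ") }
if ($unexpected)   { "Granted but NOT on the documented list:`n  " + (($unexpected | ForEach-Object Permission) -join "`n  ") }
if ($writeCapable) { "WRITE-CAPABLE grants (expect none unless AI Pilot is enabled):`n  " + (($writeCapable | ForEach-Object Permission) -join "`n  ") }
if ($delegated)    { "Delegated grants present (unexpected for scanning): " + (($delegated | ForEach-Object Scope) -join ' ') }

# Targeted revocation of one unexpected grant, instead of deleting the whole service
# principal (requires the AppRoleAssignment.ReadWrite.All scope at Connect-MgGraph):
#   Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -AppRoleAssignmentId <AssignmentId>
```

Run this after the initial consent and again after any Aether365 release notes that mention new permissions; a non-empty "WRITE-CAPABLE" section on a tenant where AI Pilot is disabled is the finding to escalate. The `$unexpected` output is also the quickest way to spot the AI Pilot write set if someone enabled it without telling the security team.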
Questions
If you have questions about a specific permission or need to discuss permission scope for an Enterprise deployment, contact security@aether365.io.