# Permissions

### Overview

This page describes the permissions and access model for this agent.\
The agent uses **read-only access** to Microsoft Intune and Microsoft Entra ID data through the **Microsoft Graph API** and **Security Copilot Plugins**.\
It is designed to analyze configuration settings, device assignments, and policy compliance without making any changes to your environment.

***

### How It Works

The agent connects securely to your tenant using Microsoft Graph API endpoints to retrieve Intune and Entra ID data.\
It processes this information to assess configuration health, assignment coverage, and compliance alignment.

All interactions follow these principles:

* **Read-only access:** The agent cannot modify, create, or delete configurations.
* **Least privilege:** Only the minimum permissions required to read Intune and Entra ID data are used.
* **Transparency:** All data access occurs through documented Graph API endpoints and can be audited in Microsoft Entra.

***

### Required Entra ID Roles

Assign the following roles to the administrator account that installs and runs the agent:

| Role                 | Description                                                                        |
| -------------------- | ---------------------------------------------------------------------------------- |
| **Intune Reader**    | Provides read-only access to Intune configuration, compliance, and device data.    |
| **Directory Reader** | Grants read-only access to Entra ID users, groups, and directory information.      |
| **Security Reader**  | Enables visibility into security insights and reports without modification rights. |

{% hint style="info" %}
These roles follow the principle of least privilege. Adjust based on your organization’s security and governance policies.
{% endhint %}

***

### Data Access Transparency

The following table outlines what data the agent can access and for what purpose.

| Data Type                                      | Access Level | Purpose                                                                       |
| ---------------------------------------------- | ------------ | ----------------------------------------------------------------------------- |
| **Intune configuration profiles and policies** | Read-only    | To analyze deployment configurations, compliance settings, and policy status. |
| **Device and user assignments**                | Read-only    | To generate insights on targeting, compliance, and configuration coverage.    |
| **Entra ID directory data**                    | Read-only    | To correlate users, groups, and device relationships for reporting.           |
| **Security insights and alerts**               | Read-only    | To improve visibility into potential misconfigurations or compliance risks.   |

**Data handling:**

* The agent does **not** modify or export customer data outside the tenant boundary.
* All data access is limited to the **Microsoft Graph API** using delegated or application permissions.
* All access activity is logged in **Microsoft Entra audit logs** for traceability and compliance.
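A check a tenant administrator can run before consenting to the agent's app registration, to confirm that every requested Graph permission is in fact read-only. This is an added example, not code from the agent or its vendor; the grant objects are constructed to mirror the shape of Graph's `oauth2PermissionGrant` objects, and the permission names are assumed for illustration.

```python
"""Least-privilege check for a Graph app registration: flag any consented
permission that is not read-only. Sample data below is constructed, not
captured from a real tenant."""
from typing import Iterable, List

# OpenID Connect sign-in scopes that carry no directory data access.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}
# Action tokens in Graph permission names that grant only read access.
READ_ACTIONS = {"Read", "ReadBasic"}


def is_read_only(permission: str) -> bool:
    """True for Graph permissions shaped <Resource>.Read[.All] or <Resource>.ReadBasic.All."""
    if permission in OIDC_SCOPES:
        return True
    parts = permission.split(".")
    return len(parts) >= 2 and parts[1] in READ_ACTIONS


def find_write_permissions(delegated_grants: List[dict], application_roles: Iterable[str]) -> List[str]:
    """Return every consented permission that exceeds read-only access.

    delegated_grants: oauth2PermissionGrant-like dicts; 'scope' is a
    space-separated string, as Graph returns it.
    application_roles: app-role 'value' strings. Graph's appRoleAssignments
    carry appRoleId GUIDs, which must first be resolved against the Microsoft
    Graph service principal's appRoles (assumed already done here).
    """
    delegated = {s for g in delegated_grants for s in g.get("scope", "").split()}
    return sorted(p for p in delegated | set(application_roles) if not is_read_only(p))


# Constructed sample: one tenant-wide delegated consent plus two application permissions.
SAMPLE_GRANTS = [
    {"consentType": "AllPrincipals",
     "scope": "openid profile DeviceManagementConfiguration.Read.All "
              "Directory.Read.All SecurityEvents.Read.All"},
]
SAMPLE_APP_ROLES = ["DeviceManagementManagedDevices.Read.All",
                    "DeviceManagementConfiguration.ReadWrite.All"]  # should not be consented

if __name__ == "__main__":
    offending = find_write_permissions(SAMPLE_GRANTS, SAMPLE_APP_ROLES)
    print("permissions exceeding read-only:", offending or "none")
```

Any permission the check reports should be removed from the app registration before consent is granted, since the agent's documented access model needs none of them.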

***

### Agent Settings

The agent supports configurable parameters to adjust the scope and depth of analysis.

| Setting   | Options                              | Description                                                                                                                                                                                                                                                                                  |
| --------- | ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Scope** | `devices`, `policies`, `assignments` | Determines which Intune areas are included in the analysis.                                                                                                                                                                                                                                  |
| **Mode**  | `quick`, `standard`, `deep`          | <p>Defines analysis depth and performance trade-offs.<br>• <code>quick</code> — Basic overview of configurations.<br>• <code>standard</code> — Balanced analysis with most metrics (recommended).<br>• <code>deep</code> — Detailed inspection with extended reporting and cross-checks.</p> |

{% hint style="info" %}
Ensure that all required roles are assigned to the administrator account before running the agent.
{% endhint %}

***

### Security and Compliance Considerations

* All communication with Microsoft Graph is encrypted using HTTPS and secured by Microsoft identity services.
* The agent adheres to Microsoft’s **zero trust** and **least privilege** principles.
* Access can be reviewed or revoked at any time through **Entra ID role assignments** or **application consent management**.

***

### Next Steps

* Verify that the administrator account has all required roles assigned.
* Review your organization’s least-privilege and role assignment policies.

***

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://agents.glueckkanja.com/agents/assignment-insights/permissions.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
