Go to glueckkanja Website

Permissions

Overview

This page describes the permissions and access model for this agent. The agent uses read-only access to Microsoft Intune and Microsoft Entra ID data through the Microsoft Graph API and Security Copilot Plugins. It is designed to analyze configuration settings, device assignments, and policy compliance without making any changes to your environment.

How It Works

The agent connects securely to your tenant using Microsoft Graph API endpoints to retrieve Intune and Entra ID data. It processes this information to assess configuration health, assignment coverage, and compliance alignment.

All interactions follow these principles:

  • Read-only access: The agent cannot modify, create, or delete configurations.

  • Least privilege: Only the minimum permissions required to read Intune and Entra ID data are used.

  • Transparency: All data access occurs through documented Graph API endpoints and can be audited in Microsoft Entra.

Required Entra ID Roles

Assign the following roles to the administrator account that installs and runs the agent:

Role
Description

Intune Reader

Provides read-only access to Intune configuration, compliance, and device data.

Directory Reader

Grants read-only access to Entra ID users, groups, and directory information.

Security Reader

Enables visibility into security insights and reports without modification rights.

These roles follow the principle of least privilege. Adjust based on your organization’s security and governance policies.

Data Access Transparency

The following table outlines what data the agent can access and for what purpose.

Data Type
Access Level
Purpose

Intune configuration profiles and policies

Read-only

To analyze deployment configurations, compliance settings, and policy status.

Device and user assignments

Read-only

To generate insights on targeting, compliance, and configuration coverage.

Entra ID directory data

Read-only

To correlate users, groups, and device relationships for reporting.

Security insights and alerts

Read-only

To improve visibility into potential misconfigurations or compliance risks.

Data handling:

  • The agent does not modify or export customer data outside the tenant boundary.

  • All data access is limited to the Microsoft Graph API using delegated or application permissions.

  • All access activity is logged in Microsoft Entra audit logs for traceability and compliance.

Agent Settings

The agent supports configurable parameters to adjust the scope and depth of analysis.

Setting
Options
Description

Scope

devices, policies, assignments

Determines which Intune areas are included in the analysis.

Mode

quick, standard, deep

Defines analysis depth and performance trade-offs. • quick — Basic overview of configurations. • standard — Balanced analysis with most metrics (recommended). • deep — Detailed inspection with extended reporting and cross-checks.

Ensure that all required roles are assigned to the administrator account before running the agent.

Security and Compliance Considerations

  • All communication with Microsoft Graph is encrypted using HTTPS and secured by Microsoft identity services.

  • The agent adheres to Microsoft’s zero trust and least privilege principles.

  • Access can be reviewed or revoked at any time through Entra ID role assignments or application consent management.

Next Steps

  • Verify that the administrator account has all required roles assigned.

  • Review your organization’s least-privilege and role assignment policies.

PreviousOverviewNextChangelog

Last updated

Was this helpful?