# Permissions

### Overview

This page describes the permissions, configuration requirements, and access model for this agent.\
The agent uses **read-only access** to Microsoft Purview and Microsoft Security Copilot data.\
Its purpose is to analyze data classification patterns, DLP policy activity, and security insights without modifying any configurations.

***

### How It Works

The agent connects securely to your tenant using Microsoft Graph API endpoints to read Microsoft Purview classification and DLP data.\
It analyzes these signals to identify patterns, assess coverage, and provide recommendations for improving data protection posture.

All interactions follow these principles:

* **Read-only access:** The agent does not modify or create configurations, policies, or classifiers.
* **Least privilege:** The agent requests only the minimum permissions needed to read Purview and security data; no write scopes are involved.
* **Transparency:** All data access is through documented Graph API endpoints and is auditable in Microsoft Entra.

***

### Required Entra ID Roles

Assign the following roles to the administrator account that installs and runs the agent:

| Role                              | Description                                                                              |
| --------------------------------- | ---------------------------------------------------------------------------------------- |
| **Compliance Data Administrator** | Provides read-only access to Microsoft Purview classification and DLP data.              |
| **Security Reader**               | Grants read-only visibility into security events and alerts.                             |
| **Global Reader** *(optional)*    | Allows read-only access across Microsoft 365 services for cross-domain data correlation. |

{% hint style="info" %}
These roles follow the principle of least privilege. Adjust based on your organization’s security and compliance requirements.
{% endhint %}
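The following added example (not part of this documentation or the agent's own code) shows how an administrator could verify the role assignments above before installing the agent. It assumes the response shape of the Microsoft Graph `GET /users/{id}/memberOf` call, where directory roles, groups and other directory objects share one collection and are distinguished by `@odata.type`; the sample payload and its ids are constructed placeholders, not real tenant values. Beyond confirming the two required roles, it flags active roles the agent does not need, which is the check the least-privilege hint asks for.

```python
from typing import Any

# Roles this page lists for the installing administrator account.
REQUIRED_ROLES = {"Compliance Data Administrator", "Security Reader"}
OPTIONAL_ROLES = {"Global Reader"}

# Constructed sample of a Graph memberOf payload (shape assumed from the
# Graph directoryObject model; ids are placeholders, not real values).
SAMPLE_MEMBER_OF: dict[str, Any] = {
    "value": [
        {"@odata.type": "#microsoft.graph.directoryRole",
         "id": "00000000-0000-0000-0000-000000000001",
         "displayName": "Security Reader"},
        # A security *group* that merely happens to be named like a role:
        # it is not a directory role assignment and must not count.
        {"@odata.type": "#microsoft.graph.group",
         "id": "00000000-0000-0000-0000-000000000002",
         "displayName": "Compliance Data Administrator"},
        {"@odata.type": "#microsoft.graph.directoryRole",
         "id": "00000000-0000-0000-0000-000000000003",
         "displayName": "Global Administrator"},
    ]
}


def directory_roles(member_of: dict[str, Any]) -> set[str]:
    """Return the names of active directory roles in a memberOf payload.

    Groups, administrative units and other directoryObjects share the same
    collection, so filter on @odata.type rather than trusting displayName.
    """
    return {
        obj["displayName"]
        for obj in member_of.get("value", [])
        if obj.get("@odata.type") == "#microsoft.graph.directoryRole"
    }


def check_roles(member_of: dict[str, Any]) -> dict[str, Any]:
    """Compare assigned roles against the required and optional set.

    'excess' lists active roles the agent does not need; on a dedicated
    installation account those are worth reviewing under least privilege.
    """
    have = directory_roles(member_of)
    return {
        "ok": REQUIRED_ROLES <= have,
        "missing": sorted(REQUIRED_ROLES - have),
        "optional_missing": sorted(OPTIONAL_ROLES - have),
        "excess": sorted(have - REQUIRED_ROLES - OPTIONAL_ROLES),
    }


if __name__ == "__main__":
    import json
    # With the constructed sample: not ok, Compliance Data Administrator
    # missing (the group does not count), Global Administrator in excess.
    print(json.dumps(check_roles(SAMPLE_MEMBER_OF), indent=2))
```

Note that `memberOf` returns direct memberships only and shows roles that are currently active; an eligible-but-not-activated Privileged Identity Management assignment will not appear until it is activated, which is usually the desired state for an installation account.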

***

### Data Access Transparency

The following table outlines what data the agent can access and for what purpose.

| Data Type                                    | Access Level | Purpose                                                               |
| -------------------------------------------- | ------------ | --------------------------------------------------------------------- |
| **Purview classification and labeling data** | Read-only    | To evaluate data sensitivity distribution and policy effectiveness.   |
| **DLP policy match events**                  | Read-only    | To analyze data loss trends and identify areas for improved coverage. |
| **Security insights and alerts**             | Read-only    | To correlate data protection events with broader security signals.    |
| **Tenant configuration metadata**            | Read-only    | To contextualize results without making configuration changes.        |

**Data handling:**

* The agent does **not** modify or export customer data outside the tenant boundary.
* All access is limited to the **Microsoft Graph API** using delegated or application permissions.
* All activity is recorded in **Microsoft Entra audit logs** for transparency and compliance verification.

***

### Agent Settings

When running the agent, the following parameters can be configured to control analysis depth and time range.

| Setting       | Options                                       | Description                                                                                                                                                                                                                                                                                                            |
| ------------- | --------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **TimeRange** | `30`, `last_30_days`, `2025-01-01/2025-01-31` | Defines the time window for classification and DLP event analysis.                                                                                                                                                                                                                                                     |
| **Mode**      | `quick`, `standard`, `deep`                   | <p>Determines analysis depth and resource usage.<br>• <code>quick</code> — Fast analysis with limited recommendations.<br>• <code>standard</code> — Balanced depth and performance (recommended).<br>• <code>deep</code> — Comprehensive analysis with detailed statistics and extended insights (uses more SCUs).</p> |

{% hint style="info" %}
The agent requires **at least 30 days of classification and detection data** for meaningful results.
{% endhint %}
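As an added example (not code from this documentation or the agent itself), the parser below turns the three `TimeRange` forms shown in the settings table into a concrete date window and checks it against the 30-day minimum from the hint above. The interpretation of the forms is an assumption: a bare number such as `30` and the named form `last_30_days` are taken as that many trailing days ending today (inclusive), and `2025-01-01/2025-01-31` as an inclusive ISO 8601 start/end pair.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta

MIN_DAYS = 30  # minimum data window the page requires for meaningful results

_RELATIVE = re.compile(r"^last_(\d+)_days$")
_ABSOLUTE = re.compile(r"^(\d{4}-\d{2}-\d{2})/(\d{4}-\d{2}-\d{2})$")


@dataclass(frozen=True)
class TimeWindow:
    start: date  # inclusive
    end: date    # inclusive

    @property
    def days(self) -> int:
        return (self.end - self.start).days + 1


def _as_date(today: date | str | None) -> date:
    """Accept a date, an ISO string (handy on the command line) or None."""
    if today is None:
        return date.today()
    return today if isinstance(today, date) else date.fromisoformat(today)


def parse_time_range(value: str, today: date | str | None = None) -> TimeWindow:
    """Parse a TimeRange setting into an inclusive date window.

    Assumed meaning of the documented forms:
      "30"                    -> the last 30 days ending today
      "last_30_days"          -> same, in named form
      "2025-01-01/2025-01-31" -> explicit ISO 8601 start/end, both inclusive
    Raises ValueError for anything else, for non-positive spans and for
    calendar-invalid or reversed dates.
    """
    today = _as_date(today)
    text = value.strip()

    if text.isdigit():
        days = int(text)
    elif (m := _RELATIVE.match(text)):
        days = int(m.group(1))
    elif (m := _ABSOLUTE.match(text)):
        # date.fromisoformat rejects impossible dates such as 2025-02-30.
        start, end = date.fromisoformat(m.group(1)), date.fromisoformat(m.group(2))
        if end < start:
            raise ValueError(f"TimeRange end precedes start: {text!r}")
        return TimeWindow(start, end)
    else:
        raise ValueError(f"Unrecognised TimeRange {text!r}")

    if days < 1:
        raise ValueError(f"TimeRange must cover at least one day: {text!r}")
    return TimeWindow(start=today - timedelta(days=days - 1), end=today)


def check_time_range(value: str, today: date | str | None = None) -> tuple[TimeWindow, list[str]]:
    """Parse a TimeRange and return (window, warnings) for the operator."""
    now = _as_date(today)
    window = parse_time_range(value, now)
    warnings: list[str] = []
    if window.days < MIN_DAYS:
        warnings.append(f"window covers {window.days} days; at least {MIN_DAYS} are required")
    if window.end > now:
        warnings.append("window ends in the future; no classification or DLP events exist yet for those days")
    return window, warnings


def is_valid_time_range(value: str, today: date | str | None = None) -> bool:
    """True when the setting parses at all (minimum-length warnings are separate)."""
    try:
        parse_time_range(value, today)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for setting in ("30", "last_30_days", "2025-01-01/2025-01-31", "7"):
        window, warnings = check_time_range(setting, today="2025-03-01")
        print(f"{setting:>25}: {window.start} .. {window.end} ({window.days} days) {warnings}")
```

The numeric and named forms are resolved against `today`, so a scheduled run on a different day yields a different window; the absolute form is the one to use when a report must be reproducible.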

***

### Security and Compliance Considerations

* All communication with Microsoft Graph is encrypted using HTTPS and protected by Microsoft identity services.
* The agent aligns with Microsoft’s **zero trust** and **least privilege** principles.
* Access can be reviewed or revoked at any time through **Entra ID role assignments** or **application consent management**.

***

### Next Steps

* Verify that the administrator account has all required roles assigned.
* Confirm that Purview classification and DLP policies are active with at least 30 days of data.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available on this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://agents.glueckkanja.com/agents/classification-optimizer/permissions.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
