Permissions

Overview

This page describes the permissions, configuration requirements, and access model for this agent. The agent uses read-only access to Microsoft Purview and Microsoft Security Copilot data. Its purpose is to analyze data classification patterns, DLP policy activity, and security insights without modifying any configurations.


How It Works

The agent connects securely to your tenant using Microsoft Graph API endpoints to read Microsoft Purview classification and DLP data. It analyzes these signals to identify patterns, assess coverage, and provide recommendations for improving data protection posture.

All interactions follow these principles:

  • Read-only access: The agent does not modify or create configurations, policies, or classifiers.

  • Least privilege: Only the minimum permissions needed to read Purview and security data are required.

  • Transparency: All data access goes through documented Microsoft Graph API endpoints. The role assignments and consent grants that enable it are recorded in Microsoft Entra audit logs, and each token the agent's identity obtains appears in Entra sign-in logs, so who granted what, and when it was used, can be reviewed.


Required Entra ID Roles

Assign the following roles to the administrator account that installs and runs the agent:

| Role | Description |
|---|---|
| Compliance Data Administrator | Required. Lets the agent read Microsoft Purview classification and DLP data. Note that the role itself also allows managing compliance content in Purview; the agent only reads with it. |
| Security Reader | Required. Grants read-only visibility into security events and alerts. |
| Global Reader (optional) | Read-only access across Microsoft 365 services, used for cross-domain data correlation. |

These are the narrowest roles documented for the agent; it does not need Global Administrator or Security Administrator. Assign them to a dedicated administrator account rather than a shared one, and adjust based on your organization's security and compliance requirements.
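The check a practitioner runs before installing is whether the account actually holds these roles and nothing broader. The following is an added example, not part of the agent's documentation, written against the Microsoft Graph PowerShell SDK (Microsoft.Graph module); the UPN is a placeholder to replace with your own account.

```powershell
# Added example (not from the agent's documentation): check that the installing
# administrator holds the Entra ID roles this page lists, using the Microsoft
# Graph PowerShell SDK. The UPN below is a placeholder assumption.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All" -NoWelcome

$adminUpn      = "agent-admin@contoso.onmicrosoft.com"   # assumption: your account
$requiredRoles = @("Compliance Data Administrator", "Security Reader")
$optionalRoles = @("Global Reader")

$user = Get-MgUser -UserId $adminUpn -Property Id, UserPrincipalName

# Active, directly assigned roles for this principal. PIM *eligible* assignments
# and roles inherited through role-assignable groups are not returned here, so
# activate or expand those before trusting a MISSING result.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($user.Id)'" -All
$heldRoles = foreach ($a in $assignments) {
    (Get-MgRoleManagementDirectoryRoleDefinition `
        -UnifiedRoleDefinitionId $a.RoleDefinitionId).DisplayName
}

foreach ($r in $requiredRoles) {
    $state = if ($heldRoles -contains $r) { "OK      " } else { "MISSING " }
    Write-Output "$state $r"
}
foreach ($r in $optionalRoles) {
    $state = if ($heldRoles -contains $r) { "OK      " } else { "optional" }
    Write-Output "$state $r"
}

# Least privilege cuts both ways: flag roles beyond what the page calls for,
# such as Global Administrator on the account used to install the agent.
$heldRoles |
    Where-Object { $_ -notin ($requiredRoles + $optionalRoles) } |
    ForEach-Object { Write-Warning "Role beyond the documented set: $_" }
```

Run it interactively as a user who can read role assignments; the scopes requested at Connect-MgGraph are read-only, so the check itself does not need any of the roles it is verifying.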


Data Access Transparency

The following table outlines what data the agent can access and for what purpose.

| Data Type | Access Level | Purpose |
|---|---|---|
| Purview classification and labeling data | Read-only | To evaluate data sensitivity distribution and policy effectiveness. |
| DLP policy match events | Read-only | To analyze data loss trends and identify areas for improved coverage. |
| Security insights and alerts | Read-only | To correlate data protection events with broader security signals. |
| Tenant configuration metadata | Read-only | To contextualize results without making configuration changes. |

Data handling:

  • The agent does not modify or export customer data outside the tenant boundary.

  • All access is limited to the Microsoft Graph API using delegated or application permissions.

  • Consent grants and role assignments for the agent are recorded in Microsoft Entra audit logs, and each token its identity obtains is recorded in Entra sign-in logs; activity against Purview data is searched in the Microsoft Purview audit log. Together these support transparency and compliance verification.
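Consent is the second thing to verify: a read-only agent should carry only Read permissions, whether delegated or application. The following is an added example, not part of the agent's documentation; it lists what has been consented to a service principal and flags anything that is not a Read permission. The display name is a placeholder; use the name the agent shows under Enterprise applications in Microsoft Entra.

```powershell
# Added example (not from the agent's documentation): list the Microsoft Graph
# permissions consented to an application in the tenant and flag any that are
# not read-only. The display name below is a placeholder assumption.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -NoWelcome

$agentDisplayName = "Purview Data Protection Agent"   # assumption: the agent's Entra display name
$agentSp = Get-MgServicePrincipal -Filter "displayName eq '$agentDisplayName'"
if (-not $agentSp) { throw "No service principal named '$agentDisplayName' in this tenant" }

# Microsoft Graph's own service principal (well-known appId), used to translate
# application-permission role IDs into names such as SecurityEvents.Read.All
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Delegated permissions: OAuth2 permission grants where the agent is the client
$delegated = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($agentSp.Id)'" -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { $_.Scope -split ' ' } |
    Where-Object { $_ }

# Application permissions: app role assignments against the Graph resource
$application = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $agentSp.Id -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object {
        $roleId = $_.AppRoleId
        ($graphSp.AppRoles | Where-Object { $_.Id -eq $roleId }).Value
    }

# Graph permission names follow Resource.Verb[.Scope]. A read-only agent should
# show only Read or ReadBasic verbs; ReadWrite, AccessAsUser and similar need review.
foreach ($perm in (@($delegated) + @($application) | Sort-Object -Unique)) {
    $kind = if ($perm -match '\.(Read|ReadBasic)(\.|$)') { "read-only" } else { "REVIEW   " }
    Write-Output "$kind $perm"
}

# To withdraw a delegated grant entirely (revocation, as the page describes):
#   Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <grant id>
```

The regular expression is deliberately strict: `Mail.ReadWrite` does not match it, while `User.Read`, `SecurityEvents.Read.All` and `User.ReadBasic.All` do. Run the review again after any agent update, since updates can request additional scopes.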


Agent Settings

When running the agent, the following parameters can be configured to control analysis depth and time range.

| Setting | Options | Description |
|---|---|---|
| TimeRange | A number of days (for example 30), a relative keyword (last_30_days), or an explicit ISO 8601 date range (2025-01-01/2025-01-31) | Defines the time window for classification and DLP event analysis. |
| Mode | quick, standard, deep | Determines analysis depth and resource usage. quick: fast analysis with limited recommendations. standard: balanced depth and performance (recommended). deep: comprehensive analysis with detailed statistics and extended insights; consumes more Security Compute Units (SCUs). |

The agent requires at least 30 days of classification and detection data for meaningful results.


Security and Compliance Considerations

  • All communication with Microsoft Graph is encrypted in transit with TLS (HTTPS) and authenticated with OAuth 2.0 tokens issued by Microsoft Entra ID.

  • The agent aligns with Microsoft’s zero trust and least privilege principles.

  • Access can be reviewed or revoked at any time through Entra ID role assignments or application consent management.


Next Steps

  • Verify that the administrator account has all required roles assigned.

  • Confirm that Purview classification and DLP policies are active with at least 30 days of data.
