> For the complete documentation index, see [llms.txt](https://agents.glueckkanja.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://agents.glueckkanja.com/agents/cloud-app-activity-profiler/permissions.md).

# Permissions

### Overview

This page describes the permissions and access model for the **Cloud App Activity Profiler**.\
The agent uses **read-only access** to Microsoft Defender for Cloud Apps, Microsoft Defender for Endpoint, and Microsoft Entra ID data through documented **Microsoft Graph API** endpoints and **Security Copilot Plugins**.\
It analyzes SaaS domain activity, alert correlations, and threat intelligence indicators **without modifying** any configuration or policy in your environment.

***

### How It Works

The agent connects securely to your Microsoft 365 tenant and Defender for Cloud Apps telemetry to collect and correlate SaaS activity data.\
It discovers new or high-volume domains, enriches findings with alert and threat intelligence context, and generates a risk assessment with governance recommendations such as **ALLOW**, **MONITOR**, or **BLOCK**.

All operations are based on the following principles:

* **Read-only access:** The agent does not create, alter, or remove any data.
* **Least privilege:** Only the minimal permissions required for domain activity analysis are requested.
* **Transparency:** All data retrieval occurs through documented Graph API endpoints or Security Copilot Plugins. Token issuance to the agent identity is recorded in Microsoft Entra sign-in logs, and consent grants and role assignments are recorded in Entra audit logs, so who authorized the agent and when it authenticates can be reviewed.

***

### Required Entra ID and Defender Roles

Assign the following roles to the administrator account, service principal, or managed identity that operates the agent:

| Role                                              | Description                                                                                                                                                                                                                   |
| ------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Security Reader**                               | Read-only access to security insights and alerts in Microsoft Defender for Cloud Apps and the wider Microsoft Defender portal.                                                                                                 |
| **Cloud App Security Administrator** *(optional)* | Full access to Defender for Cloud Apps configuration and discovery data. This is a write-capable administrator role, so assign it only if the read-only roles do not expose the discovery data you need, and review it regularly. |
| **Directory Readers**                             | Read access to user and group objects for activity normalization and correlation.                                                                                                                                             |

These roles follow the **least privilege principle**. Where a role supports administrative-unit scoping, restrict it to the relevant units if tenant-wide access is not required, and prefer time-bound assignments for the optional administrator role.
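An added example (not the agent's own code or a Microsoft tool) of checking the role assignments from the table above before an analysis is started. It works over the JSON shape of a Microsoft Graph `/v1.0/directoryRoles` listing with each role's `members` expanded (the same data can be fetched per role from `/directoryRoles/{id}/members`); the tenant data embedded here is constructed, the identity IDs are placeholders, and the check covers only direct, active role assignments, so PIM-eligible or group-based assignments would need a separate query. Besides confirming the required roles, it flags the write-capable optional role and any broad administrator role the agent identity should never hold.

```python
"""
Least-privilege audit of the identity that will run the Cloud App Activity Profiler.
Input: the JSON returned by GET /v1.0/directoryRoles?$expand=members (only roles that
have been activated in the tenant are listed there). The tenant data below is constructed.
"""
import json

REQUIRED_ROLES = {"Security Reader", "Directory Readers"}
OPTIONAL_WRITE_ROLES = {"Cloud App Security Administrator"}
# Broad roles a read-only analysis identity should never hold (illustrative list).
OVERPRIVILEGED_ROLES = {"Global Administrator", "Security Administrator",
                        "Privileged Role Administrator"}

# Constructed sample of a /directoryRoles listing; "sp-agent-*" are placeholder IDs.
SAMPLE_DIRECTORY_ROLES = json.loads("""
{
  "value": [
    {"displayName": "Security Reader",
     "members": [{"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-agent-prod"},
                 {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-agent-test"}]},
    {"displayName": "Directory Readers",
     "members": [{"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-agent-prod"}]},
    {"displayName": "Cloud App Security Administrator",
     "members": [{"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-agent-test"}]},
    {"displayName": "Global Administrator",
     "members": [{"@odata.type": "#microsoft.graph.user", "id": "user-breakglass"},
                 {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-agent-test"}]}
  ]
}
""")


def roles_of(identity_id, directory_roles):
    """Display names of the activated directory roles that list identity_id as a direct member."""
    return {
        role["displayName"]
        for role in directory_roles["value"]
        if any(member["id"] == identity_id for member in role.get("members", []))
    }


def audit_agent_identity(identity_id, directory_roles):
    """Compare the identity's assignments with the roles this page requires."""
    assigned = roles_of(identity_id, directory_roles)
    missing = REQUIRED_ROLES - assigned
    overprivileged = assigned & OVERPRIVILEGED_ROLES
    return {
        "assigned": sorted(assigned),
        "missing": sorted(missing),
        "write_capable": sorted(assigned & OPTIONAL_WRITE_ROLES),
        "overprivileged": sorted(overprivileged),
        "ok": not missing and not overprivileged,
    }


def report(identity_id, directory_roles):
    """Human-readable summary of audit_agent_identity()."""
    a = audit_agent_identity(identity_id, directory_roles)
    lines = [f"{identity_id}: {'OK' if a['ok'] else 'ACTION REQUIRED'}"]
    if a["missing"]:
        lines.append("  missing required roles: " + ", ".join(a["missing"]))
    if a["write_capable"]:
        lines.append("  write-capable optional role assigned, confirm it is needed: "
                     + ", ".join(a["write_capable"]))
    if a["overprivileged"]:
        lines.append("  remove, exceeds read-only analysis needs: "
                     + ", ".join(a["overprivileged"]))
    return "\n".join(lines)


if __name__ == "__main__":
    for sp in ("sp-agent-prod", "sp-agent-test"):
        print(report(sp, SAMPLE_DIRECTORY_ROLES))
```

Run it against a live tenant by replacing `SAMPLE_DIRECTORY_ROLES` with the parsed Graph response and `sp-agent-*` with the object ID of the agent's service principal or managed identity; a role missing from the listing altogether has not been activated in the tenant yet.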

***

### Data Access Transparency

The following table outlines which data sources the agent accesses and for what purpose:

| Data Type                                               | Access Level | Purpose                                                                                     |
| ------------------------------------------------------- | ------------ | ------------------------------------------------------------------------------------------- |
| Cloud App activity logs (CloudAppEvents)                | Read-only    | To identify new and high-volume domains and detect potential exfiltration or upload bursts. |
| Alert data (AlertInfo and AlertEvidence)                | Read-only    | To correlate high-severity alerts and behavioral tactics associated with each domain.       |
| Threat intelligence indicators (ThreatIntelligence.DTI) | Read-only    | To enrich domains with reputation data and known threat associations.                       |
| Directory and user data (optional)                      | Read-only    | To normalize user activity and calculate user-based risk metrics.                           |

**Data handling:**

* The agent does not modify or delete any Defender, Entra, or Graph data.
* All processing occurs within your tenant boundary, ensuring no data export.
* Consent grants and role assignments for the agent are recorded in Microsoft Entra audit logs, and each authentication by the agent identity appears in Entra sign-in logs; use these to review when and how the agent authenticates.
* The agent operates only under delegated or application permissions that your administrator has granted and consented to.
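To make the purposes in the table above concrete, here is an added example of the profiling logic in Python; it is not the agent's implementation. It finds domains that are new or high-volume inside the configured lookback window, enriches them with alert and threat intelligence context, and emits the ALLOW, MONITOR, or BLOCK recommendation described under How It Works. The activity, alert, and threat intelligence records are constructed, the field layout is an assumption (it is not the CloudAppEvents or AlertEvidence schema), and the scoring weights, the 100 MB upload-burst threshold, and the recommendation cut-offs are illustrative choices of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)


def days_ago(n):
    return NOW - timedelta(days=n)


# Constructed activity records: (timestamp, domain, action, bytes transferred).
EVENTS = [
    (days_ago(40), "sharepoint.contoso.com", "FileDownloaded", 4_000),
    (days_ago(3), "sharepoint.contoso.com", "FileUploaded", 1_000),
    (days_ago(2), "sharepoint.contoso.com", "FileDownloaded", 2_000),
    (days_ago(5), "transfer.example-share.net", "FileUploaded", 300_000_000),
    (days_ago(4), "transfer.example-share.net", "FileUploaded", 250_000_000),
    (days_ago(1), "notes.example-saas.io", "FileUploaded", 20_000),
    (days_ago(20), "crm.example-vendor.com", "FileDownloaded", 500),
]
# Constructed alert records: (domain, severity, tactic).
ALERTS = [
    ("transfer.example-share.net", "High", "Exfiltration"),
    ("notes.example-saas.io", "Low", "Collection"),
]
# Constructed threat intelligence verdicts keyed by domain.
THREAT_INTEL = {"transfer.example-share.net": "suspicious"}

# Illustrative weights; the agent's real scoring is not documented on this page.
SEVERITY_WEIGHT = {"High": 3, "Medium": 2, "Low": 1}
REPUTATION_WEIGHT = {"malicious": 4, "suspicious": 2}


def profile_domains(events, alerts, threat_intel, lookback_days, now=NOW,
                    upload_burst_bytes=100_000_000):
    """Score every domain active in the lookback window and recommend ALLOW, MONITOR or BLOCK."""
    window_start = now - timedelta(days=lookback_days)

    # First-seen uses the full history so a domain active before the window is not "new".
    first_seen = {}
    stats = defaultdict(lambda: {"events": 0, "upload_bytes": 0})
    for t, domain, action, size in events:
        first_seen[domain] = min(first_seen.get(domain, t), t)
        if t >= window_start:
            stats[domain]["events"] += 1
            if action == "FileUploaded":
                stats[domain]["upload_bytes"] += size

    alerts_by_domain = defaultdict(list)
    for domain, severity, tactic in alerts:
        alerts_by_domain[domain].append((severity, tactic))

    results = {}
    for domain, s in stats.items():
        score, reasons = 0, []
        if first_seen[domain] >= window_start:
            score += 2
            reasons.append("newly observed in window")
        if s["upload_bytes"] >= upload_burst_bytes:
            score += 3
            reasons.append(f"upload burst: {s['upload_bytes']} bytes")
        for severity, tactic in alerts_by_domain.get(domain, []):
            score += SEVERITY_WEIGHT.get(severity, 0)
            reasons.append(f"{severity} alert ({tactic})")
        verdict = threat_intel.get(domain)
        if verdict in REPUTATION_WEIGHT:
            score += REPUTATION_WEIGHT[verdict]
            reasons.append(f"threat intel: {verdict}")
        recommendation = "BLOCK" if score >= 6 else "MONITOR" if score >= 2 else "ALLOW"
        results[domain] = {"score": score, "recommendation": recommendation,
                           "reasons": reasons, **s}
    return results


if __name__ == "__main__":
    # Compare two of the agent's Lookback Window options on the same data.
    for lookback in (14, 30):
        print(f"--- lookback {lookback} days ---")
        ranked = sorted(profile_domains(EVENTS, ALERTS, THREAT_INTEL, lookback).items(),
                        key=lambda kv: -kv[1]["score"])
        for domain, r in ranked:
            print(f"{r['recommendation']:<8}{r['score']:>3}  {domain}  "
                  f"{'; '.join(r['reasons']) or 'no findings'}")
```

Widening the lookback from 14 to 30 days pulls `crm.example-vendor.com` into scope as a newly observed domain, which is the trade-off the Lookback Window setting controls: a longer window surfaces more candidates at the cost of more MONITOR recommendations to review.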

***

### Agent Settings

The agent supports configuration parameters to control discovery depth, analysis scope, and output format:

| Setting             | Options                            | Description                                                          |
| ------------------- | ---------------------------------- | -------------------------------------------------------------------- |
| **Scope**           | `domains`, `alerts`, `threatIntel` | Defines which data sources are included in the analysis.             |
| **Mode**            | `quick`, `standard`, `deep`        | Specifies the depth of analysis and enrichment level (see below).    |
| **Lookback Window** | 7, 14, 30 days                     | Sets how far back activity data is evaluated.                        |

Modes:

* **quick** – Identifies newly observed domains and basic activity metrics.
* **standard** – Correlates alerts and threat intelligence data for contextual scoring. *(recommended)*
* **deep** – Full enrichment and scoring with detailed playbook generation and domain governance recommendations.

Ensure all required roles are assigned to the identity running the agent before initiating an analysis.

***

### Security and Compliance Considerations

* All communication with Microsoft Graph and Defender APIs is encrypted in transit (HTTPS/TLS) and authenticated with tokens issued by Microsoft Entra ID.
* The agent follows **Zero Trust** and **least privilege** design principles.
* Permissions can be reviewed or revoked at any time through **Microsoft Entra** role management or the application's consent configuration.
* The agent performs no write or configuration operations, so running it cannot change the state of your environment.

***

### Next Steps

1. Verify that the service account or managed identity has been granted the required roles and API permissions.
2. Review your organization’s governance and role assignment policies before deployment.
3. Configure the desired analysis mode (`quick`, `standard`, or `deep`) based on the size and sensitivity of your environment.


---

This documentation is published with GitBook.