Permissions
Overview
This page describes the permissions and access model for the Cloud App Activity Profiler. The agent uses read-only access to Microsoft Defender for Cloud Apps, Microsoft Defender for Endpoint, and Microsoft Entra ID data through documented Microsoft Graph API endpoints and Security Copilot plugins. It is designed to analyze SaaS domain activity, alert correlations, and threat intelligence indicators without modifying any configuration or policy in your environment.
How It Works
The agent connects securely to your Microsoft 365 tenant and Defender for Cloud Apps telemetry to collect and correlate SaaS activity data. It discovers new or high-volume domains, enriches findings with alert and threat intelligence context, and generates a risk assessment with governance recommendations such as ALLOW, MONITOR, or BLOCK.
All operations are based on the following principles:
Read-only access: The agent does not alter or remove any data.
Least privilege: Only the minimal permissions required for domain activity analysis are requested.
Transparency: All data retrieval occurs through documented Graph API endpoints or Security Copilot plugins, so the agent's sign-ins and permission grants are auditable in Microsoft Entra sign-in and audit logs.
Required Entra ID and Defender Roles
Assign the following roles to the administrator account, service principal, or managed identity that operates the agent:
Security Reader
Provides read-only access to security alerts and insights across Microsoft Defender services, including Microsoft Defender for Cloud Apps.
Cloud App Security Administrator (optional)
Grants additional visibility into Cloud App configurations and discovery data, if required. Note that this is a full-access role for Defender for Cloud Apps rather than a read-only one, so assign it only when the Security Reader view is insufficient.
Directory Readers
Enables read access to user and group objects for activity normalization and correlation.
These roles follow the least-privilege principle. Where a role supports it, the assignment can be scoped (for example, to an administrative unit) instead of being granted tenant-wide.
Data Access Transparency
The following table outlines which data sources the agent accesses and for what purpose:
Data source | Access | Purpose
--- | --- | ---
Cloud App activity logs (CloudAppEvents) | Read-only | Identify new and high-volume domains and detect potential exfiltration or upload bursts.
Alert data (AlertInfo and AlertEvidence) | Read-only | Correlate high-severity alerts and behavioral tactics associated with each domain.
Threat intelligence indicators (ThreatIntelligence.DTI) | Read-only | Enrich domains with reputation data and known threat associations.
Directory and user data (optional) | Read-only | Normalize user activity and calculate user-based risk metrics.
Data handling:
The agent does not modify or delete any Defender, Entra, or Graph data.
All processing occurs within your tenant boundary, ensuring no data export.
The agent's token acquisitions are recorded in Microsoft Entra sign-in logs, and its role assignments and consent grants in Entra audit logs, giving full visibility for compliance review.
The agent operates only under delegated permissions or admin-consented application permissions granted by your administrator.
Agent Settings
The agent supports configuration parameters to control discovery depth, analysis scope, and output format:
Setting | Values | Description
--- | --- | ---
Scope | domains, alerts, threatIntel | Defines which data sources are included in the analysis.
Mode | quick, standard, deep | Specifies the depth of analysis and enrichment level (see below).
Lookback Window | 7, 14, 30 days | Sets how far back activity data is evaluated.
Mode values:
• quick – Identifies newly observed domains and basic activity metrics.
• standard – Correlates alerts and threat intelligence data for contextual scoring. (recommended)
• deep – Full enrichment and scoring with detailed playbook generation and domain governance recommendations.
Ensure all required roles are assigned to the identity running the agent before initiating an analysis.
Security and Compliance Considerations
All communication with Microsoft Graph and Defender APIs is encrypted in transit over HTTPS (TLS) and authenticated with tokens issued by Microsoft Entra ID.
The agent complies with Zero Trust and least privilege design principles.
Permissions can be reviewed or revoked at any time through Microsoft Entra role management or consent configuration.
The agent performs no write or configuration operations, ensuring operational safety and compliance integrity.
Next Steps
Verify that the service account or managed identity has been granted the required roles and API permissions.
Review your organization’s governance and role assignment policies before deployment.
Configure the desired analysis mode (quick, standard, or deep) based on the size and sensitivity of your environment.
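The verification in the first step, as an added example written for this page rather than tooling shipped with the agent: a Microsoft Graph PowerShell script that lists the directory roles and Microsoft Graph application permissions held by the agent's identity, confirms the two required roles (Security Reader and Directory Readers) are present, reports the optional Cloud App Security Administrator role, and flags any role or write-capable Graph permission outside the documented read-only set. It assumes the Microsoft.Graph PowerShell SDK is installed and that you can consent to RoleManagement.Read.Directory and Application.Read.All; the principal object ID is a placeholder you supply.

```powershell
# Added example (not part of the agent): audit the roles and Graph app
# permissions of the identity that runs the Cloud App Activity Profiler.
# Usage: .\Check-AgentPermissions.ps1 -PrincipalId <object ID of the
#        service principal or managed identity>   (placeholder, supplied by you)
param(
    [Parameter(Mandatory)] [string] $PrincipalId
)

# Read-only Graph scopes are enough to inspect role and app-role assignments.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Application.Read.All' -NoWelcome

$required = @('Security Reader', 'Directory Readers')
$optional = @('Cloud App Security Administrator')

# Map role definition IDs to display names so nothing is hard-coded.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All |
    ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# Active directory-role assignments for this principal, with their scope.
# '/' is the tenant-wide scope; anything else is an administrative unit or object.
$held = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$PrincipalId'" -All |
    ForEach-Object {
        [pscustomobject]@{
            Role  = $roleNames[$_.RoleDefinitionId]
            Scope = if ($_.DirectoryScopeId -eq '/') { 'tenant-wide' } else { $_.DirectoryScopeId }
        }
    }
$heldNames = @($held.Role)

"== Directory roles =="
foreach ($r in $required) {
    if ($heldNames -contains $r) { "OK       $r" } else { "MISSING  $r" }
}
foreach ($o in $optional) {
    if ($heldNames -contains $o) { "OPTIONAL $o (full-access role; remove unless the extra visibility is needed)" }
}
# Any role outside the documented set breaks the least-privilege model.
$held | Where-Object { $_.Role -notin ($required + $optional) } |
    ForEach-Object { "EXCESS   $($_.Role) [$($_.Scope)]" }

# Graph application permissions granted to the principal (app role assignments
# on the Microsoft Graph service principal, well-known appId below).
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$permNames = @{}
$graphSp.AppRoles | ForEach-Object { $permNames[$_.Id] = $_.Value }

"== Microsoft Graph application permissions =="
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $PrincipalId -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object {
        $perm = $permNames[$_.AppRoleId]
        # The agent is documented as read-only, so any write/manage permission is suspect.
        if ($perm -match 'Write|Manage') { "WRITE    $perm (exceeds the read-only model)" }
        else                              { "READ     $perm" }
    }
```

The script reports direct, active assignments only: eligible assignments under Privileged Identity Management and roles inherited through role-assignable group membership do not appear in the role assignment query, so check those separately if your tenant uses them.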