Permissions
Overview
This page describes the permissions and access model for this agent. The agent uses read-only access to compliance, audit, and security data from Microsoft Defender, Microsoft Purview, and related Microsoft 365 services through the Security Copilot Plugins. Its purpose is to assess your organization's Data Protection Baseline (DPB) posture, identify potential compliance gaps, and generate insights without modifying any configurations.
How It Works
The agent connects securely to your tenant using Microsoft Graph API endpoints to retrieve compliance, security, and audit log data. It evaluates this information against data protection and compliance frameworks, such as the Microsoft Data Protection Baseline and GDPR, to highlight improvement opportunities and risk areas.
All interactions follow these principles:
Read-only access: The agent does not modify or create configurations, policies, or frameworks.
Least privilege: Only the minimum permissions needed to read compliance and security data are required.
Transparency: All data access occurs through documented Graph API endpoints and is fully auditable within Microsoft Entra.
Required Entra ID Roles
Assign the following roles to the administrator account that installs and runs the agent:
Compliance Data Administrator
Provides read-only access to Microsoft Purview and compliance data.
Security Reader
Grants read-only visibility into Microsoft Defender security events and alerts.
Report Reader
Enables read-only access to audit and reporting data across Microsoft 365 services.
Data Access Transparency
The following table outlines the data accessed by the agent, the access level, and the purpose of each access.

Data accessed                              | Access level | Purpose
Compliance and policy configuration data   | Read-only    | To evaluate alignment with the Data Protection Baseline and compliance frameworks.
Security incidents and alerts              | Read-only    | To correlate compliance posture with security events and risk signals.
Audit logs                                 | Read-only    | To assess user and administrative activity related to data protection controls.
Data classification and labeling data      | Read-only    | To identify coverage gaps in data protection and retention policies.
Data handling:
The agent does not modify, delete, or export customer data outside the tenant boundary.
All access occurs through the Microsoft Graph API using delegated or application permissions.
Access events are logged in Microsoft Entra audit logs for visibility and compliance tracking.
Agent Settings
The agent supports optional parameters to customize analysis depth, frameworks, and time ranges.

Setting                 | Default or example value                                                           | Description
Frameworks              | Default: Data Protection Baseline (DPB) and GDPR                                   | Defines which compliance or protection frameworks to assess.
AdditionalFrameworkText | "ISO 27001 requires encryption of data at rest and in transit..."                  | Allows adding custom framework text for extended compliance evaluation.
FrameworkURL            | "https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-soc-2"      | References an external compliance framework or guidance document for comparison.
TimeRange               | 30 or 90 (days)                                                                    | Defines the time window for compliance and audit data analysis.
Security and Compliance Considerations
All communication with Microsoft Graph is encrypted using HTTPS and secured through Microsoft identity services.
The agent complies with Microsoft’s zero trust and least privilege principles.
Access can be reviewed or revoked at any time via Entra ID role assignments or application consent management.
Next Steps
Confirm that the administrator account has the required roles assigned.
Verify that Microsoft Defender and Purview data collection are active for at least 30 days.
Learn more about permissions in the Microsoft Graph permissions reference.
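As an added example (not part of this page or the agent's own tooling), the following Microsoft Graph PowerShell SDK script performs the first check above: it lists the active directory role assignments of the installing administrator account, flags any of the three required roles that are missing, and flags roles beyond those three, which would conflict with the least-privilege principle stated under Overview. It assumes the Microsoft.Graph module is installed, that the caller can consent to the RoleManagement.Read.Directory and User.Read.All scopes, and uses a placeholder UPN.

```powershell
# Added example: verify that the agent's administrator account holds the
# read-only roles this page lists, and nothing more. Assumes the Microsoft.Graph
# PowerShell SDK is installed. The UPN below is a constructed placeholder.
param(
    [string]$AdminUpn = 'dpb-agent-admin@contoso.example'   # placeholder, replace
)

# The page lists "Report Reader"; the Entra built-in role's display name is
# "Reports Reader", so that spelling is used for the comparison.
$RequiredRoles = @('Compliance Data Administrator', 'Security Reader', 'Reports Reader')

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All' | Out-Null

$user = Get-MgUser -UserId $AdminUpn -Property Id,UserPrincipalName
if (-not $user) { throw "Account $AdminUpn was not found in this tenant." }

# Active directory role assignments for this principal (PIM-eligible but
# not-yet-activated assignments do not appear here).
$assignments = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($user.Id)'" -All

# Resolve each assignment to the role's display name and keep the scope:
# a tenant-wide scope ('/') is what the agent expects.
$held = foreach ($a in $assignments) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $a.RoleDefinitionId
    [pscustomobject]@{ Role = $def.DisplayName; Scope = $a.DirectoryScopeId }
}

$heldNames = @($held.Role | Sort-Object -Unique)
$missing   = $RequiredRoles | Where-Object { $_ -notin $heldNames }
$extra     = $heldNames     | Where-Object { $_ -notin $RequiredRoles }

Write-Host "Roles held by ${AdminUpn}:"
$held | Format-Table -AutoSize | Out-String | Write-Host

if ($missing) {
    Write-Warning ('Missing required role(s): ' + ($missing -join ', '))
} else {
    Write-Host 'All required read-only roles are assigned.'
}

# Least-privilege check: anything beyond the three read-only roles (for example
# Global Administrator) is more than the agent needs and should be reviewed.
if ($extra) {
    Write-Warning ('Roles beyond what the agent needs: ' + ($extra -join ', '))
}
```

Run it before installing the agent and again after any role change; a warning in the second block is the signal to trim the account back to the three roles listed above.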