# Permissions

### Overview

This page describes the permissions and access model for this agent.\
The agent uses **read-only access** to compliance, audit, and security data from Microsoft Defender, Microsoft Purview, and related Microsoft 365 services through the **Security Copilot Plugins**.\
Its purpose is to assess your organization's **Data Protection Baseline (DPB)** posture, identify potential compliance gaps, and generate insights without modifying any configurations.

***

### How It Works

The agent connects securely to your tenant using Microsoft Graph API endpoints to retrieve compliance, security, and audit log data.\
It evaluates this information against data protection and compliance frameworks, such as the Microsoft Data Protection Baseline and GDPR, to highlight improvement opportunities and risk areas.

All interactions follow these principles:

* **Read-only access:** The agent does not modify or create configurations, policies, or frameworks.
* **Least privilege:** Only the minimum permissions needed to read compliance and security data are required.
* **Transparency:** All data access occurs through documented Graph API endpoints and is fully auditable within Microsoft Entra.

***

### Required Entra ID Roles

Assign the following roles to the administrator account that installs and runs the agent:

| Role                              | Description                                                                         |
| --------------------------------- | ----------------------------------------------------------------------------------- |
| **Compliance Data Administrator** | Provides read-only access to Microsoft Purview and compliance data.                 |
| **Security Reader**               | Grants read-only visibility into Microsoft Defender security events and alerts.     |
| **Report Reader**                 | Enables read-only access to audit and reporting data across Microsoft 365 services. |

{% hint style="info" %}
These roles are aligned with the principle of least privilege. Adjust based on your organization’s compliance and governance requirements.
{% endhint %}
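The following script, added here as a worked check and not part of the agent's own documentation, confirms that the installing administrator actually holds the three roles from the table above before the agent is run. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in reviewer may read directory role memberships; the role display names are copied from the table, so adjust the strings if your tenant spells the reporting role differently.

```powershell
# Added example (not from the agent documentation): verify that the account that
# installs and runs the agent holds the roles listed on this page.
# Assumptions: Microsoft Graph PowerShell SDK (Microsoft.Graph) is installed and the
# caller may read directory role memberships. $AdminUpn is a placeholder you supply.
param(
    [Parameter(Mandatory)] [string] $AdminUpn   # e.g. 'admin@contoso.example' (placeholder)
)

# Reading role memberships needs only read scopes, in line with the least-privilege model.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All' -NoWelcome

# Display names copied from the roles table above; adjust if your tenant shows a
# different spelling for the reporting role.
$RequiredRoles = @('Compliance Data Administrator', 'Security Reader', 'Report Reader')

$user = Get-MgUser -UserId $AdminUpn -Property Id, UserPrincipalName

# A directory role object only exists once the role has been activated in the tenant,
# so an unactivated role simply will not appear here (and cannot be held by anyone).
$activeRoles = Get-MgDirectoryRole -All

# Collect the display names of every active role that lists the user as a direct member.
$held = foreach ($role in $activeRoles) {
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    if ($members.Id -contains $user.Id) { $role.DisplayName }
}

$missing = @($RequiredRoles | Where-Object { $_ -notin $held })

[pscustomobject]@{
    Account      = $user.UserPrincipalName
    HeldRoles    = (@($held) | Sort-Object) -join ', '
    MissingRoles = $missing -join ', '
    Ready        = ($missing.Count -eq 0)
}
```

The check only sees direct, active assignments: a role granted through a role-assignable group shows the group's object ID as the member, and a PIM-eligible assignment that has not been activated does not appear at all, so either case is reported as missing and should be confirmed in the Entra portal.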

***

### Data Access Transparency

The following table outlines the data accessed by the agent and its purpose.

| Data Type                                    | Access Level | Purpose                                                                         |
| -------------------------------------------- | ------------ | ------------------------------------------------------------------------------- |
| **Compliance and policy configuration data** | Read-only    | To evaluate alignment with Data Protection Baseline and compliance frameworks.  |
| **Security incidents and alerts**            | Read-only    | To correlate compliance posture with security events and risk signals.          |
| **Audit logs**                               | Read-only    | To assess user and administrative activity related to data protection controls. |
| **Data classification and labeling data**    | Read-only    | To identify coverage gaps in data protection and retention policies.            |

**Data handling:**

* The agent does **not** modify, delete, or export customer data outside the tenant boundary.
* All access occurs through the **Microsoft Graph API** using delegated or application permissions.
* Access events are logged in **Microsoft Entra audit logs** for visibility and compliance tracking.

***

### Agent Settings

The agent supports optional parameters to customize analysis depth, frameworks, and time ranges.

| Setting                     | Options / Example                                                               | Description                                                                      |
| --------------------------- | ------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- |
| **Frameworks**              | Default: Data Protection Baseline (DPB) and GDPR                                | Defines which compliance or protection frameworks to assess.                     |
| **AdditionalFrameworkText** | `"ISO 27001 requires encryption of data at rest and in transit..."`             | Allows adding custom framework text for extended compliance evaluation.          |
| **FrameworkURL**            | `"https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-soc-2"` | References an external compliance framework or guidance document for comparison. |
| **TimeRange**               | `30` or `90` (days)                                                             | Defines the time window for compliance and audit data analysis.                  |

{% hint style="info" %}
For accurate results, ensure at least **30 days of compliance and security data** are available before running the agent.
{% endhint %}

***

### Security and Compliance Considerations

* All communication with Microsoft Graph is encrypted using HTTPS and secured through Microsoft identity services.
* The agent complies with Microsoft’s **zero trust** and **least privilege** principles.
* Access can be reviewed or revoked at any time via **Entra ID role assignments** or **application consent management**.
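As an added example of the review step described above (this script is not part of the agent's documentation), the following PowerShell lists every delegated scope and application permission consented to the agent's service principal and flags any that are not read-only. It assumes the Microsoft Graph PowerShell SDK is installed, that the reviewer can read applications and permission grants, and that you pass the display name of the agent's app registration as shown in your tenant (the page does not name it, so a placeholder is used).

```powershell
# Added example (not from the agent documentation): review the permissions granted to
# the agent's service principal and flag anything that contradicts read-only access.
# Assumptions: Microsoft Graph PowerShell SDK is installed; $AppDisplayName is the
# placeholder name of the agent's app registration in your tenant.
param(
    [Parameter(Mandatory)] [string] $AppDisplayName   # e.g. '<agent-app-display-name>' (placeholder)
)

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "No service principal named '$AppDisplayName' found in this tenant." }

# Delegated permissions live in OAuth2 permission grants; Scope is a space-separated string.
$delegated = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All |
    ForEach-Object {
        $grant = $_
        $grantedTo = if ($grant.ConsentType -eq 'AllPrincipals') { 'all users (admin consent)' } else { $grant.PrincipalId }
        foreach ($scope in ($grant.Scope -split ' ' | Where-Object { $_ })) {
            [pscustomobject]@{ Type = 'Delegated'; Permission = $scope; GrantedTo = $grantedTo }
        }
    }

# Application permissions are app role assignments; the role value is resolved from the
# resource service principal (for Graph permissions, that is the Microsoft Graph SP).
$application = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
    ForEach-Object {
        $assignment = $_
        $resource = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
        $role = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
        [pscustomobject]@{ Type = 'Application'; Permission = $role.Value; GrantedTo = $resource.DisplayName }
    }

$all = @($delegated) + @($application)

# Any permission whose name carries Write, Manage or full_access is not read-only and
# should be questioned against the access model documented on this page.
$suspicious = @($all | Where-Object { $_.Permission -match 'Write|Manage|full_access' })

$all | Sort-Object Type, Permission | Format-Table -AutoSize
if ($suspicious.Count -gt 0) {
    Write-Warning "Non-read-only permissions found: $($suspicious.Permission -join ', ')"
} else {
    Write-Host "All $($all.Count) consented permissions are read-only."
}
```

Run it after installation and again whenever the plugin is updated, since a new version may request additional scopes; a grant that should not be there can then be removed from the same Enterprise application's permissions page referenced above.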

***

### Next Steps

* Confirm that the administrator account has the required roles assigned.
* Verify that Microsoft Defender and Purview data collection has been active for at least 30 days.
* Learn more about permissions in the [Microsoft Graph permissions reference](https://learn.microsoft.com/graph/permissions-reference).


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://agents.glueckkanja.com/agents/compliance-assistant/permissions.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
