Permissions

Overview

This page describes the permissions and access model for the GSA Reporting & Assignment Agent. The agent uses read-only access to Entra Private Access and Entra ID data through the Microsoft Graph API and Security Copilot Plugins. It is designed to collect and analyze connector health metrics, network traffic reports, and user-to-target assignment data without modifying any configurations in your environment.


How It Works

The agent securely connects to your tenant through Microsoft Graph API endpoints to gather configuration and telemetry data related to Global Secure Access (Entra Private Access). It correlates connector performance, IP range utilization, and user access assignments to evaluate network efficiency and identify operational or security gaps.

All interactions follow these principles:

  • Read-only access: The agent never modifies, creates, or deletes configurations.

  • Least privilege: Only the minimal permissions required to read network and directory data are requested.

  • Transparency: All data retrieval occurs through documented Microsoft Graph API endpoints and can be fully audited in Microsoft Entra.


Required Entra ID and Graph Roles

Assign the following roles and API permissions to the administrator account or managed identity running the agent:

  • Global Secure Access Reader (via NetworkAccess.Read.All): Enables read-only visibility into Entra Private Access connector groups, policies, and configurations.

  • Security Reader: Provides read-only access to security and audit insights related to network operations.

  • Directory Reader: Grants visibility into user, group, and device information for assignment correlation.

  • Reports Reader: Allows the agent to read usage and traffic activity reports for trend analysis.

These roles comply with the principle of least privilege and can be scoped to specific applications or network access resources if needed.


Data Access Transparency

The agent accesses the following data types, each read-only, for the purposes listed:

  • Global Secure Access connector and policy data: To analyze connector configuration, redundancy, and health metrics.

  • Network traffic and performance logs: To identify anomalies, latency issues, and failed connection attempts.

  • IP ranges and port coverage: To detect stale IP ranges, missing firewall rules, and conflicts.

  • User and group directory data: To correlate user access assignments with network destinations.

  • Audit and usage reports: To trace configuration changes, access trends, and utilization patterns.

Data handling:

  • The agent does not alter or export customer data outside your tenant boundary.

  • All data access is limited to Microsoft Graph and Security Copilot Plugin endpoints.

  • Every access event is logged in Microsoft Entra audit logs for traceability and compliance assurance.


Agent Settings

The agent includes configurable parameters to control scope, lookback period, and reporting depth:

  • Scope (connectors, traffic, assignments, ports): Defines which network areas are included in the analysis.

  • LookbackDays (30, 60, 90): Determines the time window for network traffic and connector activity evaluation.

  • Mode (quick, standard, deep): Specifies analysis depth and reporting detail.
      quick – High-level overview of connector health and assignments.
      standard – Comprehensive analysis of connector, traffic, and user-to-target data (recommended).
      deep – Full diagnostic mode with advanced anomaly detection and optimization recommendations.

Ensure that all required permissions are granted before running the agent to avoid incomplete reports.


Security and Compliance Considerations

  • All communication between the agent and Microsoft Graph is encrypted using HTTPS and authenticated via Microsoft identity services.

  • The agent operates within the Zero Trust and least privilege principles.

  • Access can be reviewed, modified, or revoked at any time using Microsoft Entra role-based access control (RBAC) or application consent management.

  • The agent does not make any configuration changes, ensuring full operational safety during assessments.


Next Steps

  1. Confirm that the administrator or managed identity running the agent has the required roles and Graph permissions assigned.

  2. Validate access to Entra Private Access connectors and network access reports through Microsoft Graph.

  3. Review your organization’s role assignment and governance policies before enabling automated reporting.
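One way to carry out step 1 offline against data already exported from Microsoft Graph, as an added example that is not part of the agent or this page: it assumes you have retrieved the agent identity's appRoleAssignments and the Microsoft Graph service principal's appRoles list (the GUIDs and grants below are constructed placeholders), and it treats Directory.Read.All and Reports.Read.All as assumed Graph counterparts of the Directory Reader and Reports Reader roles.

```python
"""Least-privilege check for the identity running the agent. It resolves the
appRoleId GUIDs returned by Graph's /servicePrincipals/{id}/appRoleAssignments
against the Microsoft Graph service principal's appRoles list and compares the
result with the read-only set this page requires. Sample data is constructed."""
import json

READ_ONLY_ACTIONS = {"Read", "ReadBasic"}


def is_read_only(permission):
    # Graph application permissions are named Resource.Action[.Scope];
    # any action other than Read/ReadBasic can change tenant state.
    parts = permission.split(".")
    return len(parts) >= 2 and parts[1] in READ_ONLY_ACTIONS


def audit_app_permissions(graph_app_roles, assignments, required):
    """Return what is granted, what is missing, and what exceeds read-only."""
    id_to_value = {r["id"]: r["value"] for r in graph_app_roles}
    granted = {id_to_value.get(a["appRoleId"], "unknown:" + a["appRoleId"])
               for a in assignments}
    return {
        "granted": sorted(granted),
        "missing": sorted(set(required) - granted),
        "write_capable": sorted(p for p in granted if not is_read_only(p)),
        "not_required": sorted(granted - set(required)),
    }


# Constructed subset of the Microsoft Graph service principal's appRoles
# (placeholder ids, not the real role GUIDs).
GRAPH_APP_ROLES = json.loads("""[
 {"id": "00000000-0000-0000-0000-000000000001", "value": "NetworkAccess.Read.All"},
 {"id": "00000000-0000-0000-0000-000000000002", "value": "NetworkAccess.ReadWrite.All"},
 {"id": "00000000-0000-0000-0000-000000000003", "value": "Directory.Read.All"},
 {"id": "00000000-0000-0000-0000-000000000004", "value": "Reports.Read.All"}]""")

# Constructed appRoleAssignments for the agent's service principal: one grant
# is a write permission the agent never needs, and one required grant is absent.
AGENT_ASSIGNMENTS = json.loads("""[
 {"appRoleId": "00000000-0000-0000-0000-000000000001"},
 {"appRoleId": "00000000-0000-0000-0000-000000000002"},
 {"appRoleId": "00000000-0000-0000-0000-000000000003"}]""")

# NetworkAccess.Read.All is named on the page; the other two are assumed Graph
# counterparts of the Directory Reader and Reports Reader roles.
REQUIRED = {"NetworkAccess.Read.All", "Directory.Read.All", "Reports.Read.All"}

if __name__ == "__main__":
    print(json.dumps(audit_app_permissions(GRAPH_APP_ROLES, AGENT_ASSIGNMENTS, REQUIRED), indent=2))
```

Any entry under write_capable or not_required should be removed before the agent runs; anything under missing explains an incomplete report.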
