# Permissions

### Overview

This page describes the permissions and access model for the **Insider Risk Profiler**.\
The agent uses **read-only access** to Microsoft Purview Insider Risk Management, Microsoft Defender, and Microsoft Entra ID data through documented **Microsoft Graph API** and **Security Copilot Plugins**.\
It is designed to analyze insider risk alerts, user risk levels, device compliance, and DLP events **without making any modifications** to your environment.

***

### How It Works

The agent connects securely to Microsoft Purview and Defender to collect **Insider Risk Management (IRM) alerts**, identity risk signals, and behavioral telemetry across multiple activity sources such as email, cloud applications, and file operations.\
It enriches alerts with contextual data from Defender and Entra ID, computes a composite risk score, and generates a prioritized queue with recommendations for investigation and remediation.

All operations follow these core principles:

* **Read-only access:** The agent does not modify or delete any data.
* **Least privilege:** Only the minimum permissions required for correlation and enrichment are requested.
* **Transparency:** All access occurs through documented Microsoft Graph endpoints and Security Copilot plugins. Role assignments and consent grants are recorded in Microsoft Entra audit logs, token issuance to the agent identity in the Entra sign-in logs, and individual Graph requests in Microsoft Graph activity logs where those are enabled.

***

### Required Entra ID and Purview Roles

Assign the following roles and permissions to the administrator account or managed identity that runs the agent:

| Role                                | Description                                                                                             |
| ----------------------------------- | ------------------------------------------------------------------------------------------------------- |
| **Insider Risk Management Analyst** | Provides direct read-only access to Insider Risk Management (IRM) alerts within Microsoft Purview.      |
| **Security Reader**                 | Grants read access to security alerts, incidents, and behavioral signals in Microsoft Defender. Microsoft Sentinel workspace data is governed separately by Azure RBAC (for example, the Microsoft Sentinel Reader role) and is not covered by this Entra ID role. |
| **Directory Readers**               | Entra ID built-in role that enables read-only access to user and group metadata for alert correlation and reporting. |
| **Intune Reader** *(optional)*      | Provides device compliance context when analyzing alerts linked to managed endpoints.                   |

These roles follow the **principle of least privilege**. Where a narrower scope suffices, the Entra ID role assignments can be restricted to an administrative unit instead of the whole tenant.
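The following script, added here as an example and not part of the Insider Risk Profiler documentation, checks that the identity that will run the agent actually holds the required roles before an analysis is started. It assumes the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module are installed, that the caller may read directory role assignments and Purview role groups, and that the Purview role group is named `InsiderRiskManagementAnalysts`; `irp-runner@contoso.com` is a placeholder account.

```powershell
# Added example, not code from the Insider Risk Profiler documentation: confirm that the
# identity that will run the agent actually holds the required roles before starting an
# analysis. Assumptions not stated on this page: the Microsoft Graph PowerShell SDK and the
# ExchangeOnlineManagement module are installed, the caller can read directory role
# assignments and Purview role groups, and the Purview role group is named
# "InsiderRiskManagementAnalysts". The Entra role display names are the built-in names.

$RequiredEntraRoles = @('Security Reader', 'Directory Readers')

function Get-AgentEntraRoleCheck {
    param(
        # Object ID of the user, service principal or managed identity that runs the agent
        [Parameter(Mandatory)][string] $PrincipalId
    )

    # Active, directly assigned directory roles for this principal. Roles inherited through a
    # role-assignable group, or still PIM-eligible (not activated), do not appear here.
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "principalId eq '$PrincipalId'" -All

    $held = foreach ($a in $assignments) {
        $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $a.RoleDefinitionId
        [pscustomobject]@{
            Role  = $def.DisplayName
            Scope = $a.DirectoryScopeId   # '/' is tenant-wide; '/administrativeUnits/<id>' is scoped
        }
    }

    foreach ($role in $RequiredEntraRoles) {
        $match = @($held | Where-Object Role -eq $role)
        [pscustomobject]@{
            Role    = $role
            Present = $match.Count -gt 0
            Scope   = ($match.Scope -join ', ')
        }
    }
}

function Get-AgentPurviewRoleCheck {
    param([Parameter(Mandatory)][string] $UserPrincipalName)

    # Security & Compliance PowerShell (Connect-IPPSSession). The role group name is an
    # assumption; list the groups with Get-RoleGroup if it differs in your tenant.
    $members = Get-RoleGroupMember -Identity 'InsiderRiskManagementAnalysts'
    $present = $members | Where-Object {
        $_.PrimarySmtpAddress -eq $UserPrincipalName -or $_.Name -eq $UserPrincipalName
    }
    [pscustomobject]@{
        Role    = 'Insider Risk Management Analyst'
        Present = [bool]$present
    }
}

# Usage (irp-runner@contoso.com is a placeholder for the account that runs the agent):
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome
Connect-IPPSSession
$runner = Get-MgUser -UserId 'irp-runner@contoso.com'
Get-AgentEntraRoleCheck   -PrincipalId $runner.Id
Get-AgentPurviewRoleCheck -UserPrincipalName $runner.UserPrincipalName
```

A `Present = False` row for either Entra role means the principal has no direct active assignment; if the role is granted through a role-assignable group or a PIM eligibility, check those paths separately, because the agent will only see the role while it is active.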

***

### Data Access Transparency

The table below outlines the data sources accessed by the agent and their purposes:

| Data Type                       | Access Level           | Purpose                                                                             |
| ------------------------------- | ---------------------- | ----------------------------------------------------------------------------------- |
| Insider Risk Management alerts  | Read-only              | To retrieve alert metadata and generate prioritized risk queues.                    |
| Security alerts and incidents   | Read-only              | To cross-reference Defender data for contextual enrichment.                         |
| Risky users and identity events | Read-only              | To assess user-level identity risk indicators and compromise likelihood.            |
| Advanced Hunting telemetry      | Read-only              | To analyze file, email, cloud, and authentication events for behavioral scoring.    |
| DLP policy violations           | Read-only              | To detect sensitive data handling anomalies and exfiltration patterns.              |
| Device posture and compliance   | Read-only *(optional)* | To enrich user risk profiles with device state information.                         |
| Directory user and group data   | Read-only              | To normalize user identities, correlate assignments, and improve reporting clarity. |

**Data handling:**

* The agent never modifies, creates, or deletes records.
* All processing and enrichment occur within your Microsoft 365 tenant boundary.
* Data access is performed via Microsoft Graph and Security Copilot Plugins with delegated or approved application permissions.
* Access is traceable for compliance: role assignments and consent grants appear in Microsoft Entra audit logs, sign-ins of the agent identity in the Entra sign-in logs, and individual Graph requests in Microsoft Graph activity logs where those are enabled.
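The page lists the data sources but not the exact Microsoft Graph permission names behind them. The script below, added here as an example and not part of the Insider Risk Profiler documentation, enumerates the application and delegated Graph permissions actually granted to the agent's service principal and flags any that are not read-only or not in an expected list. It assumes the Microsoft Graph PowerShell SDK is installed, that the caller holds `Application.Read.All` and `Directory.Read.All`, and that the agent's service principal can be found by display name; the expected permission list is an assumed mapping from the data table above, not one published by the agent.

```powershell
# Added example, not code from the Insider Risk Profiler documentation: report the Microsoft
# Graph permissions granted to the agent's service principal and flag anything that is not
# read-only. Assumptions not stated on this page: the Microsoft Graph PowerShell SDK is
# installed, the caller holds Application.Read.All and Directory.Read.All, and the agent's
# service principal is found by display name. The expected permission list is an assumed
# mapping from the data table on this page; the page does not publish the scope names.

$GraphAppId = '00000003-0000-0000-c000-000000000000'   # well-known Microsoft Graph appId

# Read-only Graph permissions that would cover the data sources listed above (assumed).
$ExpectedReadOnly = @(
    'SecurityAlert.Read.All',                  # security alerts
    'SecurityIncident.Read.All',               # incidents
    'IdentityRiskyUser.Read.All',              # risky users
    'IdentityRiskEvent.Read.All',              # identity risk detections
    'ThreatHunting.Read.All',                  # advanced hunting queries
    'User.Read.All', 'Group.Read.All',         # directory user and group data
    'DeviceManagementManagedDevices.Read.All'  # device compliance (optional)
)

function Get-AgentGraphPermissionReport {
    param([Parameter(Mandatory)][string] $AgentDisplayName)

    $agent = Get-MgServicePrincipal -Filter "displayName eq '$AgentDisplayName'"
    if (-not $agent) { throw "No service principal named '$AgentDisplayName' in this tenant" }
    $graph = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"

    # Application permissions: app role assignments whose resource is Microsoft Graph.
    # Each AppRoleId is resolved to its name via the Graph service principal's AppRoles list.
    $appPerms = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $agent.Id -All |
        Where-Object ResourceId -eq $graph.Id |
        ForEach-Object {
            $roleId = $_.AppRoleId
            ($graph.AppRoles | Where-Object Id -eq $roleId).Value
        }

    # Delegated permissions: OAuth2 permission grants where the agent is the client.
    # Scope is a space-separated string, so split it into individual permission names.
    $delegated = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($agent.Id)'" -All |
        Where-Object ResourceId -eq $graph.Id |
        ForEach-Object { $_.Scope -split ' ' } |
        Where-Object { $_ }

    $all = @($appPerms  | ForEach-Object { [pscustomobject]@{ Type = 'Application'; Permission = $_ } }) +
           @($delegated | ForEach-Object { [pscustomobject]@{ Type = 'Delegated';   Permission = $_ } })

    foreach ($p in $all) {
        [pscustomobject]@{
            Type       = $p.Type
            Permission = $p.Permission
            # Heuristic based on Graph naming: "*.Read*" without "Write" is read-only,
            # so ReadWrite.*, *.Write.* and Mail.Send-style permissions are flagged.
            ReadOnly   = ($p.Permission -match '\.Read') -and ($p.Permission -notmatch 'Write')
            Expected   = $ExpectedReadOnly -contains $p.Permission
        }
    }
}

# Usage ('Insider Risk Profiler' is assumed to be the service principal's display name):
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome
Get-AgentGraphPermissionReport -AgentDisplayName 'Insider Risk Profiler' |
    Sort-Object Expected, ReadOnly | Format-Table -AutoSize
```

Both permission kinds are listed because a Security Copilot plugin may run with delegated permissions under the signed-in analyst while a scheduled run may use application permissions on a managed identity. Any row with `ReadOnly = False` contradicts the read-only model described on this page and should be removed through application consent management before the agent is enabled; rows with `Expected = False` are not necessarily wrong, but should be reconciled against the data sources you intend the agent to use.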

***

### Agent Settings

The agent supports configuration parameters that control the analysis depth, processing scope, and output structure:

| Setting         | Options                             | Description                                                                        |
| --------------- | ----------------------------------- | ---------------------------------------------------------------------------------- |
| **Scope**       | `alerts`, `users`, `devices`, `dlp` | Defines which Insider Risk components are included in the analysis.                |
| **Mode**        | `quick`, `standard`, `deep`         | Determines the depth of enrichment and correlation; the modes are described below. |
| **Time Window** | 7, 14, 30 days                      | Defines how far back alerts and risk events are analyzed.                          |

Mode values:

* **quick** – Basic triage of alerts using key identity and risk factors.
* **standard** – Balanced enrichment and scoring across identity, activity, and DLP data. *(recommended)*
* **deep** – Full multi-source enrichment including device posture and anomaly analysis.

Ensure the assigned identity or administrator account has all required roles and data source permissions before initiating an analysis.

***

### Security and Compliance Considerations

* All communication between the agent, Microsoft Graph, and Defender APIs is secured using **HTTPS** and authenticated with **Microsoft identity services**.
* The agent adheres to Microsoft’s **Zero Trust** and **least privilege** design principles.
* Permissions can be reviewed, restricted, or revoked at any time through **Microsoft Entra role assignments** or **application consent management**.
* Source data is only read, never written or modified, during analysis, so running the agent cannot alter alerts, policies, or directory objects.

***

### Next Steps

1. Confirm that the required roles (Insider Risk Management Analyst, Security Reader, and Directory Readers) are assigned to the account or identity executing the agent.
2. Verify that the Microsoft Graph permissions consented for the agent cover the Purview and Defender data sources listed above and are read-only.
3. Review your organization’s data governance and role assignment policies prior to enabling the agent in production.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://agents.glueckkanja.com/agents/insider-risk-profiler/permissions.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
