# Permissions

### Overview

This page describes the permissions and access model for this agent.\
The agent uses **read-only access** to Microsoft 365 license, usage, and billing data through **Security Copilot Plugins**.\
It is designed to help organizations identify unused licenses, detect optimization opportunities, and forecast future license requirements — without modifying any license assignments or configurations.

***

### How It Works

The agent connects securely to your tenant through Security Copilot Plugins to read license assignments, usage reports, and user activity data.\
It analyzes these data sources to generate insights into license utilization, cost efficiency, and optimization potential across Microsoft 365 services.

All interactions follow these principles:

* **Read-only access:** The agent cannot modify, assign, or remove licenses.
* **Least privilege:** Only the roles required to read license, usage, and report data are necessary.
* **Transparency:** All access is auditable within Microsoft Entra and follows Microsoft compliance and security standards.

***

### Required Entra ID Roles

Assign the following roles to the administrator account that installs and runs the agent:

| Role                      | Description                                                             |
| ------------------------- | ----------------------------------------------------------------------- |
| **License Administrator** | Provides access to license data and assignment information.             |
| **Reports Reader**        | Grants access to Microsoft 365 usage and analytics reports.             |
| **Global Reader**         | Allows read-only visibility across services for comprehensive analysis. |

#### Optional Roles for Enhanced Analysis

| Role                   | Description                                                                                           |
| ---------------------- | ----------------------------------------------------------------------------------------------------- |
| **User Administrator** | Enables visibility into user-level license assignments and account attributes for deeper correlation. |

{% hint style="info" %}
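These roles are aligned with the principle of least privilege. Note that **License Administrator** and **User Administrator** are Entra ID roles that also permit changes (license assignment and user management); the agent itself only reads data. Adjust based on your organization’s compliance and reporting requirements.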
{% endhint %}

***

### Data Access Transparency

The following table outlines what data the agent can access and its purpose.

| Data Type                            | Access Level | Purpose                                                               |
| ------------------------------------ | ------------ | --------------------------------------------------------------------- |
| **License assignments and SKU data** | Read-only    | To identify unused or underutilized licenses across users and groups. |
| **Usage reports**                    | Read-only    | To assess active service usage and consumption trends over time.      |
| **Billing and subscription data**    | Read-only    | To correlate license utilization with cost and subscription terms.    |
| **Audit logs and user activity**     | Read-only    | To confirm active usage and detect inactive or low-activity accounts. |

**Data handling:**

* The agent does **not** modify or export customer data outside the tenant boundary.
* All access occurs through **Security Copilot Plugins** using delegated or application-level permissions.
* Access activity is logged in **Microsoft Entra audit logs** for full traceability.

***

### Agent Usage

When running the agent, you can request specific analyses or allow it to automatically assess all available data.

#### Example Queries

* `"Analyze my license utilization"`
* `"Find unused Microsoft 365 licenses"`
* `"Show me cost savings opportunities"`
* `"Which users can be downgraded from E5 to E3?"`
* `"Identify inactive users consuming licenses"`
* `"Forecast my license needs for next year"`

The agent automatically reviews all licenses and user data unless a specific SKU or group is defined.

***

### Data Requirements

To ensure accurate results, verify that:

* Usage reporting is enabled in the **Microsoft 365 admin center**.
* At least **30 to 90 days of usage data** is available.
* License assignments are current in **Microsoft Entra ID**.
* User activity (sign-ins, service usage) is being tracked consistently.

***

### Security and Compliance Considerations

* All communication through Security Copilot Plugins is encrypted using HTTPS and authenticated via Microsoft identity services.
* The agent adheres to Microsoft’s **zero trust** and **least privilege** principles.
* Access can be reviewed or revoked at any time through **Entra ID role assignments** or **application consent management**.

***

### Next Steps

* Confirm that the administrator account has all required roles assigned.
* Review the agent’s analysis results in Security Copilot to identify optimization recommendations and cost-saving opportunities.
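
One way to carry out the role confirmation above and to see which assigned roles reach beyond read access. This is an added example, not part of the agent or its vendor's tooling. It assumes the account's role assignments have been exported from Microsoft Graph as `unifiedRoleAssignment` objects with `roleDefinition` expanded; the sample data is constructed and its action lists are abridged.

```python
# Roles taken from the tables on this page.
REQUIRED = {"License Administrator", "Reports Reader", "Global Reader"}
OPTIONAL = {"User Administrator"}

# Constructed sample: role assignments for one account, shaped like Microsoft
# Graph unifiedRoleAssignment objects with roleDefinition expanded.
# The action lists are abridged for illustration.
SAMPLE = {"value": [
    {"roleDefinition": {"displayName": "License Administrator", "rolePermissions": [
        {"allowedResourceActions": [
            "microsoft.directory/users/assignLicense",
            "microsoft.directory/users/usageLocation/update",
            "microsoft.directory/users/standard/read"]}]}},
    {"roleDefinition": {"displayName": "Global Reader", "rolePermissions": [
        {"allowedResourceActions": ["microsoft.directory/users/standard/read"]}]}},
    {"roleDefinition": {"displayName": "Application Administrator", "rolePermissions": [
        {"allowedResourceActions": ["microsoft.directory/applications/create"]}]}},
]}


def audit_assignments(response):
    """Compare held roles with the page's list and flag non-read actions."""
    non_read = {}
    for assignment in response["value"]:
        role = assignment["roleDefinition"]
        actions = [a for perm in role.get("rolePermissions", [])
                   for a in perm.get("allowedResourceActions", [])]
        # Assumption: an action is read-only when its name ends in "/read".
        non_read[role["displayName"]] = sorted(
            a for a in actions if not a.endswith("/read"))
    held = set(non_read)
    return {
        "missing": sorted(REQUIRED - held),
        "unexpected": sorted(held - REQUIRED - OPTIONAL),
        "write_capable": {name: acts for name, acts in non_read.items() if acts},
    }


if __name__ == "__main__":
    report = audit_assignments(SAMPLE)
    print("Missing required roles:", report["missing"])
    print("Roles not listed on this page:", report["unexpected"])
    for name, acts in report["write_capable"].items():
        print(f"{name} allows non-read actions: {', '.join(acts)}")
```

Roles reported as write-capable are the ones to weigh against the read-only intent when reviewing or revoking assignments.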

