Permissions
Overview
This page describes the permissions and access model for this agent. The agent uses read-only access to Microsoft 365 license, usage, and billing data through Security Copilot Plugins. It is designed to help organizations identify unused licenses, detect optimization opportunities, and forecast future license requirements — without modifying any license assignments or configurations.
How It Works
The agent connects securely to your tenant through Security Copilot Plugins to read license assignments, usage reports, and user activity data. It analyzes these data sources to generate insights into license utilization, cost efficiency, and optimization potential across Microsoft 365 services.
All interactions follow these principles:
Read-only access: The agent cannot modify, assign, or remove licenses.
Least privilege: Only the roles required to read license, usage, and report data are necessary.
Transparency: All access is auditable within Microsoft Entra and follows Microsoft compliance and security standards.
Required Entra ID Roles
Assign the following roles to the administrator account that installs and runs the agent:
License Administrator: Provides access to license data and assignment information.
Reports Reader: Grants access to Microsoft 365 usage and analytics reports.
Global Reader: Allows read-only visibility across services for comprehensive analysis.
Optional Roles for Enhanced Analysis
User Administrator: Enables visibility into user-level license assignments and account attributes for deeper correlation.
Data Access Transparency
The following table outlines what data the agent can access and its purpose.
| Data | Access | Purpose |
| --- | --- | --- |
| License assignments and SKU data | Read-only | To identify unused or underutilized licenses across users and groups. |
| Usage reports | Read-only | To assess active service usage and consumption trends over time. |
| Billing and subscription data | Read-only | To correlate license utilization with cost and subscription terms. |
| Audit logs and user activity | Read-only | To confirm active usage and detect inactive or low-activity accounts. |
Data handling:
The agent does not modify or export customer data outside the tenant boundary.
All access occurs through Security Copilot Plugins using delegated or application-level permissions.
Access activity is logged in Microsoft Entra audit logs for full traceability.
Agent Usage
When running the agent, you can request specific analyses or allow it to automatically assess all available data.
Example Queries
"Analyze my license utilization"
"Find unused Microsoft 365 licenses"
"Show me cost savings opportunities"
"Which users can be downgraded from E5 to E3?"
"Identify inactive users consuming licenses"
"Forecast my license needs for next year"
The agent automatically reviews all licenses and user data unless a specific SKU or group is defined.
Data Requirements
To ensure accurate results, verify that:
Usage reporting is enabled in the Microsoft 365 admin center.
At least 30 to 90 days of usage data is available.
License assignments are current in Microsoft Entra ID.
User activity (sign-ins, service usage) is being tracked consistently.
Security and Compliance Considerations
All communication through Security Copilot Plugins is encrypted using HTTPS and authenticated via Microsoft identity services.
The agent adheres to Microsoft’s zero trust and least privilege principles.
Access can be reviewed or revoked at any time through Entra ID role assignments or application consent management.
Next Steps
Confirm that the administrator account has all required roles assigned.
Review the agent’s analysis results in Security Copilot to identify optimization recommendations and cost-saving opportunities.
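One way to carry out the role confirmation in the first step, as an added example that is not part of the agent or its documentation. It assumes you have exported the account's directory role assignments in the shape of a Microsoft Graph unifiedRoleAssignment list with roleDefinition expanded; the sample data, the principal IDs, the function name audit_roles, and the rule that only tenant-wide assignments count are all assumptions made for this example.

```python
import json

# Role names taken from this page.
REQUIRED = {"License Administrator", "Reports Reader", "Global Reader"}
OPTIONAL = {"User Administrator"}

# Constructed sample, shaped like a Microsoft Graph unifiedRoleAssignment list
# fetched with $expand=roleDefinition. All IDs are placeholders.
SAMPLE = json.dumps({"value": [
    {"principalId": "admin-0001", "directoryScopeId": "/",
     "roleDefinition": {"displayName": "Reports Reader"}},
    {"principalId": "admin-0001", "directoryScopeId": "/",
     "roleDefinition": {"displayName": "Global Reader"}},
    {"principalId": "admin-0001", "directoryScopeId": "/administrativeUnits/au-0001",
     "roleDefinition": {"displayName": "License Administrator"}},
    {"principalId": "admin-0001", "directoryScopeId": "/",
     "roleDefinition": {"displayName": "Exchange Administrator"}},
    {"principalId": "other-0002", "directoryScopeId": "/",
     "roleDefinition": {"displayName": "License Administrator"}},
]})


def audit_roles(raw_json, principal_id):
    """Compare one principal's directory roles with the roles this page lists."""
    tenant_wide, scoped = set(), set()
    for a in json.loads(raw_json).get("value", []):
        if a.get("principalId") != principal_id:
            continue
        name = (a.get("roleDefinition") or {}).get("displayName")
        if not name:
            continue  # roleDefinition was not expanded, so the role cannot be classified
        # Assumption: only tenant-wide ("/") assignments satisfy the requirement.
        (tenant_wide if a.get("directoryScopeId") == "/" else scoped).add(name)
    return {
        "missing_required": sorted(REQUIRED - tenant_wide),
        "scoped_only": sorted((REQUIRED & scoped) - tenant_wide),
        "optional_present": sorted(OPTIONAL & (tenant_wide | scoped)),
        "beyond_page": sorted((tenant_wide | scoped) - REQUIRED - OPTIONAL),
    }


if __name__ == "__main__":
    for key, roles in audit_roles(SAMPLE, "admin-0001").items():
        print(f"{key}: {', '.join(roles) or '-'}")
```

License Administrator and User Administrator are roles that can change license assignments and user accounts in Entra ID, so even when nothing is reported under beyond_page those two assignments belong in periodic access reviews.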