Required Roles and Permissions

Avanan needs these roles and permissions to secure all users and remediate all threats.

Required Permissions

Avanan requires the following permissions from Microsoft. Each entry below gives the permission as it is shown in Microsoft 365, its claim value, and the functions Avanan performs with it.

Create groups

Group.Create

Creating groups while onboarding as part of setting up protection.

Manage Exchange As Application

Exchange.ManageAsApp

Used to run PowerShell commands on Exchange elements on behalf of the Check Point application.

Manage all users' identities

User.ManageIdentities.All

Used to block compromised accounts.

Read and write directory data

Directory.ReadWrite.All

Used for these:

  • Read users, groups, and other directory data during onboarding.

  • Read updates from Active Directory to influence policy assignments and create a shared mailbox to receive reported phishing emails.

Read and write domains

Domain.ReadWrite.All

In addition to the functions of Read domains, creates a Check Point subdomain while onboarding and uses its certificate to deliver emails back to Microsoft.

Read activity data for your organization

ActivityFeed.Read

Used for these:

  • Getting user login events, Microsoft Defender events and others to present login activities and detect compromised accounts (Anomalies).

  • Getting Microsoft detection information to present for every email.

Read all audit log data

AuditLog.Read.All

Used for retrospective audit of login events to detect compromised accounts (Anomalies).

Read all applications

Application.Read.All

Used to read application parameters required for onboarding and off-boarding of the application.

Read all directory RBAC settings

RoleManagement.Read.Directory

Used to collect users and their roles, in order to scope policies, enforce them and report on these users.

Read and write all directory RBAC settings

RoleManagement.ReadWrite.Directory

In addition to the functions of Read all directory RBAC settings, assigns a role to the Check Point application while onboarding, so that it can run PowerShell commands.

Read all hidden memberships

Member.Read.Hidden

Used to collect hidden members of groups, to support policy assignment, policy enforcement and reports on users.

Read all groups

Group.Read.All

Used for mapping users to groups to properly assign policies to users.

Read contacts in all mailboxes

Contacts.Read

Used to protect contacts and scope policies for users.

Read domains

Domain.Read.All

Collect protected domains to:

  • Secure domains.

  • Skip inspection of emails from other domains and do not deliver them back to Microsoft.

  • Allow DMARC Management for these domains.

  • Automatically brand the Security Awareness Training end-user experience.

Read all users' full profiles

User.Read.All

Collect all users to protect them and scope policies on users.

Read and write all user mailbox settings

MailboxSettings.ReadWrite

Used for these:

  • Read mailbox rules to detect compromised accounts.

  • Add a mailbox rule as part of the Greymail workflow.

Read and write mail in all mailboxes

Mail.ReadWrite

Used for these:

  • Enforcing Detect and Remediate policy rules, where emails are quarantined or modified post-delivery.

  • Allowing administrators to quarantine emails that are already in the users' mailboxes.

  • Allowing administrators to restore emails to users' mailboxes.

  • Baselining communication patterns as part of Learning Mode.

Use Exchange Web Services with full access to all mailboxes

full_access_as_app

Used to send notifications to end user mailboxes and restore quarantined emails to end user mailboxes.

Read and write all group memberships

GroupMember.ReadWrite.All

In addition to the functions of Read all groups, when the set of users protected inline changes, a group created by Avanan is automatically adjusted to include the new inline users.

Read all published labels and label policies for an organization

InformationProtectionPolicy.Read.All

Reads Microsoft Sensitivity Labels for use in the Check Point DLP policy.

Required Application Roles

Avanan needs these roles during onboarding:

  • Exchange Administrator

  • Privileged Authentication Administrator

Exchange Administrator

Avanan uses the Exchange Administrator role to perform these tasks, using several methods including running PowerShell commands.

  • Initial onboarding - To configure Mail Flow Rules, Connectors, and additional elements for incoming, internal, and outgoing mail flow, as required to enforce the configured DLP, Threat Detection, and Click-Time Protection policies. For more information, see Automatic Mode Onboarding - Microsoft 365 Footprint.

  • Unified Quarantine - Filter information about emails quarantined by Microsoft and, if required, restore them from the Microsoft quarantine.

  • Track Microsoft Spam Policy - To determine what Microsoft would have done with every email, Avanan checks for updates in your configured Microsoft policy for every Spam confidence level (SCL).

  • Integration with Microsoft Encryption - To enable the integration with Microsoft Encryption that supports DLP policy rules using the "Email is allowed. Encrypted by Microsoft" workflow. For more information, see DLP Policy for Outgoing Emails.

  • Automated maintenance - To enhance troubleshooting capabilities and support infrastructure growth.

  • To support new features in the future.

Privileged Authentication Administrator

Avanan uses the Privileged Authentication Administrator role to block users and reset their passwords if they are detected as compromised. See Remediating Compromised Accounts.

Reducing the Assigned Microsoft Application Role

  • Avanan uses the Privileged Authentication Administrator role to block accounts that are detected as compromised. This role allows Avanan to block every compromised account, even if it is a Global Administrator. For more information, see Remediating Compromised Accounts.

  • After successfully Activating Office 365 Mail, administrators can reduce the Privileged Authentication Administrator role to any of the roles described in this Microsoft article.

  • Once you do that, Avanan can only block compromised accounts whose passwords the selected role is permitted to reset (see this Microsoft article).

    Notes:

    • When reducing the application role, make sure to apply the lesser role first (see this Microsoft article) and then remove the more privileged role (see this Microsoft article).

    • If you have connected Avanan to Office 365 Mail prior to December 09, 2024, your application might be assigned the Global Administrator role. You can manually reduce this role to Exchange Administrator, Privileged Authentication Administrator or a lesser role.
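To verify what an existing tenant has actually granted against the permission list above, and whether the application role has been reduced as described in this section, the following audit script is an added example, not Check Point's or Avanan's own code. It assumes the Microsoft.Graph PowerShell SDK is installed, that the enterprise application is named "Avanan" (adjust if yours differs), and that the signed-in reader holds Application.Read.All and RoleManagement.Read.Directory.

```powershell
# Added example (not Check Point/Avanan code). Assumes the Microsoft.Graph SDK
# and an enterprise application named "Avanan" (assumption: adjust to your tenant).
Connect-MgGraph -Scopes "Application.Read.All","RoleManagement.Read.Directory"

$appDisplayName = "Avanan"
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appDisplayName'"
if (-not $sp) { throw "Service principal '$appDisplayName' not found" }

# Claim values the documentation lists as required.
$expected = @(
  "Group.Create","Exchange.ManageAsApp","User.ManageIdentities.All",
  "Directory.ReadWrite.All","Domain.ReadWrite.All","ActivityFeed.Read",
  "AuditLog.Read.All","Application.Read.All","RoleManagement.Read.Directory",
  "RoleManagement.ReadWrite.Directory","Member.Read.Hidden","Group.Read.All",
  "Contacts.Read","Domain.Read.All","User.Read.All","MailboxSettings.ReadWrite",
  "Mail.ReadWrite","full_access_as_app","GroupMember.ReadWrite.All",
  "InformationProtectionPolicy.Read.All"
)

# Resolve each application-permission grant to its claim value by looking up the
# AppRoleId in the resource service principal's AppRoles (Graph, Exchange Online, etc.).
$granted = foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id) {
  $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
  ($resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }).Value
}
$extra   = $granted  | Where-Object { $_ -notin $expected }
$missing = $expected | Where-Object { $_ -notin $granted }
"Granted but not documented as required: $($extra -join ', ')"
"Documented as required but not granted:  $($missing -join ', ')"

# Directory roles the service principal holds (Get-MgDirectoryRole lists activated
# roles only). Flag Global Administrator, which may remain on tenants connected
# before December 09, 2024, and should be reduced per the notes above.
$roles = Get-MgDirectoryRole | Where-Object {
  (Get-MgDirectoryRoleMember -DirectoryRoleId $_.Id).Id -contains $sp.Id
}
"Directory roles held: $($roles.DisplayName -join ', ')"
if ($roles.DisplayName -contains "Global Administrator") {
  Write-Warning "Application still holds Global Administrator; apply the lesser role first, then remove it."
}
```

Run it again after reducing the role: the directory-role line should show only Exchange Administrator plus the chosen lesser role, and the "granted but not documented" line should be empty.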

Microsoft 365 Mail - Approving User

As part of activating Office 365 Mail protection, you need a user with the Privileged Role Administrator role or higher to approve the required permissions for the application.

Use of Azure AD Graph APIs

As part of the integration with Microsoft, Avanan uses some Azure AD Graph APIs.

Since Microsoft is about to deprecate these APIs, you may receive notifications stating that a service principal (Avanan) uses an API scheduled for deprecation.

Avanan is actively migrating the remaining API calls from Azure AD Graph APIs to the newer Microsoft Graph APIs.

Avanan will complete the migration before the end of June 2025.

For now, you can disregard these alerts from Microsoft.