Manual Integration with Office 365 Mail - Required Permissions
As these configurations are not managed by Avanan, Manual mode requires fewer permissions than Automatic mode.
| API Permissions - Display Name | Permissions required from Office 365 for manual integration | Functions performed by Avanan |
|---|---|---|
| Read all audit log data | AuditLog.Read.All | Used to detect anomalous user behavior and trigger workflows for compromised accounts. Used to protect contacts and scope policies for users. |
| Read contacts in all mailboxes | Contacts.Read | |
| Read and write calendars in all mailboxes | Calendars.ReadWrite | Used to remove calendar invites added by malicious emails. |
| Read domains | Domain.Read.All | Collect protected domains to: |
| Read all groups | Group.Read.All | Used for mapping users to groups to properly assign policies to users. |
| Read all published labels and label policies for an organization | InformationProtectionPolicy.Read.All | Read Microsoft Sensitivity Labels to use them as part of the Check Point DLP policy. |
| Read and write mail in all mailboxes | Mail.ReadWrite | Used for these: |
| Read and write all user mailboxes settings | MailboxSettings.ReadWrite | Used for these: |
| Read all hidden memberships | Member.Read.Hidden | Used to collect hidden group members to support policy assignment, policy enforcement, and user-based reporting. |
| Read all directory RBAC settings | RoleManagement.Read.Directory | Used to collect users and their roles to scope policies, enforce them, and generate user-specific reports. |
| Read all users' full profiles | User.Read.All | Used to collect all users for the purposes of protection and policy scoping. |
| Use Exchange Web services with full access to all mailboxes | full_access_as_app (Office 365 Exchange Online) | Required to allow the execution of other Microsoft Exchange APIs. |
| Read and write mail in all mailboxes | Mail.ReadWrite (Office 365 Exchange Online) | Used for these: |
| Read activity data for your organization | ActivityFeed.Read (Office 365 Management APIs) | Collecting user login events, Microsoft Defender events and Active Directory hierarchy changes to detect compromised accounts and maintain an up-to-date user hierarchy. |
| Send mail as any user | Send mail as any user | Used to send notifications to end users in scenarios where Microsoft does not support other delivery methods. |
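
To confirm that the app registration holds exactly the permissions in the table, the following added example (not Avanan or Microsoft code) decodes the `roles` claim that Microsoft Entra ID places in app-only access tokens and diffs it against the documented set. The group name `default`, the function names and the sample token are assumptions made for the example; the token is constructed and unsigned.

```python
import base64
import json

# Identifiers copied from the table above. Rows with no API named in parentheses
# are grouped under "default" (an assumed label; the page does not name their API).
# The "Send mail as any user" row gives no identifier, so it is left out here.
EXPECTED = {
    "default": {
        "AuditLog.Read.All", "Contacts.Read", "Calendars.ReadWrite",
        "Domain.Read.All", "Group.Read.All",
        "InformationProtectionPolicy.Read.All", "Mail.ReadWrite",
        "MailboxSettings.ReadWrite", "Member.Read.Hidden",
        "RoleManagement.Read.Directory", "User.Read.All",
    },
    "Office 365 Exchange Online": {"full_access_as_app", "Mail.ReadWrite"},
    "Office 365 Management APIs": {"ActivityFeed.Read"},
}


def token_roles(jwt: str) -> set:
    """Return the `roles` claim of an app-only token (signature is not checked)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))


def audit(jwt: str, group: str) -> dict:
    """Diff the granted application permissions against the documented set."""
    granted, expected = token_roles(jwt), EXPECTED[group]
    return {
        "unexpected": sorted(granted - expected),  # broader than documented
        "missing": sorted(expected - granted),     # integration may not work
    }


def constructed_token(roles: list) -> str:
    """Build an unsigned sample token for the demo; not a real credential."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"roles": roles}), ""])


# Constructed sample: one documented permission plus one the table does not list.
SAMPLE = constructed_token(["ActivityFeed.Read", "ActivityFeed.ReadDlp"])

if __name__ == "__main__":
    print(audit(SAMPLE, "Office 365 Management APIs"))
```

Run it against a token requested for each API in turn; anything reported as `unexpected` is a grant wider than this page calls for.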