Manual Integration with Office 365 Mail - Required Permissions

Because these configurations are not managed by Avanan, Manual mode requires fewer permissions than Automatic mode. All of the permissions listed are application (app-only) permissions that apply to every mailbox in the tenant once an administrator consents, so compare the set actually granted to the Avanan app registration against this list after integration.

Each entry below gives the permission's display name, the permission value required from Office 365 for manual integration (a Microsoft Graph permission unless another API is named), and the functions Avanan performs with it.

Read all audit log data (AuditLog.Read.All)
Used to detect anomalous user behavior and trigger workflows for compromised accounts.

Read contacts in all mailboxes (Contacts.Read)
Used to protect contacts and scope policies for users.

Read and write calendars in all mailboxes (Calendars.ReadWrite)
Used to remove calendar invites added by malicious emails.

Read domains (Domain.Read.All)
Collect protected domains to:

  • Secure domains.

  • Skip inspection and avoid returning emails from other domains to Microsoft.

  • Allow DMARC Management for these domains.

  • Automatically apply branding to the Security Awareness Training end user experience.

Read all groups (Group.Read.All)
Used for mapping users to groups to properly assign policies to users.

Read all published labels and label policies for an organization (InformationProtectionPolicy.Read.All)
Read Microsoft Sensitivity Labels to use them as part of the Check Point DLP policy.

Read and write mail in all mailboxes (Mail.ReadWrite)
Used for these:

  • Enforcing Detect and Remediate policy rules, where emails are quarantined or modified post-delivery.

  • Allowing administrators to quarantine emails that are already in users' mailboxes.

  • Allowing administrators to restore emails to users' mailboxes.

  • Baselining communication patterns as part of Learning Mode.

Read and write all user mailbox settings (MailboxSettings.ReadWrite)
Used for these:

  • Read mailbox rules to detect compromised accounts.

  • Add a mailbox rule as part of the Greymail workflow.

Read all hidden memberships (Member.Read.Hidden)
Used to collect hidden group members to support policy assignment, policy enforcement, and user-based reporting.

Read all directory RBAC settings (RoleManagement.Read.Directory)
Used to collect users and their roles to scope policies, enforce them, and generate user-specific reports.

Read all users' full profiles (User.Read.All)
Used to collect all users for the purposes of protection and policy scoping.

Use Exchange Web Services with full access to all mailboxes (full_access_as_app, Office 365 Exchange Online)
Required to allow the execution of other Microsoft Exchange APIs.

Read and write mail in all mailboxes (Mail.ReadWrite, Office 365 Exchange Online)
Used for the same functions as the Microsoft Graph Mail.ReadWrite permission above: post-delivery quarantine and modification under Detect and Remediate rules, administrator quarantine and restore of emails already in users' mailboxes, and baselining communication patterns in Learning Mode.

Read activity data for your organization (ActivityFeed.Read, Office 365 Management APIs)
Collects user login events, Microsoft Defender events and Active Directory hierarchy changes to detect compromised accounts and maintain an up-to-date user hierarchy.

Send mail as any user (Mail.Send)
Used to send notifications to end users in scenarios where Microsoft does not support other delivery methods.
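The following script is an added example for auditing the grant; it is not part of the Avanan or Check Point documentation. It resolves the app role assignments on the Avanan service principal to their permission values and reports each manual-mode permission as granted or missing, plus anything granted that the list above does not call for. It assumes the Microsoft.Graph PowerShell SDK, a signed-in administrator holding Application.Read.All, an enterprise application display name of 'Avanan' (adjust it to match your tenant), and that the permission value behind "Send mail as any user" is Mail.Send.

```powershell
# Added example; not part of the Avanan/Check Point documentation. Lists the application
# permissions actually granted to the Avanan service principal and compares them with the
# manual-mode list on this page. Assumptions: the Microsoft.Graph PowerShell SDK is installed,
# the signed-in admin has Application.Read.All, and the enterprise application is named
# 'Avanan' (change the -AppDisplayName argument below if yours differs).

# Expected manual-mode permissions, grouped by the resource API that exposes them.
# 'Mail.Send' is assumed to be the value behind the display name "Send mail as any user".
$ExpectedPermissions = @{
    'Microsoft Graph' = @(
        'AuditLog.Read.All', 'Contacts.Read', 'Calendars.ReadWrite', 'Domain.Read.All',
        'Group.Read.All', 'InformationProtectionPolicy.Read.All', 'Mail.ReadWrite',
        'MailboxSettings.ReadWrite', 'Member.Read.Hidden', 'RoleManagement.Read.Directory',
        'User.Read.All', 'Mail.Send'
    )
    'Office 365 Exchange Online' = @('full_access_as_app', 'Mail.ReadWrite')
    'Office 365 Management APIs' = @('ActivityFeed.Read')
}

function Get-GrantedAppPermissions {
    # Resolves each app role assignment on the service principal to resource name + permission value.
    param([Parameter(Mandatory)][string]$AppDisplayName)

    $sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
    if (-not $sp) { throw "No enterprise application named '$AppDisplayName' was found." }

    $resourceCache = @{}   # each resource service principal (Graph, Exchange Online, ...) is fetched once
    foreach ($assignment in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
        if (-not $resourceCache.ContainsKey($assignment.ResourceId)) {
            $resourceCache[$assignment.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
        }
        $resource = $resourceCache[$assignment.ResourceId]
        # AppRoleId is a GUID; the readable value (e.g. Mail.ReadWrite) is on the resource's AppRoles.
        $role = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
        [pscustomobject]@{ Resource = $resource.DisplayName; Permission = $role.Value }
    }
}

function Compare-AppPermissions {
    # Emits one row per expected permission (granted / MISSING) and one per unexpected grant (EXTRA).
    param([Parameter(Mandatory)][hashtable]$Expected, [Parameter(Mandatory)][object[]]$Granted)

    foreach ($resource in $Expected.Keys) {
        $have = @($Granted | Where-Object { $_.Resource -eq $resource } | ForEach-Object { $_.Permission })
        foreach ($permission in $Expected[$resource]) {
            $status = if ($have -contains $permission) { 'granted' } else { 'MISSING' }
            [pscustomobject]@{ Resource = $resource; Permission = $permission; Status = $status }
        }
    }
    # Anything granted that manual mode does not call for is extra privilege to review or remove.
    foreach ($grant in $Granted) {
        if ($Expected[$grant.Resource] -notcontains $grant.Permission) {
            [pscustomobject]@{ Resource = $grant.Resource; Permission = $grant.Permission; Status = 'EXTRA' }
        }
    }
}

# Offline demonstration with a constructed grant list: most permissions missing, one extra.
$sampleGrants = @(
    [pscustomobject]@{ Resource = 'Microsoft Graph'; Permission = 'Mail.ReadWrite' },
    [pscustomobject]@{ Resource = 'Microsoft Graph'; Permission = 'Directory.ReadWrite.All' },
    [pscustomobject]@{ Resource = 'Office 365 Exchange Online'; Permission = 'full_access_as_app' }
)
Compare-AppPermissions -Expected $ExpectedPermissions -Granted $sampleGrants |
    Where-Object { $_.Status -ne 'granted' } | Format-Table -AutoSize

# Live check against the tenant (uncomment to run):
# Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome
# $granted = @(Get-GrantedAppPermissions -AppDisplayName 'Avanan')
# Compare-AppPermissions -Expected $ExpectedPermissions -Granted $granted | Format-Table -AutoSize
```

Rows marked MISSING explain integration features that fail silently; rows marked EXTRA are permissions beyond what manual mode needs and are candidates for removal. The Graph mailbox permissions (Mail.*, Calendars.*, Contacts.*, MailboxSettings.*) can additionally be confined to a chosen set of mailboxes with an Exchange Online application access policy (New-ApplicationAccessPolicy); that policy applies to the Graph permissions, not to the EWS full_access_as_app permission, which stays tenant-wide.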