Required Permissions

Avanan requires these permissions to protect Office 365 OneDrive.

Note:

All these permissions are required to access your data in the Avanan Administrator Portal.

| Permissions required from Microsoft | Functions performed by Avanan |
| --- | --- |
| Manage all access reviews | Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions, and settings in the organization without a signed-in user. |
| Read and write all applications | Allows the app to create, read, update and delete applications and service principals without a signed-in user. Does not allow management of consent grants. |
| Read and write contacts in all mailboxes | Allows the app to create, read, update, and delete all contacts in all mailboxes without a signed-in user. |
| Read and write directory data | Allows the app to read and write data in your organization's directory, such as users and groups, without a signed-in user. Does not allow user or group deletion. |
| Read and write domains | Allows the app to read and write all domain properties without a signed-in user. Also allows the app to add, verify and remove domains. |
| Read and write files in all site collections | Allows the app to read, create, update and delete all files in all site collections without a signed-in user. |
| Read and write all groups | Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write group calendar and conversations. All of these operations can be performed by the app without a signed-in user. |
| Read and write all user mailbox settings | Allows the app to create, read, update, and delete user's mailbox settings without a signed-in user. Does not include permission to send mail. |
| Read and write mail in all mailboxes | Allows the app to create, read, update, and delete mail in all mailboxes without a signed-in user. Does not include permission to send mail. |
| Send mail as any user | Allows the app to send mail as any user without a signed-in user. |
| Read all usage reports | Allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Microsoft 365 and Microsoft Entra ID (formerly Azure AD). |
| Read and update your organization's security events | Allows the app to read your organization's security events without a signed-in user. Also allows the app to update editable properties in security events. |
| Read and write items in all site collections | Allows the app to create, read, update, and delete documents and list items in all site collections without a signed-in user. |
| Read and write all users' full profiles | Allows the app to read and update user profiles without a signed-in user. |
| Sign in and read user profile | Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. |