Required Application Roles
Avanan needs these roles during onboarding:
- Exchange Administrator
- Privileged Authentication Administrator
Exchange Administrator
Avanan uses the Exchange Administrator role to perform the tasks listed below through several methods, including running PowerShell commands.
When onboarding, Avanan assumes the Exchange Administrator role. To ensure successful onboarding, do not change the default permissions assigned to the Exchange Administrator role.
If you modify the default permissions of the Exchange RBAC role groups or the Microsoft Entra ID role permissions assigned to the Exchange Administrator role, onboarding is not supported and may fail.
- Initial onboarding - To configure Mail Flow Rules (Transport Rules), Connectors, and additional elements for incoming, internal, and outgoing mail flow, as required to enforce the configured DLP, Threat Detection, and Click-Time Protection policies. For more information, see Automatic Mode Onboarding - Microsoft 365 Footprint.
- Unified Quarantine - Filter information about emails quarantined by Microsoft and, if required, restore them from the Microsoft quarantine.
- Track Microsoft Spam Policy - To determine what Microsoft would have done with every email, Avanan checks for updates in your configured Microsoft policy for every Spam confidence level (SCL).
- Integration with Microsoft Encryption - To enable the integration with Microsoft Encryption to support DLP policy rules with the "Email is allowed. Encrypted by Microsoft" workflow. For more information, see DLP Policy for Outgoing Emails.
- Automated maintenance - To enhance troubleshooting capabilities and support infrastructure growth.
- To support new features in the future.
Privileged Authentication Administrator
Avanan uses the Privileged Authentication Administrator role to block users and reset their passwords if they are detected as compromised. See Remediating Compromised Accounts.