Office 365 Mail - Required Roles and Permissions

Avanan needs these roles and permissions to secure all users and remediate all threats.

Required Permissions

Avanan requires the following permissions from Microsoft.

Each entry below gives, in order: the permission as shown in the Microsoft 365 consent prompt, its claim value, and the functions Avanan performs with it.

Create groups

Group.Create

Creating groups while onboarding as part of setting up protection.

Manage Exchange As Application

Exchange.ManageAsApp

Used to run Exchange Online PowerShell commands on behalf of the Check Point application (app-only authentication, no user context).

Manage all users' identities

User.ManageIdentities.All

Used to block compromised accounts.

Read activity data for your organization

ActivityFeed.Read

Used for these:

  • Getting user login events, Microsoft Defender events and others to present login activities and detect compromised accounts (Anomalies).

  • Getting Microsoft detection information to present for every email.

Read all audit log data

AuditLog.Read.All

Used for retrospective audit of login events to detect compromised accounts (Anomalies).

Read all applications

Application.Read.All

Used to read application parameters required for onboarding and off-boarding of the application.

Read all directory RBAC settings

RoleManagement.Read.Directory

Used to collect users and their roles to scope policies, enforce them, and generate user-specific reports.

Read and write all directory RBAC settings

RoleManagement.ReadWrite.Directory

In addition to the functions of Read all directory RBAC settings, this permission assigns a role to the Check Point application while onboarding, so that it can run PowerShell commands.

Read all hidden memberships

Member.Read.Hidden

Used to collect hidden group members to support policy assignment, policy enforcement, and user-based reporting.

Read all groups

Group.Read.All

Used for mapping users to groups to properly assign policies to users.

Read contacts in all mailboxes

Contacts.Read

Used to protect contacts and scope policies for users.

Read and write calendars in all mailboxes

Calendars.ReadWrite

Used to remove calendar invites added by malicious emails.

Read domains

Domain.Read.All

Collect protected domains to:

  • Secure domains.

  • Skip inspection of emails addressed to domains that are not protected, and avoid returning those emails to Microsoft.

  • Allow DMARC Management for these domains.

  • Automatically apply branding to the Security Awareness Training end user experience.

Read and write domains

Domain.ReadWrite.All

In addition to the functions of Read domains, this permission creates a Check Point subdomain while onboarding and uses that subdomain's certificate to deliver emails back to Microsoft.

Read all users' full profiles

User.Read.All

Used to collect all users for the purposes of protection and policy scoping.

Read and write all user mailbox settings

MailboxSettings.ReadWrite

Used for these:

  • Read mailbox rules to detect compromised accounts.

  • Add a mailbox rule as part of the Greymail workflow.

Read and write mail in all mailboxes

Mail.ReadWrite

Used for these:

  • Enforcing Detect and Remediate policy rules, where emails are quarantined or modified post-delivery.

  • Allowing administrators to quarantine emails that are already in the users' mailboxes.

  • Allowing administrators to restore emails to users' mailboxes.

  • Baselining communication patterns as part of Learning Mode.

Use Exchange Web Services with full access to all mailboxes

full_access_as_app

Used to send notifications to end user mailboxes and restore quarantined emails to end user mailboxes.

Send mail as any user

Mail.Send

Used to send notifications to end users in scenarios where Microsoft does not support other delivery methods.

Read and write all group memberships

GroupMember.ReadWrite.All

In addition to the functions of Read all groups, this permission keeps the group created by Avanan in sync: when the set of inline-protected users changes, the group is automatically adjusted to include the new inline users.
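A practitioner will want to verify what the tenant has actually granted to the Avanan service principal against the list above, both to catch a missing grant (a function silently stops working) and an over-broad one (least privilege). The script below is an added example, not Check Point or Avanan code. It takes the shape of Microsoft Graph's appRoleAssignments and appRoles objects as input, resolves appRoleIds to claim values, and diffs them against the claims on this page. The sample data is constructed inline with placeholder GUIDs; which resource application (Microsoft Graph, Office 365 Management APIs, Office 365 Exchange Online) exposes each claim is the author's assumption, since the page lists only the claim values. It covers application (app-role) grants only; delegated grants live in oauth2PermissionGrants and are not checked here.

```python
"""Audit granted app roles against the claim values listed on this page.
Added example, not Check Point or Avanan code. Input dictionaries mirror the
shape of Microsoft Graph's appRoleAssignments and appRoles objects; every GUID
below is a constructed placeholder, not a real role id."""

from typing import Dict, Iterable, Set, Tuple

# Claim values from the table on this page, grouped by the resource application
# that exposes them. The grouping is the author's assumption.
REQUIRED: Dict[str, Set[str]] = {
    "Microsoft Graph": {
        "Group.Create", "User.ManageIdentities.All", "AuditLog.Read.All",
        "Application.Read.All", "RoleManagement.Read.Directory",
        "RoleManagement.ReadWrite.Directory", "Member.Read.Hidden",
        "Group.Read.All", "Contacts.Read", "Calendars.ReadWrite",
        "Domain.Read.All", "Domain.ReadWrite.All", "User.Read.All",
        "MailboxSettings.ReadWrite", "Mail.ReadWrite", "Mail.Send",
        "GroupMember.ReadWrite.All",
    },
    "Office 365 Management APIs": {"ActivityFeed.Read"},
    "Office 365 Exchange Online": {"Exchange.ManageAsApp", "full_access_as_app"},
}

# Constructed stand-in for GET /servicePrincipals/{resourceId}?$select=appRoles,
# reduced to appRole id -> claim value. Placeholder GUIDs.
RESOURCE_APP_ROLES: Dict[str, Dict[str, str]] = {
    "Microsoft Graph": {
        "10000000-0000-0000-0000-000000000001": "Mail.ReadWrite",
        "10000000-0000-0000-0000-000000000002": "Mail.Send",
        "10000000-0000-0000-0000-000000000003": "User.Read.All",
        "10000000-0000-0000-0000-000000000004": "Directory.ReadWrite.All",
    },
    "Office 365 Management APIs": {
        "20000000-0000-0000-0000-000000000001": "ActivityFeed.Read",
    },
}

# Constructed stand-in for GET /servicePrincipals/{id}/appRoleAssignments.
# Models a tenant that granted three Graph roles plus an over-broad
# Directory.ReadWrite.All, granted the Management API role, and never
# consented to the Exchange Online roles.
SAMPLE_ASSIGNMENTS = [
    {"resourceDisplayName": "Microsoft Graph", "appRoleId": "10000000-0000-0000-0000-000000000001"},
    {"resourceDisplayName": "Microsoft Graph", "appRoleId": "10000000-0000-0000-0000-000000000002"},
    {"resourceDisplayName": "Microsoft Graph", "appRoleId": "10000000-0000-0000-0000-000000000003"},
    {"resourceDisplayName": "Microsoft Graph", "appRoleId": "10000000-0000-0000-0000-000000000004"},
    {"resourceDisplayName": "Office 365 Management APIs", "appRoleId": "20000000-0000-0000-0000-000000000001"},
]


def resolve_claims(assignments: Iterable[dict],
                   app_roles: Dict[str, Dict[str, str]]) -> Dict[str, Set[str]]:
    """Translate appRoleAssignments (resource + appRoleId) into claim values.
    An appRoleId the resource does not publish is kept as an explicit marker
    rather than dropped, so a stale or tampered grant stays visible."""
    granted: Dict[str, Set[str]] = {}
    for a in assignments:
        resource = a["resourceDisplayName"]
        role_id = a["appRoleId"]
        value = app_roles.get(resource, {}).get(role_id, f"<unknown appRoleId {role_id}>")
        granted.setdefault(resource, set()).add(value)
    return granted


def audit(granted: Dict[str, Set[str]],
          required: Dict[str, Set[str]]) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Return (missing, extra) per resource. Missing claims break the Avanan
    functions that depend on them; extra claims exceed least privilege."""
    missing: Dict[str, Set[str]] = {}
    extra: Dict[str, Set[str]] = {}
    for resource in set(required) | set(granted):
        have = granted.get(resource, set())
        need = required.get(resource, set())
        if need - have:
            missing[resource] = need - have
        if have - need:
            extra[resource] = have - need
    return missing, extra


def run_sample() -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Run the audit over the constructed sample tenant."""
    return audit(resolve_claims(SAMPLE_ASSIGNMENTS, RESOURCE_APP_ROLES), REQUIRED)


if __name__ == "__main__":
    missing, extra = run_sample()
    for resource, claims in sorted(missing.items()):
        print(f"MISSING on {resource}: {', '.join(sorted(claims))}")
    for resource, claims in sorted(extra.items()):
        print(f"EXTRA on {resource}: {', '.join(sorted(claims))}")
```

Against a real tenant, replace the two constructed dictionaries with the JSON from GET /servicePrincipals/{id}/appRoleAssignments for the Avanan service principal and GET /servicePrincipals/{resourceId}?$select=appRoles for each distinct resourceId in those assignments. Keying on the resource as well as the claim matters: Mail.ReadWrite on Microsoft Graph and a same-named claim on another resource are different grants.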
