Office 365 Mail - Required Roles and Permissions
Avanan needs these roles and permissions to secure all users and remediate all threats.
Required Permissions
Avanan requires the following permissions from Microsoft.
| Permissions required from Microsoft 365 | Claim Value | Functions performed by Avanan |
|---|---|---|
| Create groups | Group.Create | Creating groups while onboarding as part of setting up protection. |
| Manage Exchange As Application | Exchange.ManageAsApp | Used to run PowerShell commands on Exchange elements on behalf of the Check Point application. |
| Manage all users' identities | User.ManageIdentities.All | Used to block compromised accounts. |
| Read activity data for your organization | ActivityFeed.Read | Used for these: |
| Read all audit log data | AuditLog.Read.All | Used for retrospective audit of login events to detect compromised accounts (Anomalies). |
| Read all applications | Application.Read.All | |
| Read all directory RBAC settings | RoleManagement.Read.Directory | Used to collect users and their roles to scope policies, enforce them, and generate user-specific reports. |
| Read and write all directory RBAC settings | RoleManagement.ReadWrite.Directory | Used for these: |
| Read all hidden memberships | Member.Read.Hidden | Used to collect hidden group members to support policy assignment, policy enforcement, and user-based reporting. |
| Read all groups | Group.Read.All | Used for mapping users to groups to properly assign policies to users. |
| Read contacts in all mailboxes | Contacts.Read | Used to protect contacts and scope policies for users. |
| Read and write calendars in all mailboxes | Calendars.ReadWrite | Used to remove calendar invites added by malicious emails. |
| Read domains | Domain.Read.All | Collect protected domains to: |
| Read and write domains | Domain.ReadWrite.All | In addition to Read domains, creates a Check Point subdomain while onboarding and uses its certificate to deliver emails back to Microsoft. |
| Read all users' full profiles | User.Read.All | Used to collect all users for the purposes of protection and policy scoping. |
| Read and write all user mailbox settings | MailboxSettings.ReadWrite | Used for these: |
| Read and write mail in all mailboxes | Mail.ReadWrite | Used for these: |
| Use Exchange Web Services with full access to all mailboxes | full_access_as_app | Used to send notifications to end user mailboxes and restore quarantined emails to end user mailboxes. |
| Send mail as any user | Mail.Send | Used to send notifications to end users in scenarios where Microsoft does not support other delivery methods. |
| Read and write all group memberships | GroupMember.ReadWrite.All | In addition to Read all groups: when the set of users protected inline changes, a group created by Avanan is automatically adjusted to include the new inline users. |