Read-only · zero write scopes
No .Write, .ReadWrite, .Manage (other than Exchange’s read-only manage-as-app), or .Send scopes appear anywhere in the request set. ScanPosture is incapable of changing your tenant.

How to read this page
ScanPosture groups its permission requests into batches. Each batch unlocks a related family of checks. Your Global Administrator approves a batch the first time a check from that batch is run, so you can stage adoption — for example, run with batch A only on day one, then add batch C a week later when you’re ready to scan SharePoint and Teams settings.
Two batches (E and F) need a manual role assignment in addition to admin consent. Those are flagged below.
Batch A — Core Entra ID & directory
The base permission set. Powers identity, access, conditional-access, application, and risk checks.
Directory.Read.All
What it lets us read: Users, groups, applications, service principals, organisation, domains, directory roles.
What it does NOT grant: Cannot create, modify, or delete any directory object.

AuditLog.Read.All
What it lets us read: Sign-in logs and directory audit logs (used for "has any admin signed in via legacy auth in 30 days" style checks).
What it does NOT grant: No access to mailbox content, document content, or message content.

IdentityRiskyUser.Read.All
What it lets us read: Microsoft-flagged risky users and risk events.
What it does NOT grant: Cannot dismiss or remediate risk; read-only.

Policy.Read.All
What it lets us read: Conditional access policies, authentication methods policy.
What it does NOT grant: Cannot edit policies; read-only.

RoleManagement.Read.Directory
What it lets us read: Directory role assignments — who has Global Admin, who has PIM eligibility, etc.
What it does NOT grant: Cannot grant, modify, or remove role assignments.

IdentityProvider.Read.All
What it lets us read: External identity provider configuration (B2B / B2C federated providers).
What it does NOT grant: Cannot add or remove identity providers.

SecurityEvents.Read.All
What it lets us read: Microsoft Defender / security alert metadata.
What it does NOT grant: Cannot dismiss, action, or modify alerts.
Batch C — SharePoint, Teams & Exchange posture
23 additional checks covering email security, collaboration settings, and data sharing.
Sites.Read.All
What it lets us read: SharePoint and OneDrive site metadata, sharing settings.
What it does NOT grant: Cannot read document content. Cannot modify sharing.

TeamSettings.Read.All
What it lets us read: Microsoft Teams team settings (guest access, member roles).
What it does NOT grant: Cannot read messages or files.

Channel.ReadBasic.All
What it lets us read: Channel names, IDs, membership type per team.
What it does NOT grant: No channel message content.

TeamsAppInstallation.ReadForTeam.All
What it lets us read: Which Teams apps are installed where (used for app-governance checks).
What it does NOT grant: Cannot install, remove, or update any app.

Mail.Read
What it lets us read: Mailbox configuration only — used to evaluate inbox forwarding rules and similar settings.
What it does NOT grant: No reading of message bodies, attachments, or subjects in user-facing reports. We never surface mail content.

MailboxSettings.Read
What it lets us read: Mailbox-level settings: language, automatic replies, working hours, forwarding state.
What it does NOT grant: No write of any setting; no message content.
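The Mail.Read entry above exists only to evaluate inbox forwarding rules. As an added illustration (this is not ScanPosture's code), the script below shows what such a check looks like when run over the JSON that Microsoft Graph returns from GET /users/{id}/mailFolders/inbox/messageRules: it examines rule metadata only, never message content, and reports any rule whose forward, forward-as-attachment or redirect action points outside the organisation's own domains. The sample rules and the internal domain list are constructed for this example.

```python
"""Flag inbox rules that forward or redirect mail outside the tenant.

Added example, not ScanPosture code. Works on the JSON shape returned by
Microsoft Graph's messageRules endpoint; only rule metadata is inspected.
"""

# Constructed: the domains your organisation owns. Anything else is "external".
INTERNAL_DOMAINS = {"contoso.example"}

# Graph messageRule actions that move a copy of mail to another recipient.
FORWARDING_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")

# Constructed sample of three rules as Graph would return them.
SAMPLE_RULES = [
    {   # Legitimate: forwards to an internal mailbox
        "id": "r1", "displayName": "Vendor invoices", "isEnabled": True,
        "actions": {"forwardTo": [{"emailAddress": {"address": "finance@contoso.example"}}],
                    "markAsRead": True},
    },
    {   # Suspicious: forwards externally and deletes the original
        "id": "r2", "displayName": ".", "isEnabled": True,
        "actions": {"forwardTo": [{"emailAddress": {"address": "archive@mailbox.example"}}],
                    "delete": True, "stopProcessingRules": True},
    },
    {   # Disabled, but still redirects externally if re-enabled
        "id": "r3", "displayName": "Old redirect", "isEnabled": False,
        "actions": {"redirectTo": [{"emailAddress": {"address": "me@personal.example"}}]},
    },
]


def _addresses(recipients):
    """Pull SMTP addresses out of a Graph recipient list (tolerates missing fields)."""
    out = []
    for r in recipients or []:
        addr = (r.get("emailAddress") or {}).get("address")
        if addr:
            out.append(addr)
    return out


def external_targets(rule, internal_domains):
    """Return (action, address) pairs whose address is not in an internal domain."""
    internal = {d.lower() for d in internal_domains}
    actions = rule.get("actions") or {}
    targets = []
    for key in FORWARDING_ACTIONS:
        for addr in _addresses(actions.get(key)):
            # An address with no '@' cannot be proven internal, so it is flagged too.
            domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
            if domain not in internal:
                targets.append((key, addr))
    return targets


def find_suspicious_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Report every rule with an external forwarding target.

    Disabled rules are reported as well (with enabled=False) because a
    disabled rule can be switched back on without re-creating it.
    """
    findings = []
    for rule in rules:
        targets = external_targets(rule, internal_domains)
        if not targets:
            continue
        actions = rule.get("actions") or {}
        findings.append({
            "rule": rule.get("displayName", ""),
            "enabled": bool(rule.get("isEnabled", True)),
            "targets": targets,
            # Forwarding combined with deleting the original hides the activity
            # from the mailbox owner, so it is worth surfacing separately.
            "also_deletes": bool(actions.get("delete")),
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rules(SAMPLE_RULES):
        state = "enabled" if f["enabled"] else "disabled"
        print(f'rule "{f["rule"]}" ({state}) -> {f["targets"]} deletes={f["also_deletes"]}')
```

Note that nothing here touches message bodies or subjects, which is the whole point of the page's argument for Mail.Read: the forwarding-rule check needs only the rule objects.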
Why Mail.Read is on the list
ScanPosture uses Mail.Read exclusively to evaluate inbox forwarding rules — a common attacker persistence technique. The application never displays, exports, indexes, or stores message content. If your organisation is unable to grant Mail.Read, omit batch C and the related forwarding-rule check will skip cleanly with a documented reason.

Batch D — Usage reports
Activity-based checks (e.g. inactive Teams, dormant app registrations) that otherwise silently skip.
Reports.Read.All
What it lets us read: Microsoft 365 usage reports — Teams activity, app sign-in activity.
What it does NOT grant: No mailbox content; aggregate usage only.
Batch E — Exchange Online admin REST
Six checks that use Exchange admin cmdlets through the REST admin API (mailbox auditing state, transport rules, distribution lists accepting external mail, etc.).
Exchange.ManageAsApp
What it lets us read: Run read-only Exchange admin cmdlets (Get-Mailbox, Get-TransportRule, Get-DistributionGroup) as the application identity.
What it does NOT grant: Even though the scope is named "ManageAsApp", ScanPosture only invokes Get-* cmdlets — never Set-* or Remove-*.
Manual setup required
Exchange.ManageAsApp granted. ScanPosture detects the missing role and surfaces the affected checks as skipped, never as failed.

Batch F — Azure Resource Manager (optional)
Two checks that read Entra ID diagnostic-settings under the Microsoft.aadiam provider.
No API permissions — RBAC only
Batch G — SharePoint Online tenant admin
Three checks that read tenant-wide sharing & sync settings via the SPO REST tenant-admin endpoint.
Sites.FullControl.All
What it lets us read: Read tenant-wide sharing settings (guest-link expiration, default sharing-link type, OneDrive device restriction). This is the SharePoint-native permission, not the Graph one — Graph Sites.Read.All does not grant tenant-admin reads.
What it does NOT grant: Despite the scary name, ScanPosture only invokes the read endpoints on the SPO.Tenant object. No site provisioning, no permission changes, no content modification.
Why the scope name is misleading
Sites.FullControl.All is the only scope that exposes tenant-admin sharing settings — there’s no read-only equivalent. ScanPosture’s code path for batch G is restricted to GET requests against the tenant-admin endpoint and is covered by the same audit log as every other Graph call. If your organisation cannot grant this scope, omit batch G and the three tenant-sharing checks skip with a documented reason.

Granting consent
Admin consent for every batch is granted via the standard Microsoft /adminconsent flow. ScanPosture redirects your Global Administrator to the Microsoft consent page at the start of onboarding. You’ll see ScanPosture listed as a Microsoft-verified publisher — that’s the green tick badge on the consent screen. Consent is recorded against the tenant, not against an individual user.
Delegating consent to a Global Admin
Revoking access
You can revoke ScanPosture’s access at any time:
- Microsoft Entra admin center → Identity → Applications → Enterprise applications → ScanPosture → Permissions → remove the granted permissions, OR
- Microsoft Entra admin center → Identity → Applications → Enterprise applications → ScanPosture → delete the application registration outright.
Revocation is immediate and total — every subsequent Graph call from ScanPosture will return 401 and the affected checks will surface as skipped on the next scan attempt. ScanPosture also exposes a one-click Disconnect tenant button inside the app itself for the same effect.
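The read-only claim at the top of this page, and the revocation steps just above, are both things a tenant admin can verify independently rather than take on trust. The script below is an added example (not ScanPosture's code) that resolves a service principal's appRoleAssignments against the publishing resource's appRoles and classifies each granted scope by name. It is deliberately stricter than the page's own definition of a write scope: it also surfaces FullControl so that Sites.FullControl.All shows up for review against the batch G justification. All ids and records are constructed placeholders; in a real tenant you would load the same two shapes from GET /servicePrincipals/{clientSpId}/appRoleAssignments and GET /servicePrincipals/{resourceSpId}?$select=appRoles, and after revocation the assignments list should come back empty.

```python
"""Audit which application permissions an enterprise app actually holds.

Added example, not ScanPosture code. Input shapes mirror Microsoft Graph's
appRoleAssignments and appRoles responses; all ids below are placeholders.
"""
import re

# Scopes whose name looks write-capable but which the vendor documents as
# read-only in practice (the page explains Exchange.ManageAsApp this way).
DOCUMENTED_EXCEPTIONS = {"Exchange.ManageAsApp"}

# Name fragments that indicate a scope can change tenant state. FullControl is
# included deliberately so Sites.FullControl.All is surfaced for review.
WRITE_CAPABLE = re.compile(r"\.(Write|ReadWrite|Manage|Send|FullControl)\b")

# Constructed: appRoles published by each resource service principal,
# keyed by that resource's object id (placeholder ids, not Microsoft's).
RESOURCE_APP_ROLES = {
    "graph-sp-id": [
        {"id": "role-1", "value": "Directory.Read.All"},
        {"id": "role-2", "value": "Mail.Read"},
        {"id": "role-3", "value": "Mail.ReadWrite"},
    ],
    "exo-sp-id": [{"id": "role-4", "value": "Exchange.ManageAsApp"}],
    "spo-sp-id": [{"id": "role-5", "value": "Sites.FullControl.All"}],
}

# Constructed: what appRoleAssignments returns for the client service principal.
# The last entry references an appRoleId the resource no longer publishes.
ASSIGNMENTS = [
    {"appRoleId": "role-1", "resourceId": "graph-sp-id"},
    {"appRoleId": "role-3", "resourceId": "graph-sp-id"},
    {"appRoleId": "role-4", "resourceId": "exo-sp-id"},
    {"appRoleId": "role-5", "resourceId": "spo-sp-id"},
    {"appRoleId": "role-stale", "resourceId": "graph-sp-id"},
]

UNKNOWN = "<unknown>"


def classify(scope):
    """Verdict for a single scope string, by name only."""
    if scope == UNKNOWN:
        return "unresolved"
    if scope in DOCUMENTED_EXCEPTIONS:
        return "read-only (documented exception)"
    if WRITE_CAPABLE.search(scope):
        return "write-capable"
    return "read-only"


def resolve_scopes(assignments, app_roles_by_resource):
    """Map each assignment to (resourceId, scope value); UNKNOWN if the id no longer resolves."""
    resolved = []
    for a in assignments:
        roles = app_roles_by_resource.get(a["resourceId"], [])
        value = next((r["value"] for r in roles if r["id"] == a["appRoleId"]), UNKNOWN)
        resolved.append((a["resourceId"], value))
    return resolved


def audit(assignments, app_roles_by_resource):
    """One finding per granted application permission."""
    return [
        {"resource": res, "scope": scope, "verdict": classify(scope)}
        for res, scope in resolve_scopes(assignments, app_roles_by_resource)
    ]


def write_capable_scopes(assignments, app_roles_by_resource):
    """Sorted list of granted scopes that need a justification before you accept them."""
    return sorted(f["scope"] for f in audit(assignments, app_roles_by_resource)
                  if f["verdict"] == "write-capable")


if __name__ == "__main__":
    for f in audit(ASSIGNMENTS, RESOURCE_APP_ROLES):
        print(f'{f["scope"]:28} {f["verdict"]:36} ({f["resource"]})')
    print("needs review:", write_capable_scopes(ASSIGNMENTS, RESOURCE_APP_ROLES))
```

Run this against the ScanPosture service principal before consenting to a new batch and again after revoking: the first run should show nothing beyond the scopes listed on this page, and the second should show no assignments at all.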
Want the full source? The exact list above is generated from our app’s permission manifest — the same file the production app reads at consent time, so this page can’t drift from the running configuration.
Still got questions? Email hello@scanposture.com — UK working days, real human, same-day reply.