Credentials and permissions list

  • Last update on April 10th, 2024

Here is the complete list of all the credentials and permissions that are requested during the onboarding process.

Credentials

Owner account

During the first steps of the onboarding process, you will be prompted to enter the User Principal Name and password for a Microsoft 365 account. 

This account serves as the ownership account and must have specific characteristics:

  • It must be a valid Microsoft Office 365 organizational account, meaning one that is associated with a work or school account.
  • The account must be granted the Global Administrator role.
  • It does not require an assigned Office 365 license.
  • It can be a cloud-only account.

Remember that the administrative credentials (Microsoft 365 admin username and password) you provide during sign-up are not stored or retained by CoreView.

 
 

Service accounts

To import reporting data, CoreView creates service accounts for your Microsoft 365 tenant.

Here are the key points of their creation:

  • They are read-only accounts, assigned the Global Reader and Reports Reader permissions.
  • The number of accounts created depends on the size of your tenant, ranging from 2 to 10
  • They are solely used for connecting to your tenant and collecting reporting data.
  • They are not authorized to make any changes within your environment.
  • They do not require Office 365 licensing. 

Remember not to delete the service accounts after onboarding, or the import of data into CoreView will stop working. Also, remember not to remove the granted permissions for the CoreView Registration App.

 
 
 

Permissions

Mandatory permissions

To grant during Microsoft 365 login

These permissions are requested during the activation link and Microsoft login step of the onboarding.

The application CoreView Portal is created as soon as the first user logs into the portal. It is required for the user to log into the CoreView web interface. It asks for the following permissions:

  • [Azure Active Directory Graph] Sign in and read user profile: allows users to sign into the app with their work or school accounts and allows the app to see basic user profile information. 
  • [Microsoft Graph] Sign in and read user profile: allows users to sign into the app with their work or school accounts and allows the app to see basic user profile information. 
 
 

To grant for Integration App

These permissions are requested during the grant consent step of onboarding.

The CoreView Integration App uses the Graph API and the Office 365 Management API to collect reporting data from your tenant. It will ask you for these permissions:

Microsoft Graph:

  • Read all groups: allows the app to read group properties and memberships, and read the calendar and conversations for all groups, without a signed-in user.
  • Read all directory RBAC settings: allows the app to read the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes reading directory role templates, directory roles, and memberships. 
  • Read organization information: allows the app to read the organization and related resources, without a signed-in user. Related resources include things like subscribed SKUs and tenant branding information.
  • Read all hidden memberships: allows the app to read the memberships of hidden groups and administrative units without a signed-in user.
  • Read Microsoft Intune device configuration and policies: allows the app to read properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups, without a signed-in user.
  • Read Microsoft Intune apps: allows the app to read the properties, group assignments, and status of apps, app configurations, and app protection policies managed by Microsoft Intune, without a signed-in user.
  • Read Microsoft Intune devices: allows the app to read the properties of devices managed by Microsoft Intune, without a signed-in user.
  • Read Microsoft Intune RBAC settings: allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings, without a signed-in user.
  • Read Microsoft Intune configuration: allows the app to read Microsoft Intune service properties including device enrollment and third-party service connection configuration, without a signed-in user.
  • Read all administrative units: allows the app to read administrative units and administrative unit membership without a signed-in user.
  • Read your organization's security actions: allows the app to read security actions, without a signed-in user.
  • Read your organization’s security events: allows the app to read your organization’s security events without a signed-in user.
  • Read all identity risk event information: allows the app to read the identity risk event information for your organization without a signed in user.
  • Read all identity risky user information: allows the app to read the identity risky user information for your organization without a signed-in user.
  • Read all users' full profiles: allows the app to read user profiles without a signed-in user.
  • Read all audit log data: allows the app to read and query your audit log activities, without a signed-in user.
  • Read all access reviews: allows the app to read access reviews on behalf of the signed-in user.
  • Read all usage reports: allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Office 365 and Azure Active Directory.
  • Read all user mailbox settings: allows the app to read the user's mailbox settings without a signed-in user. Does not include permission to send mail.
  • Read directory data: allows the app to read data in your organization's directory, such as users, groups, and apps, without a signed-in user.
  • Read all identity user flows: allows the app to read your organization's user flows, without a signed-in user.
  • Read all users' teamwork activity feed: allows the app to read all users' teamwork activity feed, without a signed-in user.
  • Read all applications: allows the app to read applications and service principles on behalf of the signed-in user.
  • Read all group memberships: allows the app to read memberships and basic group properties for all groups without a signed-in user.
  • Read all call records: allows the app to read call records for all calls and online meetings without a signed-in user.
  • Read all users' authentication methods:
  • Get a list of all teams: get a list of all teams, without a signed-in user.
  • Read the names and descriptions of all channels: read all channel names and channel descriptions, without a signed-in user.
  • Read the members of all teams: read the members of all teams, without a signed-in user.
  • Read the members of all channels: read the members of all channels, without a signed-in user.
  • Read service health: allows the app to read your tenant's service health information, without a signed-in user. Health information may include service issues or service health overviews.
  • Read service messages: allows the app to read your tenant's service announcement messages, without a signed-in user. Messages may include information about new or changed features.
  • Sign in and read user profile: Allows you to sign in to the app with your organizational account and let the app read your profile. It also allows the app to read basic company information.

Office 365 Management APIs:

  • Read activity data for your organization: allows the app to read activity data for your organization.
  • Read DLP policy events including detected sensitive data: allows the app to read DLP policy events, including detected sensitive data, for your organization. 
 
 

To grant for Registration App

These permissions are requested during the grant consent step of onboarding.

The CoreView Registration App is a temporary application used to create service accounts and can be removed from tenants immediately after the signup process. It will ask you for these permissions:

  • [Microsoft Graph] Read and write all directory RBAC settings: used to assign Global Reader role to our Service Accounts 
  • [Microsoft Graph] Read and write all users' full profiles: used to create Service Accounts on Azure AD 
  • [Microsoft Graph] Sign in and read user profile: used to perform SSO from Azure AD to CoreView platform 
 
 

Additional consents

After onboarding, when your CoreView Tenant is ready and you log in to the platform, you will be able to provide:

Please be aware that the number of CoreView app integrations may vary. We assess your tenant and, based on its size and transaction volume, we dynamically generate the necessary number of apps to manage the load CoreView requires.

 

Additional resources

For more information on Microsoft rights please refer to:

Azure Active Directory Graph API

Microsoft Graph permissions reference

Office 365 Management Activity API