List of CoreView Enterprise applications

  • Last update on June 9th, 2025

CoreView adds Enterprise Applications to your Entra ID for proper functioning. 
You can find them in the Enterprise applications section in your Microsoft Entra admin center.

Some are added during onboarding and are mandatory, while others are optional and can be added or removed directly from CoreView. To use these applications, permissions must be granted. 

Here is the list of the apps, their purpose, and links to complete and detailed lists of the permissions to be provided:


Onboarding

CoreView utilizes the following applications to onboard and import data from your Microsoft 365 tenant. Granting consent to these applications is mandatory.

CoreView Portal

These permissions are requested during the activation link and Microsoft 365 login step of the onboarding.

The application CoreView Portal is created as soon as the first user logs into the portal. It is required for the user to log into the CoreView web interface. 

Permissions list

The CoreView Portal app asks for the following permissions:

  • Delegated - [Azure Active Directory Graph] Sign in and read user profile: allows users to sign into the app with their work or school accounts and allows the app to see basic user profile information. 
  • Delegated - [Microsoft Graph] Sign in and read user profile: allows users to sign into the app with their work or school accounts and allows the app to see basic user profile information. 
 
 

CoreView API Integration (Integration App)

These permissions are requested during the consent-granting step of onboarding, which is necessary to complete the onboarding process and ensure the proper functioning of CoreView.

The CoreView Integration App uses the Graph API and the Office 365 Management API to collect reporting data from your tenant. By using this app, you provide consent to a set of permissions necessary for accessing these APIs.

  • See the Grant consent article in the onboarding documentation for instructions on granting permissions to the Integration App.

Permissions list

The Integration App asks for the following permissions:

Microsoft Graph:

  • Application - Read all groups: allows the app to read group properties and memberships, and read the calendar and conversations for all groups, without a signed-in user.
  • Application - Read all directory RBAC settings: allows the app to read the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes reading directory role templates, directory roles, and memberships. 
  • Application - Read organization information: allows the app to read the organization and related resources, without a signed-in user. Related resources include things like subscribed SKUs and tenant branding information.
  • Application - Read all hidden memberships: allows the app to read the memberships of hidden groups and administrative units without a signed-in user.
  • Application - Read Microsoft Intune device configuration and policies: allows the app to read properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups, without a signed-in user.
  • Application - Read Microsoft Intune apps: allows the app to read the properties, group assignments, and status of apps, app configurations, and app protection policies managed by Microsoft Intune, without a signed-in user.
  • Application - Read Microsoft Intune devices: allows the app to read the properties of devices managed by Microsoft Intune, without a signed-in user.
  • Application - Read Microsoft Intune RBAC settings: allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings, without a signed-in user.
  • Application - Read Microsoft Intune configuration: allows the app to read Microsoft Intune service properties including device enrollment and third-party service connection configuration, without a signed-in user.
  • Application - Read all administrative units: allows the app to read administrative units and administrative unit membership without a signed-in user.
  • Application - Read your organization's security actions: allows the app to read security actions, without a signed-in user.
  • Application - Read your organization’s security events: allows the app to read your organization’s security events without a signed-in user.
  • Application - Read all identity risk event information: allows the app to read the identity risk event information for your organization without a signed-in user.
  • Application - Read all identity risky user information: allows the app to read the identity risky user information for your organization without a signed-in user.
  • Application - Read all users' full profiles: allows the app to read user profiles without a signed-in user.
  • Application - Read all audit log data: allows the app to read and query your audit log activities, without a signed-in user.
  • Application - Read all access reviews: allows the app to read access reviews on behalf of the signed-in user.
  • Application - Read all usage reports: allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Office 365 and Azure Active Directory.
  • Application - Read all user mailbox settings: allows the app to read the user's mailbox settings without a signed-in user. Does not include permission to send mail.
  • Application - Read directory data: allows the app to read data in your organization's directory, such as users, groups, and apps, without a signed-in user.
  • Application - Read all identity user flows: allows the app to read your organization's user flows, without a signed-in user.
  • Application - Read all users' teamwork activity feed: allows the app to read all users' teamwork activity feed, without a signed-in user.
  • Application - Read all applications: allows the app to read applications and service principals on behalf of the signed-in user.
  • Application - Read all group memberships: allows the app to read memberships and basic group properties for all groups without a signed-in user.
  • Application - Read all call records: allows the app to read call records for all calls and online meetings without a signed-in user.
  • Application - Read all users' authentication methods:
  • Application - Get a list of all teams: get a list of all teams, without a signed-in user.
  • Application - Read the names and descriptions of all channels: read all channel names and channel descriptions, without a signed-in user.
  • Application - Read the members of all teams: read the members of all teams, without a signed-in user.
  • Application - Read the members of all channels: read the members of all channels, without a signed-in user.
  • Application - Read service health: allows the app to read your tenant's service health information, without a signed-in user. Health information may include service issues or service health overviews.
  • Application - Read service messages: allows the app to read your tenant's service announcement messages, without a signed-in user. Messages may include information about new or changed features.
  • Application - Sign in and read user profile: Allows you to sign in to the app with your organizational account and let the app read your profile. It also allows the app to read basic company information.

Office 365 Management APIs:

  • Application - Read activity data for your organization: allows the app to read activity data for your organization.
  • Application - Read DLP policy events including detected sensitive data: allows the app to read DLP policy events, including detected sensitive data, for your organization. 
 
 

CoreView Registration (Registration App)

These permissions are requested during the consent-granting step of the onboarding process.

The CoreView Registration App is a temporary application used to create service accounts, which can be removed from tenants immediately after the signup process.

  • If you completed onboarding after August 2024, the Registration App will be automatically removed once the process is finished.
  • If, however, you completed onboarding before August 2024, you can manually remove the app directly from Azure after onboarding is complete.
 

In addition to onboarding, there are some processes that require permissions from the Registration App. In any case, the app will be automatically deleted at the end of the process.

 

This app is necessary to complete the onboarding process and ensure the proper functioning of CoreView. By using this app, specific read-only, non-interactive accounts are created to connect to your tenant and collect reporting data.

Please note that service accounts must not be removed; doing so will prevent the application from working properly. Alternatively, you can manually enter previously created service accounts in the Microsoft 365 Admin Center without granting CoreView any additional permissions.

  • For more information about what these accounts are, their purpose and characteristics, and how you can identify them in Entra ID, see the Grant consent article in the onboarding documentation.
  • Instructions on how to create service accounts automatically and manually are provided in the Grant consent article in the onboarding documentation.

Permissions list

The Registration App asks for the following permissions:

  • Application - [Microsoft Graph] Read and write all applications: used to create Graph Management single tenant application
  • Application - [Microsoft Graph] Read and write all directory RBAC settings: used to assign Global Reader role to our Service Accounts 
  • Application - [Microsoft Graph] Read and write all users' full profiles: used to create Service Accounts on Azure AD 
  • Delegated - [Microsoft Graph] Sign in and read user profile: used to perform SSO from Azure AD to CoreView platform
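The following check is an added example, not CoreView's or Microsoft's code: it audits an exported list of enterprise applications against the permission lists on this page, reports a Registration App that is still present after onboarding, and reports grants that differ from the documented ones. The export format, the display names used as keys, and the mapping from the descriptions above to Graph permission values are assumptions; the sample export is constructed.

```python
from dataclasses import dataclass

# Documented baseline from this page: Registration App (above) and CoreView SSO
# (listed under "Access"). Mapping the display text to Graph permission values
# is an assumption, based on the matching descriptions in the Configuration
# Manager Management App list on this page.
BASELINE = {
    "CoreView Registration": {
        ("Application", "Application.ReadWrite.All"),
        ("Application", "RoleManagement.ReadWrite.Directory"),
        ("Application", "User.ReadWrite.All"),
        ("Delegated", "User.Read"),
    },
    "CoreView SSO": {
        ("Delegated", "openid"),
        ("Delegated", "profile"),
        ("Delegated", "User.Read"),
        ("Delegated", "email"),
    },
}
# The page describes the Registration App as temporary: it should not remain
# in the tenant once onboarding (or the process that needed it) has finished.
TEMPORARY_APPS = {"CoreView Registration"}


@dataclass(frozen=True)
class Finding:
    app: str
    kind: str
    detail: str


def audit(service_principals):
    """Compare each known app's grants with the documented baseline."""
    findings = []
    for sp in service_principals:
        name = sp["displayName"]
        if name not in BASELINE:
            continue  # not an app covered by this baseline
        granted = {(g["type"], g["value"]) for g in sp["grants"]}
        if name in TEMPORARY_APPS:
            # Report which tenant-wide write permissions the leftover app holds.
            writes = sorted(v for t, v in granted
                            if t == "Application" and ".ReadWrite." in v)
            findings.append(Finding(name, "temporary-app-present", ", ".join(writes)))
        else:
            for typ, value in sorted(BASELINE[name] - granted):
                findings.append(Finding(name, "missing-permission", f"{typ} {value}"))
        for typ, value in sorted(granted - BASELINE[name]):
            findings.append(Finding(name, "undocumented-permission", f"{typ} {value}"))
    return findings


def grants(typ, *values):
    return [{"type": typ, "value": v} for v in values]


# Constructed sample export (hypothetical format, not real tenant data).
SAMPLE_EXPORT = [
    {"displayName": "CoreView Registration",
     "grants": grants("Application", "Application.ReadWrite.All",
                      "RoleManagement.ReadWrite.Directory", "User.ReadWrite.All")
               + grants("Delegated", "User.Read")},
    {"displayName": "CoreView SSO",
     "grants": grants("Delegated", "openid", "profile", "User.Read", "email",
                      "Mail.Read")},  # Mail.Read is not in the documented list
    {"displayName": "Contoso HR", "grants": grants("Delegated", "User.Read")},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f"{f.app}: {f.kind}: {f.detail}")
```
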
 
 

Configuration Manager Management App

This app enables you to onboard Configuration Manager and provide all necessary permissions for its operation within the tenant.

Permissions list

The Configuration Manager Management App asks for the following permissions:

Azure Service Management:

  • Delegated – user_impersonation: access Azure Resource Manager as organization users

Microsoft Graph:

  • Application – AccessReview.ReadWrite.All: manage all access reviews
  • Delegated – AccessReview.ReadWrite.All: manage all access reviews that user can access
  • Application – Agreement.ReadWrite.All: read and write all terms of use agreements
  • Delegated – Agreement.ReadWrite.All: read and write all terms of use agreements
  • Application – Application.ReadWrite.All: read and write all applications
  • Delegated – Application.ReadWrite.All: read and write all applications
  • Application – AppRoleAssignment.ReadWrite.All: manage app permission grants and app role assignments
  • Delegated – AppRoleAssignment.ReadWrite.All: manage app permission grants and app role assignments
  • Application – AuditLog.Read.All: read all audit log data
  • Delegated – AuditLog.Read.All: read audit log data
  • Application – CustomSecAttributeDefinition.ReadWrite.All: read and write custom security attribute definitions
  • Delegated – CustomSecAttributeDefinition.ReadWrite.All: read and write custom security attribute definitions
  • Application – DeviceManagementApps.ReadWrite.All: read and write Microsoft Intune apps
  • Delegated – DeviceManagementApps.ReadWrite.All: read and write Microsoft Intune apps
  • Application – DeviceManagementConfiguration.ReadWrite.All: read and write Microsoft Intune device configuration and policies
  • Delegated – DeviceManagementConfiguration.ReadWrite.All: read and write Microsoft Intune device configuration and policies
  • Application – DeviceManagementManagedDevices.ReadWrite.All: read and write Microsoft Intune devices
  • Delegated – DeviceManagementManagedDevices.ReadWrite.All: read and write Microsoft Intune devices
  • Application – DeviceManagementRBAC.ReadWrite.All: read and write Microsoft Intune RBAC settings
  • Delegated – DeviceManagementRBAC.ReadWrite.All: read and write Microsoft Intune RBAC settings
  • Application – DeviceManagementServiceConfig.ReadWrite.All: read and write Microsoft Intune configuration
  • Delegated – DeviceManagementServiceConfig.ReadWrite.All: read and write Microsoft Intune configuration
  • Application – Directory.ReadWrite.All: read and write directory data
  • Delegated – Directory.ReadWrite.All: read and write directory data
  • Application – Domain.ReadWrite.All: read and write domains
  • Delegated – Domain.ReadWrite.All: read and write domains
  • Application – EntitlementManagement.ReadWrite.All: read and write all entitlement management resources
  • Delegated – EntitlementManagement.ReadWrite.All: read and write entitlement management resources
  • Application – Group.ReadWrite.All: read and write all groups
  • Delegated – Group.ReadWrite.All: read and write all groups
  • Application – IdentityRiskEvent.ReadWrite.All: read and write all risk detection information
  • Delegated – IdentityRiskEvent.ReadWrite.All: read and write risk event information
  • Application – IdentityRiskyUser.Read.All: read all identity risky user information
  • Delegated – IdentityRiskyUser.Read.All: read identity risky user information
  • Application – OnPremDirectorySynchronization.ReadWrite.All: read and write all on-premises directory synchronization information
  • Delegated – OnPremDirectorySynchronization.ReadWrite.All: read and write all on-premises directory synchronization information
  • Application – Organization.ReadWrite.All: read and write organization information
  • Delegated – Organization.ReadWrite.All: read and write organization information
  • Application – Policy.Read.All: read your organization's policies
  • Delegated – Policy.Read.All: read your organization's policies
  • Application – Policy.ReadWrite.AccessReview: read and write your organization's directory access review default policy
  • Delegated – Policy.ReadWrite.AccessReview: read and write your organization's directory access review default policy
  • Application – Policy.ReadWrite.ApplicationConfiguration: read and write your organization's application configuration policies
  • Delegated – Policy.ReadWrite.ApplicationConfiguration: read and write your organization's application configuration policies
  • Application – Policy.ReadWrite.AuthenticationFlows: read and write authentication flow policies
  • Delegated – Policy.ReadWrite.AuthenticationFlows: read and write authentication flow policies
  • Application – Policy.ReadWrite.AuthenticationMethod: read and write all authentication method policies
  • Delegated – Policy.ReadWrite.AuthenticationMethod: read and write authentication method policies
  • Application – Policy.ReadWrite.Authorization: read and write your organization's authorization policy
  • Delegated – Policy.ReadWrite.Authorization: read and write your organization's authorization policy
  • Application – Policy.ReadWrite.ConditionalAccess: read and write your organization's conditional access policies
  • Delegated – Policy.ReadWrite.ConditionalAccess: read and write your organization's conditional access policies
  • Application – Policy.ReadWrite.ConsentRequest: read and write your organization's consent request policy
  • Delegated – Policy.ReadWrite.ConsentRequest: read and write consent request policy
  • Application – Policy.ReadWrite.CrossTenantAccess: read and write your organization's cross tenant access policies
  • Delegated – Policy.ReadWrite.CrossTenantAccess: read and write your organization's cross tenant access policies
  • Application – Policy.ReadWrite.DeviceConfiguration: read and write your organization's device configuration policies
  • Application – Policy.ReadWrite.FeatureRollout: read and write feature rollout policies
  • Delegated – Policy.ReadWrite.FeatureRollout: read and write your organization's feature rollout policies
  • Application – Policy.ReadWrite.IdentityProtection: read and write your organization’s identity protection policy
  • Delegated – Policy.ReadWrite.IdentityProtection: read and write your organization’s identity protection policy
  • Application – Policy.ReadWrite.PermissionGrant: manage consent and permission grant policies
  • Delegated – Policy.ReadWrite.PermissionGrant: manage consent and permission grant policies
  • Application – Policy.ReadWrite.TrustFramework: read and write your organization's trust framework policies
  • Delegated – Policy.ReadWrite.TrustFramework: read and write your organization's trust framework policies
  • Application – RoleManagement.ReadWrite.Directory: read and write all directory RBAC settings
  • Delegated – RoleManagement.ReadWrite.Directory: read and write directory RBAC settings
  • Application – SharePointTenantSettings.ReadWrite.All: read and change SharePoint and OneDrive tenant settings
  • Delegated – SharePointTenantSettings.ReadWrite.All: read and change SharePoint and OneDrive tenant settings
  • Application – Sites.ReadWrite.All: read and write items in all site collections
  • Delegated – Sites.ReadWrite.All: edit or delete items in all site collections
  • Application – TeamworkDevice.ReadWrite.All: read and write Teams devices
  • Delegated – TeamworkDevice.ReadWrite.All: read and write Teams devices
  • Application – ThreatSubmissionPolicy.ReadWrite.All: read and write all of the organization's threat submission policies
  • Delegated – ThreatSubmissionPolicy.ReadWrite.All: read and write all threat submission policies
  • Application – User.ReadWrite.All: read and write all users' full profiles
  • Delegated – User.ReadWrite.All: read and write all users' full profiles

Office 365 Exchange Online:

  • Delegated – Exchange.Manage: manage Exchange configuration
  • Application – Exchange.ManageAsApp: manage Exchange as application

Office 365 Management APIs:

  • Application – ActivityFeed.Read: read activity data for your organization
  • Delegated – ActivityFeed.Read: read activity data for your organization
  • Application – ServiceHealth.Read: read service health information for your organization
  • Delegated – ServiceHealth.Read: read service health information for your organization

Power BI Service:

  • Application – Tenant.ReadWrite.All: read and write all content in tenant
  • Delegated – Tenant.ReadWrite.All: read and write all content in tenant

SharePoint:

  • Delegated – AllSites.FullControl: have full control of all site collections
  • Application – Sites.FullControl.All: have full control of all site collections
  • Application – TermStore.ReadWrite.All: read and write managed metadata
  • Delegated – TermStore.ReadWrite.All: read and write managed metadata

Skype and Teams Tenant Admin API:

  • Application – application_access: application_access
  • Delegated – user_impersonation: access Microsoft Teams and Skype for Business data as the signed in user

Windows Store for Business:

  • Application – bspadmin: administrator
  • Delegated – user_impersonation: access Windows Store for Business
 
 

Access

CoreView SSO

This app provides access for all operators via SSO. The app is added to Entra ID upon the first login following onboarding. Each operator, upon their first access to CoreView, will need to grant permissions.

Permissions list

The CoreView SSO asks for the following permissions:

  • Delegated - [Microsoft Graph] openid: sign users in 
  • Delegated - [Microsoft Graph] profile: view users' basic profile 
  • Delegated - [Microsoft Graph] User.Read: sign in and read user profile
  • Delegated - [Microsoft Graph] email: view users' email address 
 
 

Partner Portal Web

The Partner Portal Web is a user-facing application that allows operators to authenticate and register through a web interface, providing direct access to the partner portal's features.

Partner Portal API

This app serves as a backend service that enables secure authentication and registration for external systems, allowing them to programmatically connect and integrate with the Partner Portal.

A note about Partner Portal Web and Partner Portal API

These two applications are complementary, meaning that together they create a cohesive system:

  • The Partner Portal Web app offers user-facing functionality, allowing users to interact with the system directly.
  • The Partner Portal API provides programmatic functionality, enabling other systems to integrate and communicate.
  • Both apps trust each other, ensuring secure communication and maintaining consistency in user authentication and registration across different platforms.

Extra consents

For CoreView to work properly with applications like Endpoint, BitLocker, and SharePoint, it's crucial to grant the required permissions to the CoreView application on the Microsoft side.

These apps are optional, but they must be activated to use all functionalities. You can grant or revoke permissions for these apps at any time directly from CoreView. To do this, refer to the Consent management article in the CoreView product manual.

CoreView Management Integration

If Endpoint manager permissions are not granted to the CoreView app on the Microsoft side, CoreView cannot perform actions using the Endpoint manager module. This set of permissions is required because Endpoint manager actions do not use PowerShell cmdlets; instead, they utilize Graph APIs, which require a different set of permissions.

Permissions list

CoreView Management Integration requires the following Entra ID application permissions:

  • Application - [Microsoft Graph] Device management managed devices privileged operations all: perform user-impacting remote actions on Microsoft Intune devices
  • Application - [Microsoft Graph] Device management managed devices read write all: read and write Microsoft Intune devices
  • Application - [Microsoft Graph] Device management service config read write all: read and write Microsoft Intune configuration
 
 

CoreView SharePoint Integration

To enable SharePoint management actions through CoreView and activate the import process, it is essential to grant additional consent.

Permissions list

CoreView SharePoint Integration requires the following Entra ID application permissions:

  • Delegated - [Azure Active Directory Graph] User read: enable sign-on and read users' profiles
  • Application - [Microsoft Graph] Directory read all: read directory data
  • Application - [Microsoft Graph] Group read write all: read and write all groups
  • Application - [SharePoint] Sites full control all: have full control of all site collections
 
 

CoreView BitLocker API Integration

To ensure that data is displayed in the BitLocker keys report and to be able to view and manage BitLocker keys, it is essential to grant additional consent. This allows for the retrieval of data for the BitLocker keys report.

Permissions list

CoreView BitLocker API requires the following Entra ID application permissions:

  • Delegated - [Microsoft Graph] BitLockerKey read all: read BitLocker keys
  • Delegated - [Microsoft Graph] User read: sign in and read user profile
 
 

CoreView Teams API Integration

You need to provide additional consent to import Teams Voice data (calls, PSTN usage) into CoreView.

Permissions list

CoreView Teams API Integration requires the following Azure AD (now Entra ID) application permissions:

  • Application - [Microsoft Graph] Call records read all: read call records
  • Application - [Microsoft Graph] Read basic all: get a list of all teams
  • Application - [Microsoft Graph] Teams activity read all: read all users' teamwork activity feed
  • Application - [Microsoft Graph] Teams tab read all: read tabs in Microsoft Teams
 
 

CoreView Exchange Integration

Provide consent for the use of multiple Exchange applications to overcome Microsoft's Exchange Service throttling limit.

Permissions list

CoreView Exchange Integration requires the following Entra ID application permissions:

  • Delegated - [Office 365 Exchange Online Module] Access mailboxes as the signed-in user via Exchange Web Services: allows the app to have the same access to mailboxes as the signed-in user via Exchange Web Services.
  • Delegated - [Office 365 Exchange Online Module] Manage Exchange configuration: allows the app to manage the organization's Exchange environment, such as mailboxes, groups, and other configuration objects. To enable management actions, an admin must assign the appropriate roles to the app user.
  • Application - [Office 365 Exchange Online Module] Manage Exchange As Application: allows the app to manage the organization's Exchange environment without any user interaction. This includes mailboxes, groups, and other configuration objects. To enable management actions, an admin must assign the appropriate roles directly to the app.
 
 

Graph Management

This app is necessary for the proper functioning of:

that use the Graph PowerShell module or Graph API endpoints.

By using this app, you will authorize the use of the Microsoft Graph module.
This app is optional, but it needs to be activated to use the functionalities listed above.
You can grant and revoke permissions for this app at any time, directly from CoreView.

  • See the Graph management article for instructions on granting permissions and viewing permission lists.