Summary: Two types of permissions are configured when you integrate the Huntress MDR for Microsoft 365 product into your tenant: the Azure Active Directory roles assigned to the service account, and the API permissions requested by, and consented to for, the Enterprise Application registered within Azure Active Directory.
Azure Active Directory Roles

| ROLE | PURPOSE |
| --- | --- |
| Application administrator | Read and (future) remediate rogue Azure AD applications. |
| Authentication policy administrator | Read auth policy configs and (future) remediate or apply policies. |
| Cloud application administrator | (Future use.) Read and remediate rogue applications installed in Azure AD. |
| Conditional access administrator | Read and correct CA policy configuration that may prevent onboarding/continued use. (Future) Remediate rogue changes to CA policies such as an attacker excluding themselves or their country. |
| Exchange administrator | Read and remediate Exchange configuration changes such as Transport Rules and Spam policies. |
| Intune administrator | (Future) Enumerate device information and apply changes or remediation. |
| Privileged authentication administrator | Remediate and perform changes to Global Admin accounts when required. |
| Security administrator | Read security information and reports, (future) apply policies for posture management, remediate rogue configuration changes. |
| Teams administrator | (Future use.) |
| User administrator | Read and remediate user entity actions such as revoking sign-ins and disabling accounts. |
Enterprise Application API Permissions

Graph API

| PERMISSION REQUESTED | PURPOSE |
| --- | --- |
| Application.ReadWrite.All | Enumeration and remediation of Azure app registrations and enterprise applications. |
| AuditLog.Read.All | Log/event ingest. |
| Directory.AccessAsUser.All | Enumerate active directory entities. |
| Directory.ReadWrite.All | Enumerate user entities. Perform revoke sign-ins and disable user remediation. |
| Domain.Read.All | Enumerate domains assigned to tenant. |
| MailboxSettings.ReadWrite | Enumerate mailbox settings, such as Inbox Rules and forwarding. Perform remediations. |
| Policy.Read.All | Enumerate organization policies. |
| Policy.ReadWrite.ConditionalAccess | Enumerate/modify/remediate conditional access policies and their settings. |
| Reports.Read.All | Read usage reports. Used for billing reconciliation and MFA status. |
| SecurityEvents.Read.All | Log/event ingest. |
| SecurityIncident.Read.All | Log/event ingest. |
| User.Read.All | Enumerate user entities. |
| UserAuthenticationMethod.ReadWrite.All | Enumerate and remediate authentication methods. Perform password resets. |
Partner Center API

| PERMISSION REQUESTED | PURPOSE |
| --- | --- |
| user_impersonation | (CSP only) Access downstream tenant information. |
Exchange API

| PERMISSION REQUESTED | PURPOSE |
| --- | --- |
| Exchange.ManageAsApp | Perform Microsoft Exchange enumerations and remediations. |
O365 Management API

| PERMISSION REQUESTED | PURPOSE |
| --- | --- |
| ActivityFeed.Read | Log/event ingest. |
| ActivityFeed.ReadDlp | (Future use.) Log/event ingest. |
| ServiceHealth.Read | (Future use.) Ingest service health metrics. |
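Because the tables above are the consented baseline, a tenant admin can periodically verify that the Enterprise Application holds exactly these grants and nothing more. The following added example (not Huntress code) joins the shape of Graph's `appRoleAssignments` (appRoleId GUIDs) to the resource's `appRoles` (id to value) and reports over-grants and gaps; the resource display names and the sample ids are assumptions, and the CSP-only Partner Center delegated grant is left out of the baseline.

```python
# Added audit helper (not Huntress code): join appRoleAssignments to appRoles, diff against the article's tables.
from dataclasses import dataclass
# Baseline from the tables above, keyed by resource service principal display name (names assumed).
DOCUMENTED = {
    "Microsoft Graph": {
        "Application.ReadWrite.All", "AuditLog.Read.All", "Directory.AccessAsUser.All",
        "Directory.ReadWrite.All", "Domain.Read.All", "MailboxSettings.ReadWrite",
        "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Reports.Read.All",
        "SecurityEvents.Read.All", "SecurityIncident.Read.All", "User.Read.All",
        "UserAuthenticationMethod.ReadWrite.All",
    },
    "Office 365 Exchange Online": {"Exchange.ManageAsApp"},
    "Office 365 Management APIs": {"ActivityFeed.Read", "ActivityFeed.ReadDlp", "ServiceHealth.Read"},
}
@dataclass(frozen=True)
class Finding:
    resource: str
    permission: str
    kind: str  # "unexpected": granted but not documented; "missing": documented but not granted
def resolve_granted(assignments, app_roles_by_resource):
    """Map each assignment's appRoleId GUID to its permission value via the resource's appRoles."""
    granted = {}
    for a in assignments:
        roles = app_roles_by_resource.get(a["resourceDisplayName"], {})
        value = roles.get(a["appRoleId"], f"<unknown appRoleId {a['appRoleId']}>")
        granted.setdefault(a["resourceDisplayName"], set()).add(value)
    return granted
def audit(granted, documented=DOCUMENTED):
    """Return one Finding per over-grant and per documented grant that is absent."""
    findings = []
    for resource in sorted(set(granted) | set(documented)):
        have, want = granted.get(resource, set()), documented.get(resource, set())
        findings += [Finding(resource, p, "unexpected") for p in sorted(have - want)]
        findings += [Finding(resource, p, "missing") for p in sorted(want - have)]
    return findings
# Constructed sample input with placeholder ids, not real Microsoft appRole GUIDs.
SAMPLE_APP_ROLES = {
    "Microsoft Graph": {"g-1": "AuditLog.Read.All", "g-2": "User.Read.All", "g-3": "Mail.ReadWrite"},
    "Office 365 Exchange Online": {"x-1": "Exchange.ManageAsApp"},
}
SAMPLE_ASSIGNMENTS = [
    {"resourceDisplayName": "Microsoft Graph", "appRoleId": "g-1"},
    {"resourceDisplayName": "Microsoft Graph", "appRoleId": "g-3"},  # not in the article's list
    {"resourceDisplayName": "Office 365 Exchange Online", "appRoleId": "x-1"},
]
if __name__ == "__main__":
    for f in audit(resolve_granted(SAMPLE_ASSIGNMENTS, SAMPLE_APP_ROLES)):
        print(f"{f.kind:10} {f.resource}: {f.permission}")
```

In a live tenant the two inputs come from `GET /servicePrincipals/{id}/appRoleAssignments` and the resource principal's `appRoles`; an "unexpected" finding is the one worth investigating first.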