Portal Permissions
These are the access permissions the Ironstone Portal application needs inside the customer's tenant, and why we need them.
- We enrich and present your own data for you in the portal. Without access to your data we won't be able to present anything.
- It is not possible to partially accept the permissions.
| API / Permissions name | Type | Permission description | Admin consent required | Why do we need this permission? |
|---|---|---|---|---|
| ChannelMember.ReadWrite.All | Application | Add and remove members from all channels, without a signed-in user. Also allows changing a member's role, for example from owner to non-owner. | Yes | Collaboration functionality: non-interactive access through the Application permission type is needed because the functionality runs on the backend. |
| Group.ReadWrite.All | Application | Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write conversations. All of these operations can be performed by the app without a signed-in user. | Yes | Collaboration functionality: non-interactive access through the Application permission type is needed because the functionality runs on the backend. |
| Notes.ReadWrite.All | Application | Allows the app to read, share, and modify all the OneNote notebooks in your organization, without a signed-in user. | Yes | Collaboration functionality: non-interactive access through the Application permission type is needed because the functionality runs on the backend. |
| User.ReadWrite.All | Application | Allows the app to read and write the full set of profile properties, group membership, reports and managers of other users in your organization, without a signed-in user. Also allows the app to create and delete non-administrative users. Does not allow reset of user passwords. | Yes | Portal functionality: |
| DeviceManagementManagedDevices.Read.All | Application | Allows the app to read the properties of devices managed by Microsoft Intune. | Yes | Portal functionality: |
| SecurityEvents.Read.All | Application | Allows the app to read your organization's security events. | Yes | Portal functionality: |
| DeviceManagementServiceConfig.Read.All | Application | Allows the app to read Intune service properties including device enrollment and third party service connection configuration. | Yes | Portal functionality: |
| Directory.Read.All | Application | Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user. | Yes | Portal functionality: |
| DeviceManagementConfiguration.Read.All | Application | Allows the app to read properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups. | Yes | Portal functionality: |
| IdentityRiskyUser.Read.All | Application | Allows the app to read identity user risk information for all users in your organization without a signed-in user. | Yes | Portal functionality: |
| IdentityRiskEvent.Read.All | Application | Allows the app to read identity risk event information for all users in your organization without a signed-in user. | Yes | Portal functionality: |
| AuditLog.Read.All | Application | Allows the app to read and query your audit log activities, without a signed-in user. | Yes | Portal functionality: |
| DeviceManagementApps.Read.All | Application | Allows the app to read the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune. | Yes | Portal functionality: |
| Reports.Read.All | Application | Allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Microsoft 365 and Azure Active Directory. | Yes | Portal functionality: |
| Directory.ReadWrite.All | Application | Allows the app to read and write data in your organization's directory, such as users and groups. It does not allow the app to delete users or groups, or reset user passwords. | Yes | Collaboration functionality: we have filed a request with Microsoft to move these actions to a lower set of permissions, since Directory.ReadWrite.All is a higher permission than this should require. |
| Application.ReadWrite.All | Application | Allows the calling app to create and manage (read, update, update application secrets and delete) applications and service principals without a signed-in user. Does not allow management of consent grants or application assignments to users or groups. | Yes | Used to modify the Enterprise Application for the backend application used by our Managed Services. |
| DeviceManagementManagedDevices.ReadWrite.All | Application | Allows the app to read and write the properties of devices managed by Microsoft Intune. Does not allow high impact operations such as remote wipe and password reset on the device's owner. | Yes | Used for changing devices that are managed by Intune from our backend. Using this we are able to modify which baselines are applied to which devices. |
| Exchange.ManageAsApp | Application | Allows the app to manage the organization's Exchange environment without any user interaction. This includes mailboxes, groups, and other configuration objects. To enable management actions, an admin must assign the appropriate roles directly to the app. | Yes | This is used to be able to reach Exchange remotely from the backend to our customers to: To actually obtain these rights the application needs to be assigned the Exchange Administrator Azure AD role, which is only done temporarily while the functionality is in use. |
| Sites.FullControl.All | Application | Allows the app to have full control of SharePoint sites in all site collections without a signed-in user. | Yes | Request/Approve Project: |
| User.ReadWrite.All | Application | Allows the app to read and update user profiles and to read basic site info without a signed-in user. | Yes | Request/Approve Project: |
| Policy.Read.All | Application | Allows the app to read all your organization's policies without a signed-in user. | Yes | Identity Security Report: |
| RoleManagement.ReadWrite.Directory | Application | Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, on behalf of the signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships. | Yes | Identity Security Report: |
Requests used by the Portal application
More detail about the requests and their documentation. This is not the full list, only what is relevant to the table above.
| Request type | Request | Graph API documentation | Lowest application permission needed |
|---|---|---|---|
| GET | /v1.0/users/${userID}/ownedDevices | | User.Read.All |
| GET | /v1.0/groups | | GroupMember.Read.All |
| GET | /v1.0/groups/${groupId}/members | | GroupMember.Read.All |
| PATCH | /v1.0/groups/${groupID} | | Group.ReadWrite.All |
| DELETE | /v1.0/groups/${groupID}/members/${memberID}/$ref | | GroupMember.ReadWrite.All |
| GET | /v1.0/groupLifecyclePolicies | | Directory.Read.All |
| PATCH | /v1.0/groupLifecyclePolicies/${id} | | Directory.ReadWrite.All |
| POST | /v1.0/groupLifecyclePolicies | | Directory.ReadWrite.All |
| POST | /v1.0/users/${userID}/reprocessLicenseAssignment | | User.ReadWrite.All |
| GET | /v1.0/organization | | Organization.Read.All |
| GET | /v1.0/subscribedskus | | Organization.Read.All |
| GET | /v1.0/users?$top=999&${USERS_SELECT} | | User.Read.All |
| POST | /v1.0/users | | User.ReadWrite.All |
| PATCH | /v1.0/users/${userID} | | User.ReadWrite.All |
| GET | /v1.0/applications | | Application.Read.All |
| GET | /v1.0/servicePrincipals | | Application.Read.All |
| GET | /v1.0/identity/conditionalAccess/policies | | Policy.Read.All |
| GET | /v1.0/policies/authorizationPolicy | | Policy.Read.All |
| GET | /v1.0/roleManagement/directory/roleAssignmentScheduleRequests | | RoleManagement.ReadWrite.Directory |
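A least-privilege review that cross-checks the granted permission table against the per-request minimums listed above, as an added example (not Ironstone's code): it reports any listed request the granted set could not satisfy, and any grant that no listed request needs. The permission-nesting rules and the subset of requests transcribed are assumptions, noted in the code.

```python
# Added least-privilege review, not Ironstone's code. GRANTED and REQUESTS are
# transcribed from this page's tables (REQUESTS is a subset); covers() assumes
# how Graph permission names nest, which the page itself does not state.
GRANTED = {
    "ChannelMember.ReadWrite.All", "Group.ReadWrite.All", "Notes.ReadWrite.All",
    "User.ReadWrite.All", "Directory.Read.All", "Directory.ReadWrite.All",
    "Application.ReadWrite.All", "Policy.Read.All", "Reports.Read.All",
    "AuditLog.Read.All", "RoleManagement.ReadWrite.Directory",
    "Sites.FullControl.All", "Exchange.ManageAsApp",
}
REQUESTS = [  # (method, path, lowest application permission from the table)
    ("GET", "/v1.0/users/{userID}/ownedDevices", "User.Read.All"),
    ("GET", "/v1.0/groups", "GroupMember.Read.All"),
    ("DELETE", "/v1.0/groups/{groupID}/members/{memberID}/$ref",
     "GroupMember.ReadWrite.All"),
    ("PATCH", "/v1.0/groupLifecyclePolicies/{id}", "Directory.ReadWrite.All"),
    ("GET", "/v1.0/organization", "Organization.Read.All"),
    ("POST", "/v1.0/users", "User.ReadWrite.All"),
    ("GET", "/v1.0/applications", "Application.Read.All"),
    ("GET", "/v1.0/identity/conditionalAccess/policies", "Policy.Read.All"),
    ("GET", "/v1.0/roleManagement/directory/roleAssignmentScheduleRequests",
     "RoleManagement.ReadWrite.Directory"),
]
# Assumed: ReadWrite.All covers Read.All, Group.* covers GroupMember.*, and
# either Directory.* grant covers these plain directory reads.
DIRECTORY_READS = {"User.Read.All", "Group.Read.All", "GroupMember.Read.All",
                   "Application.Read.All", "Organization.Read.All"}

def covers(granted: str, needed: str) -> bool:
    """True if holding `granted` is enough for a call whose minimum is `needed`."""
    if granted == needed:
        return True
    g_res, _, g_right = granted.partition(".")
    n_res, _, n_right = needed.partition(".")
    if g_res == "Group" and n_res == "GroupMember":
        n_res = "Group"  # group-level grant covers member-level operations
    if g_res == n_res and g_right == "ReadWrite.All" and n_right in ("Read.All", "ReadWrite.All"):
        return True
    if granted.startswith("Directory.") and needed in DIRECTORY_READS:
        return True
    return False

def uncovered_requests(granted=GRANTED, requests=REQUESTS):
    """Listed requests the app could not make with the granted set (expect none)."""
    return [r for r in requests if not any(covers(g, r[2]) for g in granted)]

def unused_grants(granted=GRANTED, requests=REQUESTS):
    """Grants no listed request needs: review candidates, not proof of excess,
    because the page says its request list is not complete."""
    needed = {r[2] for r in requests}
    return sorted(g for g in granted if not any(covers(g, n) for n in needed))
```

Grants that come back from unused_grants() are the ones to ask the vendor about, since the page documents their use only in prose rather than by request.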
Azure platform access
Some functionality needs access to your Azure environment to, for example, help you monitor your costs.
| Access level | Scope | Justification |
|---|---|---|
| Reader | Management root | We need this access to see the costs connected to all subscriptions, resource groups, and resources. Using this data we create cost reports, which are presented in the Ironstone Portal. |