Your Employees permissions
These are the access permissions needed by the Ironstone managed service, Your Employees, inside the customer's tenant, and why we need them.
The app name is "Ironstone - IT for Your Employees".
- Without access to your data we won't be able to deploy our services.
- It is not possible to accept the permissions partially; consent is granted to the whole set or not at all.
| API / Permission name | Type | Permission description | Admin consent required | Why do we need this permission? |
|---|---|---|---|---|
| Directory.ReadWrite.All | Application | Allows the app to read and write data in your organization's directory, such as users and groups, without a signed-in user. Does not allow user or group deletion. | Yes | Used to make changes to user and group objects in Microsoft Entra ID. |
| Group.ReadWrite.All | Application | Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write conversations. All of these operations can be performed by the app without a signed-in user. | Yes | Used to create Microsoft Entra ID security groups for Conditional Access exceptions and for threat protection rule membership. |
| User.ReadWrite.All | Application | Allows the app to read and update user profiles without a signed-in user. | Yes | Used to update the group membership of user objects in Microsoft Entra ID. |
| Organization.Read.All | Application | Allows the app to read the organization and related resources, without a signed-in user. Related resources include things like subscribed SKUs and tenant branding information. | Yes | Used to read organization settings such as subscribed SKUs. This permission is read-only; it does not allow organization settings to be changed. |
| AppRoleAssignment.ReadWrite.All | Application | Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, without a signed-in user. | Yes | Used to grant application permissions to the federated workload identities that deploy, create and manage the Microsoft Entra ID security groups which carry permissions within the Azure environment. |
| Application.ReadWrite.All | Application | Allows the calling app to create, and manage (read, update, update application secrets and delete) applications and service principals without a signed-in user. Does not allow management of consent grants or application assignments to users or groups. | Yes | Used to create and modify the enterprise applications needed to manage and govern the Azure environment. |
| RoleManagement.ReadWrite.Directory | Application | Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships. | Yes | Used to set |
| DeviceManagementApps.ReadWrite.All | Application | Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune, without a signed-in user. | Yes | Used to create and update applications in Intune. |
| DeviceManagementConfiguration.ReadWrite.All | Application | Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups, without a signed-in user. | Yes | Used to create and update Intune device configuration policies. |
| DeviceManagementServiceConfig.ReadWrite.All | Application | Allows the app to read and write Microsoft Intune service properties including device enrollment and third-party service connection configuration, without a signed-in user. | Yes | Used to manage Intune service settings and device enrollment. |
| DeviceManagementManagedDevices.ReadWrite.All | Application | Allows the app to read and write the properties of devices managed by Microsoft Intune, without a signed-in user. Does not allow high-impact operations such as remote wipe and password reset on the device's owner. | Yes | Used to manage devices in Intune. |
| Policy.Read.All | Application | Allows the app to read all your organization's policies without a signed-in user. | Yes | Used to read all policies. |
| Policy.ReadWrite.ConditionalAccess | Application | Allows the app to read and write your organization's Conditional Access policies, without a signed-in user. | Yes | Used to create and update Conditional Access policies. |
| Policy.ReadWrite.Authorization | Application | Allows the app to read and write your organization's authorization policy without a signed-in user. For example, authorization policies can control some of the permissions that the out-of-the-box user role has by default. | Yes | Used to update the authorization policy. |
| Policy.ReadWrite.CrossTenantAccess | Application | Allows the app to read and write your organization's cross-tenant access policies without a signed-in user. | Yes | Used to set cross-tenant access settings. |
| Policy.ReadWrite.AuthenticationMethod | Application | Allows the app to read and write all authentication method policies for the tenant, without a signed-in user. | Yes | Used to update the allowed authentication methods. |
| Exchange.ManageAsApp | Application | Allows the app to manage the organization's Exchange environment without any user interaction. This includes mailboxes, groups, and other configuration objects. To enable management actions, an admin must assign the appropriate roles directly to the app. | Yes | Used to reach the customer's Exchange Online environment remotely from the Ironstone backend. On its own this permission grants no management rights: to actually act, the application must also be assigned the Exchange Administrator role in Microsoft Entra ID, which is only done temporarily while the functionality is being used. |
| Exchange Administrator | Built-in role | Users with this role have global permissions within Microsoft Exchange Online, when the service is present. Also has the ability to create and manage all Microsoft 365 groups, manage support tickets, and monitor service health. For more information, see About admin roles in the Microsoft 365 admin center. | Has to be added manually to the enterprise application | Used to manage settings in Exchange Online. |
| Security Administrator | Built-in role | This is a privileged role. Users with this role have permissions to manage security-related features in the Microsoft 365 Defender portal, Microsoft Entra ID Protection, Microsoft Entra Authentication, Azure Information Protection, and the Microsoft Purview compliance portal. For more information about Office 365 permissions, see Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview compliance. | Has to be added manually to the enterprise application | Used to create and update Advanced Threat Protection policies. |
| Teams Administrator | Built-in role | Users in this role can manage all aspects of the Microsoft Teams workload via the Microsoft Teams & Skype for Business admin center and the respective PowerShell modules. This includes, among other areas, all management tools related to telephony, messaging, meetings, and the teams themselves. This role additionally grants the ability to create and manage all Microsoft 365 groups, manage support tickets, and monitor service health. | Has to be added manually to the enterprise application | Used to configure Teams policies and settings. |
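Because consent is all-or-nothing and the set above includes Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All and RoleManagement.ReadWrite.Directory, which together let the application manage any app's credentials and directory role membership, a tenant administrator will want to verify, after consenting, exactly what the service principal holds and that the Exchange Administrator role described as temporary is not left standing. The PowerShell below is an added audit example written for this page; it is not Ironstone's code and is not part of the original documentation. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in administrator can read applications and role assignments, and that the enterprise application carries the display name given at the top of this page. The `Grant-TemporaryDirectoryRole` function is a hypothetical helper illustrating the assign-then-remove sequence the table describes; it needs the RoleManagement.ReadWrite.Directory scope and is therefore only shown, not invoked.

```powershell
# Added example (not Ironstone's code): audit what the "Ironstone - IT for Your
# Employees" service principal actually holds in this tenant and compare it with
# the permission list documented on this page.
Connect-MgGraph -Scopes "Application.Read.All", "RoleManagement.Read.Directory"

$AppDisplayName = "Ironstone - IT for Your Employees"

# Application permissions the page says are required (Microsoft Graph and Exchange Online).
$Expected = @(
    "Directory.ReadWrite.All", "Group.ReadWrite.All", "User.ReadWrite.All",
    "Organization.Read.All", "AppRoleAssignment.ReadWrite.All",
    "Application.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
    "DeviceManagementApps.ReadWrite.All",
    "DeviceManagementConfiguration.ReadWrite.All",
    "DeviceManagementServiceConfig.ReadWrite.All",
    "DeviceManagementManagedDevices.ReadWrite.All",
    "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess",
    "Policy.ReadWrite.Authorization", "Policy.ReadWrite.CrossTenantAccess",
    "Policy.ReadWrite.AuthenticationMethod", "Exchange.ManageAsApp"
)

$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "Service principal '$AppDisplayName' not found in this tenant" }

# Each app role assignment names the resource API (e.g. Microsoft Graph) by object id
# and the permission by AppRoleId; resolve both back to a readable name.
$resourceCache = @{}
$granted = foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
    if (-not $resourceCache.ContainsKey($a.ResourceId)) {
        $resourceCache[$a.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    }
    $resource = $resourceCache[$a.ResourceId]
    $role = $resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
    [pscustomobject]@{ Api = $resource.DisplayName; Permission = $role.Value }
}

# Anything granted but not documented deserves a question to the vendor; anything
# documented but not granted explains a failed deployment.
$extra   = $granted.Permission | Where-Object { $_ -notin $Expected }
$missing = $Expected | Where-Object { $_ -notin $granted.Permission }
"Granted application permissions:"
$granted | Sort-Object Api, Permission | Format-Table -AutoSize
"Not documented on this page: $($extra -join ', ')"
"Documented but not granted:  $($missing -join ', ')"

# Directory roles currently held by the service principal. Per the table, Exchange,
# Security and Teams Administrator are added manually, and Exchange Administrator
# should be present only while the Exchange functionality is in use.
$roles = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'" -All
foreach ($r in $roles) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $r.RoleDefinitionId
    "Directory role: $($def.DisplayName) (scope $($r.DirectoryScopeId))"
}

function Grant-TemporaryDirectoryRole {
    # Hypothetical helper: assign a built-in role to the service principal for the
    # duration of one piece of work, then remove it again. Requires a session
    # connected with the RoleManagement.ReadWrite.Directory scope.
    param(
        [Parameter(Mandatory)] [string] $PrincipalId,
        [Parameter(Mandatory)] [string] $RoleDisplayName,
        [Parameter(Mandatory)] [scriptblock] $Work
    )
    $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleDisplayName'"
    $assignment = New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $def.Id `
        -PrincipalId $PrincipalId -DirectoryScopeId "/"
    try { & $Work }
    finally {
        # Remove the role even if the work fails, so the standing privilege does not linger.
        Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $assignment.Id
    }
}
# Example call (needs the write scope, so it is left commented out):
# Grant-TemporaryDirectoryRole -PrincipalId $sp.Id -RoleDisplayName "Exchange Administrator" -Work { <# Exchange work #> }
```

Run the audit immediately after granting consent to record the baseline, and again periodically: a directory role listed in the final section that is not currently being used for Exchange, Defender or Teams work is the signal to ask the vendor why it is still assigned.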