Read-only access only. We use 55 Microsoft Graph API permissions,
all with
.Read scope — no write access, no changes to your environment.
We look, we don't touch.
View all 55 Graph API permissions (read-only)
Identity & Directory (18)
Directory.Read.All
User.Read.All
Group.Read.All
RoleManagement.Read.All
Organization.Read.All
Policy.Read.All
IdentityRiskEvent.Read.All
IdentityRiskyUser.Read.All
Application.Read.All
PrivilegedAccess.Read.AzureAD
UserAuthenticationMethod.Read.All
Domain.Read.All
RoleEligibilitySchedule.Read.Directory
RoleAssignmentSchedule.Read.Directory
OnPremDirectorySynchronization.Read.All
CustomSecAttributeDefinition.Read.All
CrossTenantInformation.ReadBasic.All
AccessReview.Read.All
Conditional Access (2)
Policy.Read.ConditionalAccess
AuthenticationContext.Read.All
Security & Compliance (12)
SecurityEvents.Read.All
SecurityActions.Read.All
ThreatIndicators.Read.All
SecurityIncident.Read.All
SecurityAlert.Read.All
InformationProtectionPolicy.Read.All
ThreatSubmission.Read.All
AttackSimulation.Read.All
eDiscovery.Read.All
RecordsManagement.Read.All
InformationProtectionContent.Read.All
SubjectRightsRequest.Read.All
Device Management (5)
DeviceManagementConfiguration.Read.All
DeviceManagementManagedDevices.Read.All
DeviceManagementApps.Read.All
DeviceManagementServiceConfig.Read.All
DeviceManagementRBAC.Read.All
SharePoint (1)
Sites.Read.All
Exchange & Mail (3)
Mail.Read
MailboxSettings.Read
Mail.ReadBasic.All
Microsoft Teams (5)
Team.ReadBasic.All
TeamMember.Read.All
AppCatalog.Read.All
Channel.ReadBasic.All
TeamworkTag.Read.All
Microsoft Defender (4)
ThreatHunting.Read.All
SecurityAnalyzedMessage.Read.All
ThreatAssessment.Read.All
ThreatIntelligence.Read.All
Reports & Audit (4)
Reports.Read.All
ReportSettings.Read.All
AuditLog.Read.All
DirectoryRecommendations.Read.All