Configure Azure for Microsoft 365 and ScubaGear Audits

Additional permissions are required to perform a scan using either the ScubaGear audits or the CIS Microsoft 365 audits; both rely on the same APIs. Certificate-based authentication is required for these APIs.

Before you begin:

  1. Click your registered application in Microsoft Entra ID > App Registrations > Your Application > API Permissions.

  2. Select Microsoft Graph.

    When adding permissions for Certificate Authentication, select Application permissions.

  3. In the Configured permissions section, click Add a permission.

  4. Add the following permissions:

    • Microsoft Graph

      • Directory.Read.All

      • GroupMember.Read.All

      • Organization.Read.All,

      • Policy.Read.All,

      • RoleManagement.Read.Directory,

      • User.Read.All

      • PrivilegedEligibilitySchedule.Read.AzureADGroup

      • PrivilegedAccess.Read.AzureADGroup

      • RoleManagementPolicy.Read.AzureADGroup

      • AuditLog.Read.All

      • Calendars.Read

      • DeviceManagementApps.Read.All

      • DeviceManagementConfiguration.Read.All

      • Directory.Read.All

      • GroupMember.Read.All

      • Organization.Read.All

      • OrgSettings-AppsAndServices.Read.All

      • OrgSettings-Forms.Read.All

      • Policy.Read.All

      • PrivilegedAccess.Read.AzureADGroup

      • PrivilegedEligibilitySchedule.Read.AzureADGroup

      • Reports.Read.All

      • RoleManagement.ReadWrite.Exchange

      • RoleManagementPolicy.Read.AzureADGroup

      • SecurityActions.Read.All

      • SecurityAlert.Read.All

      • SecurityEvents.Read.All

      • SharePointTenantSettings.Read.All

      • Sites.Read.All

      • User.Read

    • Microsoft Teams Services

      • AdminAppCatalog.Read.All

    • Office 365 Exchange Online

      • Exchange.ManageAsApp

    • SharePoint

      • Sites.FullControl.All

  1. In the Manage section of Microsoft Entra ID, click Roles and administrator.

  2. Click the Global Reader role.

    Note: This role configuration process must be repeated for the Exchange Administrator role.

  3. Click Add assignments.
  4. Select the application you created, and click Add.
  5. Repeat the configuration steps for the Exchange Administrator role.

  • As an account with Power Platform Administrator, or Global Administrator roles, register the service principal:

    Add-PowerAppsAccount -Endpoint prod -TenantID <tenant id>