Configure Azure for Microsoft 365 and ScubaGear Audits
Additional permissions are required to perform a scan using either the ScubaGear audits or the CIS Microsoft 365 audits; both rely on the same APIs. Certificate-based authentication is required for these APIs.
Before you begin:
- Complete the Certificate Authentication Method.

- Click your registered application in Microsoft Entra ID > App Registrations > Your Application > API Permissions.
- Select Microsoft Graph.
  When adding permissions for Certificate Authentication, select Application permissions.
- In the Configured permissions section, click Add a permission.
- Add the following permissions:
  - Microsoft Graph
    - AuditLog.Read.All
    - Calendars.Read
    - DeviceManagementApps.Read.All
    - DeviceManagementConfiguration.Read.All
    - Directory.Read.All
    - GroupMember.Read.All
    - Organization.Read.All
    - OrgSettings-AppsAndServices.Read.All
    - OrgSettings-Forms.Read.All
    - Policy.Read.All
    - PrivilegedAccess.Read.AzureADGroup
    - PrivilegedEligibilitySchedule.Read.AzureADGroup
    - Reports.Read.All
    - RoleManagement.Read.Directory
    - RoleManagement.ReadWrite.Exchange
    - RoleManagementPolicy.Read.AzureADGroup
    - SecurityActions.Read.All
    - SecurityAlert.Read.All
    - SecurityEvents.Read.All
    - SharePointTenantSettings.Read.All
    - Sites.Read.All
    - User.Read
    - User.Read.All
  - Microsoft Teams Services
    - AdminAppCatalog.Read.All
  - Office 365 Exchange Online
    - Exchange.ManageAsApp
  - SharePoint
    - Sites.FullControl.All
- In the Manage section of Microsoft Entra ID, click Roles and administrators.
- Click the Global Reader role.
  Note: This role configuration process must be repeated for the Exchange Administrator role.
- Click Add assignments.
- Select the application you created, and click Add.
- Repeat the configuration steps for the Exchange Administrator role.
- As an account with the Power Platform Administrator or Global Administrator role, register the service principal:
  Add-PowerAppsAccount -Endpoint prod -TenantID <tenant id>
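As an added check that is not part of this article or of ScubaGear, the following PowerShell script compares an app registration's configured API permissions with the list above and reports anything missing, anything extra beyond what the audits need, and anything added as a delegated rather than an application permission. It assumes the Microsoft.Graph PowerShell SDK is installed and uses a placeholder application (client) ID.

```powershell
# Added example (not from this article or ScubaGear): compare an app
# registration's configured API permissions against the list above.
# Assumes the Microsoft.Graph PowerShell SDK is installed; $AppId is a placeholder.
param([string]$AppId = '<application (client) id>')

Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes 'Application.Read.All'

# Permission values from this article (Graph, Teams, Exchange Online, SharePoint).
$Required = @(
  'AuditLog.Read.All', 'Calendars.Read', 'DeviceManagementApps.Read.All',
  'DeviceManagementConfiguration.Read.All', 'Directory.Read.All', 'GroupMember.Read.All',
  'Organization.Read.All', 'OrgSettings-AppsAndServices.Read.All', 'OrgSettings-Forms.Read.All',
  'Policy.Read.All', 'PrivilegedAccess.Read.AzureADGroup',
  'PrivilegedEligibilitySchedule.Read.AzureADGroup', 'Reports.Read.All',
  'RoleManagement.Read.Directory', 'RoleManagement.ReadWrite.Exchange',
  'RoleManagementPolicy.Read.AzureADGroup', 'SecurityActions.Read.All',
  'SecurityAlert.Read.All', 'SecurityEvents.Read.All', 'SharePointTenantSettings.Read.All',
  'Sites.Read.All', 'User.Read', 'User.Read.All',
  'AdminAppCatalog.Read.All', 'Exchange.ManageAsApp', 'Sites.FullControl.All'
)

$app = Get-MgApplication -Filter "appId eq '$AppId'" | Select-Object -First 1
if (-not $app) { throw "No app registration found for appId $AppId" }

# Resolve each configured permission GUID to its name via the resource's service principal.
$configured = foreach ($res in $app.RequiredResourceAccess) {
  $sp = Get-MgServicePrincipal -Filter "appId eq '$($res.ResourceAppId)'" | Select-Object -First 1
  foreach ($access in $res.ResourceAccess) {
    $name = if ($access.Type -eq 'Role') {
      ($sp.AppRoles | Where-Object Id -eq $access.Id).Value                # application permission
    } else {
      ($sp.Oauth2PermissionScopes | Where-Object Id -eq $access.Id).Value  # delegated permission
    }
    [pscustomobject]@{ Resource = $sp.DisplayName; Permission = $name; Type = $access.Type }
  }
}

$names     = @($configured.Permission)
$missing   = @($Required | Where-Object { $_ -notin $names })
$extra     = @($configured | Where-Object { $_.Permission -notin $Required })
# User.Read exists in Graph only as a delegated scope; every other entry should be of type 'Role'.
$delegated = @($configured | Where-Object { $_.Type -eq 'Scope' -and $_.Permission -ne 'User.Read' })

"Missing ($($missing.Count)):"; $missing | ForEach-Object { "  $_" }
"Extra, beyond what the audits need ($($extra.Count)):"; $extra | Format-Table Resource, Permission, Type
"Added as delegated instead of application ($($delegated.Count)):"; $delegated | Format-Table Resource, Permission
Disconnect-MgGraph
```

Anything reported under Extra is a candidate for removal before granting admin consent, since the audits only read tenant configuration.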
