Microsoft Cloud permissions
This page lists the permissions used by the integrations in the Microsoft Cloud Integration Bundle and, for each permission, the actions, HTTP methods, URLs, and trigger types that depend on it.
Microsoft CSP Permissions
User Impersonation
This permission is required to retrieve the list of customers from your CSP tenant and map them to managed Rewst organizations.
Actions:
microsoft_csp.check_if_organization_has_consent
microsoft_csp.list_customers
microsoft_csp.list_customer_subscriptions
microsoft_csp.update_customer_subscription_quantity
Microsoft Exchange Online Permissions
Exchange.Manage
Actions:
microsoft_exo.invoke_command
Exchange.ManageAsApp
Actions:
microsoft_exo.invoke_command
full_access_as_app
Actions:
microsoft_exo.invoke_command
Microsoft Azure Permissions
Key Vault User Impersonation
Actions:
microsoft_azure.list_keys_in_vault
microsoft_azure.create_key_in_vault
microsoft_azure.delete_key_in_vault
Service Management User Impersonation
Actions:
microsoft_azure.generic_request
microsoft_azure.Virtual Machines - InstanceView
microsoft_azure.Virtual Machines - List
microsoft_azure.Virtual Machines - Get
microsoft_azure.Virtual Machines - ListAvailableSizes
microsoft_azure.Virtual Machines - Delete
microsoft_azure.Virtual Machines - ListByLocation
microsoft_azure.Virtual Machines - ListAll
microsoft_azure.create_blob_storage_container
microsoft_azure.create_key_vault
microsoft_azure.get_storage_account
microsoft_azure.create_storage_account
microsoft_azure.create_vm
microsoft_azure.create_virtual_network
microsoft_azure.list_virtual_networks
microsoft_azure.list_blob_storage_containers
microsoft_azure.list_virtual_machines
microsoft_azure.delete_blob_storage_container
microsoft_azure.get_key_vault
microsoft_azure.get_virtual_machine
microsoft_azure.get_virtual_network
microsoft_azure.get_blob_storage_container
microsoft_azure.delete_storage_account
microsoft_azure.delete_key_vault
microsoft_azure.delete_virtual_machine
microsoft_azure.delete_virtual_network
microsoft_azure.list_storage_accounts
microsoft_azure.list_key_vaults
microsoft_azure.list_subscriptions
microsoft_azure.list_resource_groups
Storage User Impersonation
Actions:
microsoft_azure.generic_request
Methods:
GET
POST
PUT
PATCH
DELETE
URLs:
https://{storageAccountName}.blob.core.windows.net/{containerName}
https://{storageAccountName}.table.core.windows.net/{tableName}
Microsoft Graph Permissions
AccessReview.Read.All
Actions:
microsoft_graph.graph_api_request
Methods:
GET
URLs:
/identityGovernance/accessReviews/definitions
/identityGovernance/accessReviews/definitions/{definitionId}
/identityGovernance/accessReviews/definitions/{definitionId}/instances
/identityGovernance/accessReviews/definitions/{definitionId}/instances/{instanceId}
/identityGovernance/accessReviews/definitions/{definitionId}/instances/{instanceId}/decisions
/identityGovernance/accessReviews/definitions/{definitionId}/instances/{instanceId}/decisions/{decisionId}
/identityGovernance/accessReviews/definitions/{definitionId}/instances/{instanceId}/contacts
/identityGovernance/accessReviews/settings
AccessReview.ReadWrite.All
Actions:
microsoft_graph.graph_api_request
Methods:
GET
POST
PATCH
DELETE
URLs:
/identityGovernance/accessReviews/definitions
/identityGovernance/accessReviews/definitions/{definitionId}
/identityGovernance/accessReviews/definitions/{definitionId}/instances
/identityGovernance/accessReviews/definitions/{definitionId}/instances/{instanceId}
/identityGovernance/accessReviews/definitions/{definitionId}/instances/{instanceId}/decisions
/identityGovernance/accessReviews/definitions/{definitionId}/instances/{instanceId}/decisions/{decisionId}
/identityGovernance/accessReviews/definitions/{definitionId}/instances/{instanceId}/contacts
/identityGovernance/accessReviews/settings
ActivityFeed.Read
Actions:
microsoft_graph.graph_api_request
Trigger Types:
microsoft_graph.Management Activity
ActivityFeed.ReadDlp
Actions:
microsoft_graph.graph_api_request
Trigger Types:
microsoft_graph.Management Activity
AppCatalog.Read.All
Actions:
microsoft_graph.graph_api_request
Methods:
GET
URLs:
/appCatalogs/teamsApps
AppCatalog.ReadWrite.All
Actions:
microsoft_graph.graph_api_request
Methods:
GET
POST
DELETE
URLs:
/appCatalogs/teamsApps
/appCatalogs/teamsApps/{id}
/appCatalogs/teamsApps/{id}/appDefinitions
AppCatalog.Submit
Actions:
microsoft_graph.graph_api_request
Methods:
GET
POST
DELETE
URLs:
/appCatalogs/teamsApps
/appCatalogs/teamsApps/{id}
/appCatalogs/teamsApps/{id}/appDefinitions
AppRoleAssignment.ReadWrite.All
This is a core permission used by the Rewst Microsoft Cloud Connector and is required for dynamic permissions. It is not required when using an Owned App Registration.
Application.ReadWrite.All
This is a core permission used by the Rewst Microsoft Cloud Connector and is required for dynamic permissions. It is not required when using an Owned App Registration.
AuditLog.Read.All
Actions:
microsoft_graph.graph_api_request
Methods:
GET
URLs:
/activity/feed/subscriptions/content
/auditLogs/directoryAudits
/auditLogs/directoryAudits/{id}
/auditLogs/provisioning
/auditLogs/signIns
/auditLogs/signIns/{id}
/reports/authenticationMethods/userRegistrationDetails
/reports/authenticationMethods/userRegistrationDetails/{userId}
Trigger Types:
microsoft_graph.New Access from Anonymous Link
microsoft_graph.New Directory Audit Log
microsoft_graph.New Signin
microsoft_graph.Suspicious Login Distance
AuditLogsQuery.Read.All
Actions:
microsoft_graph.graph_api_request
Methods:
GET
URLs:
/auditLogs/directoryAudits
/auditLogs/investigationResults
/auditLogs/legacyAudits
/auditLogs/riskyUsers
/auditLogs/signIns
/auditLogs/userAccountActivity
BitlockerKey.Read.All
Actions:
microsoft_graph.graph_api_request
Methods:
GET
URLs:
/deviceManagement/managedDevices/{id}/bitlockerKeys