Permissions Reference
Every Microsoft Graph API permission Veri-Tech requests, explained in detail. This page is designed for security teams reviewing our access requirements.
Our Commitment to Trust & Transparency
Your security is not just a feature — it is the foundation of everything we build.
Veri-Tech is built for security teams, by security professionals. We believe you have the right to know exactly what access you are granting, what data we touch, and how we protect it. Every permission on this page is documented because we want you to verify our practices, not just trust our word.
What we never access
- ✓ Mailbox contents, emails, or calendar events
- ✓ Files in OneDrive or SharePoint document libraries
- ✓ Teams chat messages or meeting recordings
- ✓ User passwords or authentication credentials
- ✓ Personal identifiable information (PII) beyond directory display names used in policy assignment tables
How to audit our access
- ✓ Review the Veri-Tech enterprise application in your Entra admin center under Enterprise Applications
- ✓ Check the "Permissions" tab to see all currently consented Graph API scopes
- ✓ Review Entra audit logs for sign-in activity from the Veri-Tech service principal
- ✓ Use the "Activity" tab to see recent API calls made by the application
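The "Permissions" tab shows the consented scopes, but a reviewer usually wants to diff them against the list published on this page rather than eyeball them. The script below is an added example for that comparison, not Veri-Tech code: it takes the vendor service principal's appRoleAssignments and the Microsoft Graph resource's appRoles (both as Microsoft Graph returns them), resolves each appRoleId to a scope name, and reports undeclared scopes, declared scopes that are absent, persistent write scopes, and assignments on non-Graph resources (such as the Exchange.ManageAsApp role described later on this page). The Graph service principal id, role ids and assignment records embedded in it are constructed placeholders.

```python
"""Compare the application permissions actually consented to a vendor service
principal with the read scopes this page declares.

This is an added example, not Veri-Tech code. It consumes JSON of the shape
Microsoft Graph returns from:
  GET /servicePrincipals?$filter=displayName eq 'Veri-Tech'
  GET /servicePrincipals/{vendorSpId}/appRoleAssignments
  GET /servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'
      (the Microsoft Graph resource; its appRoles map appRoleId -> scope name)
The records embedded below are constructed stand-ins, role ids included.
"""

# The 14 read-only application scopes listed under "Read Permissions" on this page.
DECLARED_READ_SCOPES = {
    "Device.Read.All", "DeviceManagementApps.Read.All",
    "DeviceManagementConfiguration.Read.All", "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementRBAC.Read.All", "DeviceManagementScripts.Read.All",
    "DeviceManagementServiceConfig.Read.All", "Directory.Read.All", "Group.Read.All",
    "Organization.Read.All", "Policy.Read.All", "Reports.Read.All",
    "IdentityRiskEvent.Read.All", "SharePointTenantSettings.Read.All",
}

# Object id of the Microsoft Graph service principal in the tenant (constructed;
# the real value differs per tenant and comes from the appId lookup above).
GRAPH_SP_ID = "aaaaaaaa-0000-4000-8000-000000000001"

# Constructed slice of the Graph SP's appRoles. Real role ids are fixed GUIDs
# published by Microsoft; these are placeholders.
SAMPLE_GRAPH_APP_ROLES = [
    {"id": "r-001", "value": "Device.Read.All", "allowedMemberTypes": ["Application"]},
    {"id": "r-002", "value": "Policy.Read.All", "allowedMemberTypes": ["Application"]},
    {"id": "r-003", "value": "Group.Read.All", "allowedMemberTypes": ["Application"]},
    {"id": "r-004", "value": "Mail.Read", "allowedMemberTypes": ["Application"]},
]

# Constructed appRoleAssignments for the vendor SP. The last one targets a
# non-Graph resource and cannot be resolved with the Graph role table.
SAMPLE_ASSIGNMENTS = [
    {"appRoleId": "r-001", "resourceId": GRAPH_SP_ID, "resourceDisplayName": "Microsoft Graph"},
    {"appRoleId": "r-002", "resourceId": GRAPH_SP_ID, "resourceDisplayName": "Microsoft Graph"},
    {"appRoleId": "r-004", "resourceId": GRAPH_SP_ID, "resourceDisplayName": "Microsoft Graph"},
    {"appRoleId": "r-900", "resourceId": "bbbbbbbb-0000-4000-8000-000000000002",
     "resourceDisplayName": "Office 365 Exchange Online"},
]


def role_index(graph_app_roles):
    """Map appRoleId -> scope name, keeping only application-type roles."""
    return {r["id"]: r["value"] for r in graph_app_roles
            if "Application" in r.get("allowedMemberTypes", [])}


def consented_graph_permissions(assignments, index, graph_sp_id=GRAPH_SP_ID):
    """Return (resolved Graph scope names, assignments on other resources)."""
    scopes, other = set(), []
    for a in assignments:
        if a["resourceId"] == graph_sp_id and a["appRoleId"] in index:
            scopes.add(index[a["appRoleId"]])
        else:
            other.append((a["resourceDisplayName"], a["appRoleId"]))
    return scopes, other


def audit(consented, declared=DECLARED_READ_SCOPES):
    """Diff consented scopes against the declared list.

    'undeclared' scopes are the ones to raise with the vendor; 'write' flags any
    persistent application write scope, which this page says it does not hold
    (write access is delegated and just-in-time).
    """
    return {
        "undeclared": sorted(consented - declared),
        "missing": sorted(declared - consented),
        "write": sorted(s for s in consented if ".ReadWrite" in s),
    }


def run_sample():
    """Run the audit over the constructed records."""
    scopes, other = consented_graph_permissions(
        SAMPLE_ASSIGNMENTS, role_index(SAMPLE_GRAPH_APP_ROLES))
    report = audit(scopes)
    report["non_graph"] = other
    return report


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

With the constructed data the report lists Mail.Read as undeclared, twelve declared scopes as missing, no persistent write scopes, and one unresolved assignment on the Exchange Online resource; against a real tenant, feed it the three Graph responses named in the docstring and expect an empty "undeclared" list.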
How to revoke access
- ✓ From Veri-Tech: Go to Settings → Tenant Permissions → Revoke All Permissions
- ✓ From Entra admin center: Enterprise Applications → Veri-Tech → Properties → Delete
- ✓ Revocation is immediate — Veri-Tech will lose all access to your tenant
- ✓ Re-consent is required to restore access after revocation
Our security practices
- ✓ Certificate-based authentication only — no client secrets stored anywhere
- ✓ All data paths are scoped by tenant ID — no cross-tenant access is possible
- ✓ Worker containers are ephemeral and destroyed after each job
- ✓ Break-glass accounts are excluded from all deployed Conditional Access policies
- ✓ Conditional Access policies deploy in report-only mode — enforcement requires manual action
- ✓ JIT write access uses delegated OAuth2 tokens — cleared after each remediation job, no persistent app role assignments
- ✓ Azure infrastructure access uses managed identity with no stored credentials
Read Permissions (All Plans)
14 read-only scopes granted during onboarding. These permissions never modify any settings, policies, or data in your tenant.
Device.Read.All
Read device objects and properties for compliance reporting.
Data accessed: Device registration records, OS version, compliance state, last sync timestamps.
Not accessed: Device user activity, installed applications, browsing history.
DeviceManagementApps.Read.All
Read app protection and app configuration policies to document and assess their settings.
Data accessed: App protection policy definitions, app configuration settings, managed app assignments.
Not accessed: Installed app inventory on user devices, app usage data.
DeviceManagementConfiguration.Read.All
Read Intune configuration profiles, Settings Catalog policies, compliance policies, and security baselines.
Data accessed: Device configuration profiles, compliance rules, security baseline assignments.
Not accessed: User-specific compliance state, personal device data.
DeviceManagementManagedDevices.Read.All
Read managed device properties and compliance state for inventory reporting.
Data accessed: Device hardware information, compliance status, enrollment timestamps.
Not accessed: Device location, user activity, personal files.
DeviceManagementRBAC.Read.All
Read Intune role-based access control assignments for security posture reporting.
Data accessed: RBAC role definitions and role assignments within Intune.
Not accessed: User permissions outside of Intune, Azure AD role assignments.
DeviceManagementScripts.Read.All
Read platform and remediation scripts configured in Intune for documentation.
Data accessed: Script names, descriptions, assignment targets, and script content (for documentation purposes).
Not accessed: Script execution results on individual devices, user-specific output.
DeviceManagementServiceConfig.Read.All
Read Intune service configuration including enrollment settings and Autopilot profiles.
Data accessed: Enrollment restrictions, Autopilot deployment profiles, update ring configurations.
Not accessed: Device serial numbers, user enrollment history.
Directory.Read.All
Read directory objects, users, and service principals for identity reporting.
Data accessed: User display names, directory role assignments, service principal metadata.
Not accessed: User passwords, authentication credentials, personal contact information.
Group.Read.All
Resolve group display names for policy assignment tables in SOPs and reports.
Data accessed: Group names, IDs, and membership types. Used only to label assignments.
Not accessed: Group membership lists, group email content, Teams conversations.
Organization.Read.All
Read organization and tenant configuration for compliance context.
Data accessed: Organization display name, verified domains, tenant ID, assigned licenses.
Not accessed: Billing details, subscription payment information.
Policy.Read.All
Read Conditional Access, authorization, authentication method, and cross-tenant access policies.
Data accessed: Policy configurations, rules, conditions, and grant controls.
Not accessed: User sign-in logs, authentication tokens, session data.
Reports.Read.All
Read usage and compliance reports for trend analysis.
Data accessed: Aggregated compliance and usage statistics.
Not accessed: Individual user activity reports, email contents.
IdentityRiskEvent.Read.All
Read Identity Protection risk detections to evaluate risk-based Conditional Access controls (CISA-MS.AAD.2.3).
Data accessed: Risk detection events and their classifications (sign-in risk, user risk levels).
Not accessed: Individual sign-in logs, authentication tokens, session contents.
SharePointTenantSettings.Read.All
Read SharePoint Online and OneDrive tenant-level settings to evaluate every SharePoint control (sharing capability, default link type, idle session sign-out, guest expiration, etc.). Without this, the entire SharePoint domain is silently skipped during assessment.
Data accessed: Tenant-level SharePoint configuration: sharing capability, default link type and permission, idle session sign-out, external user expiration, sharing domain restrictions, legacy auth flag.
Not accessed: Site contents, individual files, user permissions on specific sites, document libraries.
Write Permissions (Enterprise)
13 write scopes requested when you initiate automated remediation. These are handled separately from read permissions.
Safety Controls
- ✓ JIT (Just-In-Time): Write access uses a delegated token granted before remediation and cleared afterward — no persistent app role assignments
- ✓ Report-only first: Conditional Access policies deploy in report-only mode — never enforced automatically
- ✓ Break-glass required: Emergency access accounts must be configured before write access can be granted
- ✓ No deletions: Veri-Tech never deletes existing policies — it only creates new ones or updates specific settings
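Three of the safety controls above are directly verifiable from the tenant side: a policy's state is report-only, the break-glass accounts are excluded from it, and no pre-existing policy disappeared after a remediation job. The script below is an added example, not Veri-Tech code; it evaluates Conditional Access policy records in the shape Microsoft Graph returns from GET /identity/conditionalAccess/policies. Graph does not record which application created a policy, so the caller passes the ids to inspect (for instance those named in a remediation report); the break-glass ids and the policy records themselves are constructed.

```python
"""Check Conditional Access policies against the safety controls listed above:
report-only state and break-glass exclusion, plus a no-deletion check between two
snapshots of policy ids.

Added example, not Veri-Tech code. Policies have the shape returned by
GET /identity/conditionalAccess/policies. Graph does not record which application
created a policy, so the caller passes the ids to inspect (e.g. those named in a
remediation report). Break-glass ids and the policy records are constructed.
"""

# Graph conditionalAccessPolicy.state value for report-only mode.
REPORT_ONLY = "enabledForReportingButNotEnforced"

# Constructed object ids of the tenant's emergency access accounts and group.
BREAK_GLASS_USERS = {"bg-user-1", "bg-user-2"}
BREAK_GLASS_GROUPS = {"bg-group"}

# Constructed policy records: pol-1 is compliant, pol-2 is enforced and misses one
# break-glass account, pol-3 excludes the break-glass group instead of the users.
SAMPLE_POLICIES = [
    {"id": "pol-1", "displayName": "Require MFA for all users", "state": REPORT_ONLY,
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["bg-user-1", "bg-user-2"],
                              "excludeGroups": []}}},
    {"id": "pol-2", "displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["bg-user-1"],
                              "excludeGroups": []}}},
    {"id": "pol-3", "displayName": "Require compliant device", "state": REPORT_ONLY,
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": [],
                              "excludeGroups": ["bg-group"]}}},
]


def check_policy(policy, bg_users, bg_groups):
    """Return a list of findings (empty means the policy satisfies both controls)."""
    findings = []
    if policy.get("state") != REPORT_ONLY:
        findings.append(f"state is {policy.get('state')!r}, not report-only")
    users = policy.get("conditions", {}).get("users", {})
    excluded_users = set(users.get("excludeUsers") or [])
    excluded_groups = set(users.get("excludeGroups") or [])
    missing = bg_users - excluded_users
    # Excluding a break-glass group covers every account in it.
    if missing and not (excluded_groups & bg_groups):
        findings.append(f"break-glass accounts not excluded: {sorted(missing)}")
    return findings


def check_policies(policies, policy_ids, bg_users=BREAK_GLASS_USERS,
                   bg_groups=BREAK_GLASS_GROUPS):
    """Map policy id -> findings for the policies under review."""
    return {p["id"]: check_policy(p, bg_users, bg_groups)
            for p in policies if p["id"] in policy_ids}


def deleted_policy_ids(before_ids, after_ids):
    """Ids present before a remediation job but absent afterwards."""
    return sorted(set(before_ids) - set(after_ids))


if __name__ == "__main__":
    review = check_policies(SAMPLE_POLICIES, {"pol-1", "pol-2", "pol-3"})
    for pid, findings in review.items():
        print(pid, "OK" if not findings else findings)
    print("deleted:", deleted_policy_ids(["pol-1", "pol-2", "pol-9"],
                                         ["pol-1", "pol-2", "pol-3"]))
```

Run the deletion check with the policy id list captured before a remediation job and the list fetched afterwards; any id in the result contradicts the "no deletions" control and is worth a ticket with the vendor before the report-only policies are enabled.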
Policy.ReadWrite.ConditionalAccess
Create and update Conditional Access policies to close compliance gaps. All new policies are deployed in report-only mode — they do not enforce restrictions until an administrator manually enables them.
Data accessed: Conditional Access policy definitions only.
Not accessed: User sign-in data, authentication tokens, session information.
Policy.ReadWrite.Authorization
Update tenant-wide authorization policy settings, such as guest invitation restrictions and default user permissions.
Data accessed: Authorization policy configuration.
Policy.ReadWrite.AuthenticationMethod
Configure authentication method settings, such as enabling FIDO2 security keys or disabling SMS-based authentication.
Data accessed: Authentication method policy definitions.
Not accessed: User MFA registrations, authentication tokens.
Policy.ReadWrite.CrossTenantAccess
Update cross-tenant access and collaboration trust settings to enforce external sharing policies.
Data accessed: Cross-tenant access policy configurations.
Not accessed: External user data, guest user activity.
Policy.ReadWrite.ConsentRequest
Update the admin consent request policy to control how users request access to applications.
Data accessed: Consent request workflow settings.
Not accessed: Individual user consent requests, application usage data.
Policy.ReadWrite.ApplicationConfiguration
Create token lifetime policies (controlling access token validity periods) and activity-based timeout policies (enforcing idle session sign-out).
Data accessed: Token lifetime and session timeout policy definitions.
Not accessed: User sessions, authentication tokens, sign-in activity.
DeviceManagementConfiguration.ReadWrite.All
Create and update Intune configuration profiles and compliance policies to enforce security baselines.
Data accessed: Device configuration profiles, compliance policy definitions.
Not accessed: Individual device data, user-specific compliance status.
DeviceManagementApps.ReadWrite.All
Create and update app protection policies for iOS, Android, and Windows to enforce data loss prevention controls.
Data accessed: App protection policy definitions and assignments.
Not accessed: Installed applications on devices, app usage data.
DeviceManagementServiceConfig.ReadWrite.All
Update enrollment configurations and update ring profiles for managed devices.
Data accessed: Enrollment restriction settings, Windows Update for Business configurations.
Not accessed: Individual device enrollment history, user device inventory.
DeviceManagementManagedDevices.ReadWrite.All
Update managed device compliance state and configuration settings.
Data accessed: Device compliance state fields and management actions.
Not accessed: Device location, user files, personal data.
SharePointTenantSettings.ReadWrite.All
Update SharePoint Online tenant-level settings to enforce sharing and access controls.
Data accessed: SharePoint tenant configuration (sharing policies, access controls).
Not accessed: SharePoint site contents, document libraries, user files.
Directory.ReadWrite.All
Create and update directory group settings required by certain compliance controls.
Data accessed: Group settings objects (e.g., guest access defaults, classification labels).
Not accessed: User accounts, passwords, group membership lists.
User.ReadWrite.All
Update user authentication method registration settings as required by certain identity controls.
Data accessed: User authentication method configuration.
Not accessed: User passwords, personal information, mailbox contents.
Workload Permissions (Enterprise)
To extend compliance assessment coverage to Exchange Online, Defender for Office 365, and Microsoft Teams, your administrator grants the Global Reader directory role to the Veri-Tech service principal.
Global Reader
Provides read-only access to Exchange Online and Teams administrative configuration. Required for PowerShell-based checks that the Graph API does not support.
Data accessed: Administrative settings and configuration for Exchange Online, Defender for Office 365, and Microsoft Teams.
Not accessed: User mailbox contents, emails, calendar data, Teams chat messages, file contents, or any user-generated content.
Exchange.ManageAsApp
Enables the Veri-Tech service principal to authenticate to Exchange Online PowerShell for read-only configuration checks. This role is inert without the Global Reader directory role.
Data accessed: Exchange Online transport rules, anti-spam policies, anti-malware policies, preset security policies.
Not accessed: Mailbox contents, email messages, contact lists, calendar events.
Delegated OAuth Scopes
Write operations run as the signed-in administrator (delegated auth), not as the application. When you grant write access, you authorize Veri-Tech to perform changes on your behalf. Tokens are stored securely and scoped — Guard and Tune use separate consents with different scope sets.
Write scopes (delegated) — Veri-Guard remediation
When you grant write access for automated remediation, you authorize Veri-Tech to act on your behalf using your administrator credentials. The delegated token is stored securely and used only for the duration of the remediation job. The same write scopes listed above (Policy.ReadWrite.*, DeviceManagement*.ReadWrite.All, etc.) are requested as delegated permissions — meaning operations are performed as you, not as the application.
Data accessed: Same as the write permissions above — policy definitions, configuration settings.
Not accessed: No additional data access beyond the write permissions listed.
Write scopes (delegated) — Veri-Tune remediation
Veri-Tune uses a separate delegated consent for Intune-specific write operations: DeviceManagementConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, and DeviceManagementApps.ReadWrite.All. This scoped consent means Veri-Tune cannot touch M365 policies (Conditional Access, etc.) — only Intune device management.
Data accessed: Intune configuration profiles, service configuration, app protection policies.
Not accessed: Identity policies, Exchange settings, SharePoint configuration.
RoleManagement.ReadWrite.Directory (delegated)
Requested during the workload consent flow to assign or revoke the Global Reader directory role on the Veri-Tech service principal.
Data accessed: Directory role assignments for the Veri-Tech service principal only.
Application.Read.All (delegated)
Requested during workload enablement to look up the Exchange Online service principal in your tenant. Required to assign the Exchange.ManageAsApp role.
Data accessed: Service principal metadata (application IDs) — read-only, no modifications.
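Delegated consents are visible in the tenant as oauth2PermissionGrant objects, one per consenting principal and resource, with the scopes packed into a single space-separated string. The script below is an added example, not Veri-Tech code: it classifies each grant held by the vendor client against the three consent sets documented in this section (Veri-Guard write scopes, Veri-Tune Intune scopes, workload enablement), reports the consent type, and confirms the Veri-Tune grant really is confined to DeviceManagement scopes. Graph does not label a grant with a product name, so the product is inferred from the scope set; the grant records are constructed, and treating the standard OIDC sign-in scopes as baseline noise is an assumption.

```python
"""Classify the delegated OAuth2 permission grants held by a vendor client against
the consent sets this page documents: Veri-Guard remediation, Veri-Tune remediation,
and workload enablement.

Added example, not Veri-Tech code. Input has the shape of
GET /oauth2PermissionGrants?$filter=clientId eq '{vendorSpId}' (one grant per
consenting principal and resource, with 'scope' as a space-separated string).
Graph does not label a grant with a product name, so the product is inferred from
the scope set. The grant records below are constructed; treating the OIDC sign-in
scopes as baseline noise is an assumption.
"""

# The three Intune write scopes the page documents for Veri-Tune.
TUNE_SCOPES = {
    "DeviceManagementConfiguration.ReadWrite.All",
    "DeviceManagementServiceConfig.ReadWrite.All",
    "DeviceManagementApps.ReadWrite.All",
}

# The 13 write scopes documented under "Write Permissions" (Veri-Guard).
GUARD_SCOPES = {
    "Policy.ReadWrite.ConditionalAccess", "Policy.ReadWrite.Authorization",
    "Policy.ReadWrite.AuthenticationMethod", "Policy.ReadWrite.CrossTenantAccess",
    "Policy.ReadWrite.ConsentRequest", "Policy.ReadWrite.ApplicationConfiguration",
    "DeviceManagementManagedDevices.ReadWrite.All", "SharePointTenantSettings.ReadWrite.All",
    "Directory.ReadWrite.All", "User.ReadWrite.All",
} | TUNE_SCOPES

# Documented for the workload consent flow.
WORKLOAD_SCOPES = {"RoleManagement.ReadWrite.Directory", "Application.Read.All"}

# Standard sign-in scopes that commonly ride along on a delegated consent (assumption).
OIDC_BASELINE = {"openid", "profile", "offline_access", "User.Read"}

# Constructed grants. principalId is the consenting admin for consentType 'Principal'
# and None for an org-wide 'AllPrincipals' consent. g-2 carries one scope that is
# documented nowhere on this page.
SAMPLE_GRANTS = [
    {"id": "g-1", "clientId": "vendor-sp", "consentType": "Principal", "principalId": "admin-1",
     "resourceId": "graph-sp",
     "scope": "openid profile DeviceManagementConfiguration.ReadWrite.All "
              "DeviceManagementServiceConfig.ReadWrite.All DeviceManagementApps.ReadWrite.All"},
    {"id": "g-2", "clientId": "vendor-sp", "consentType": "Principal", "principalId": "admin-1",
     "resourceId": "graph-sp",
     "scope": "Policy.ReadWrite.ConditionalAccess Directory.ReadWrite.All Mail.ReadWrite"},
    {"id": "g-3", "clientId": "vendor-sp", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph-sp",
     "scope": "RoleManagement.ReadWrite.Directory Application.Read.All"},
]


def parse_scopes(grant):
    """Split the space-separated scope string, dropping the OIDC baseline."""
    return set(grant.get("scope", "").split()) - OIDC_BASELINE


def classify(grant):
    """Return (consent set name, undocumented scopes). Tune is tested before Guard
    because its three scopes are a subset of the Guard set."""
    scopes = parse_scopes(grant)
    for name, allowed in (("veri-tune", TUNE_SCOPES), ("workload", WORKLOAD_SCOPES),
                          ("veri-guard", GUARD_SCOPES)):
        if scopes and scopes <= allowed:
            return name, set()
    return "unexpected", scopes - (TUNE_SCOPES | WORKLOAD_SCOPES | GUARD_SCOPES)


def intune_only(grant):
    """True when every effective scope is an Intune (DeviceManagement*) scope, i.e.
    the grant cannot reach Conditional Access or other M365 policy, as the page
    claims for the Veri-Tune consent."""
    scopes = parse_scopes(grant)
    return bool(scopes) and all(s.startswith("DeviceManagement") for s in scopes)


def audit_grants(grants):
    """Summarise each grant: matched consent set, consent type, and leftovers."""
    rows = []
    for g in grants:
        kind, extra = classify(g)
        rows.append({"id": g["id"], "set": kind, "consentType": g["consentType"],
                     "principalId": g.get("principalId"), "undocumented": sorted(extra),
                     "intune_only": intune_only(g)})
    return rows


if __name__ == "__main__":
    for row in audit_grants(SAMPLE_GRANTS):
        print(row)
```

A grant classified as "unexpected" means the consented scope string contains something this page does not list; the "consentType" column tells you whether that consent was given by one administrator ("Principal", with the admin's object id in principalId) or for the whole organisation ("AllPrincipals"), which determines who can revoke it and whether revoking it in the Entra admin center affects other users.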
