Skip to content

Permissions Reference

This page lists the required permissions that SailPoint Entro uses for continuous Secrets Scanning, AI Agents Governance and Non-Human Identity (NHI) monitoring across Microsoft Entra, Azure, 365 environments. All permissions are read-only and adhere to least-privilege principles.

Microsoft Graph API

The following Microsoft Graph permissions allow SailPoint Entro to enumerate identities, applications, and configuration metadata:

Permission Purpose
Directory.Read.All Enumerate Entra ID directory structure and metadata
Application.Read.All Retrieve application and service principal metadata
User.Read.All Discover user objects for identity correlation

NHI, AI Usage (optional)

The following optional permissions improve visibility and correlation between secrets and related identity activity (NHI or AI):

Permission Purpose
AuditLog.Read.All Access Azure AD audit logs for activity tracking
SignInLogs.Read.All Retrieve sign-in activity for identity correlation

365 Apps Secrets Scanning (optional)

Microsoft Teams (Chats, Channels), Sharepoint / OneDrive (Pages, Documents, Sites)

Microsoft Teams

Permission Purpose
TeamsActivity.Read.All Read Teams activity metadata for discovery and correlation
TeamSettings.Read.All Read team settings and configuration metadata
TeamsTab.Read.All Read installed Teams tabs and related configuration
TeamsAppInstallation.ReadForChat.All Read app installations in chats
TeamsAppInstallation.ReadForTeam.All Read app installations in teams
TeamsAppInstallation.ReadForUser.All Read app installations for users
Channel.ReadBasic.All Enumerate channels and basic channel metadata
ChannelMember.Read.All Read channel membership for access correlation
ChannelMessage.Read.All Read channel messages for secrets scanning
ChannelSettings.Read.All Read channel settings and moderation configuration
Chat.Read.All Read chat messages and metadata for secrets scanning
AuditLog.Read.All Prioritization for secrets scanning by individuals (MS Teams), by recent activity timestamp.

Graph permissions for sending risks in Teams messages natively from SailPoint Entro

These permissions are required only when you enable native Teams risk messaging from SailPoint Entro.

Permission Purpose
TeamsAppInstallation.ReadWriteForTeam.All Install and manage the SailPoint Entro Teams app in teams for native risk delivery
TeamsAppInstallation.ReadWriteForUser.All Install and manage the SailPoint Entro Teams app for users receiving risk messages
TeamsAppInstallation.ReadWriteSelfForUser.All Allow the SailPoint Entro Teams app to manage its own user-level installation state

Sharepoint / OneDrive

Permission Purpose
Sites.Read.All Read SharePoint site collections and site metadata
Files.Read.All Read file metadata and document structure across SharePoint and OneDrive

Additional Graph permissions for AI discovery

The following permissions are required only when you enable AI discovery flows for Microsoft Copilot or Microsoft Defender.

Microsoft Copilot - Discover and analyze Copilot Endpoint and Chat Agents

Permission Purpose
AiEnterpriseInteraction.Read.All Read Microsoft Copilot enterprise AI interaction metadata
Reports.Read.All Access usage and activity reports for discovery and analysis
ExternalConnection.Read.All Read external connection metadata used by Copilot
AppCatalog.Read.All Enumerate app catalog entries and related app metadata

Microsoft Defender - Endpoint Agentic AI discovery

Permission Purpose
Machine.Read.All Read device inventory and related machine metadata - WindowsDefenderATP API
ThreatHunting.Read.All Query advanced hunting data for AI agent discovery visibility

Note

Most Graph permissions requested are read-only. The native Teams risk messaging permissions above require limited write access to install and manage the SailPoint Entro Teams app.

Azure Resource Access

SailPoint Entro Application requires these read-access assigned roles scopes to access subscription / management group metadata from Azure.

Role Description
Reader Grants read-only access to resource metadata and configurations
Key Vault Reader Allows enumeration of Key Vaults and secret metadata

Key Vault Access Policy

When Key Vault Access Policy mode (non-RBAC) is enabled, SailPoint Entro's service principal app must have the following permissions to manage its secrets. Get permission is optional for Vault <-> NHI Token / Exposed Secret correlation.

Object Required Permissions
Keys Get, List
Secrets Get, List

Note

With List permission only, SailPoint Entro reads only metadata such as key names, versions, and expiration dates. Secret values are never retrieved or transmitted.