Permissions Reference
This page lists the required permissions that SailPoint Entro uses for continuous Secrets Scanning, AI Agents Governance and Non-Human Identity (NHI) monitoring across Microsoft Entra, Azure, 365 environments. All permissions are read-only and adhere to least-privilege principles.
Microsoft Graph API
The following Microsoft Graph permissions allow SailPoint Entro to enumerate identities, applications, and configuration metadata:
| Permission | Purpose |
|---|---|
| Directory.Read.All | Enumerate Entra ID directory structure and metadata |
| Application.Read.All | Retrieve application and service principal metadata |
| User.Read.All | Discover user objects for identity correlation |
NHI, AI Usage (optional)
The following optional permissions improve visibility and correlation between secrets and related identity activity (NHI or AI):
| Permission | Purpose |
|---|---|
| AuditLog.Read.All | Access Azure AD audit logs for activity tracking |
| SignInLogs.Read.All | Retrieve sign-in activity for identity correlation |
365 Apps Secrets Scanning (optional)
Microsoft Teams (Chats, Channels), Sharepoint / OneDrive (Pages, Documents, Sites)
Microsoft Teams
| Permission | Purpose |
|---|---|
| TeamsActivity.Read.All | Read Teams activity metadata for discovery and correlation |
| TeamSettings.Read.All | Read team settings and configuration metadata |
| TeamsTab.Read.All | Read installed Teams tabs and related configuration |
| TeamsAppInstallation.ReadForChat.All | Read app installations in chats |
| TeamsAppInstallation.ReadForTeam.All | Read app installations in teams |
| TeamsAppInstallation.ReadForUser.All | Read app installations for users |
| Channel.ReadBasic.All | Enumerate channels and basic channel metadata |
| ChannelMember.Read.All | Read channel membership for access correlation |
| ChannelMessage.Read.All | Read channel messages for secrets scanning |
| ChannelSettings.Read.All | Read channel settings and moderation configuration |
| Chat.Read.All | Read chat messages and metadata for secrets scanning |
| AuditLog.Read.All | Prioritization for secrets scanning by individuals (MS Teams), by recent activity timestamp. |
Graph permissions for sending risks in Teams messages natively from SailPoint Entro
These permissions are required only when you enable native Teams risk messaging from SailPoint Entro.
| Permission | Purpose |
|---|---|
| TeamsAppInstallation.ReadWriteForTeam.All | Install and manage the SailPoint Entro Teams app in teams for native risk delivery |
| TeamsAppInstallation.ReadWriteForUser.All | Install and manage the SailPoint Entro Teams app for users receiving risk messages |
| TeamsAppInstallation.ReadWriteSelfForUser.All | Allow the SailPoint Entro Teams app to manage its own user-level installation state |
Sharepoint / OneDrive
| Permission | Purpose |
|---|---|
| Sites.Read.All | Read SharePoint site collections and site metadata |
| Files.Read.All | Read file metadata and document structure across SharePoint and OneDrive |
Additional Graph permissions for AI discovery
The following permissions are required only when you enable AI discovery flows for Microsoft Copilot or Microsoft Defender.
Microsoft Copilot - Discover and analyze Copilot Endpoint and Chat Agents
| Permission | Purpose |
|---|---|
| AiEnterpriseInteraction.Read.All | Read Microsoft Copilot enterprise AI interaction metadata |
| Reports.Read.All | Access usage and activity reports for discovery and analysis |
| ExternalConnection.Read.All | Read external connection metadata used by Copilot |
| AppCatalog.Read.All | Enumerate app catalog entries and related app metadata |
Microsoft Defender - Endpoint Agentic AI discovery
| Permission | Purpose |
|---|---|
| Machine.Read.All | Read device inventory and related machine metadata - WindowsDefenderATP API |
| ThreatHunting.Read.All | Query advanced hunting data for AI agent discovery visibility |
Note
Most Graph permissions requested are read-only. The native Teams risk messaging permissions above require limited write access to install and manage the SailPoint Entro Teams app.
Azure Resource Access
SailPoint Entro Application requires these read-access assigned roles scopes to access subscription / management group metadata from Azure.
| Role | Description |
|---|---|
| Reader | Grants read-only access to resource metadata and configurations |
| Key Vault Reader | Allows enumeration of Key Vaults and secret metadata |
Key Vault Access Policy
When Key Vault Access Policy mode (non-RBAC) is enabled, SailPoint Entro's service principal app must have the following permissions to manage its secrets. Get permission is optional for Vault <-> NHI Token / Exposed Secret correlation.
| Object | Required Permissions |
|---|---|
| Keys | Get, List |
| Secrets | Get, List |
Note
With List permission only, SailPoint Entro reads only metadata such as key names, versions, and expiration dates. Secret values are never retrieved or transmitted.