Resources

Required Permissions

MS Graph permissions 

  • Application.Read.All 
  • AuditLog.Read.All 
  • DeviceManagementManagedDevices.Read.All 
  • Directory.Read.All 
  • Reports.Read.All 
  • User.Read.All 

M365 usage report minimum Graph permissions 

  • LicenseAssignment.Read.All 
  • Reports.Read.All 

Azure permissions 

  • Microsoft.Advisor/*/read 
  • Microsoft.Advisor/generateRecommendations/action 
  • Microsoft.Billing/*/read 
  • Microsoft.Capacity/*/read 
  • Microsoft.Commerce/*/read 
  • Microsoft.Compute/*/read 
  • Microsoft.Consumption/*/read 
  • Microsoft.ContainerService/*/read 
  • Microsoft.CostManagement/*/read 
  • Microsoft.Resources/*/read 

Microsoft Graph Permissions 

What can we read out from your M365 tenant through these permissions? 

  • Application.Read.All: Read all application registrations and service principals (app IDs, reply URLs, owners, secrets metadata, etc.). 
  • Directory.Read.All: Read directory objects (users, groups, roles, devices, policies, contacts, administrative units). 
  • User.Read.All: Read all user profiles (names, emails, job info, license assignments, manager/report relationships, sign-in metadata). 
  • AuditLog.Read.All: Read audit, sign-in, and provisioning logs (who/what/when, sign-in IPs, conditional access evaluations). 
  • Reports.Read.All: Read Microsoft 365 usage and activity reports (Teams, SharePoint, Exchange, Yammer, etc.). 
  • DeviceManagementManagedDevices.Read.All: Read Intune-managed device inventory (OS, compliance, hardware info, encryption status, etc.). 

Azure REST API Permissions 

What can we read out from your Azure tenant through these permissions? 

  • Microsoft.Advisor/*/read: View cost, security, reliability, performance recommendations. 
  • Microsoft.Advisor/generateRecommendations/action: Trigger fresh recommendation generation. 
  • Microsoft.Billing/*/read: Read billing accounts, profiles, invoice sections, invoice metadata. 
  • Microsoft.Capacity/*/read: Read reservations, reservation orders, quotas. 
  • Microsoft.Commerce/*/read: Read legacy RateCard pricing (meter metadata, rates). 
  • Microsoft.Consumption/*/read: Read consumption usage details, balances, budgets. 
  • Microsoft.CostManagement/*/read: Query cost data, cost details report, exports. 
  • Microsoft.Compute/*/read: Read VMs, VMSS, disks, images, quotas, SKUs. 
  • Microsoft.ContainerService/*/read: Read AKS clusters, node pools, versions, networking. 
  • Microsoft.Resources/*/read: Read subscriptions, resource groups, resources, deployments, policies, tags. 

Summary of data 

With this set, we can pull a full tenant inventory across Azure & Entra ID: user directory & logs, Intune devices, M365 usage, cost & billing data, Azure compute/container resources, reservations, and optimization recommendations. 

All of these permissions are read-only: they allow viewing, querying, and exporting data, but not modifying resources. Some reports (e.g., sign-in logs, billing detail) may additionally require directory roles such as Security Reader or Billing Reader on top of the API permissions.
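As an added least-privilege check (example code, not part of this page or the product): the script below builds a custom Azure role containing exactly the Azure actions listed above, and flags any action already granted to the integration's principal that falls outside that set, using Azure RBAC wildcard semantics (`*` spans `/` segments, matching is case-insensitive). The role name, the subscription placeholder and the sample granted action list are assumptions.

```python
import fnmatch

# Azure RBAC actions required by the integration (copied from the list on this page).
REQUIRED_AZURE_ACTIONS = [
    "Microsoft.Advisor/*/read",
    "Microsoft.Advisor/generateRecommendations/action",
    "Microsoft.Billing/*/read",
    "Microsoft.Capacity/*/read",
    "Microsoft.Commerce/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Consumption/*/read",
    "Microsoft.ContainerService/*/read",
    "Microsoft.CostManagement/*/read",
    "Microsoft.Resources/*/read",
]

def custom_role_definition(name, assignable_scope):
    """Role body in the shape `az role definition create --role-definition` accepts,
    granting exactly the required actions and nothing else (name/scope are assumed)."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": "Read-only inventory, cost and Advisor access for the integration.",
        "Actions": list(REQUIRED_AZURE_ACTIONS),
        "NotActions": [],
        "AssignableScopes": [assignable_scope],
    }

def action_is_covered(action, allowed=REQUIRED_AZURE_ACTIONS):
    """True if `action` falls inside one of the allowed patterns. Azure wildcards
    span '/' segments and compare case-insensitively; fnmatch reproduces both."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in allowed)

def excess_actions(granted):
    """Granted actions that exceed the required read-only set, e.g. write actions
    or the blanket '*/read' that the built-in Reader role carries."""
    return sorted(a for a in granted if not action_is_covered(a))

# Constructed sample: the 'Actions' of a role currently assigned to the principal.
SAMPLE_GRANTED = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Advisor/generateRecommendations/action",
    "Microsoft.Compute/virtualMachines/write",
    "*/read",
]

if __name__ == "__main__":
    print(custom_role_definition("Tenant Inventory Reader", "/subscriptions/<SUBSCRIPTION_ID>"))
    print(excess_actions(SAMPLE_GRANTED))  # ['*/read', 'Microsoft.Compute/virtualMachines/write']
```

Assigning the built-in Reader role instead of this custom role would surface as the `*/read` excess above, since Reader grants far more than the inventory, cost and Advisor paths the page requires.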