Issue:
What exact permissions does the account used to connect Microsoft 365 and WithSecure require?
Resolution:
The account that connects Microsoft 365 and WithSecure requires the following permissions:
Exchange:
- Read all users' full profiles
- Read all audit log data
- Read all usage reports
- Read and write mail in all mailboxes
- Read and write contacts in all mailboxes
- Read and write calendars in all mailboxes
- Read domains
- Read activity data for your organization
- Read service health information of your organization
- Use Exchange Web Services with full access to all mailboxes
- Sign in and read user profile
- Read directory data
SharePoint and Teams:
- Sign in and read user profile
- Send channel messages
- Send user chat messages
- Read all groups
- Read domains
- Create, edit, and delete items and lists in all site collections
- Read and write items and lists in all site collections
- Have full control of all site collections
OneDrive:
- Read and write items and lists in all site collections
- Have full control of all site collections
- Sign in and read user profile
- Read and write files in all site collections
- Read all users' full profiles
- Read domains
Important note: Some of the permissions listed above sound like a lot, but we use the minimum permissions needed for our solution to operate correctly.
For example, in SharePoint and Teams, the last one is "Have full control of all site collections".
We use this permission only to create the quarantine zone to which we send the files.
WithSecure does not do anything else with this permission, but since it is the minimum one required, we have to request it.
Article no: 000042271