Skip to content

Azure permissions reference

This page is reference-only. Use it while configuring Azure RM for vScope or troubleshooting missing data.

Microsoft Graph application permissions

Service area	Permission value	What it unlocks
AuditLog	`AuditLog.Read.All`	Read audit log data
DeviceManagementApps	`DeviceManagementApps.Read.All`	Intune apps and assignments
DeviceManagementConfiguration	`DeviceManagementConfiguration.Read.All`	Intune device configs and policies
DeviceManagementManagedDevices	`DeviceManagementManagedDevices.Read.All`	Intune-managed devices
Directory	`Directory.Read.All`	Azure AD / Entra directory data
Groups	`Group.Read.All`	Groups and memberships
Policy	`Policy.Read.All`	Policy definitions
Reports	`Reports.Read.All`	Usage reports
SharePoint	`Sites.Read.All`	SharePoint site data
Teams	`Team.ReadBasic.All`	Basic Teams info

Defender for Endpoint application permissions

Service area	Permission value	What it unlocks
AdvancedQuery	`AdvancedQuery.Read.All`	Advanced hunting queries
Machine	`Machine.Read.All`	Defender device inventory

All listed Graph and Defender permissions require Grant admin consent after adding.

Azure RBAC

Assign Reader on every subscription you want inventoried (or an equivalent read role with no write privileges).
RBAC scope can be subscription, resource group, or resource; subscription-level is recommended to avoid gaps.