Enterprise Application Permissions
When connecting Kindo to Microsoft services, each integration requires an enterprise application registration in your Microsoft Entra ID (formerly Azure AD) tenant. The tables below list the exact API permissions each application needs.
Microsoft Integrations
Microsoft eDiscovery
| API | Permission | Description |
|---|---|---|
| Microsoft Graph | eDiscovery.Read.All | Read all eDiscovery objects |
| Microsoft Graph | eDiscovery.ReadWrite.All | Read and write all eDiscovery objects |
| Microsoft Graph | User.Read | Sign in and read user profile |
| Microsoft Graph | User.Read.All | Read all users’ full profiles |
Entra ID
| API | Permission | Description |
|---|---|---|
| Microsoft Graph | Application.Read.All | Read applications |
| Microsoft Graph | Application.ReadUpdate.All | Read and update all apps |
| Microsoft Graph | Application.ReadWrite.All | Read and write all applications |
| Microsoft Graph | AuditLog.Read.All | Read audit log data |
| Microsoft Graph | AuditLogsQuery-Entra.Read.All | Read audit logs data from Entra (Azure AD) workload |
| Microsoft Graph | Directory.Read.All | Read directory data |
| Microsoft Graph | Directory.ReadWrite.All | Read and write directory data |
| Microsoft Graph | Group.Read.All | Read all groups |
| Microsoft Graph | Group.ReadWrite.All | Read and write all groups |
| Microsoft Graph | IdentityRiskEvent.Read.All | Read identity risk event information |
| Microsoft Graph | IdentityRiskEvent.ReadWrite.All | Read and write risk event information |
| Microsoft Graph | IdentityRiskyUser.Read.All | Read identity risky user information |
| Microsoft Graph | IdentityRiskyUser.ReadWrite.All | Read and write risky user information |
| Microsoft Graph | offline_access | Maintain access to data you have given it access to |
| Microsoft Graph | Policy.Read.All | Read your organization’s policies |
| Microsoft Graph | Policy.Read.AuthenticationMethod | Read authentication method policies |
| Microsoft Graph | Policy.Read.ConditionalAccess | Read your organization’s conditional access policies |
| Microsoft Graph | Policy.Read.DeviceConfiguration | Read your organization’s device configuration policies |
| Microsoft Graph | Policy.Read.IdentityProtection | Read your organization’s identity protection policy |
| Microsoft Graph | Policy.Read.PermissionGrant | Read consent and permission grant policies |
| Microsoft Graph | Policy.ReadWrite.ConditionalAccess | Read and write your organization’s conditional access policies |
| Microsoft Graph | PrivilegedAccess.Read.AzureAD | Read privileged access to Azure AD |
| Microsoft Graph | PrivilegedAccess.Read.AzureADGroup | Read privileged access to Azure AD groups |
| Microsoft Graph | RoleManagement.Read.All | Read role management data for all RBAC providers |
| Microsoft Graph | RoleManagement.Read.Directory | Read directory RBAC settings |
| Microsoft Graph | RoleManagementAlert.Read.Directory | Read all alert data for your company’s directory |
| Microsoft Graph | RoleManagementPolicy.Read.AzureADGroup | Read all policies in PIM for Groups |
| Microsoft Graph | RoleManagementPolicy.Read.Directory | Read all policies for privileged role assignments of your company’s directory |
| Microsoft Graph | SecurityIdentitiesUserActions.Read.All | Read identity security available user actions |
| Microsoft Graph | SecurityIncident.Read.All | Read incidents |
| Microsoft Graph | User.Read | Sign in and read user profile |
| Microsoft Graph | User.Read.All | Read all users’ full profiles |
| Microsoft Graph | User.ReadBasic.All | Read all users’ basic profiles |
| Microsoft Graph | User.ReadWrite.All | Read and write all users’ full profiles |
| Microsoft Graph | UserAuthenticationMethod.Read | Read user authentication methods |
| Microsoft Graph | UserAuthenticationMethod.Read.All | Read all users’ authentication methods |
Microsoft Defender
| API | Permission | Description |
|---|---|---|
| Microsoft Graph | User.Read | Sign in and read user profile |
| WindowsDefenderATP | Machine.LiveResponse | Run live response on a specific machine |
| WindowsDefenderATP | IntegrationConfiguration.ReadWrite | Read and write integration settings |
| WindowsDefenderATP | Alert.Read | Read alerts |
| WindowsDefenderATP | Alert.ReadWrite | Read and write alerts |
| WindowsDefenderATP | User.Read.All | Read user profiles |
| WindowsDefenderATP | Ip.Read.All | Read IP address profiles |
| WindowsDefenderATP | Url.Read.All | Read URL profiles |
| WindowsDefenderATP | File.Read.All | Read file profiles |
| WindowsDefenderATP | Machine.Offboard | Offboard machine |
| WindowsDefenderATP | Machine.StopAndQuarantine | Stop and quarantine file |
| WindowsDefenderATP | Machine.RestrictExecution | Restrict code execution |
| WindowsDefenderATP | Machine.Scan | Scan machine |
| WindowsDefenderATP | Machine.CollectForensics | Collect forensics |
| WindowsDefenderATP | Machine.Isolate | Isolate machine |
| WindowsDefenderATP | Machine.ReadWrite | Read and write machine information |
| WindowsDefenderATP | Machine.Read | Read machine information |
| WindowsDefenderATP | AdvancedQuery.Read | Run advanced queries |
| WindowsDefenderATP | Ti.ReadWrite | Read and write IOCs |
| WindowsDefenderATP | SecurityRecommendation.Read | Read Threat and Vulnerability Management security recommendations |
| WindowsDefenderATP | Software.Read | Read Threat and Vulnerability Management software information |
| WindowsDefenderATP | Vulnerability.Read | Read Threat and Vulnerability Management vulnerability information |
| WindowsDefenderATP | Score.Read | Read Threat and Vulnerability Management score |
| WindowsDefenderATP | RemediationTasks.Read | Read remediation tasks |
| WindowsDefenderATP | Library.Manage | Manage live response library files |
| WindowsDefenderATP | SecurityConfiguration.Read | Read security configurations |
| WindowsDefenderATP | SecurityConfiguration.ReadWrite | Read and write security configurations |
| WindowsDefenderATP | SecurityBaselinesAssessment.Read | Read security baselines assessment information |
Kindo Teams MCP Server
| API | Permission | Description |
|---|---|---|
| Microsoft Graph | Channel.ReadBasic.All | Read the names and descriptions of channels |
| Microsoft Graph | ChannelMessage.Read.All | Read user channel messages |
| Microsoft Graph | ChannelMessage.ReadWrite | Read and write user channel messages |
| Microsoft Graph | ChannelMessage.Send | Send channel messages |
| Microsoft Graph | Chat.ReadWrite | Read and write user chat messages |
| Microsoft Graph | offline_access | Maintain access to data you have given it access to |
| Microsoft Graph | Team.ReadBasic.All | Read the names and descriptions of teams |
| Microsoft Graph | User.Read | Sign in and read user profile |
Purview Compliance
| API | Permission | Description |
|---|---|---|
| Microsoft Graph | AuditLogsQuery.Read.All | Read audit logs data from all services |
| Microsoft Graph | Content.Process.User | Process content for data security, governance and compliance |
| Microsoft Graph | Files.ReadWrite.All | Have full access to all files user can access |
| Microsoft Graph | InformationProtectionPolicy.Read | Read user sensitivity labels and label policies |
| Microsoft Graph | ProtectionScopes.Compute.User | Compute Purview policies for an individual user |
| Microsoft Graph | SecurityAlert.ReadWrite.All | Read and write to all security alerts |
| Microsoft Graph | SecurityIncident.ReadWrite.All | Read and write to incidents |
| Microsoft Graph | ThreatHunting.Read.All | Run hunting queries |
| Microsoft Graph | User.Read | Sign in and read user profile |
| Microsoft Graph | User.Read.All | Read all users’ full profiles |
Purview MCP
| API | Permission | Description |
|---|---|---|
| Microsoft Purview | Purview.DelegatedAccess | Purview Delegated API Access |
| Microsoft Graph | User.Read | Sign in and read user profile |
Intune
| API | Permission | Description |
|---|---|---|
| Microsoft Graph | DeviceManagementApps.Read.All | Read Microsoft Intune apps |
| Microsoft Graph | DeviceManagementConfiguration.Read.All | Read Microsoft Intune Device Configuration and Policies |
| Microsoft Graph | DeviceManagementManagedDevices.PrivilegedOperations.All | Perform user-impacting remote actions on Microsoft Intune devices |
| Microsoft Graph | DeviceManagementManagedDevices.Read.All | Read Microsoft Intune devices |
| Microsoft Graph | User.Read | Sign in and read user profile |
Outlook Calendar
| API | Permission | Description |
|---|---|---|
| Microsoft Graph | Calendars.Read | Read user calendars |
| Microsoft Graph | Calendars.Read.Shared | Read user and shared calendars |
| Microsoft Graph | Calendars.ReadBasic | Read basic details of user calendars |
| Microsoft Graph | Calendars.ReadWrite | Have full access to user calendars |
| Microsoft Graph | Calendars.ReadWrite.Shared | Read and write user and shared calendars |
| Microsoft Graph | Contacts.Read | Read user contacts |
| Microsoft Graph | People.Read | Read users’ relevant people lists |
| Microsoft Graph | User.Read | Sign in and read user profile |
Entra ID Governance
| API | Permission | Description |
|---|---|---|
| Microsoft Graph | AccessReview.Read.All | Read all access reviews that user can access |
| Microsoft Graph | AccessReview.ReadWrite.All | Manage all access reviews that user can access |
| Microsoft Graph | Directory.Read.All | Read directory data |
| Microsoft Graph | Directory.ReadWrite.All | Read and write directory data |
| Microsoft Graph | EntitlementManagement.ReadWrite.All | Read and write entitlement management resources |
| Microsoft Graph | LifecycleWorkflows-Reports.Read.All | Read all Lifecycle workflows reports |
| Microsoft Graph | LifecycleWorkflows-Workflow.Activate | Run workflows on-demand in Lifecycle workflows |
| Microsoft Graph | LifecycleWorkflows-Workflow.Read.All | Read all workflows in Lifecycle workflows |
| Microsoft Graph | LifecycleWorkflows-Workflow.ReadBasic.All | List all workflows in Lifecycle workflows |
| Microsoft Graph | PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup | Read, create, and delete assignment schedules for access to Azure AD groups |
| Microsoft Graph | PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup | Read, create, and delete eligibility schedules for access to Azure AD groups |
| Microsoft Graph | RoleAssignmentSchedule.ReadWrite.Directory | Read, update, and delete all active role assignments for your company’s directory |
| Microsoft Graph | RoleEligibilitySchedule.ReadWrite.Directory | Read, update, and delete all eligible role assignments for your company’s directory |
| Microsoft Graph | RoleManagement.Read.Directory | Read directory RBAC settings |
| Microsoft Graph | User.Read | Sign in and read user profile |
Graph Explorer
Admin Consent
| API | Permission | Description |
|---|---|---|
| Microsoft Graph | openid | Sign users in |
| Microsoft Graph | profile | View users’ basic profile |
| Microsoft Graph | User.Read | Sign in and read user profile |
| Microsoft Graph | offline_access | Maintain access to data you have given it access to |
| Microsoft Graph | Application.ReadWrite.All | Read and write all applications |
User Consent
| API | Permission | Description |
|---|---|---|
| Microsoft Graph | openid | Sign users in |
| Microsoft Graph | profile | View users’ basic profile |
| Microsoft Graph | User.Read | Sign in and read user profile |
| Microsoft Graph | offline_access | Maintain access to data you have given it access to |
| Microsoft Graph | Team.ReadBasic.All | Read the names and descriptions of teams |
| Microsoft Graph | Directory.Read.All | Read directory data |
| Microsoft Graph | Directory.ReadWrite.All | Read and write directory data |
| Microsoft Graph | TeamSettings.Read.All | Read teams’ settings |
| Microsoft Graph | TeamSettings.ReadWrite.All | Read and change teams’ settings |
| Microsoft Graph | User.Read.All | Read all users’ full profiles |
| Microsoft Graph | User.ReadWrite.All | Read and write all users’ full profiles |
| Microsoft Graph | ChannelMessage.Send | Send channel messages |
| Microsoft Graph | TeamMember.Read.All | Read the members of teams |
| Microsoft Graph | Channel.ReadBasic.All | Read the names and descriptions of channels |
| Microsoft Graph | Group.Read.All | Read all groups |
| Microsoft Graph | Chat.Create | Create chats |
| Microsoft Graph | Chat.ReadWrite | Read and write user chat messages |
| Microsoft Graph | TeamworkTag.Read | Read tags in Teams |
| Microsoft Graph | TeamworkTag.ReadWrite | Read and write tags in Teams |
| Microsoft Graph | ChannelMessage.Read.All | Read user channel messages |
| Microsoft Graph | Group.ReadWrite.All | Read and write all groups |
| Microsoft Graph | User.ReadBasic.All | Read all users’ basic profiles |
| Microsoft Graph | User.ReadWrite | Read and write access to user profile |
Excel Online
| API | Permission | Description |
|---|---|---|
| Microsoft Graph | Files.ReadWrite | Have full access to user files |
| Microsoft Graph | Files.ReadWrite.All | Have full access to all files user can access |
| Microsoft Graph | Sites.ReadWrite.All | Edit or delete items in all site collections |
| Microsoft Graph | User.Read | Sign in and read user profile |
Graph Security MCP
Application Permissions
| API | Permission | Description |
|---|---|---|
| Microsoft Graph | SecurityAlert.ReadWrite.All | Read and write to all security alerts |
| Microsoft Graph | SecurityEvents.Read.All | Read your organization’s security events |
| Microsoft Graph | SecurityAlert.Read.All | Read all security alerts |
| Microsoft Graph | SecurityIncident.Read.All | Read all security incidents |
| Microsoft Graph | SecurityIncident.ReadWrite.All | Read and write to all security incidents |
| Microsoft Graph | ThreatHunting.Read.All | Run hunting queries |
Delegated Permissions
| API | Permission | Description |
|---|---|---|
| Microsoft Graph | SecurityAlert.Read.All | Read all security alerts |
| Microsoft Graph | SecurityAlert.ReadWrite.All | Read and write to all security alerts |
| Microsoft Graph | SecurityEvents.Read.All | Read your organization’s security events |
| Microsoft Graph | SecurityIncident.Read.All | Read incidents |
| Microsoft Graph | SecurityIncident.ReadWrite.All | Read and write to incidents |
| Microsoft Graph | ThreatHunting.Read.All | Run hunting queries |
| Microsoft Graph | User.Read | Sign in and read user profile |