Required permissions in the Entra ID account
| Permission | Scope | Why CWP needs it |
|---|---|---|
| Application.ReadWrite.OwnedBy | Application | Allows CWP to remove its own app object during connector deprovisioning and lifecycle cleanup. |
| Device.ReadWrite.All | Application | Enables response action to disable compromised device objects in Entra ID. |
| User-PasswordProfile.ReadWrite.All | Application | Enables password reset response action for compromised user accounts. |
| User.EnableDisableAccount.All | Application | Enables response action to disable user accounts and stop unauthorized access. |
| User.RevokeSessions.All | Application | Enables forced sign-out by revoking active user sessions or tokens after suspicious activity. |
| Application.Read.All | Application | Read access to app and service principal identities for identity protection use cases. |
| Policy.Read.All | Application | Read access to Entra ID security and authorization policies for posture checks. |
| User.Read.All | Application | Read organization user profiles for identity protection and posture evaluation. |
| GroupSetting.Read.All | Application | Read group settings needed for CSPM policy and risk evaluation. |
| RoleManagement.Read.Directory | Application | Read directory RBAC role assignments and settings for privileged-role exposure checks. |
| GroupMember.Read.All | Application | Read group memberships, including transitive memberships. |
| UserAuthenticationMethod.Read.All | Application | Read users' authentication methods for security posture checks. |
| Azure Event Hubs Data Receiver | Azure RBAC | Allows CWP to consume Entra ID diagnostic logs from Event Hubs. |
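Because several of these are write permissions, it is worth verifying after setup that the connector's service principal holds exactly the Graph permissions in the table and nothing more. The following is an added example, not CWP's own code: it compares the required list against the app-role assignments you would retrieve from Microsoft Graph (the `appRoles` of the Microsoft Graph service principal and the connector's `appRoleAssignments`), using constructed sample data with placeholder GUIDs. The Azure RBAC role for Event Hubs is assigned separately and is outside this check.

```python
# The Microsoft Graph application permissions listed in the table above.
REQUIRED_GRAPH_PERMISSIONS = {
    "Application.ReadWrite.OwnedBy", "Device.ReadWrite.All",
    "User-PasswordProfile.ReadWrite.All", "User.EnableDisableAccount.All",
    "User.RevokeSessions.All", "Application.Read.All", "Policy.Read.All",
    "User.Read.All", "GroupSetting.Read.All", "RoleManagement.Read.Directory",
    "GroupMember.Read.All", "UserAuthenticationMethod.Read.All",
}

# Constructed sample of the Microsoft Graph service principal's 'appRoles'
# (as returned by GET /servicePrincipals/{id}). The GUIDs are placeholders,
# not the real permission IDs; only three roles are included for brevity.
GRAPH_APP_ROLES = [
    {"id": "11111111-0000-0000-0000-000000000001", "value": "User.Read.All",
     "allowedMemberTypes": ["Application"]},
    {"id": "11111111-0000-0000-0000-000000000002", "value": "Directory.ReadWrite.All",
     "allowedMemberTypes": ["Application"]},
    {"id": "11111111-0000-0000-0000-000000000003", "value": "Policy.Read.All",
     "allowedMemberTypes": ["Application"]},
]

# Constructed sample of the connector service principal's appRoleAssignments
# (GET /servicePrincipals/{id}/appRoleAssignments); only appRoleId is used.
CONNECTOR_ASSIGNMENTS = [
    {"appRoleId": "11111111-0000-0000-0000-000000000001"},
    {"appRoleId": "11111111-0000-0000-0000-000000000002"},
    {"appRoleId": "11111111-0000-0000-0000-000000000003"},
]


def audit_graph_permissions(app_roles, assignments, required=REQUIRED_GRAPH_PERMISSIONS):
    """Return the required permissions that are not granted ('missing') and
    the granted permissions that are not required ('extra')."""
    # Map appRoleId -> permission name, considering only app-only roles.
    names = {r["id"]: r["value"] for r in app_roles
             if "Application" in r.get("allowedMemberTypes", [])}
    # An assignment whose id is not a known app role is flagged rather than ignored.
    granted = {names.get(a["appRoleId"], "unknown:" + a["appRoleId"]) for a in assignments}
    return {"missing": sorted(required - granted), "extra": sorted(granted - required)}


if __name__ == "__main__":
    # With the sample data: 10 required permissions missing, Directory.ReadWrite.All extra.
    print(audit_graph_permissions(GRAPH_APP_ROLES, CONNECTOR_ASSIGNMENTS))
```

Any entry under `extra` is a candidate for removal, since the table above is the full set the connector needs.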