Griffin31 Connector Permission
Griffin31 Connector Permissions
Overview
When connecting Griffin31 to a Microsoft 365 tenant, specific permissions are required to enable access to necessary resources for security assessments.
Griffin31 operates without any write permissions in your Microsoft 365 tenant, ensuring it cannot alter any settings or configurations within the environment. Additionally, Griffin31 does not have access to any user data, such as files and emails stored within the tenant.
The platform is designed for read-only security assessments, focusing solely on identifying misconfigurations and vulnerabilities while maintaining strict adherence to data privacy and security protocols.
Security-First Design
Privacy Protection
- No Write Access: Cannot modify tenant settings or configurations
- No User Data Access: Files and emails remain completely inaccessible
- Read-Only Operations: Solely focused on security assessment and monitoring
Compliance Assurance
Your organization’s data remains fully protected and inaccessible to Griffin31, ensuring complete compliance with data protection regulations.
API Permissions Breakdown
| Permission | Purpose | Security Assessment Value |
|---|---|---|
| AppCatalog.Read.All | Monitor app catalogs | Ensures no unapproved apps compromise security |
| Application.Read.All | Review all applications | Detects potential vulnerabilities in integrated apps |
| AuditLog.Read.All | Access audit log data | Tracks changes and generates security audit trails |
| Channel.ReadBasic.All | Read Teams channel names | Monitors collaboration and prevents unauthorized channels |
| ChannelMember.Read.All | Access Teams channel members | Ensures only authorized users access specific channels |
| ChannelSettings.Read.All | Read Teams channel settings | Validates proper configuration and permissions |
| DeviceManagementApps.Read.All | Monitor Intune apps | Ensures compliant and secure applications on devices |
| DeviceManagementConfiguration.Read.All | Review Intune configurations | Monitors compliance and security configurations |
| Directory.Read.All | Access directory data | Maintains overview of assets and assesses permissions |
| Domain.Read.All | Read domain information | Monitors domain configuration and security |
| Group.Read.All | Access group data | Reviews group memberships and access controls |
| IdentityProvider.Read.All | Review identity providers | Evaluates security of identity sources |
| IdentityRiskEvent.Read.All | Access identity risk events | Monitors and assesses identity protection risks |
| IdentityRiskyServicePrincipal.Read.All | Read risky service principals | Identifies potentially compromised service accounts |
| IdentityRiskyUser.Read.All | Access risky user information | Monitors users flagged for security risks |
| InformationProtectionPolicy.Read.All | Read protection policies | Assesses data classification and protection policies |
| MailboxSettings.Read | Access mailbox settings | Monitors email configurations and security |
| offline_access (Delegated) | Maintain session continuity | Ensures ongoing security assessment access |
| openid (Delegated) | User authentication | Required for Microsoft 365 resource access |
| Organization.Read.All | Read organization information | Assesses organizational structure and policies |
| OrgSettings-AppsAndServices.Read.All | Access apps and services settings | Monitors application and service security |
| OrgSettings-Forms.Read.All | Read Forms settings | Assesses Microsoft Forms security configuration |
| Policy.Read.All | Access organizational policies | Ensures security and compliance policy enforcement |
| profile (Delegated) | View basic user profile | Required for authentication user information |
| RoleManagement.Read.All | Read role management data | Assesses role-based access control configurations |
| SharePointTenantSettings.Read.All | Access SharePoint settings | Monitors secure configurations and file-sharing |
| Team.ReadBasic.All | List all teams | Provides Teams configuration overview |
| TeamMember.Read.All | Read team members | Ensures authorized user access to Teams |
| TeamSettings.Read.All | Access Teams settings | Evaluates Microsoft Teams security settings |
| User.Read (Delegated) | Sign in and read profile | Required for user authentication |
| User.Read.All | Access full user profiles | Monitors user activity and security |
| UserAuthenticationMethod.Read.All | Read authentication methods | Assesses authentication protocols like MFA |
| Exchange.ManageAsApp (Application) | Access Exchange configurations | Enables Exchange Online security assessment |
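One way to check a tenant against this table, as an added example (not Griffin31's code): it resolves the connector's app role assignments and delegated scopes to names, then reports anything granted that the table does not list and any name whose action segment implies more than read. The sample input, its placeholder GUIDs, the `Mail.Send` drift entry and the write-prefix heuristic are assumptions made for illustration.

```python
# Permission names copied from the table on this page.
DOCUMENTED = set("""
AppCatalog.Read.All Application.Read.All AuditLog.Read.All Channel.ReadBasic.All
ChannelMember.Read.All ChannelSettings.Read.All DeviceManagementApps.Read.All
DeviceManagementConfiguration.Read.All Directory.Read.All Domain.Read.All
Group.Read.All IdentityProvider.Read.All IdentityRiskEvent.Read.All
IdentityRiskyServicePrincipal.Read.All IdentityRiskyUser.Read.All
InformationProtectionPolicy.Read.All MailboxSettings.Read offline_access openid
Organization.Read.All OrgSettings-AppsAndServices.Read.All OrgSettings-Forms.Read.All
Policy.Read.All profile RoleManagement.Read.All SharePointTenantSettings.Read.All
Team.ReadBasic.All TeamMember.Read.All TeamSettings.Read.All User.Read User.Read.All
UserAuthenticationMethod.Read.All Exchange.ManageAsApp
""".split())
# Heuristic (assumption of this example): action segments that imply more than read.
WRITE_PREFIXES = ("ReadWrite", "Write", "Manage", "Send", "Create", "Delete", "Update")

def granted_names(assignments, app_roles, delegated_grants):
    """Resolve appRoleAssignment GUIDs to names and merge delegated scopes."""
    # app_roles: appRoles of every resource service principal, merged into one list.
    by_id = {r["id"]: r["value"] for r in app_roles}
    names = {by_id.get(a["appRoleId"], "unresolved:" + a["appRoleId"]) for a in assignments}
    for grant in delegated_grants:
        names.update(grant["scope"].split())  # scope is a space-separated string
    return names

def audit(granted):
    """Compare what the tenant granted with what the page documents."""
    def more_than_read(name):
        # Skip the first segment: it names the resource (e.g. RoleManagement).
        return any(s.startswith(WRITE_PREFIXES) for s in name.split(".")[1:])
    return {
        "undocumented": sorted(granted - DOCUMENTED),
        "not_granted": sorted(DOCUMENTED - granted),
        "review": sorted(n for n in granted if more_than_read(n)),
    }

def demo():
    # Constructed sample shaped like Graph's appRoles, appRoleAssignments and
    # oauth2PermissionGrants; the GUIDs are placeholders, not real role IDs.
    roles = [{"id": f"00000000-0000-0000-0000-00000000000{i}", "value": v}
             for i, v in enumerate(["Directory.Read.All", "User.Read.All",
                                    "Exchange.ManageAsApp", "Mail.Send"], 1)]
    assignments = [{"appRoleId": r["id"]} for r in roles]
    delegated = [{"scope": "openid profile offline_access User.Read"}]
    return audit(granted_names(assignments, roles, delegated))

if __name__ == "__main__":
    for finding, names in demo().items():
        print(f"{finding}: {names}")
```

`Exchange.ManageAsApp` appears under `review` by design: the permission only enables app-only sign-in to Exchange Online, and what the connector can do there is set by the role assigned to its service principal, so that role assignment is what to inspect.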
Permission Categories
Identity & Access Management
- Directory.Read.All
- User.Read.All
- UserAuthenticationMethod.Read.All
- IdentityRiskEvent.Read.All
- IdentityRiskyUser.Read.All
- IdentityRiskyServicePrincipal.Read.All
Application & Service Security
- Application.Read.All
- AppCatalog.Read.All
- DeviceManagementApps.Read.All
- DeviceManagementConfiguration.Read.All
Collaboration & Communication
- Channel.ReadBasic.All
- ChannelMember.Read.All
- ChannelSettings.Read.All
- Team.ReadBasic.All
- TeamMember.Read.All
- TeamSettings.Read.All
- MailboxSettings.Read
Policy & Compliance
- Policy.Read.All
- AuditLog.Read.All
- InformationProtectionPolicy.Read.All
- OrgSettings-AppsAndServices.Read.All
- OrgSettings-Forms.Read.All
Conclusion
Key Takeaway: These permissions provide Griffin31 with the necessary visibility into Microsoft 365’s various components to monitor, assess, and ensure robust security practices across the tenant while maintaining strict read-only access and data privacy protection.