Microsoft Security Analysis
Microsoft Graph Permissions
Complete list of Microsoft Graph permissions requested by TrustCyber and why each is needed.
TrustCyber uses Microsoft Graph API to collect security and configuration data from your Microsoft 365 environment. All permissions are read-only — TrustCyber never modifies your environment. Below is the complete list of permissions requested during the tenant connection process.
Required Permissions
| Permission | Type | Purpose |
|---|---|---|
| User.Read.All | Application | Read all user accounts to assess identity security and MFA coverage |
| Directory.Read.All | Application | Read directory data including groups, roles, and organizational units |
| Policy.Read.All | Application | Read conditional access policies and authentication policies |
| SecurityEvents.Read.All | Application | Read security alerts and incidents from Microsoft Defender |
| Reports.Read.All | Application | Read Microsoft 365 usage reports and Secure Score data |
| DeviceManagementConfiguration.Read.All | Application | Read Intune device compliance policies and configurations |
| MailboxSettings.Read | Delegated | Read mailbox settings for email security analysis |
| AuditLog.Read.All | Application | Read audit logs for governance and compliance analysis |
Tip: All TrustCyber permissions are read-only. We do not request any write, modify, or delete permissions. Your Microsoft environment is never altered by TrustCyber.
Least Privilege Approach
TrustCyber requests only the minimum permissions required to perform each analysis. Permissions are reviewed quarterly and removed if they are no longer needed for platform functionality. Our permission model has been reviewed by Microsoft's ISV security team as part of our Microsoft Partner certification.
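To check that the permissions actually granted in your tenant match the table above, the following added example (not TrustCyber's code) compares an export of the connected app's appRoleAssignments and oauth2PermissionGrants from Microsoft Graph with the documented list. The sample export, the placeholder GUIDs and the name-based read-only heuristic are assumptions constructed for illustration.

```python
# Added example, not TrustCyber code. Input shapes follow Microsoft Graph:
# appRoleAssignments carry an appRoleId GUID that is resolved through the
# resource service principal's appRoles; oauth2PermissionGrants carry a
# space-separated "scope" string.
DOCUMENTED = {  # permission -> type, copied from the table on this page
    "User.Read.All": "Application",
    "Directory.Read.All": "Application",
    "Policy.Read.All": "Application",
    "SecurityEvents.Read.All": "Application",
    "Reports.Read.All": "Application",
    "DeviceManagementConfiguration.Read.All": "Application",
    "MailboxSettings.Read": "Delegated",
    "AuditLog.Read.All": "Application",
}

def is_read_only(name):
    """Naming heuristic (assumption): the name has a Read or ReadBasic segment."""
    return any(part in ("Read", "ReadBasic") for part in name.split("."))

def audit(assignments, resource_app_roles, delegated_grants):
    """Compare what the tenant actually granted with the documented table."""
    names = {r["id"]: r["value"] for r in resource_app_roles}
    granted = {(names.get(a["appRoleId"], "unresolved:" + a["appRoleId"]), "Application")
               for a in assignments}
    for grant in delegated_grants:
        granted |= {(s, "Delegated") for s in grant.get("scope", "").split()}
    documented = set(DOCUMENTED.items())
    return {
        "undocumented": sorted(granted - documented),   # granted, not in the table
        "not_granted": sorted(documented - granted),    # in the table, not granted
        # Anything without a Read segment is listed for manual review.
        "not_read_only": sorted(n for n, _ in granted if not is_read_only(n)),
    }

# Constructed sample export with placeholder GUIDs. One extra grant is added
# and one documented grant is left out so the audit has something to report.
APP_ROLES = [{"id": f"00000000-0000-0000-0000-{i:012d}", "value": v}
             for i, v in enumerate(
                 [n for n, t in DOCUMENTED.items() if t == "Application"]
                 + ["Directory.ReadWrite.All"], start=1)]
ASSIGNMENTS = [{"appRoleId": r["id"]} for r in APP_ROLES
               if r["value"] != "Reports.Read.All"]
GRANTS = [{"consentType": "AllPrincipals", "scope": "MailboxSettings.Read"}]

if __name__ == "__main__":
    for finding, items in audit(ASSIGNMENTS, APP_ROLES, GRANTS).items():
        print(finding, items)
```

Running the same comparison after each quarterly permission review shows whether removed permissions were also revoked in the tenant.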