Enterprise App Permissions Reference
This document provides a comprehensive list of the Microsoft 365 permissions required by the Syncro Enterprise Application. These permissions allow the integration to synchronize data, manage users, monitor device health, and perform administrative actions within your Microsoft 365 environment.
The Syncro Enterprise App permissions were last updated on April 1, 2026 as part of the baseline enhancements. The update covers the following permissions and admin roles, listed with the rules or CIS checks each one supports:

- OrgSettings-Forms.Read.All (Application Permission) for:
  - CIS 1.3.5 Internal Phishing Protection For Forms Is Enabled
- OrgSettings-AppsAndServices.Read.All (Application Permission) for:
  - CIS 5.1.5.1 User Consent To Apps Accessing Company Data On Their Behalf Is Not Allowed
- Sites.FullControl.All (Application Permission) for:
  - SharePoint Rules
- AccessReview.Read.All (Application Permission) for:
  - CIS 5.3.2 'Access reviews' for Guest Users are configured
  - CIS 5.3.3 'Access reviews' for privileged roles are configured
- AuditLog.Read.All (Application Permission) for:
  - CIS 5.2.3.4 All member users are 'MFA capable'
- RoleEligibilitySchedule.Read.Directory (Application Permission) for:
  - CIS 5.3.1 'Privileged Identity Management' is used to manage roles
- RoleManagementPolicy.Read.Directory (Application Permission) for:
  - CIS 5.3.4 Approval is required for Global Administrator role activation
  - CIS 5.3.5 Approval is required for Privileged Role Administrator activation
- Exchange Admin role for: All Exchange Rules
- Compliance Administrator role for: All DLP Rules
Microsoft Graph Permissions
| Type | Permission (Claim) | Description |
|---|---|---|
| Application | AccessReview.Read.All | Read all access reviews |
| Application | Application.ReadWrite.All | Read and write all applications |
| Application | AuditLog.Read.All | Read all audit log data |
| Application | Channel.Create | Create channels |
| Application | Channel.ReadBasic.All | Read the names and descriptions of all channels |
| Application | ChannelMember.Read.All | Read the members of all channels |
| Application | ChannelMember.ReadWrite.All | Add and remove members from all channels |
| Application | CrossTenantInformation.ReadBasic.All | Read cross-tenant basic information |
| Application | Device.ReadWrite.All | Read and write devices |
| Application | DeviceManagementApps.ReadWrite.All | Read and write Microsoft Intune apps |
| Application | DeviceManagementConfiguration.ReadWrite.All | Read and write Microsoft Intune device configuration and policies |
| Application | DeviceManagementManagedDevices.PrivilegedOperations.All | Perform user-impacting remote actions on Intune devices |
| Application | DeviceManagementManagedDevices.Read.All | Read Microsoft Intune devices |
| Application | DeviceManagementManagedDevices.ReadWrite.All | Read and write Microsoft Intune devices |
| Application | DeviceManagementRBAC.Read.All | Read Microsoft Intune RBAC settings |
| Application | DeviceManagementRBAC.ReadWrite.All | Read and write Microsoft Intune RBAC settings |
| Application | DeviceManagementServiceConfig.Read.All | Read Microsoft Intune configuration |
| Application | DeviceManagementServiceConfig.ReadWrite.All | Read and write Microsoft Intune configuration |
| Application | Directory.Read.All | Read directory data |
| Application | Directory.ReadWrite.All | Read and write directory data |
| Application | Domain.Read.All | Read domains |
| Application | Files.ReadWrite.All | Read and write files in all site collections |
| Application | Group.Create | Create groups |
| Application | Group.Read.All | Read all groups |
| Application | Group.ReadWrite.All | Read and write all groups |
| Application | GroupMember.ReadWrite.All | Read and write all group memberships |
| Application | Mail.Send | Send mail as any user |
| Application | OrgSettings-Forms.Read.All | Read organization-wide Microsoft Forms settings |
| Application | Organization.ReadWrite.All | Read and write organization information |
| Application | PeopleSettings.ReadWrite.All | Read and write all tenant-wide people settings |
| Application | Place.Read.All | Read all company places |
| Application | Policy.Read.All | Read your organization's policies |
| Application | Policy.ReadWrite.ApplicationConfiguration | Read and write application configuration policies |
| Application | Policy.ReadWrite.AuthenticationFlows | Read and write authentication flow policies |
| Application | Policy.ReadWrite.AuthenticationMethod | Read and write all authentication method policies |
| Application | Policy.ReadWrite.ConditionalAccess | Read and write conditional access policies |
| Application | Policy.ReadWrite.ConsentRequest | Read and write consent request policy |
| Application | Policy.ReadWrite.CrossTenantAccess | Read and write cross tenant access policies |
| Application | PrivilegedAccess.ReadWrite.AzureADGroup | Read and write privileged access to Azure AD groups |
| Application | ReportSettings.ReadWrite.All | Read and write all admin report settings |
| Application | Reports.Read.All | Read all usage reports |
| Application | RoleAssignmentSchedule.Read.Directory | Read active role assignments and schedules |
| Application | RoleEligibilitySchedule.Read.Directory | Read eligible role assignments and schedules |
| Application | RoleManagementPolicy.Read.Directory | Read policies for privileged role assignments |
| Application | SecurityEvents.Read.All | Read your organization’s security events |
| Application | SecurityIncident.Read.All | Read all security incidents |
| Application | SecurityIncident.ReadWrite.All | Read and write to all security incidents |
| Application | SharePointTenantSettings.ReadWrite.All | Read and change SharePoint and OneDrive settings |
| Application | Sites.FullControl.All | Have full control of all site collections |
| Application | TeamMember.ReadWrite.All | Add and remove members from all teams |
| Application | TeamMember.ReadWriteNonOwnerRole.All | Add and remove members with non-owner role |
| Application | User.ReadWrite.All | Read and write all users' full profiles |
| Application | UserAuthenticationMethod.ReadWrite.All | Read and write all users' authentication methods |
| Delegated | AppRoleAssignment.ReadWrite.All | Read and write app role assignments |
| Delegated | Application.ReadWrite.All | Read and write all applications |
| Delegated | AuditLog.Read.All | Read all audit log data |
| Delegated | BitlockerKey.Read.All | Read all BitLocker keys |
| Delegated | Channel.Create | Create channels |
| Delegated | Channel.Delete.All | Delete all channels |
| Delegated | Channel.ReadBasic.All | Read basic channel information |
| Delegated | ChannelMember.Read.All | Read all channel members |
| Delegated | ChannelMember.ReadWrite.All | Add and remove channel members |
| Delegated | ChannelMessage.Edit | Edit channel messages |
| Delegated | ChannelMessage.Read.All | Read all channel messages |
| Delegated | ChannelMessage.Send | Send channel messages |
| Delegated | ChannelSettings.Read.All | Read all channel settings |
| Delegated | ChannelSettings.ReadWrite.All | Read and write all channel settings |
| Delegated | ConsentRequest.Read.All | Read all consent requests |
| Delegated | DelegatedAdminRelationship.ReadWrite.All | Manage delegated admin relationships |
| Delegated | Device.Command | Send commands to devices |
| Delegated | Device.Read | Read devices |
| Delegated | Device.Read.All | Read all devices |
| Delegated | DeviceLocalCredential.Read.All | Read all device local credentials |
| Delegated | DeviceManagementApps.ReadWrite.All | Read and write Intune apps |
| Delegated | DeviceManagementConfiguration.ReadWrite.All | Read and write Intune device configurations |
| Delegated | DeviceManagementManagedDevices.PrivilegedOperations.All | Perform privileged actions on Intune devices |
| Delegated | DeviceManagementManagedDevices.ReadWrite.All | Read and write Intune devices |
| Delegated | DeviceManagementRBAC.ReadWrite.All | Read and write Intune RBAC settings |
| Delegated | DeviceManagementServiceConfig.ReadWrite.All | Read and write Intune service configurations |
| Delegated | Directory.AccessAsUser.All | Access directory as the signed-in user |
| Delegated | Domain.Read.All | Read domains |
| Delegated | Group.ReadWrite.All | Read and write all groups |
| Delegated | GroupMember.ReadWrite.All | Read and write all group memberships |
| Delegated | IdentityRiskEvent.ReadWrite.All | Read and write identity risk events |
| Delegated | IdentityRiskyServicePrincipal.ReadWrite.All | Read and write risky service principals |
| Delegated | IdentityRiskyUser.ReadWrite.All | Read and write risky users |
| Delegated | Mail.Send | Send mail as the user |
| Delegated | Mail.Send.Shared | Send mail from shared mailboxes |
| Delegated | Member.Read.Hidden | Read hidden memberships |
| Delegated | Organization.ReadWrite.All | Read and write organization information |
| Delegated | PeopleSettings.ReadWrite.All | Read and write people settings |
| Delegated | Place.ReadWrite.All | Read and write company places |
| Delegated | Policy.Read.All | Read organization policies |
| Delegated | Policy.ReadWrite.ApplicationConfiguration | Read and write app configuration policies |
| Delegated | Policy.ReadWrite.AuthenticationFlows | Read and write authentication flows |
| Delegated | Policy.ReadWrite.AuthenticationMethod | Read and write authentication methods |
| Delegated | Policy.ReadWrite.Authorization | Read and write authorization policies |
| Delegated | Policy.ReadWrite.ConditionalAccess | Read and write conditional access policies |
| Delegated | Policy.ReadWrite.ConsentRequest | Read and write consent request policies |
| Delegated | Policy.ReadWrite.DeviceConfiguration | Read and write device configurations |
| Delegated | PrivilegedAccess.Read.AzureResources | Read privileged access to Azure resources |
| Delegated | PrivilegedAccess.ReadWrite.AzureResources | Manage privileged access to Azure resources |
| Delegated | ReportSettings.ReadWrite.All | Manage admin report settings |
| Delegated | Reports.Read.All | Read usage reports |
| Delegated | RoleManagement.ReadWrite.Directory | Manage directory role assignments |
| Delegated | SecurityActions.ReadWrite.All | Manage security actions |
| Delegated | SecurityEvents.ReadWrite.All | Manage security events |
| Delegated | SecurityIncident.ReadWrite.All | Manage security incidents |
| Delegated | ServiceHealth.Read.All | Read service health |
| Delegated | ServiceMessage.Read.All | Read service messages |
| Delegated | SharePointTenantSettings.ReadWrite.All | Manage SharePoint tenant settings |
| Delegated | Sites.ReadWrite.All | Read and write all site collections |
| Delegated | Team.Create | Create teams |
| Delegated | Team.ReadBasic.All | Read basic team information |
| Delegated | TeamMember.ReadWrite.All | Manage team members |
| Delegated | TeamMember.ReadWriteNonOwnerRole.All | Manage non-owner team members |
| Delegated | TeamSettings.Read.All | Read team settings |
| Delegated | TeamSettings.ReadWrite.All | Manage team settings |
| Delegated | TeamsActivity.Read | Read Teams activity |
| Delegated | TeamsTab.Create | Create Teams tabs |
| Delegated | TeamsTab.ReadWrite.All | Manage Teams tabs |
| Delegated | ThreatAssessment.ReadWrite.All | Manage threat assessments |
| Delegated | UnifiedGroupMember.Read.AsGuest | Read group members as guest |
| Delegated | User.ManageIdentities.All | Manage user identities |
| Delegated | User.ReadWrite.All | Manage user profiles |
| Delegated | UserAuthenticationMethod.Read.All | Read user authentication methods |
| Delegated | UserAuthenticationMethod.ReadWrite | Manage user authentication methods |
| Delegated | UserAuthenticationMethod.ReadWrite.All | Manage all users' authentication methods |
| Delegated | offline_access | Maintain access to data the app has been given access to |
| Delegated | openid | Sign users in |
| Delegated | profile | View users' basic profile |
Office 365 Exchange Online
Used for managing user mailbox settings, calendars, and organizational Exchange configurations.
| Type | Permission (Claim) | Description |
|---|---|---|
| Application | Exchange.ManageAsApp | Manage Exchange as an application |
| Application | Calendars.ReadWrite.All | Read and write calendars in all mailboxes |
| Application | MailboxSettings.ReadWrite | Read and write all user mailbox settings |
| Delegated | Exchange.Manage | Manage Exchange Online |
| Delegated | Calendars.ReadWrite.All | Read and write calendars |
| Delegated | MailboxSettings.ReadWrite | Read and write mailbox settings |
Office 365 SharePoint Online
Used for deep interaction with SharePoint site collections and file storage settings.
| Type | Permission (Claim) | Description |
|---|---|---|
| Application | Sites.FullControl.All | Full control of all site collections |
| Delegated | AllSites.FullControl | Full control of all site collections (as user) |
Additional Management APIs
These specialized APIs allow Syncro to monitor service health and manage specific M365 licensing features.
| Resource | Type | Claim Value |
|---|---|---|
| Skype/Teams Admin | Delegated | user_impersonation |
| O365 Management | Delegated | ActivityFeed.Read |
| M365 License Manager | Delegated | LicenseManager.AccessAsUser |