Microsoft App Registration & Permissions
CloudCapsule uses two separate Microsoft app registrations depending on your plan and the level of access granted within a tenant. This article explains what each registration does, the permissions it requests, and why they are needed.
Understanding the Two App Registrations
CloudCapsule registers two apps in Microsoft depending on the features you use:
- CloudCapsule — The core assessment and visibility app. This registration operates on a read-only model wherever possible. A small number of write permissions are used exclusively to manage CloudCapsule's own access, such as allowing you to revoke permissions or remove the app from a tenant entirely.
- CloudCapsule-Manage — A separate app registration that enables remediation and policy management features in addition to the base Analyze capabilities. This app follows the same least-permissive philosophy, requesting only the additional write permissions required to take action on your behalf. By consenting to Manage, you do not need to also consent to Analyze separately.
Neither application ever requests more access than is needed for its specific function. CloudCapsule never automatically pushes changes to a tenant. Every remediation and policy action must be explicitly initiated by a user within the app. All actions are recorded in a full activity log, giving you complete visibility into what was changed, by whom, and when.
Data Privacy
The data privacy of a tenant is of utmost importance to our team. If you have any questions or concerns about how CloudCapsule accesses or handles tenant data, please contact us at support@cloudcapsule.io.
CloudCapsule — Permission Details
All permissions below are Microsoft Graph unless otherwise noted.
Read Permissions
These permissions allow CloudCapsule to assess your tenant's security posture without making any changes.
| Permission | Purpose |
|---|---|
| AuditLog.Read.All | Read all audit log data for sign-in information and suspicious user activity. |
| DelegatedAdminRelationship.Read.All | Read Delegated Admin relationships with customers. Used to pull in all tenants under an MSP partner tenant. |
| DeviceManagementApps.Read.All | Read Microsoft Intune apps. |
| DeviceManagementConfiguration.Read.All | Read Microsoft Intune device configuration and policies. |
| DeviceManagementManagedDevices.Read.All | Read Microsoft Intune devices. |
| DeviceManagementScripts.Read.All | Read Microsoft Intune scripts. Used to assess deployed Intune script configurations. |
| DeviceManagementServiceConfig.Read.All | Read Microsoft Intune configuration. |
| email | View users' email address. Used for SSO. |
| GroupMember.Read.All | Read all group memberships. |
| IdentityRiskEvent.Read.All | Read all identity risk event information. |
| MailboxSettings.Read | Read all user mailbox settings. |
| offline_access | Maintain access to data you have given it access to. Used for SSO. |
| openid | Sign users in. Used for SSO. |
| Organization.Read.All | Read organization information. |
| OrganizationalBranding.Read.All | Read organizational branding information. |
| OrgSettings-AppsAndServices.Read.All | Read organization-wide app and service settings. Used to assess org-level app configurations. |
| Policy.Read.All | Read your organization's policies such as Conditional Access. |
| profile | View users' basic profile. Used for SSO. |
| Reports.Read.All | Read all usage reports. |
| SecurityAlert.Read.All | Read all security alerts. |
| SecurityEvents.Read.All | Read your organization's security events. |
| SharePointTenantSettings.Read.All | Read SharePoint and OneDrive tenant settings. |
| Sites.Read.All | Read all site collections. Used to pull in details about SharePoint sites. |
| Team.ReadBasic.All | Get a list of all teams. |
| TeamSettings.Read.All | Read all teams' settings. |
| User.Read | Sign in and read user profile. Used for SSO. |
| User.Read.All | Read all users' full profiles. |
| UserAuthenticationMethod.Read.All | Read all users' authentication methods. |
Office 365 Exchange Online
| Permission | Purpose |
|---|---|
| Exchange.ManageAsApp | Manage Exchange as Application. Used to retrieve Exchange policies. Read-only calls are made in the Analyze SKU. |
Windows Defender ATP
| Permission | Purpose |
|---|---|
| Alert.Read.All | Read all alerts. |
| Machine.Read.All | Read all machine profiles. |
| Score.Read.All | Read Threat and Vulnerability Management score. |
| SecurityRecommendation.Read.All | Read Threat and Vulnerability Management security recommendations. |
| Software.Read.All | Read Threat and Vulnerability Management software information. |
| Vulnerability.Read.All | Read Threat and Vulnerability Management vulnerability information. |
Write Permissions
The following permissions require write access. In each case, this is either the minimum permission level available from Microsoft to accomplish the task or is scoped specifically to CloudCapsule's own app registration. No write permission is used to make unsolicited changes to your tenant.
| Permission | Purpose |
|---|---|
| Application.ReadWrite.All | Read all Enterprise Applications in the account. Delete CloudCapsule from the platform to completely remove access to the tenant programmatically. |
| Policy.ReadWrite.AuthenticationMethod | This is currently the least possible permission available to retrieve authentication flow data. There is no read-only method available for this data. |
| ReportSettings.ReadWrite.All | Used to anonymize report data if it is not already enabled. |
| RoleManagement.ReadWrite.Directory | Required for Teams and Exchange because Microsoft does not provide Graph APIs to retrieve policy data without write permissions for the role assignment. Uses an app consent model to retrieve data through PowerShell. This permission can be removed from the Enterprise app after the initial consent. |
CloudCapsule-Manage — Additional Permissions
CloudCapsule-Manage includes all permissions from the base CloudCapsule app registration, plus the following additions and elevated permissions required to support remediation and policy management. These are only requested when the Manage app registration is deployed.
As with the base app, CloudCapsule-Manage never automatically pushes changes to a tenant. Every action must be explicitly initiated by a user within the app and is recorded in the activity log.
Microsoft Graph — Additions & Elevated Permissions
| Permission | Type | Purpose |
|---|---|---|
| Device.ReadWrite.All | New | Read and write devices. Used to take remediation actions on managed devices such as disabling stale devices. |
| DeviceManagementConfiguration.ReadWrite.All | Elevated | Read and write Microsoft Intune device configuration and policies. Required to apply and update device configuration policies as part of remediation. |
| DeviceManagementServiceConfig.ReadWrite.All | Elevated | Read and write Microsoft Intune service configuration. Required to manage Intune service-level settings during remediation. |
| Directory.ReadWrite.All | Elevated | Read and write directory data. Required to apply directory-level changes such as group and user modifications as part of remediation actions. |
| Domain.ReadWrite.All | New | Read and write domains. Used to support domain-level configuration changes during remediation. |
| Group.ReadWrite.All | New | Read and write all groups. Used to create, modify, or remove groups as part of policy or remediation workflows. |
| GroupMember.ReadWrite.All | Elevated | Read and write all group memberships. Used to manage group membership changes during remediation. |
| GroupSettings.ReadWrite.All | New | Read and write all group settings. Used to apply group-level configuration changes. |
| OrgSettings-AppsAndServices.ReadWrite.All | Elevated | Read and write organization-wide app and service settings. Used to apply changes to org-level app configurations during remediation. |
| Policy.ReadWrite.ApplicationConfiguration | New | Read and write your organization's application configuration policies. Used to manage app-level policy settings. |
| Policy.ReadWrite.Authorization | New | Read and write your organization's authorization policy. Used to manage authorization policy settings during remediation. |
| Policy.ReadWrite.ConditionalAccess | New | Read and write your organization's Conditional Access policies. Used to create or modify Conditional Access policies as part of policy management workflows. |
| Policy.ReadWrite.ConsentRequest | New | Read and write your organization's consent request policy. Used to manage consent request policy settings. |
| Policy.ReadWrite.DeviceConfiguration | New | Read and write your organization's device configuration policies. Used to apply device policy changes during remediation. |
| Policy.ReadWrite.PermissionGrant | New | Manage consent and permission grant policies. Used to control permission grant policies as part of remediation. |
| User.ReadWrite.All | Elevated | Read and write all users' full profiles. Used to apply user-level changes during remediation workflows. |
| User.EnableDisableAccount.All | New | Enable and disable user accounts. Used to take action on compromised or non-compliant user accounts as part of remediation. |
| User.RevokeSessions.All | New | Revoke all sign-in sessions for a user. Used to immediately terminate active sessions for compromised accounts. |
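A tenant admin can verify that what was actually consented matches the write permissions documented above for the base app and for CloudCapsule-Manage, and spot the RoleManagement grant that can be removed after initial consent. The following is an added example, not CloudCapsule's own code; it assumes the caller has already resolved the granted permissions to their names (Graph appRoleAssignments carry only appRoleId GUIDs), and the sample grant list is constructed.

```python
"""Check the grants consented to a CloudCapsule service principal against the
write permissions documented on this page (base app and Manage additions).
Added example, not CloudCapsule's own code. Assumed input: permission names the
caller has already resolved (Graph appRoleAssignments only carry appRoleId GUIDs,
which must be mapped through the resource service principal's appRoles first)."""
import re
from typing import Dict, List

SSO_SCOPES = {"email", "offline_access", "openid", "profile"}
# Write permissions documented for the base (Analyze) registration.
BASE_WRITE = {"Application.ReadWrite.All", "Policy.ReadWrite.AuthenticationMethod",
              "ReportSettings.ReadWrite.All", "RoleManagement.ReadWrite.Directory"}
# Listed under Read above, but the permission itself is write-capable.
BASE_WRITE_CAPABLE = BASE_WRITE | {"Exchange.ManageAsApp"}
# Additions and elevations documented for CloudCapsule-Manage.
MANAGE_WRITE = {
    "Device.ReadWrite.All", "DeviceManagementConfiguration.ReadWrite.All",
    "DeviceManagementServiceConfig.ReadWrite.All", "Directory.ReadWrite.All",
    "Domain.ReadWrite.All", "Group.ReadWrite.All", "GroupMember.ReadWrite.All",
    "GroupSettings.ReadWrite.All", "OrgSettings-AppsAndServices.ReadWrite.All",
    "Policy.ReadWrite.ApplicationConfiguration", "Policy.ReadWrite.Authorization",
    "Policy.ReadWrite.ConditionalAccess", "Policy.ReadWrite.ConsentRequest",
    "Policy.ReadWrite.DeviceConfiguration", "Policy.ReadWrite.PermissionGrant",
    "User.ReadWrite.All", "User.EnableDisableAccount.All", "User.RevokeSessions.All",
}
# The page says this can be removed from the Enterprise app after initial consent.
REMOVABLE_AFTER_CONSENT = {"RoleManagement.ReadWrite.Directory"}

def is_write(perm: str) -> bool:
    """True unless the scope is *.Read, *.ReadBasic[.All], *.Read.All or an SSO scope."""
    return perm not in SSO_SCOPES and not re.search(r"\.Read(Basic)?(\.All)?$", perm)

def audit(grants: List[str], registration: str, after_initial_consent: bool) -> Dict[str, List[str]]:
    """Diff consented grants against the documented set for 'analyze' or 'manage'."""
    expected = BASE_WRITE_CAPABLE | (MANAGE_WRITE if registration == "manage" else set())
    granted = set(grants)
    return {
        "unexpected_write": sorted(p for p in granted if is_write(p) and p not in expected),
        "missing_documented_write": sorted(expected - granted),
        "removable_now": sorted(granted & REMOVABLE_AFTER_CONSENT) if after_initial_consent else [],
    }

# Constructed sample for an Analyze registration; Mail.ReadWrite is not on this page.
SAMPLE_GRANTS = ["AuditLog.Read.All", "Policy.Read.All", "User.Read", "offline_access",
                 "Application.ReadWrite.All", "Policy.ReadWrite.AuthenticationMethod",
                 "ReportSettings.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
                 "Exchange.ManageAsApp", "Mail.ReadWrite"]

if __name__ == "__main__":
    for key, perms in audit(SAMPLE_GRANTS, "analyze", after_initial_consent=True).items():
        print(f"{key}: {perms}")
```

Any entry under `unexpected_write` deserves a look at who consented it and when, since nothing on this page accounts for it.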
When to Contact Support
For questions about app registrations, permissions, or data privacy that cannot be resolved through this article, reach out directly.
Email: support@cloudcapsule.io
In-app: Navigate to Support and open a new ticket.