
Permissions Explained

A complete breakdown of every Microsoft Graph permission IdentityOps requests, why it's needed, and what data it reads.

Applies to: All plans. Module: Security.
Read-only enforced by Microsoft Graph. No write scopes. No background agents.

How IdentityOps accesses your data

IdentityOps uses delegated Microsoft Graph permissions. This means every API call runs in the context of the signed-in user — not as a background service or daemon. IdentityOps can only read what your admin account is authorized to see, and only while an active session exists.

There are no application-level permissions, no client secrets stored in your tenant, and no background processes polling your data. Every scan is initiated by a user session or a scheduled job that uses a securely stored refresh token.

Core permissions

These permissions are required for all IdentityOps plans. They cover app governance, license analysis, and user context.

Permission | Type | Purpose | What it reads
Application.Read.All | Delegated | App governance | App registrations, service principals, credentials, owners
Directory.Read.All | Delegated | User & group data | Users, groups, org info for ownership and license context
AuditLog.Read.All | Delegated | Activity signals | Sign-in logs for inactivity detection (license waste)
User.Read | Delegated | Authentication | Signed-in user's profile

Device permissions (Pro plan)

These additional permissions are requested when you enable device governance on the Pro plan. They provide visibility into your Intune managed device fleet.

Permission | Type | Purpose | What it reads
DeviceManagementManagedDevices.Read.All | Delegated | Device inventory | Intune managed devices, hardware info, enrollment status
DeviceManagementConfiguration.Read.All | Delegated | Compliance policies | Device compliance state and configuration profiles
Policy.Read.All | Delegated | Conditional Access | CA policy evaluation, named locations, auth strength
DeviceManagementApps.Read.All | Delegated | App deployment | Deployed apps on devices, installation status

Why read-only matters

Permission-level enforcement

Every permission listed above ends in .Read or .Read.All. Microsoft enforces these scopes at the API level. Even if there were a bug in IdentityOps that attempted a write operation — creating an app, modifying a user, deleting a device — Microsoft would reject the request with a 403 Forbidden error. This is not a policy we set; it is a constraint enforced by the Microsoft identity platform itself.

This design means IdentityOps is structurally incapable of modifying your tenant, regardless of what happens in our code. Read-only is not just a promise — it is an architectural guarantee enforced by Microsoft.
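The two properties described above (delegated only, read-only only) are things a tenant admin can verify rather than take on trust. The following is an added example, not IdentityOps' own code: it audits the consent records Microsoft Graph exposes for an enterprise application (oauth2PermissionGrant for delegated scopes, appRoleAssignment for application permissions) against the permission tables on this page. The object ids and grant records are constructed placeholders in the shape Graph returns; in a real tenant you would fetch them from GET /oauth2PermissionGrants and GET /servicePrincipals/{id}/appRoleAssignments and pass them in unchanged.

```python
"""Audit an enterprise application's consented Microsoft Graph permissions.

Added example, not IdentityOps' own code. It checks the two properties the
page describes: every consented permission is delegated (an
oauth2PermissionGrant, never an appRoleAssignment) and every scope ends in
.Read or .Read.All. The records below are constructed to mirror the shape
Microsoft Graph returns; real tenant data is passed in unchanged.
"""

# Scopes the page documents, by plan.
CORE_SCOPES = {
    "Application.Read.All",
    "Directory.Read.All",
    "AuditLog.Read.All",
    "User.Read",
}
DEVICE_SCOPES = {
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementConfiguration.Read.All",
    "Policy.Read.All",
    "DeviceManagementApps.Read.All",
}
DOCUMENTED_SCOPES = CORE_SCOPES | DEVICE_SCOPES


def is_read_only(scope: str) -> bool:
    """The page's rule: a read-only Graph scope ends in .Read or .Read.All.

    Anything else (ReadWrite, Write, AccessAsUser, ...) is reported for
    review rather than assumed safe.
    """
    return scope.endswith(".Read") or scope.endswith(".Read.All")


def audit_grants(grants, app_role_assignments, client_object_id):
    """Return findings for the service principal with the given object id.

    grants: oauth2PermissionGrant records (delegated consent); `scope` is a
        space-separated list of consented scopes.
    app_role_assignments: appRoleAssignment records; one whose principalId is
        this service principal is an application permission, which the page
        says should never exist.
    """
    findings = {
        "scopes": [],
        "non_read_only": [],
        "undocumented": [],
        "application_permissions": [],
    }

    for assignment in app_role_assignments:
        if assignment.get("principalId") == client_object_id:
            findings["application_permissions"].append(assignment.get("appRoleId"))

    for grant in grants:
        if grant.get("clientId") != client_object_id:
            continue
        for scope in grant.get("scope", "").split():
            findings["scopes"].append(scope)
            if not is_read_only(scope):
                findings["non_read_only"].append(scope)
            if scope not in DOCUMENTED_SCOPES:
                findings["undocumented"].append(scope)

    findings["ok"] = not (
        findings["non_read_only"]
        or findings["undocumented"]
        or findings["application_permissions"]
    )
    return findings


# Constructed placeholder object ids (IdentityOps SP and the Graph resource SP).
SP_OBJECT_ID = "00000000-0000-0000-0000-0000000000aa"
GRAPH_SP_ID = "00000000-0000-0000-0000-0000000000bb"

# Constructed: what a correct core-plan consent looks like.
EXPECTED_GRANTS = [
    {
        "clientId": SP_OBJECT_ID,
        "consentType": "AllPrincipals",
        "principalId": None,
        "resourceId": GRAPH_SP_ID,
        "scope": "Application.Read.All Directory.Read.All AuditLog.Read.All User.Read",
    }
]
EXPECTED_ROLE_ASSIGNMENTS = []

# Constructed: a drifted consent that should fail the audit.
DRIFTED_GRANTS = [
    {
        "clientId": SP_OBJECT_ID,
        "consentType": "AllPrincipals",
        "principalId": None,
        "resourceId": GRAPH_SP_ID,
        "scope": "Directory.Read.All Directory.ReadWrite.All Mail.Read",
    }
]
DRIFTED_ROLE_ASSIGNMENTS = [
    {"principalId": SP_OBJECT_ID, "resourceId": GRAPH_SP_ID,
     "appRoleId": "constructed-app-role-id"}
]


if __name__ == "__main__":
    for label, grants, roles in (
        ("expected", EXPECTED_GRANTS, EXPECTED_ROLE_ASSIGNMENTS),
        ("drifted", DRIFTED_GRANTS, DRIFTED_ROLE_ASSIGNMENTS),
    ):
        result = audit_grants(grants, roles, SP_OBJECT_ID)
        print(label, "ok" if result["ok"] else "REVIEW", result)
```

The same classifier applies to the `scp` claim of an access token issued to the application, which lists the delegated scopes actually in force for that session. Scopes that are read-only but not in the tables (Mail.Read in the drifted sample) are reported as undocumented rather than silently accepted, since a consent that grows beyond what the vendor documents is itself worth a review.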

How to revoke access

You can revoke IdentityOps access at any time. No support ticket, no waiting period.

1. Open the Entra Admin Center. Navigate to entra.microsoft.com and sign in with your admin account.
2. Go to Enterprise Applications. In the left sidebar, expand Applications and select Enterprise Applications.
3. Find IdentityOps. Search for "IdentityOps" in the application list. Click on it to open its properties.
4. Delete the application. Click Delete (or Properties → Delete). This immediately revokes all permissions and stops all API access.

Where teams usually go next

Connect your Entra tenant
Run your first scan
See the full security model in the Trust Center