Overview
When you connect Incydr to Microsoft OneDrive, you grant certain permissions to Incydr in your Microsoft environment. This article lists the permissions Incydr requires as well as what those permissions allow Incydr to do in your Microsoft environment.
OneDrive permissions
Incydr collects file events from OneDrive. A file event is any activity observed for a file. For example, creating, modifying, sharing, renaming, moving, or deleting a file generates an event for that file. To see this file activity, Incydr requires access to your OneDrive environment. The OneDrive permissions we request are:
- Directory.Read.All: Required to identify in-scope users and group membership.
- Files.Read.All: Required to request additional file metadata, stream a file for hashing, and to determine a file’s category when analyzing file activity.
- Files.ReadWrite.All: Required to grant temporary access to view a file and to view and manage sharing permissions.
- ActivityFeed.Read: Required to read audit events from the Office 365 Management Activity API.
- Sites.ReadWrite.All: Required for preventative controls to disable sharing for a user.
The Incydr data connection uses the Files.ReadWrite.All permission to allow security analysts to:
- Temporarily view cloud storage files in an investigation
- View a cloud storage file's sharing permissions to assess risk when a file is shared either publicly or with untrusted users
External resources
Microsoft documentation: Microsoft Graph permissions reference
Comments
0 comments
Please sign in to leave a comment.