Application Registration Reference: Enforce365 default READ permissions

Important:

Role: Global Reader

The Application Registration can only be used by Enforce365 using an individual tenant certificate protected by a random 32-bit highly complex password. Both certificate and password are encrypted in the Enforce365 database for the specific tenant. No users have access to this app reg directly.

Application.ReadWrite.All: This permission is used by the Application Registration to grant rights to itself. The Application Registration cannot use these permissions until they have been consented to by a Global Admin.

RoleManagement.ReadWrite.Directory: This permission is used to add roles to the Application Registration itself. Without this permission – which is NOT used without customer consent – we cannot provide additional services without a full Offboard and re-Onboard of the Application Registration (see next chapter).

Sites.FullControl.All: Required for reporting on SharePoint tenant configuration – there are no permissions available from Microsoft at present with reduced access. The permission is NOT used to access any site content.

Exchange.ManageAsApp: Required to report on Exchange and Purview – there are no permissions available from Microsoft to enable reporting on Exchange using an Application Registration. The permission is NOT used to access any mailbox content.
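A tenant administrator can check the consented permissions against the list above. The following is an added example, not Enforce365 code: it resolves appRoleAssignments to permission names and compares them with the four documented permissions. The sample data, its ids and the audit() helper are constructed for illustration; the input is assumed to be shaped like a Microsoft Graph export.

```python
import json

# Permissions documented on this page for the Application Registration.
BASELINE = {"Application.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
            "Sites.FullControl.All", "Exchange.ManageAsApp"}
# The two permissions the page says let the app grant itself rights or roles.
SELF_ELEVATING = {"Application.ReadWrite.All", "RoleManagement.ReadWrite.Directory"}

# Constructed sample: appRoles published by each resource service principal and
# the appRoleAssignments held by the app. All ids are made-up placeholders.
SAMPLE = json.loads("""
{"resources": [
   {"id": "res-graph", "appRoles": [
      {"id": "role-0001", "value": "Application.ReadWrite.All"},
      {"id": "role-0002", "value": "RoleManagement.ReadWrite.Directory"},
      {"id": "role-0003", "value": "Sites.FullControl.All"},
      {"id": "role-0004", "value": "Mail.ReadWrite"}]},
   {"id": "res-exo", "appRoles": [
      {"id": "role-0101", "value": "Exchange.ManageAsApp"}]}],
 "appRoleAssignments": [
   {"resourceId": "res-graph", "appRoleId": "role-0001"},
   {"resourceId": "res-graph", "appRoleId": "role-0003"},
   {"resourceId": "res-graph", "appRoleId": "role-0004"},
   {"resourceId": "res-exo", "appRoleId": "role-0101"},
   {"resourceId": "res-exo", "appRoleId": "role-9999"}]}
""")

def audit(data, baseline=BASELINE):
    """Compare consented application permissions with the documented baseline."""
    # Role ids are only meaningful per resource, so key on (resource, role).
    names = {(r["id"], role["id"]): role["value"]
             for r in data["resources"] for role in r["appRoles"]}
    granted, unresolved = set(), []
    for a in data["appRoleAssignments"]:
        key = (a["resourceId"], a["appRoleId"])
        if key in names:
            granted.add(names[key])
        else:
            unresolved.append(key)  # unknown role id: review manually
    return {
        "unexpected": sorted(granted - baseline),      # consented, not documented
        "not_consented": sorted(baseline - granted),   # documented, not consented
        "self_elevating_granted": sorted(granted & SELF_ELEVATING),
        "unresolved": unresolved,
    }

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

Anything reported under "unexpected" or "unresolved" falls outside what this page documents and should be reviewed before it is left in place.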