Understand Permission Requirements
- Updated on 13 Jun 2025
Red Canary requires certain permissions to integrate with Microsoft security tools. This article walks you through which permissions Red Canary holds, and why each one is needed, once you grant it access to your Microsoft tools.
Microsoft Defender for Endpoint
Red Canary requires permissions to access Defender for Endpoint data using the Defender for Endpoint API.
Defender for Endpoint API Permissions
Permission | Purpose | Justification |
---|---|---|
AdvancedQuery.Read.All | Allows an app to run advanced queries. | Red Canary uses this permission to run advanced hunting queries that proactively find threats, investigate activities, and understand complex attacks. |
Alert.Read.All | Allows an app to read any alert. | Red Canary uses this permission to ingest and analyze all security alerts from Defender for Endpoint to identify, validate, and prioritize threats for investigation. |
Alert.ReadWrite.All | Allows an app to create or update any alert. | Red Canary uses this permission to update Defender for Endpoint alert statuses and details during our investigation and response. |
Event.Write | Allows an app to create events in the machine timeline. | Red Canary uses this permission to add contextual events or annotations to machine timelines, such as our own actions or observations during an investigation. |
File.Read.All | Allows an app to read all file profiles. | Red Canary uses this permission to retrieve detailed file information from endpoints to investigate suspicious files and understand their potential impact. |
Ip.Read.All | Allows an app to read all IP address profiles. | Red Canary uses this permission to investigate suspicious network connections and correlate them with our threat intelligence. |
Machine.CollectForensics | Allows an app to collect forensics from a machine. | Red Canary uses this permission to collect in-depth forensic data from machines, to use during incident response or threat investigations. |
Machine.Isolate | Allows an app to isolate any device that runs the Defender for Endpoint sensor. | Red Canary uses this permission to contain active threats on a single machine. |
Machine.Offboard | Allows an app to offboard a machine from the service. | Red Canary uses this permission to manage endpoint lifecycles by offboarding machines, such as during device decommissioning or when a customer transitions to a different solution. |
Machine.Read.All | Allows an app to read all machine profiles, including the commands that were sent to each machine. | Red Canary uses this permission to retrieve machine information such as posture, health, and activity, to use as context for our investigations. |
Machine.ReadWrite.All | Allows an app to create machine records and to read or update any machine record. | Red Canary uses this permission to update machine records in Defender for Endpoint, like applying tags for grouping or classification, to be used as device context for our investigations. |
Machine.RestrictExecution | Allows an app to restrict code execution on a machine according to policy. | Red Canary uses this permission to restrict unapproved or malicious code execution on compromised machines, based on customer policies, as a critical response action to prevent harm. |
Machine.Scan | Allows an app to scan a machine. | Red Canary uses this permission to initiate antivirus scans on machines to detect and identify malware. |
Machine.StopAndQuarantine | Allows an app to stop a file running on a machine and to quarantine that file. | Red Canary uses this permission to stop malicious processes and quarantine associated files on endpoints to neutralize active threats. |
Score.Read.All | Allows an app to read any Threat and Vulnerability Management score. | Red Canary uses this permission to access Threat and Vulnerability Management scores for devices to evaluate their security status and contextualize our alerts and investigations. |
SecurityConfiguration.Read.All | Allows an app to read all security configurations. | Red Canary uses this permission to retrieve endpoint security configuration details to understand their baseline posture, identify misconfigurations, and provide context for our investigations. |
SecurityRecommendation.Read.All | Allows an app to read any Threat and Vulnerability Management security recommendation. | Red Canary uses this permission to access Threat and Vulnerability Management security recommendations to understand weaknesses and provide customers with actionable advice. |
Software.Read.All | Allows an app to read any Threat and Vulnerability Management software information. | Red Canary uses this permission to retrieve endpoint software information (versions, vulnerabilities, etc.) to assess risks, provide context for our alerts, and support vulnerability management discussions. |
Ti.Read.All | Allows an app to read all IOCs. | Red Canary uses this permission to read all existing IOCs in the customer's Defender instance to understand the threat landscape and ensure our actions complement existing configurations. |
Ti.ReadWrite | Allows an app to create IOCs and to read or update IOCs it created. | Red Canary uses this permission to create and manage our own set of IOCs in Defender for Endpoint based on our threat intelligence and investigation findings, for threat blocking and detection. |
Ti.ReadWrite.All | Allows an app to manage all IOCs of the tenant. | Red Canary uses this permission to manage the full lifecycle of all IOCs in the customer's Defender tenant, allowing us to add our threat intelligence and help maintain IOC list hygiene. |
Url.Read.All | Allows an app to read all URL profiles. | Red Canary uses this permission to retrieve URL access information from endpoints to investigate suspicious web activity. |
User.Read.All | Allows an app to read all user profiles. | Red Canary uses this permission to access user data, which helps us determine which internal organization or department, and which of its data, may be impacted by an incident. |
Vulnerability.Read.All | Allows an app to read any Threat and Vulnerability Management vulnerability information. | Red Canary uses this permission to access detailed endpoint vulnerability information from Threat and Vulnerability Management, to assess their potential impact and provide targeted recommendations or context for our security alerts. |
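A practical use of the table above is a least-privilege check: confirm that the permissions actually consented to the Red Canary app registration match the documented set, and flag anything extra or missing. The script below is an added example, not Red Canary's code. Its input shapes mirror what Microsoft Graph returns for an appRoleAssignment (an appRoleId GUID) and for the resource service principal's appRoles list (id and value), but every GUID, the "Placeholder.Extra.All" permission and the assignments are constructed sample data; `audit_permissions` works against any of the permission tables on this page if you pass a different required set.

```python
"""Audit the application permissions consented to an Entra app registration
against the set this page documents for the Defender for Endpoint API.
Added example, not Red Canary's code. GUIDs and assignments are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Application permissions listed on this page for the Defender for Endpoint API.
REQUIRED_DEFENDER_API_PERMISSIONS: frozenset[str] = frozenset({
    "AdvancedQuery.Read.All", "Alert.Read.All", "Alert.ReadWrite.All",
    "Event.Write", "File.Read.All", "Ip.Read.All", "Machine.CollectForensics",
    "Machine.Isolate", "Machine.Offboard", "Machine.Read.All",
    "Machine.ReadWrite.All", "Machine.RestrictExecution", "Machine.Scan",
    "Machine.StopAndQuarantine", "Score.Read.All",
    "SecurityConfiguration.Read.All", "SecurityRecommendation.Read.All",
    "Software.Read.All", "Ti.Read.All", "Ti.ReadWrite", "Ti.ReadWrite.All",
    "Url.Read.All", "User.Read.All", "Vulnerability.Read.All",
})

# Heuristic: a permission whose name ends in one of these only reads data;
# anything else (ReadWrite, Write, Isolate, Scan, ...) can change state.
READ_ONLY_SUFFIXES = (".Read", ".Read.All", ".ReadDlp")


@dataclass(frozen=True)
class PermissionAudit:
    granted: frozenset[str]     # consented permissions, resolved to names
    missing: frozenset[str]     # documented but not consented: integration will fail
    unexpected: frozenset[str]  # consented but not documented: review for least privilege
    unresolved: frozenset[str]  # appRoleIds with no matching appRole on the resource

    @property
    def ok(self) -> bool:
        return not (self.missing or self.unexpected or self.unresolved)

    def action_permissions(self) -> frozenset[str]:
        """Granted permissions that can take actions rather than only read."""
        return frozenset(p for p in self.granted if is_action_permission(p))


def is_action_permission(value: str) -> bool:
    return not value.endswith(READ_ONLY_SUFFIXES)


def resolve_app_roles(resource_app_roles, assignments):
    """Map each assignment's appRoleId to the permission name (appRole.value)
    published by the resource service principal."""
    value_by_id = {role["id"]: role["value"] for role in resource_app_roles}
    granted, unresolved = set(), set()
    for assignment in assignments:
        value = value_by_id.get(assignment["appRoleId"])
        if value is None:
            unresolved.add(assignment["appRoleId"])
        else:
            granted.add(value)
    return frozenset(granted), frozenset(unresolved)


def audit_permissions(required, resource_app_roles, assignments) -> PermissionAudit:
    granted, unresolved = resolve_app_roles(resource_app_roles, assignments)
    return PermissionAudit(
        granted=granted,
        missing=frozenset(required - granted),
        unexpected=frozenset(granted - required),
        unresolved=unresolved,
    )


# Constructed sample: the resource publishes four app roles (GUIDs are fake),
# one of which, "Placeholder.Extra.All", is not documented on this page.
SAMPLE_RESOURCE_APP_ROLES = [
    {"id": "00000000-0000-0000-0000-000000000001", "value": "Alert.Read.All"},
    {"id": "00000000-0000-0000-0000-000000000002", "value": "Machine.Isolate"},
    {"id": "00000000-0000-0000-0000-000000000003", "value": "AdvancedQuery.Read.All"},
    {"id": "00000000-0000-0000-0000-000000000004", "value": "Placeholder.Extra.All"},
]
# Constructed sample: three consented roles plus one id the resource never published.
SAMPLE_ASSIGNMENTS = [
    {"appRoleId": "00000000-0000-0000-0000-000000000001"},
    {"appRoleId": "00000000-0000-0000-0000-000000000002"},
    {"appRoleId": "00000000-0000-0000-0000-000000000004"},
    {"appRoleId": "ffffffff-ffff-ffff-ffff-ffffffffffff"},
]


def run_sample_audit() -> PermissionAudit:
    return audit_permissions(REQUIRED_DEFENDER_API_PERMISSIONS,
                             SAMPLE_RESOURCE_APP_ROLES, SAMPLE_ASSIGNMENTS)


if __name__ == "__main__":
    audit = run_sample_audit()
    print("missing   :", sorted(audit.missing))
    print("unexpected:", sorted(audit.unexpected))
    print("unresolved:", sorted(audit.unresolved))
    print("can act   :", sorted(audit.action_permissions()))
```

In a real tenant you would feed `resolve_app_roles` the `appRoles` of the resource service principal (for this table, the Defender for Endpoint service principal) and the `appRoleAssignments` of the Red Canary service principal; the `unexpected` set is the one to review before consenting, and `action_permissions()` separates the scopes that can isolate, quarantine, or offboard a device from the read-only ones.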
Microsoft Defender Portal
The required permissions for Defender Portal differ based on which Red Canary service you use: Managed Detection and Response (MDR), or Managed Detection and Response + Active Remediation.
Defender for Endpoint Permissions
Red Canary Product | Permission | Description | Justification |
---|---|---|---|
Managed Detection and Response | Defender for Endpoint: View Data (Security Operations) | Allows access to view: | Red Canary uses this permission to view alert data and perform advanced hunting queries in Defender for Endpoint. |
Managed Detection and Response | Defender for Endpoint: View Data (Threat and Vulnerability Management) | Allows access to view Defender for Endpoint Vulnerability Management data in the Microsoft Defender portal. | Red Canary uses this permission to view Threat and Vulnerability Management status in Defender for Endpoint, to better assess the risk of threats. |
Managed Detection and Response + Active Remediation | Defender for Endpoint: View Data (Security Operations) | Allows access to view: | Red Canary uses this permission to view alert data or perform advanced hunting queries in Defender for Endpoint. |
Managed Detection and Response + Active Remediation | Defender for Endpoint: View Data (Threat and Vulnerability Management) | Allows access to view Defender for Endpoint Vulnerability Management data in the Microsoft Defender portal. | Red Canary uses this permission to view the Threat and Vulnerability Management status, to better assess the risk of threats. |
Managed Detection and Response + Active Remediation | Defender for Endpoint: Active Remediation Actions (Security Operations) | Allows access to: | Red Canary uses this permission to actively neutralize threats and protect customer environments by taking direct remediation actions on endpoints, managing automated responses, and controlling security indicators. |
Managed Detection and Response + Active Remediation | Defender for Endpoint: Alerts Investigations | Allows access to: | Red Canary uses this permission to analyze alerts within Defender for Endpoint. |
Managed Detection and Response + Active Remediation | Defender for Endpoint: Live Response (Advanced) | Allows access to: | Red Canary uses this permission to use the Live Response functionality in Defender for Endpoint to perform remediation actions. |
Entra ID
The Entra ID Security Role enables Red Canary to read alert data for all of the Microsoft Defender XDR products (except Defender for Endpoint data) in the Defender portal. The permission depends on which Red Canary service you use: Managed Detection and Response (MDR), or Managed Detection and Response + Active Remediation.
Entra ID Security Role Permissions
Red Canary Product | Permission | Description | Justification |
---|---|---|---|
Managed Detection and Response | Security Reader | Allows access to read security information in Entra ID and Microsoft Defender XDR. To learn more, see Security Reader. | Red Canary uses this permission to view Microsoft Defender data from products other than Defender for Endpoint (such as MDI and MDO) in the Defender portal. |
Managed Detection and Response + Active Remediation | Security Administrator | Allows access to read security information and manage security configuration in Entra ID and Microsoft Defender XDR. To learn more, see Security Admin. | Red Canary uses this permission to take remediation actions in Defender for Identity and Defender for Office 365. |
Microsoft Office 365
Red Canary ingests Exchange Online events from Office 365, which are stored in the Unified Audit Log within Microsoft Purview. Red Canary uses the Office 365 Management Activity API to programmatically read Exchange Online events from the Unified Audit Log.
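To make the data flow concrete, here is an added example (not Red Canary's code) of what a consumer of the Management Activity API does with the ActivityFeed.Read permission: list the available content blobs for the Audit.Exchange subscription, fetch each blob's audit records, and run a simple detection over them, in this case flagging Exchange admin operations that redirect a mailbox's mail. The HTTP layer is an injected callable so the script runs offline against constructed responses. The endpoint paths and record fields (Workload, Operation, UserId, ClientIP, CreationTime, Parameters as Name/Value pairs) follow the public Management Activity API schema as I understand it; the tenant id, content id, users, addresses and timestamps are made up.

```python
"""Read Exchange Online audit records via the Office 365 Management Activity API
content feed and flag mailbox-forwarding changes. Added example, not Red Canary's
code; the tenant id, content URI and records below are constructed sample data.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Callable, Iterable, Iterator

API_ROOT = "https://manage.office.com/api/v1.0"

# Exchange admin cmdlets and the parameters that redirect mail out of a mailbox.
FORWARDING_PARAMETERS = {
    "Set-Mailbox": {"ForwardingSmtpAddress", "ForwardingAddress"},
    "New-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "Set-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
}


@dataclass(frozen=True)
class ForwardingFinding:
    created: str
    user: str
    operation: str
    parameters: dict  # only the forwarding-related parameters that were set
    client_ip: str


def list_content(fetch: Callable[[str], str], tenant_id: str,
                 content_type: str = "Audit.Exchange") -> list[dict]:
    """List the content blobs currently available for one subscription."""
    url = (f"{API_ROOT}/{tenant_id}/activity/feed/subscriptions/content"
           f"?contentType={content_type}")
    return json.loads(fetch(url))


def iter_records(fetch: Callable[[str], str], tenant_id: str) -> Iterator[dict]:
    """Yield every audit record from every available content blob."""
    for blob in list_content(fetch, tenant_id):
        yield from json.loads(fetch(blob["contentUri"]))


def find_forwarding_changes(records: Iterable[dict]) -> list[ForwardingFinding]:
    """Return one finding per Exchange record that set a forwarding parameter."""
    findings = []
    for rec in records:
        if rec.get("Workload") != "Exchange":
            continue
        watched = FORWARDING_PARAMETERS.get(rec.get("Operation", ""))
        if not watched:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        hit = {n: v for n, v in params.items() if n in watched and v}
        if hit:
            findings.append(ForwardingFinding(
                created=rec.get("CreationTime", ""), user=rec.get("UserId", ""),
                operation=rec["Operation"], parameters=hit,
                client_ip=rec.get("ClientIP", "")))
    return findings


# Constructed sample responses keyed by URL: one content listing, one blob.
SAMPLE_TENANT_ID = "00000000-0000-0000-0000-00000000c0de"
_CONTENT_URI = f"{API_ROOT}/{SAMPLE_TENANT_ID}/activity/feed/audit/sample-blob-1"
SAMPLE_RESPONSES = {
    f"{API_ROOT}/{SAMPLE_TENANT_ID}/activity/feed/subscriptions/content"
    "?contentType=Audit.Exchange": json.dumps([
        {"contentType": "Audit.Exchange", "contentId": "sample-blob-1",
         "contentUri": _CONTENT_URI}]),
    _CONTENT_URI: json.dumps([
        {"CreationTime": "2025-01-01T08:01:00", "Workload": "Exchange",
         "Operation": "New-InboxRule", "UserId": "alice@example.test",
         "ClientIP": "203.0.113.10",
         "Parameters": [{"Name": "Name", "Value": "Invoices"},
                        {"Name": "ForwardTo", "Value": "collector@example.invalid"}]},
        {"CreationTime": "2025-01-01T08:02:00", "Workload": "Exchange",
         "Operation": "Set-Mailbox", "UserId": "admin@example.test",
         "ClientIP": "198.51.100.7",
         "Parameters": [{"Name": "Identity", "Value": "bob"},
                        {"Name": "RetentionPolicy", "Value": "Default"}]},
        {"CreationTime": "2025-01-01T08:03:00", "Workload": "Exchange",
         "Operation": "Set-Mailbox", "UserId": "admin@example.test",
         "ClientIP": "198.51.100.7",
         "Parameters": [{"Name": "Identity", "Value": "bob"},
                        {"Name": "ForwardingSmtpAddress",
                         "Value": "smtp:bob@example.invalid"}]},
    ]),
}


def sample_fetch(url: str) -> str:
    """Stand-in for an authenticated HTTP GET; answers only the constructed URLs."""
    return SAMPLE_RESPONSES[url]


def run_sample() -> list[ForwardingFinding]:
    return find_forwarding_changes(iter_records(sample_fetch, SAMPLE_TENANT_ID))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Against a live tenant, `fetch` would be a GET carrying a bearer token for the app registration that holds ActivityFeed.Read, and the subscription must have been started first; the parsing and detection logic stays the same. The second `Set-Mailbox` record is the kind of change worth a look in context, since the forwarding address and the administrator's client IP are both in the record.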
Office 365 Management Activity API Permissions
Permission | Description | Justification |
---|---|---|
ActivityFeed.Read | Allows an app to read activity data for your organization. | Red Canary uses this permission to detect suspicious activity and get context on an incident. |
ActivityFeed.ReadDlp | Allows an app to read Data Loss Prevention (DLP) policy events for your organization, including detected sensitive data. | Red Canary uses this permission to monitor for DLP policy violations, investigate incidents, and proactively find anomalies. |
User.Read.All | Allows access to the number of users. | Red Canary uses this permission to read the number of users for licensing purposes. |
Microsoft Graph API
Red Canary utilizes the Microsoft Graph API to add comments to alerts from various Microsoft security services.
Microsoft Graph API Permissions
Permission | Description | Justification |
---|---|---|
SecurityAlert.ReadWrite.All | Allows an app to read security events and update editable properties in those events across your organization without a signed-in user. | Red Canary uses this permission to query and update security alert data in your organization, such as leaving comments and syncing alert state. |
SecurityIncident.ReadWrite.All | Allows an app to list and retrieve incidents, and update incident details as needed. | Red Canary uses this permission to query and update security incident data in your organization. |
ThreatHunting.Read.All | Allows an app to retrieve additional context from Threat Hunting queries. | Red Canary uses this permission to perform Advanced Hunting queries for additional context during investigations of alerts. |
User.Read.All | Allows an app read-only access to user data across the entire tenant. | This permission is implicit and included due to the other required permissions. It allows an app to be granted access via Admin Consent by a Global Administrator. |
Azure Active Directory Graph API Permissions
The Azure AD Graph API is a legacy API and will retire soon. Microsoft recommends migrating your apps to Graph API.
Permission | Purpose | Justification |
---|---|---|
Application.ReadWrite.OwnedBy | Allows an app to create other applications, and fully manage those applications (read, update, update application secrets, and delete), without a signed-in user. It cannot update any apps that it is not an owner of. | Red Canary uses this permission to manage the lifecycle of an app it creates in your Azure AD tenant. Should you ever move on from Red Canary, this permission allows us to delete an app. |