Incident response automation (SOAR) relies on a delicate balance: giving third-party software the ability to act on your cloud infrastructure to block cyberattacks, while scrupulously respecting the principles of a Zero Trust security architecture. In Microsoft's cloud ecosystem, this access governance revolves around a central pillar: the Microsoft Graph API.
To securely connect a SOC orchestrator, granting it permanent Global Administrator privileges is out of the question. You must apply the principle of least privilege and select granular permissions. Here is the complete guide to the permissions needed to automate your security remediation with complete peace of mind.
The importance of granularity against supply chain attacks
Historically, to interconnect a security tool with the Azure or Microsoft 365 cloud, administrators created a service account holding the Global Administrator role. This practice is a major vulnerability: if the third-party security platform is compromised, the attacker inherits full powers over your Microsoft tenant.
Modern integrations (such as Akuity SOC) use applications registered in Microsoft Entra ID with specific API permissions (application permissions). Access rights are defined surgically: the tool can only execute the API calls it has explicitly been authorized for, which limits the blast radius if the tool itself is compromised in a supply chain attack.
The 4 pillars of Microsoft Graph permissions for SOC
To cover the entire life cycle of cyber remediation (managing identities, isolating the endpoint, sanitizing messaging), a SOAR orchestrator relies on four major categories of permissions:
1. Security posture management (Audit and Posture)
Before acting, the SOC must collect security metrics to feed its decision-making dashboards.
- Permission: SecurityEvents.Read.All
- What for? It lets the orchestrator read alert and incident metadata from Microsoft 365 Defender. Note that this permission covers the legacy /security/alerts endpoint; the unified /security/alerts_v2 endpoint requires SecurityAlert.Read.All instead. It is also this permission that allows the tenant's Microsoft Secure Score (/security/secureScores) to be retrieved automatically to drive the colour indicators (green, orange, red) in tenant management.
2. Control and containment of identities (Entra ID)
Faced with session token theft or a brute-force attack, the SOAR must be able to lock the compromised user account.
- Permissions: User.ReadWrite.All or Directory.ReadWrite.All (prefer the former; Directory.ReadWrite.All is far broader than this use case needs)
- What for? These rights allow the critical revokeSignInSessions call, which forces the immediate sign-out of the user on all their devices (for that single action the even narrower User.RevokeSessions.All also suffices). They also cover the password reset: the orchestrator writes a new passwordProfile with a strong temporary password, displays it securely in a persistent modal and forces a change at the next sign-in; note that updating passwordProfile additionally requires the dedicated User-PasswordProfile.ReadWrite.All application permission. Finally, declaring the user compromised (confirmCompromised) in Entra ID Protection so that Conditional Access reacts is a separate riskyUsers action that requires IdentityRiskyUser.ReadWrite.All.
3. Remediation on endpoints (Microsoft Intune)
In the event of a malware or ransomware infection, the SOAR must act at the level of the machine's file system and network.
- Permission: DeviceManagementManagedDevices.ReadWrite.All
- What for? This authorization lets the platform list the devices (Windows, macOS, servers) managed by Intune and onboarded to Defender for Endpoint, to identify non-compliant or threatened machines, and to trigger a Quick Scan with Microsoft Defender Antivirus remotely (the windowsDefenderScan action, which requires DeviceManagementManagedDevices.PrivilegedOperations.All). Emergency network containment of a device (isolateDevice) is not an Intune or Graph call: it is the Defender for Endpoint API action /api/machines/{id}/isolate, which needs a token for that API carrying the Machine.Isolate application permission.
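The identity-containment and endpoint sections above both come down to the same mechanism: Entra ID lists an app's granted application permissions in the `roles` claim of its app-only access token, and the target API in the `aud` claim. The following Python is an added example, not Akuity SOC code, of a preflight an orchestrator can run before each remediation call: it checks that the token it holds is for the right API and carries a permission the action actually requires, flags tenant-wide grants that are broader than any of these actions needs, and builds the HTTP request for each action. The permission table follows the Microsoft API reference for each action (including the fact that device isolation lives in the Defender for Endpoint API with its own token, not in Graph); the tokens, identifiers and the `demo_token` helper are constructed for the offline demo and nothing is sent over the network.

```python
"""Least-privilege preflight for SOAR remediation calls (added example, not Akuity SOC code).

An app-only token from Entra ID carries the granted application permissions in
`roles` and the target API in `aud`. Graph and the Defender for Endpoint API are
separate resources with separate tokens: a Graph token never authorizes isolation.
"""
import base64
import json
import secrets
import string

GRAPH = "https://graph.microsoft.com"
MDE = "https://api.securitycenter.microsoft.com"

# action -> (token audience, permissions any one of which is sufficient).
# Production code should also accept the audience in its application-ID form.
REQUIRED = {
    "revoke_sessions":     (GRAPH, {"User.RevokeSessions.All", "User.ReadWrite.All", "Directory.ReadWrite.All"}),
    "reset_password":      (GRAPH, {"User-PasswordProfile.ReadWrite.All"}),
    "confirm_compromised": (GRAPH, {"IdentityRiskyUser.ReadWrite.All"}),
    "quick_scan":          (GRAPH, {"DeviceManagementManagedDevices.PrivilegedOperations.All"}),
    "isolate":             (MDE,   {"Machine.Isolate"}),
}
# Tenant-wide grants a remediation app should not be holding at all.
TOO_BROAD = {"Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "Application.ReadWrite.All"}


def claims(token: str) -> dict:
    """Decode the payload of a JWT the app itself obtained from Entra ID. No signature
    check: this inspects our own token; it must not be used to trust a token from elsewhere."""
    part = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))


def preflight(token: str, action: str) -> set:
    """Raise PermissionError unless the token's audience and roles cover `action`;
    return the roles in the token that are broader than any remediation needs."""
    audience, needed = REQUIRED[action]
    c = claims(token)
    roles = set(c.get("roles", []))
    if c.get("aud") != audience:
        raise PermissionError(f"{action}: token is for {c.get('aud')!r}, need {audience}")
    if not roles & needed:
        raise PermissionError(f"{action}: needs one of {sorted(needed)}, token has {sorted(roles)}")
    return roles & TOO_BROAD


def temporary_password(length: int = 20) -> str:
    """Random password that satisfies Entra's three-of-four character-class rule."""
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, "!@#$%^&*-_=+"]
    chars = [secrets.choice(cls) for cls in classes]            # one of each class
    chars += [secrets.choice("".join(classes)) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def build_request(token: str, action: str, target_id: str, password: str = None):
    """Return (method, url, json_body) for the action once the preflight has passed."""
    preflight(token, action)
    if action == "revoke_sessions":
        return "POST", f"{GRAPH}/v1.0/users/{target_id}/revokeSignInSessions", None
    if action == "reset_password":
        if password is None:
            raise ValueError("reset_password needs a generated temporary password")
        body = {"passwordProfile": {"password": password, "forceChangePasswordNextSignIn": True}}
        return "PATCH", f"{GRAPH}/v1.0/users/{target_id}", body
    if action == "confirm_compromised":
        return "POST", f"{GRAPH}/v1.0/identityProtection/riskyUsers/confirmCompromised", {"userIds": [target_id]}
    if action == "quick_scan":
        return "POST", f"{GRAPH}/v1.0/deviceManagement/managedDevices/{target_id}/windowsDefenderScan", {"quickScan": True}
    if action == "isolate":
        return "POST", f"{MDE}/api/machines/{target_id}/isolate", {"Comment": "SOAR containment", "IsolationType": "Full"}
    raise ValueError(action)


def demo_token(audience: str, roles: list) -> str:
    """Constructed, unsigned token for the demo (the third segment is a placeholder)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'aud': audience, 'roles': roles})}.sig"


if __name__ == "__main__":
    graph = demo_token(GRAPH, ["User.RevokeSessions.All", "User-PasswordProfile.ReadWrite.All"])
    print(build_request(graph, "revoke_sessions", "user-guid"))
    print(build_request(graph, "reset_password", "user-guid", temporary_password()))
    try:
        build_request(graph, "isolate", "machine-id")   # a Graph token cannot isolate
    except PermissionError as e:
        print("refused:", e)
```

A refusal from `preflight` is a configuration finding to surface to the tenant owner (the app registration lacks a consented permission, or a token for the wrong API was used), not something to fix by requesting a broader grant such as Directory.ReadWrite.All. Decoding the payload without verifying the signature is only acceptable because the app is inspecting a token it obtained itself; any token received from another party must be verified against the issuer's signing keys.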
4. Messaging sanitation and network blocking
To stop the spread of email attacks and block external attack infrastructure (Command & Control).
- Permission: SecurityActions.ReadWrite.All
- What for? Used for the global mail purge (soft-delete) via the /beta/security/remediations endpoint, targeting messages by their networkMessageId. Blocking external infrastructure goes through the native Defender for Endpoint API (/api/indicators), which injects blocking IOCs (IPs, domains or SHA256 hashes) with a strict validity of 90 days to protect the whole fleet automatically; that API is authorized by the Defender for Endpoint application permission Ti.ReadWrite rather than by a Graph permission.
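For the IOC injection step, the Defender for Endpoint indicators API applies whatever value it is given to the whole fleet, so the orchestrator should validate analyst input before posting and compute the 90-day expiry itself. The Python below is an added example, not Akuity SOC code: it classifies each candidate into the indicator types the section names (IP address, domain, SHA256 hash), rejects anything else (a CIDR range, a URL pasted into a domain field, a truncated hash) with a reason the playbook can show, and returns the request bodies for POST /api/indicators. The field names follow the Defender for Endpoint indicators API reference; the sample IOCs, the fixed clock `DEMO_NOW` and the incident identifier are constructed for the demo, and the API call itself (authorized by the Ti.ReadWrite application permission) is not made.

```python
"""Validate IOCs and build Defender for Endpoint indicator submissions (added example, not Akuity SOC code)."""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

INDICATORS_URL = "https://api.securitycenter.microsoft.com/api/indicators"
DEFAULT_TTL_DAYS = 90          # the page's policy: every injected IOC expires after 90 days
DEMO_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed fixed clock for the demo

_SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")
# FQDN: labels of alphanumerics/hyphens without leading or trailing hyphen, at least one dot.
_DOMAIN = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")


def classify(value: str) -> str:
    """Return the Defender indicatorType for a raw IOC string, or raise ValueError.
    Only the three types the page injects are accepted; IPs are IPv4 only in this example."""
    v = value.strip()
    if _SHA256.fullmatch(v):
        return "FileSha256"
    try:
        ipaddress.IPv4Address(v)         # rejects CIDR ranges such as 10.0.0.0/8
        return "IpAddress"
    except ValueError:
        pass
    if _DOMAIN.fullmatch(v.lower()):
        return "DomainName"
    raise ValueError(f"unsupported or malformed indicator: {value!r}")


def expiration(now=None, ttl_days: int = DEFAULT_TTL_DAYS) -> str:
    """UTC expiry in the ISO-8601 form the indicators API expects."""
    now = now or datetime.now(timezone.utc)
    return (now + timedelta(days=ttl_days)).strftime("%Y-%m-%dT%H:%M:%SZ")


def indicator_payload(value: str, title: str, incident_id: str, now=None) -> dict:
    """Body for POST /api/indicators: Block action, 90-day expiry, title traceable to the incident."""
    itype = classify(value)
    return {
        "indicatorValue": value.strip().lower(),
        "indicatorType": itype,
        "action": "Block",
        "title": f"{title} [{incident_id}]",
        "description": f"Blocked by SOAR playbook for incident {incident_id}",
        "severity": "High",
        "expirationTime": expiration(now),
        "generateAlert": True,
    }


def build_block_requests(values, title: str, incident_id: str, now=None):
    """Return (accepted_requests, rejected) so the playbook surfaces bad input
    instead of silently dropping it or pushing it to the fleet."""
    accepted, rejected = [], {}
    for v in values:
        try:
            accepted.append(("POST", INDICATORS_URL, indicator_payload(v, title, incident_id, now)))
        except ValueError as exc:
            rejected[v] = str(exc)
    return accepted, rejected


# Constructed sample IOCs, as an analyst might paste them into a playbook form.
SAMPLE_IOCS = [
    "198.51.100.23",                 # documentation address range (TEST-NET-2)
    "c2.example.net",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",  # SHA-256 of empty input
    "10.0.0.0/8",                    # CIDR range: not a single address, rejected
    "http://c2.example.net/gate",    # URL pasted into the domain field, rejected
]

if __name__ == "__main__":
    ok, bad = build_block_requests(SAMPLE_IOCS, "Phishing C2", "INC-1042", now=DEMO_NOW)
    for _, _, body in ok:
        print(body["indicatorType"], body["indicatorValue"], "expires", body["expirationTime"])
    for v, why in bad.items():
        print("REJECTED", v, "->", why)
```

Rejected values are returned alongside the accepted requests rather than raised, so a playbook run that contains one bad line still blocks the valid indicators and reports the rest to the analyst. Keeping the incident identifier in the title is what makes the 90-day expiry safe to rely on: when an indicator lapses, the SOC can trace it back and decide whether to renew it.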
Reinforced isolation at the data layer (PostgreSQL RLS)
Granting these permissions to a multi-tenant tool requires a guarantee that no customer can execute a command against another customer's tenant.
In Akuity SOC, this tightness is enforced directly by the PostgreSQL database engine via Row-Level Security (RLS) policies. Every API call is checked against the caller's workspace (lookups backed by the idxtenantsworkspace and idxprofilsworkspace indexes), so an analyst can only exercise Microsoft Graph permissions within the exact perimeter of their own workspace, and only after validating their identity with their MFA code (AAL2 session).
Conclusion: Automation with Confidence
Scrupulously respecting the principle of least privilege in your Microsoft Graph permissions lets you deploy a powerful SOAR strategy without opening architectural flaws in your cloud. This is the key to mature cyber governance that meets the requirements of the strictest standards.
Secure your cyber automations with a Zero Trust architecture. Find out how our Agentless Microsoft Security SOAR Orchestrator implements API privilege management best practices.