Assigning Directory and Audit Permissions for Discovery and Visibility


Perform the following steps to assign directory permissions for the Britive application created in Azure:

  1. Log in to Azure with administrator privileges. 
  2. Select Microsoft Entra ID.
  3. Select App registrations from the navigation menu. 
  4. Select the "Britive" application (that is, the application created in the previous step Registering Britive application in Microsoft Entra ID).
  5. Click API permissions from the navigation menu. 
  6. Click + Add a permission.
  7. Select Microsoft Graph. 
  8. Select Application permissions.
  9. Search and click on Directory and select the permission "Directory.Read.All".
  10. Search and click on Audit and select the permission "AuditLog.Read.All".
  11. Click the Add permissions button. 
  12. Ensure that the option Grant admin consent for Default Directory is checked.
  13. Select Yes on the warning asking whether to grant consent for the required permissions for all accounts in the Default Directory. A message is displayed confirming that admin consent has been granted successfully for the requested permissions (in this case, Directory.Read.All and AuditLog.Read.All) for all accounts in the default directory.

The Directory.Read.All permission reads AD-level roles, AD Users, and AD groups in the Azure application. The AuditLog.Read.All permission, along with a Microsoft Entra ID Premium P1/P2 license, is needed to read the last sign-in date of AD Users in the Azure application. The last sign-in date is not returned for a user who has never signed in or who last signed in before April 2020.
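
One way to confirm the outcome of steps 9 to 13 is to compare what the app registration requests with what admin consent actually granted, and to flag anything beyond the two read permissions. This is an added example, not Britive's or Microsoft's code: it runs on constructed data shaped like the Microsoft Graph requiredResourceAccess, appRoles and appRoleAssignments objects, every GUID in it is made up, and the audit function name is hypothetical.

```python
import json

# The two application permissions assigned in the steps above.
REQUIRED = {"Directory.Read.All", "AuditLog.Read.All"}

# Constructed sample data shaped like Microsoft Graph objects; every GUID is made up.
GRAPH_SP = json.loads("""{
  "id": "aaaaaaaa-0000-0000-0000-000000000001",
  "appId": "bbbbbbbb-0000-0000-0000-000000000001",
  "appRoles": [
    {"id": "11111111-0000-0000-0000-000000000001", "value": "Directory.Read.All"},
    {"id": "11111111-0000-0000-0000-000000000002", "value": "AuditLog.Read.All"},
    {"id": "11111111-0000-0000-0000-000000000003", "value": "Directory.ReadWrite.All"}]}""")
APP = json.loads("""{"requiredResourceAccess": [{
  "resourceAppId": "bbbbbbbb-0000-0000-0000-000000000001",
  "resourceAccess": [
    {"id": "11111111-0000-0000-0000-000000000001", "type": "Role"},
    {"id": "11111111-0000-0000-0000-000000000002", "type": "Role"},
    {"id": "22222222-0000-0000-0000-000000000009", "type": "Scope"}]}]}""")
ASSIGNMENTS = json.loads("""{"value": [
  {"resourceId": "aaaaaaaa-0000-0000-0000-000000000001",
   "appRoleId": "11111111-0000-0000-0000-000000000001"},
  {"resourceId": "aaaaaaaa-0000-0000-0000-000000000001",
   "appRoleId": "11111111-0000-0000-0000-000000000003"}]}""")


def audit(app, graph_sp, assignments):
    """Compare requested and consented application permissions with REQUIRED."""
    names = {r["id"]: r["value"] for r in graph_sp["appRoles"]}
    # Requested on the app registration; type "Role" = application permission.
    requested = {names[a["id"]]
                 for rra in app["requiredResourceAccess"]
                 if rra["resourceAppId"] == graph_sp["appId"]
                 for a in rra["resourceAccess"]
                 if a["type"] == "Role" and a["id"] in names}
    # Granted by admin consent: app role assignments on the service principal.
    granted = {names[a["appRoleId"]]
               for a in assignments["value"]
               if a["resourceId"] == graph_sp["id"] and a["appRoleId"] in names}
    return {"not_requested": sorted(REQUIRED - requested),
            "awaiting_consent": sorted(requested - granted),
            "excess_granted": sorted(granted - REQUIRED)}


if __name__ == "__main__":
    print(json.dumps(audit(APP, GRAPH_SP, ASSIGNMENTS), indent=2))
```

Three empty lists mean the application holds exactly the two read permissions from the steps, both with admin consent.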