Microsoft Office 365 Subscription

[trondeau]

Hi,

Looking to set this up in Nagiosxi, but getting push back from our security teams. Trying to understand the Group.Read.All requirement.

https://support.nagios.com/kb/article/m ... s-881.html

From Them:

We have no issue with:
Directory.Read.All
Reports.Read.All
User.Read.All

This one is the one that is giving us heartache:

Group.Read.All

This allows Nagios to read all content for any Group in the company. This seems exceptionally wide for a monitoring tool, and we need to know why it requires this permission.

[ssax]

The assumption is that you don't need them all but only for certain checks, given the help output of the plugin shows these options:

Code: Select all

Available Tests

mailactivitybyuser
mailusagebyuser
mailboxusage
o365activationsbyuser
o365activationsbyproduct
o365productusage
o365serviceusage
o365groupsactivitybygroup
o365groupsfileactivity
time2token
time2connect

You likely only need the Group permissions if you want to check these:

Code: Select all

o365groupsactivitybygroup
o365groupsfileactivity

Here's what they show for me in Azure:

Directory.Read.All: Read directory data - Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user.

Reports.Read.All: Read all usage reports - Allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Office 365 and Azure Active Directory

User.Read.All: Read all users' full profiles - Allows the app to read user profiles without a signed in user.

Group.Read.All: Read all groups - Allows the app to read group properties and memberships, and read the calendar and conversations for all groups, without a signed-in user.

https://docs.microsoft.com/en-us/graph/ ... steredApps