Refer to the following sections to see the API permissions that should be accepted when you give consent to the corresponding apps.
When you create the Insights for Microsoft 365 app profile in AvePoint Online Services, the AvePoint Insights for Microsoft365 app will be automatically set up in your Microsoft Entra ID.
The table below lists the permissions that should be accepted when you authorize the AvePoint Insights for Microsoft365 app.
| API | Permission | Type | Purpose |
|---|---|---|---|
| Microsoft Graph (15) | User.ReadWrite.All (Read and write all users' full profiles) | Application | Retrieve and display the user photo and metadata. Allow users to remove or block external users. |
| Microsoft Graph (15) | ChannelSettings.Read.All (Read the names, descriptions, and settings of all channels) | Application | Retrieve channel information in Teams. |
| Microsoft Graph (15) | IdentityRiskyUser.ReadWrite.All (Read and write all risky user information) | Application | Retrieve risky user information. |
| Microsoft Graph (15) | Sites.Read.All (Read items in all site collections) | Application | Search for sensitivity data. |
| Microsoft Graph (15) | Group.ReadWrite.All (Read and write all groups) | Application | Retrieve AD group member information. Allow users to add or remove owners for Teams/Microsoft 365 Groups. |
| Microsoft Graph (15) | Directory.Read.All (Read directory data) | Application | Retrieve AD group/user information for permissions. |
| Microsoft Graph (15) | TeamMember.ReadWrite.All (Add and remove members from teams) | Application | Retrieve and manage members in your Teams. |
| Microsoft Graph (15) | Files.Read.All (Read files in all site collections) | Application | Retrieve URLs of channels in Teams. |
| Microsoft Graph (15) | TeamSettings.Read.All (Read all teams' settings) | Application | Retrieve information of teams. |
| Microsoft Graph (15) | InformationProtectionPolicy.Read.All (Read all published labels and label policies for an organization.) | Application | Retrieve sensitivity labels from Microsoft 365. |
| Microsoft Graph (15) | ChannelMember.ReadWrite.All (Add and remove members from all channels) | Application | Retrieve private channel members. Allow users to add or remove owners for private channels. |
| Microsoft Graph (15) | IdentityRiskEvent.Read.All (Read all identity risk event information) | Application | Retrieve risky event information. |
| Microsoft Graph (15) | AuditLog.Read.All (Read all audit log data) | Application | Retrieve the last sign-in time of external users. |
| Microsoft Graph (15) | Reports.Read.All (Read all usage reports) | Application | Retrieve data for usage reports. |
| Microsoft Graph (15) | Group.ReadWrite.All (Read and write all groups) | Delegated | Apply sensitivity labels to Microsoft 365 Groups and Microsoft Teams. |
| Microsoft Information Protection Sync Service (1) | UnifiedPolicy.Tenant.Read (Read all unified policies of the tenant) | Application | Retrieve sensitivity label information configured in the tenant from Microsoft 365. |
| Microsoft Rights Management Services (2) *Note: Make sure your organization has a subscription (or service principal) for the Azure Rights Management Services API. | Content.Writer (Create protected content) | Application | Allow users to encrypt the files. |
| Microsoft Rights Management Services (2) *Note: Make sure your organization has a subscription (or service principal) for the Azure Rights Management Services API. | Content.SuperUser (Read all protected content for this tenant) | Application | Read the protected content of encrypted files. |
| Office 365 Exchange Online (1) | Exchange.ManageAsApp (Manage Exchange As Application) *Note: The app must have the Compliance Administrator role. For details, refer to Appendix G: How to Assign a Role to App?. | Application | Automatically sync Microsoft 365 sensitive info types either through a daily sync job or by clicking Automatically sync when adding conditions in a sensitivity definition. |
| Office 365 Management APIs (1) | ActivityFeed.Read (Read activity data for your organization) | Application | Retrieve activity data in your organization. |
| Office 365 SharePoint Online (2) | User.Read.All (Read user profiles) | Application | Retrieve user profiles for OneDrive that are scanned by AvePoint Online Services. |
| Office 365 SharePoint Online (2) | Sites.FullControl.All (Have full control of all site collections) | Application | Retrieve information of SharePoint Online site collections that are scanned by Insights. |
*Note: Consent from a Microsoft 365 Global Administrator or a Privileged Role Administrator is required when creating the Insights for Microsoft 365 app profile and must be retained. However, the consent can be revoked if you only use the delegated permissions to manage sensitivity labels for Teams and Microsoft 365 Groups. The authentication user must have at least the Groups Administrator role.
When you create the Insights for Power Platform app profile in AvePoint Online Services, the AvePoint Insights for Power Platform app will be automatically set up in your Microsoft Entra ID.
The table below lists the permissions that should be accepted when you authorize the AvePoint Insights for Power Platform app.
| API | Permission | Type | Purpose |
|---|---|---|---|
| Microsoft Graph (4) | Group.Read.All (Read all groups) | Application | Retrieve information about groups in your organization. |
| Microsoft Graph (4) | Directory.Read.All (Read directory data) | Application | Retrieve data from your organization’s directory. |
| Microsoft Graph (4) | User.Read.All (Read all users’ full profiles) | Application | Retrieve information of Power BI users. |
| Microsoft Graph (4) | AuditLog.Read.All (Read all audit log data) | Application | Retrieve the last sign-in time of external users. |
| Microsoft Information Protection Sync Service (1) | UnifiedPolicy.Tenant.Read (Read all unified policies of the tenant) | Application | Retrieve sensitivity label information configured in the tenant from Microsoft 365. |
| Office 365 Management APIs (1) | ActivityFeed.Read (Read activity data for your organization) | Application | Retrieve activity data in your organization. |
| Power BI Service (2) | Tenant.Read.All (View all content in tenant) | Delegated | Retrieve information of Power BI workspaces. |
| Power BI Service (2) | Dataset.Read.All (View all datasets) | Delegated | Retrieve datasets in Power BI workspaces. |
*Note: Consent from a Microsoft 365 Global Administrator or a Privileged Role Administrator is required when creating the Insights for Power Platform app profile and must be retained. However, the consent can be revoked if you only use the delegated permissions to manage Power BI workspaces and artifacts via Insights. The authentication user must have a Power BI Pro, Premium Per User (PPU), or Power BI (free) license, and have at least the Fabric Administrator role (the former Power BI admin role).
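
To verify that what was actually consented matches the Power Platform table above, the following added example (not AvePoint's or Microsoft's code) diffs a list of granted permissions against that baseline and reports missing grants, grants made under the wrong type, and grants that are not in the table. The `(api, permission, type)` tuple shape and the sample data are assumptions constructed for illustration; the same function works for the Microsoft 365 table given its own baseline.

```python
# Added example. Baseline transcribed from the Insights for Power Platform table.
GRAPH, PBI = "Microsoft Graph", "Power BI Service"
MIP = "Microsoft Information Protection Sync Service"
MGMT = "Office 365 Management APIs"
EXPECTED = {
    (GRAPH, "Group.Read.All"): "Application",
    (GRAPH, "Directory.Read.All"): "Application",
    (GRAPH, "User.Read.All"): "Application",
    (GRAPH, "AuditLog.Read.All"): "Application",
    (MIP, "UnifiedPolicy.Tenant.Read"): "Application",
    (MGMT, "ActivityFeed.Read"): "Application",
    (PBI, "Tenant.Read.All"): "Delegated",
    (PBI, "Dataset.Read.All"): "Delegated",
}

def audit_grants(granted, expected=EXPECTED):
    """Diff (api, permission, type) tuples against the documented baseline."""
    seen = {}
    for api, perm, kind in granted:
        seen.setdefault((api.strip(), perm.strip()), set()).add(kind.strip().capitalize())
    findings = {"missing": [], "wrong_type": [], "unexpected": []}
    for key, want in expected.items():
        have = seen.get(key, set())
        if want not in have:
            findings["missing"].append((*key, want))
        # Same permission name under the other grant type is a different grant.
        findings["wrong_type"] += [(*key, t) for t in sorted(have - {want})]
    for key, kinds in seen.items():
        if key not in expected:
            findings["unexpected"] += [(*key, t) for t in sorted(kinds)]
    return findings

# Constructed sample (assumed export shape, not real tenant data).
SAMPLE_GRANTS = [
    (GRAPH, "Group.Read.All", "Application"),
    (GRAPH, "Directory.Read.All", "Application"),
    (GRAPH, "User.Read.All", "application"),
    (GRAPH, "AuditLog.Read.All", "Application"),
    (MIP, "UnifiedPolicy.Tenant.Read", "Application"),
    (PBI, "Tenant.Read.All", "Application"),   # documented as Delegated
    (PBI, "Dataset.Read.All", "Delegated"),
    (GRAPH, "Group.ReadWrite.All", "Application"),  # not in the table
]

if __name__ == "__main__":
    for category, items in audit_grants(SAMPLE_GRANTS).items():
        for api, perm, kind in items:
            print(f"{category:10} {api}: {perm} ({kind})")
```
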