
Permissions & Security

Last updated: March 2026

All Microsoft Graph permissions requested are read-only and delegated. The one Azure scope, user_impersonation, is not itself limited to read operations: it carries whatever access the signed-in user already holds under Azure RBAC, and the scanner uses it only to read resources. ButWhy.Cloud does not create, modify, or delete anything in your tenant; every permission below is used solely to read configuration data for security assessment purposes.

How Access Works

When you click "Run Free Security Scan", you are redirected to Microsoft's standard OAuth 2.0 consent screen. You authenticate with your own Microsoft credentials and choose whether to grant consent. If you consent, Microsoft issues a short-lived access token scoped to your tenant. Our scanner uses that token to run the checks, then the token expires. We never see your password.

The consent grant itself persists in your tenant under Entra ID → Enterprise Applications until you remove it; the Permissions tab there shows exactly which scopes were granted and whether a single user or an administrator (on behalf of the whole organisation) consented. The access token is never stored; it is used in memory during the scan only.
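As an added illustration (not ButWhy.Cloud's code), the following Python decodes the claims of a Microsoft identity platform access token and checks the properties described above: that it is delegated (granted scopes in an scp claim rather than a roles claim), issued for Microsoft Graph in a single tenant, and short-lived. The two tokens it inspects are constructed inline with a placeholder signature, the tenant id and user are made up, and no signature verification is performed; the 90-minute ceiling is an assumption based on the platform's default access-token lifetime.

```python
# Added example (not ButWhy.Cloud code): inspect the claims of a Microsoft
# identity platform access token to confirm what the text above describes.
# The signature is NOT verified here; this is only for looking at a token you
# already hold. A resource server must validate it against the issuer's JWKS.
import base64
import json
import time
from typing import Optional

GRAPH_AUDIENCE = "https://graph.microsoft.com"
# Assumed ceiling: Entra ID issues access tokens with a 60-90 minute lifetime by default.
MAX_EXPECTED_LIFETIME = 90 * 60


def _b64url_decode(part: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: dict) -> str:
    raw = json.dumps(data, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT without checking its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def assess_token(token: str, now: Optional[int] = None) -> dict:
    """Summarise the properties a delegated, read-only scan token should have."""
    claims = decode_claims(token)
    now = int(time.time()) if now is None else now
    issued = claims.get("iat", claims.get("nbf"))
    lifetime = claims["exp"] - issued
    return {
        # Delegated tokens carry granted scopes in 'scp'; app-only tokens
        # (standing access as a service principal) carry 'roles' instead.
        "delegated": "scp" in claims and "roles" not in claims,
        "audience_is_graph": claims.get("aud") == GRAPH_AUDIENCE,
        "tenant": claims.get("tid"),
        "lifetime_minutes": lifetime // 60,
        "short_lived": lifetime <= MAX_EXPECTED_LIFETIME,
        "expired": claims["exp"] <= now,
        "scopes": sorted(claims.get("scp", "").split()),
    }


def constructed_token(claims: dict) -> str:
    """Build an unsigned JWT from constructed claims (signature is a placeholder)."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.placeholder"


ISSUED_AT = 1_700_000_000
TENANT_ID = "11111111-2222-3333-4444-555555555555"  # constructed tenant id

# Constructed delegated token: what a scan token should look like.
DELEGATED_TOKEN = constructed_token({
    "aud": GRAPH_AUDIENCE,
    "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "iat": ISSUED_AT, "nbf": ISSUED_AT, "exp": ISSUED_AT + 3600,
    "tid": TENANT_ID,
    "scp": "Directory.Read.All Policy.Read.All User.Read",
    "upn": "admin@contoso.example",
})

# Constructed app-only token for contrast: 'roles' instead of 'scp', no user.
APP_ONLY_TOKEN = constructed_token({
    "aud": GRAPH_AUDIENCE,
    "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "iat": ISSUED_AT, "nbf": ISSUED_AT, "exp": ISSUED_AT + 3600,
    "tid": TENANT_ID,
    "roles": ["Directory.Read.All"],
})

if __name__ == "__main__":
    for name, tok in (("delegated", DELEGATED_TOKEN), ("app-only", APP_ONLY_TOKEN)):
        print(name, json.dumps(assess_token(tok, now=ISSUED_AT + 600), indent=2))
```

The same decode applied to a token pasted from a real sign-in (for instance one captured by your own browser's developer tools) shows whether the scopes in scp match the list on this page; the app-only sample is there only to show what the roles claim of a standing service-principal token looks like by contrast.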

Revoking Access

To remove ButWhy.Cloud from your tenant at any time: go to Entra ID → Enterprise Applications, search for ButWhy.Cloud, and click Delete. This removes the consent grant and invalidates any refresh token issued to the application, so no further tokens can be obtained. An access token that has already been issued generally stays valid until it expires (at most about an hour), because Microsoft Graph validates it by signature rather than by looking it up. Before deleting, the Permissions tab of the same Enterprise Application is worth a look: it shows which scopes were granted and whether a single user or an administrator consented for the whole organisation. Deleting the application does not affect any report already generated.

Microsoft Identity Platform (1)

This is not a Microsoft Graph or Azure permission but an OpenID Connect scope handled by the Microsoft identity platform itself. ButWhy.Cloud requests it so that the scan can outlive a single access token (see below); like every other scope it is only granted with your consent.

offline_access
You will see this listed on Microsoft’s consent screen as “Maintain access to data you have given it access to”. Microsoft’s description is generic and can be alarming — here is what it actually means for ButWhy.Cloud.

This scope is what gives the scanner a refresh token, so it can obtain a fresh access token during the scan without requiring you to stay on the page. A full scan takes 20–30 minutes and runs in the background; without a refresh token, if the access token expired before the scan finished there would be no way to obtain another one short of sending you back through the sign-in flow, and the scan would fail.

It does not grant access to any additional data beyond what the other permissions cover. The access token and the refresh token this scope produces are both held in memory for the scan only and discarded when it finishes; the access token would expire on its own within about an hour in any case, and deleting the enterprise application (see Revoking Access above) invalidates the refresh token.

Azure Service Management (1)

user_impersonation
Allows calling Azure Resource Manager (ARM) APIs as the signed-in user, with the same permissions that user already has in Azure. Used to read Azure subscription resources including VMs, storage accounts, NSGs, Key Vaults, SQL servers, and Defender for Cloud settings. We can only see what you can see: this permission grants no additional access beyond your own Azure RBAC role. Note that the scope itself is not restricted to read operations (Azure Resource Manager offers no read-only delegated scope); what bounds it is your RBAC role, and the scanner uses it only for read calls.

Microsoft Graph Permissions (16)

All Graph permissions are Delegated: they operate in the context of the consenting user, not as a background service principal with standing access. In the issued token the granted scopes appear in the scp claim; application permissions, which this scanner does not request, would appear in a roles claim instead.

Directory.Read.All
Reads Entra ID directory objects including users, groups, service principals, and app registrations. Used to check admin counts, guest users, app registrations with expiring secrets, and service principal configurations.
Policy.Read.All
Reads Conditional Access policies, authentication methods policy, and tenant-wide security policies. Used to assess MFA enforcement, legacy authentication blocking, and Conditional Access coverage gaps.
UserAuthenticationMethod.Read.All
Reads the authentication methods registered by users (e.g. whether MFA is configured). Used to identify users without MFA registered and assess authentication strength.
RoleManagement.Read.Directory
Reads Entra ID role assignments. Used to check Global Administrator counts, privileged role assignments, and whether PIM (Privileged Identity Management) is in use.
AuditLog.Read.All
Reads sign-in and audit logs. Used to detect risky sign-in patterns, legacy authentication usage, and review recent privileged actions. Microsoft exposes sign-in logs through this API only on tenants licensed for Entra ID P1 or P2, so those checks cannot run on other tenants.
Reports.Read.All
Reads Microsoft 365 usage and security reports. Used to assess MFA registration rates across the tenant and identify users who have not completed MFA setup.
SecurityEvents.Read.All
Reads security alerts and events from Microsoft Defender and other integrated security products. Used to check for active security alerts and Defender configuration status.
SecurityActions.Read.All
Reads security actions (response actions such as blocking an indicator) submitted through the Microsoft Graph Security API, together with their completion status. Note that Secure Score and its improvement actions are served by the secure score endpoints, which require SecurityEvents.Read.All (listed above); this scope covers only the separate security actions endpoint.
User.Read.All
Reads full profile data for all users. Used alongside Directory.Read.All to assess user configurations such as external/guest accounts, per-user MFA state, and account status.
DeviceManagementConfiguration.Read.All
Reads Intune device configuration profiles and policies. Used to check BitLocker enforcement, Windows Hello, device compliance policy existence, and configuration baselines.
DeviceManagementManagedDevices.Read.All
Reads the list of devices enrolled in Intune and their compliance status. Used to identify non-compliant devices and assess enrolment coverage.
DeviceManagementApps.Read.All
Reads Intune app protection and app configuration policies. Used to check mobile application management (MAM) policies and app protection policy coverage.
DeviceManagementServiceConfig.Read.All
Reads Intune service-level configuration including enrolment restrictions and terms and conditions. Used to assess enrolment policies and device management configuration.
Mail.ReadBasic
Reads basic mail properties (subject, sender, recipients, dates) but not message body or attachments. Used to verify email security configurations such as external forwarding rules. Note that inbox rules themselves are served by the mailbox settings endpoint (MailboxSettings.Read), not by this scope, and that as a delegated scope it reaches only the consenting user's own mailbox.
Mail.ReadBasic.Shared
Same as Mail.ReadBasic, extended to shared mailboxes the consenting user already has access to. Used to check forwarding rules on shared mailboxes that could be used for data exfiltration.
User.Read
Reads the signed-in user's basic profile. This is the standard minimal scope for a delegated sign-in; it is used to identify the consenting user and their tenant.
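To verify the list above against what your tenant actually recorded, here is an added Python example (not ButWhy.Cloud's code). It takes oauth2PermissionGrant records for an application's service principal, in the shape Microsoft Graph returns them, and reports scopes granted beyond or short of the documented set, scopes whose name does not mark them read-only, and whether consent was tenant-wide. The grant records, object ids and the resourceId-to-name lookup are all constructed for the example; in a tenant you would fetch them from /oauth2PermissionGrants and /servicePrincipals.

```python
# Added example, not ButWhy.Cloud code: audit an application's consent grant
# against the scope list documented on this page.
# Input shape follows Microsoft Graph oauth2PermissionGrant objects
# (GET /oauth2PermissionGrants?$filter=clientId eq '<service principal id>');
# every record and id below is constructed for illustration.

OIDC_SCOPES = {"openid", "profile", "email"}  # sign-in only, no data access

# Scopes this page documents, keyed by the display name of the resource
# service principal that a grant's resourceId points at.
DOCUMENTED = {
    "Microsoft Graph": {
        "offline_access", "User.Read", "User.Read.All", "Directory.Read.All",
        "Policy.Read.All", "UserAuthenticationMethod.Read.All",
        "RoleManagement.Read.Directory", "AuditLog.Read.All", "Reports.Read.All",
        "SecurityEvents.Read.All", "SecurityActions.Read.All",
        "DeviceManagementConfiguration.Read.All",
        "DeviceManagementManagedDevices.Read.All",
        "DeviceManagementApps.Read.All", "DeviceManagementServiceConfig.Read.All",
        "Mail.ReadBasic", "Mail.ReadBasic.Shared",
    },
    "Windows Azure Service Management API": {"user_impersonation"},
}


def is_read_only_by_name(scope: str) -> bool:
    """Heuristic on Graph naming: Foo.Read, Foo.Read.Bar, Foo.ReadBasic[.Bar]."""
    return scope.endswith(".Read") or ".Read." in scope or ".ReadBasic" in scope


def audit_grants(grants, resource_names, documented=DOCUMENTED):
    """Compare granted scopes per resource with the documented list.

    Returns extra/missing scopes per resource, scopes whose name does not
    mark them read-only, and whether any grant was tenant-wide."""
    granted = {}
    tenant_wide = False
    for g in grants:
        name = resource_names.get(g["resourceId"], g["resourceId"])
        granted.setdefault(name, set()).update(g["scope"].split())
        # 'AllPrincipals': an admin consented for every user in the tenant.
        # 'Principal': one user (principalId) consented for themselves only.
        tenant_wide = tenant_wide or g["consentType"] == "AllPrincipals"

    report = {"extra": {}, "missing": {}, "not_read_only": {}, "tenant_wide": tenant_wide}
    for resource in set(granted) | set(documented):
        have = granted.get(resource, set())
        want = documented.get(resource, set())
        extra = have - want - OIDC_SCOPES
        missing = want - have
        not_ro = {s for s in have - OIDC_SCOPES - {"offline_access"}
                  if not is_read_only_by_name(s)}
        if extra:
            report["extra"][resource] = sorted(extra)
        if missing:
            report["missing"][resource] = sorted(missing)
        if not_ro:
            report["not_read_only"][resource] = sorted(not_ro)
    return report


# Constructed lookup from resource service-principal object id to display
# name (in a tenant: GET /servicePrincipals/{resourceId}).
RESOURCE_NAMES = {
    "aaaaaaaa-0000-0000-0000-000000000001": "Microsoft Graph",
    "aaaaaaaa-0000-0000-0000-000000000002": "Windows Azure Service Management API",
}

# Constructed grants: a single user's consent carrying every documented scope
# plus one this page does not list (Mail.ReadWrite), to show detection.
SAMPLE_GRANTS = [
    {
        "clientId": "bbbbbbbb-0000-0000-0000-000000000001",
        "consentType": "Principal",
        "principalId": "cccccccc-0000-0000-0000-000000000001",
        "resourceId": "aaaaaaaa-0000-0000-0000-000000000001",
        "scope": " ".join(sorted(DOCUMENTED["Microsoft Graph"]
                                 | {"openid", "profile", "Mail.ReadWrite"})),
    },
    {
        "clientId": "bbbbbbbb-0000-0000-0000-000000000001",
        "consentType": "Principal",
        "principalId": "cccccccc-0000-0000-0000-000000000001",
        "resourceId": "aaaaaaaa-0000-0000-0000-000000000002",
        "scope": "user_impersonation",
    },
]

if __name__ == "__main__":
    import json
    print(json.dumps(audit_grants(SAMPLE_GRANTS, RESOURCE_NAMES), indent=2))
```

user_impersonation is reported under not_read_only by design: nothing in its name says read-only, which is exactly the point made in the Azure Service Management section. A grant to a resource that is not in the documented table at all (for example an Exchange Online scope) shows up under extra for that resource, which is the case most worth catching.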

What We Cannot Do

None of these permissions allow us to:

Questions

If you have questions about any permission or want to discuss the security model before scanning, email hello@butwhy.cloud.