nOps requires safe, secure, and Azure-approved access to your accounts in order to give you the analysis, dashboards, and reports that you need. We only see what we need, no more, and we need you to give us the permission first.
Required Role
To complete the nOps Azure setup, the user must possess one of the following roles to create and manage the nOps application registration:
Admin or Global Admin role.
Application Administrator or Application Developer role.
An Application Administrator can create and manage all aspects of app registrations and enterprise apps.
An Application Developer can create application registrations independent of the 'Users can register applications' setting.
Application Administrator or Application Developer, either one is sufficient for the nOps application registration.
Type? What? and Why?
The following tables describe each permission that nOps requires:
Permission name.
Permission Type:
Application permissions allow an application in Azure Active Directory to act as its own entity, rather than on behalf of a specific user.
Delegated permissions allow an application in Azure Active Directory to perform actions on behalf of a particular user.
What the permission is?
Why the permission is important for nOps?
Permissions - Azure Service Management | Permission Type | What | Why |
user_impersonation | Delegated | Allows the application to access the Azure Management Service API acting as users in the organization. | Limited permission of user_impersonation is needed for authentication flow to work with the Azure Management API.
|
Permissions - Microsoft Graph | Permission Type | What | Why |
AuditLog.Read.All | Application | Allows the app to read and query your audit log activities, without a signed-in user. | Anticipated for future use. No current usage. |
Directory.Read.All
| Application | Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user. | Default permission attached to the tenant. Required for detecting various compliance issues related to users and groups through nOps. |
Reports.Read.All
| Application | Allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Office 365 and Azure Active Directory. | Permission mostly required for accessing billing information which is one of the main nOps functionalities. Also enables nOps to fetch usage reports of services like credentialUserRegistrationDetails (detects compliance issues like registration, authentication methods, MFA and others) |
User.Read | Delegated | Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | This grants permission to read the profile of the signed-in user which is simply accessing information using the client_id and client_secret linked to nOps. |