If you are as concerned about your data security as we are, then you may be wondering just how much access to your Microsoft 365 tenant you are giving to Office Protect.
Do I need to give Office Protect my tenant's global admin? Isn’t it unsafe?
You do not give Office Protect your global admin password: our authorization process is there so that you do not have to. Instead of asking you to authorize Office Protect to access Microsoft 365 using an existing Microsoft 365 global administrator, in the first configuration step we create a service principal in your tenant that will allow Office Protect to access your Microsoft services.
If you did not buy Microsoft 365 through Sherweb:
Once you have clicked 'PROCEED' during the authorization steps, we redirect you to a Microsoft page to verify your identity. Once authenticated, you will have the opportunity to review the permissions Office Protect requires to operate (see list below). This process follows security best practices.
What information does Office Protect store?
We retain your tenant’s name/domain. Once you have authorized us, we will use a security token issued by Microsoft to interact with your tenant. We do not store your tenant admin account name or password. In fact, we never have access to them.
What about logs?
We retain the events we received from Microsoft 365 for 24 hours.
We also store the Office Protect events indefinitely, for now, but that retention period may be shortened in the future.
Once I authorize the service, what prevents Office Protect from taking unwanted action on my tenant?
Before we could ask you to authorize our application to interact with your tenant, we had to register with Microsoft as a company. If we were to do anything "bad" to our clients, we would quickly be banned by Microsoft and would no longer be able to operate. Our product is based on trust. We invite you to contact Microsoft if anything we do is not to the highest standards.
Is it permanent? Can I revoke access?
It is not permanent: you can remove our access to your tenant at any time.
What about GDPR?
Office Protect is fully compliant with the rules pertaining to GDPR.
If you have any questions, please browse our other FAQs, or contact us directly at [email protected].
Required Permissions
Office Protect requires the appropriate permissions to function properly on your tenant. The following permissions enable Office Protect to:
- Monitor and manage security settings in Entra ID, Teams, Exchange, SharePoint, OneDrive
- Read all configurations to provide security reports, dashboards and alerting
- Retrieve logs to monitor the tenant’s activity
- Manage the Office Protect application
- Enable remediation actions in response to security events
Microsoft Graph - Delegated permissions:
- openid: Sign users in.
- Application.ReadWrite.All: Read and write all applications.
- AppRoleAssignment.ReadWrite.All: Manage app permission grants and app role assignments.
- Directory.ReadWrite.All: Read and write directory data.
- profile: View users' basic profile.
- RoleManagement.ReadWrite.Directory: Read and write directory RBAC settings.
- offline_access: Maintain access to data you have given it access to.
- User.ReadWrite.All: Read and write all users' full profiles.
- Directory.AccessAsUser.All: Access the directory as the signed-in user.
- UserAuthenticationMethod.ReadWrite.All: Read and write all users' authentication methods.
Microsoft Graph - Application permissions:
- TeamSettings.ReadWrite.All: Read and change all teams' settings.
- Policy.ReadWrite.ConditionalAccess: Read and write your organization's conditional access policies.
- Policy.ReadWrite.AuthenticationMethod: Read and write all authentication method policies.
- SharePointTenantSettings.ReadWrite.All: Read and change SharePoint and OneDrive tenant settings.
- User.ReadWrite.All: Read and write all users' full profiles.
- Domain.ReadWrite.All: Read and write domains.
- ReportSettings.ReadWrite.All: Read and write all admin report settings.
- SecurityEvents.Read.All: Read your organization's security events.
- UserAuthenticationMethod.ReadWrite.All: Read and write all users' authentication methods.
- AppCatalog.ReadWrite.All: Read and write to all app catalogs.
- Application.ReadWrite.All: Read and write all applications.
- Directory.ReadWrite.All: Read and write directory data.
- Sites.ReadWrite.All: Read and write items in all site collections.
- Group.ReadWrite.All: Read and write all groups.
- TeamsAppInstallation.ReadWriteForUser.All: Manage Teams apps for all users.
- Files.Read.All: Read files in all site collections.
- AppRoleAssignment.ReadWrite.All: Manage app permission grants and app role assignments.
- TeamsAppInstallation.ReadWriteForTeam.All: Manage Teams apps for all teams.
- Chat.ReadWrite.All: Read and write all chat messages.
- MailboxSettings.ReadWrite: Read and write all user mailbox settings.
- RoleManagement.ReadWrite.Directory: Read and write all directory RBAC settings.
- AuditLog.Read.All: Read all audit log data.
- Policy.Read.All: Read your organization's policies.
- TeamsAppInstallation.ReadWriteForChat.All: Manage Teams apps for all chats.
- Policy.ReadWrite.Authorization: Read and write your organization's authorization policy.
- Reports.Read.All: Read all usage reports.
Office 365 Exchange Online - Application Permissions:
- Exchange.ManageAsApp: Manage Exchange As Application.
Office 365 Management APIs - Application Permissions:
- ActivityFeed.ReadDlp: Read DLP policy events including detected sensitive data.
- ServiceHealth.Read: Read service health information for your organization.
- ActivityFeed.Read: Read activity data for your organization.
Office 365 SharePoint Online - Application Permissions:
- Sites.FullControl.All: Have full control of all site collections.
In line with the least-privilege principle, Office Protect only requests the permissions it genuinely needs. These permissions will not be used for any hidden or malicious activities.
You can review and manage all Office Protect permissions from your Microsoft Entra ID (Identity) admin portal: Applications > Enterprise applications > Office Protect > Permissions.
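Beyond eyeballing the portal, a tenant admin can verify that what an enterprise application has actually been granted matches the list a vendor documents. The script below is an added example, not Office Protect's or Sherweb's code; it works on constructed, Graph-shaped sample records with placeholder ids and assumes the appRoleAssignments, oauth2PermissionGrants and resource appRoles have already been fetched from Microsoft Graph.

```python
# Constructed Graph-shaped sample data; all ids are placeholders, not real Graph GUIDs.
# Application permissions arrive as appRoleAssignments whose appRoleId must be resolved
# through the resource service principal's appRoles; delegated permissions arrive as
# oauth2PermissionGrants whose "scope" is a space-separated string.
DOCUMENTED = {  # a subset of the permissions listed on the page
    "application": {"Directory.ReadWrite.All", "AuditLog.Read.All", "Exchange.ManageAsApp"},
    "delegated": {"openid", "profile", "offline_access", "User.ReadWrite.All"},
}
RESOURCE_APP_ROLES = {  # resource service principal id -> its appRoles
    "sp-graph": [{"id": "role-0001", "value": "Directory.ReadWrite.All"},
                 {"id": "role-0002", "value": "AuditLog.Read.All"},
                 {"id": "role-0003", "value": "Mail.ReadWrite"}],
    "sp-exo": [{"id": "role-0010", "value": "Exchange.ManageAsApp"}],
}
APP_ROLE_ASSIGNMENTS = [  # GET /servicePrincipals/{id}/appRoleAssignments
    {"resourceId": "sp-graph", "appRoleId": "role-0001"},
    {"resourceId": "sp-graph", "appRoleId": "role-0002"},
    {"resourceId": "sp-graph", "appRoleId": "role-0003"},  # not on the vendor's list
    {"resourceId": "sp-exo", "appRoleId": "role-0010"},
    {"resourceId": "sp-exo", "appRoleId": "role-9999"},  # no matching appRole
]
OAUTH2_GRANTS = [  # GET /servicePrincipals/{id}/oauth2PermissionGrants
    {"resourceId": "sp-graph", "consentType": "AllPrincipals",  # tenant-wide admin consent
     "scope": "openid profile offline_access User.ReadWrite.All Mail.Read"},
]

def granted_application_permissions(assignments, resource_roles):
    """Resolve each appRoleId to a permission name; unresolvable ids stay visible."""
    granted = set()
    for a in assignments:
        roles = {r["id"]: r["value"] for r in resource_roles.get(a["resourceId"], [])}
        granted.add(roles.get(a["appRoleId"], "UNKNOWN:" + a["appRoleId"]))
    return granted

def granted_delegated_permissions(grants):
    """Flatten every grant's space-separated scope string into one set."""
    return {scope for g in grants for scope in g["scope"].split()}

def audit(documented, assignments, resource_roles, grants):
    """Diff granted permissions against the documented set, in both directions."""
    app = granted_application_permissions(assignments, resource_roles)
    dlg = granted_delegated_permissions(grants)
    return {
        "undocumented_application": sorted(app - documented["application"]),
        "undocumented_delegated": sorted(dlg - documented["delegated"]),
        "missing_application": sorted(documented["application"] - app),
        "missing_delegated": sorted(documented["delegated"] - dlg),
    }
```

Anything under the two "undocumented" keys is a grant the vendor did not list and deserves a question before the app is left in place; a "missing" entry usually means consent was only partially granted.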