Permissions for Change Monitoring and Rollback in Cayosoft Guardian

Cayosoft Guardian uses an Entra application, also known as a service principal, and group Managed Service Accounts (gMSA) to access and manage your cloud and on-premises environments. When you add a tenant or managed domain, Cayosoft Guardian automatically creates the required identities and assigns the necessary permissions.

Active Directory (on-premises)

Connect to Active Directory using gMSA

gMSA provides improved security through automatic password management. Cayosoft Guardian automatically creates gMSA accounts with the appropriate permissions. Cayosoft Guardian supports two gMSA configuration modes:

• Administrative, for full change monitoring and rollback
• Read-only, for monitoring without rollback

Permissions required for initial gMSA configuration

Task	Permissions
Configure gMSA for domain partition	Domain Admin
Configure gMSA for schema partition	Schema Admin
Configure gMSA for configuration or application partitions	Enterprise Admin

gMSA with administrative permissions (Change monitoring and Rollback)

Cayosoft Guardian automatically creates a gMSA with administrative permissions for full Change monitoring and Rollback capability.

Task	Permissions	Details
Collect events	Event Log Readers	Member of the Event Log Readers group in the managed domain. For forest-wide partitions, membership is required in each forest domain.
Access domain controllers via WinRM	Remote Management Users	Member of the Remote Management Users group in the managed domain. For forest-wide partitions, membership is required in each forest domain.
Manage Entra Connect	ADSyncOperators	Member of the ADSyncOperators group in the managed domain. For forest-wide partitions, membership is required in each forest domain.
Collect changes from DirSync	Replicate Directory Changes	Grant the Replicate Directory Changes permission on the domain object in Active Directory. This allows the account to read and replicate directory changes for synchronization purposes.
Collect all attribute changes from DirSync	Replicate Directory Changes All	Grant the Replicate Directory Changes All permission on the domain object. This is required to replicate confidential and filtered attribute data.
Recover deleted objects (tombstone reanimation)	Reanimate Tombstones	Grant the Reanimate Tombstones extended right on the domain object. This allows the account to restore deleted objects during rollback.
Rollback actions in domain partition	Domain Admins	Member of the Domain Admins group in the managed domain.
Rollback actions in configuration or application partitions	Enterprise Admins	Member of the Enterprise Admins group in the managed forest.
Rollback actions in schema partition	Schema Admins	Member of the Schema Admins group in the managed domain.

gMSA with read-only permissions (monitoring only)

Cayosoft Guardian automatically creates a read-only gMSA for change monitoring without rollback capability. The read-only gMSA can also be temporarily elevated to perform rollback. This approach ensures that privileges are granted only when needed, following just-in-time elevation principles and reducing security risk.

Task	Permissions	Details
Collect events	Event Log Readers	Member of the Event Log Readers group in the managed domain. For forest-wide partitions, membership is required in each forest domain.
Access domain controllers via WinRM	Remote Management Users	Member of the Remote Management Users group in the managed domain. For forest-wide partitions, membership is required in each forest domain.
Manage Entra Connect	ADSyncOperators	Member of the ADSyncOperators group in the managed domain. For forest-wide partitions, membership is required in each forest domain.

Entra ID, Exchange Online, and Intune (cloud)

Cayosoft Guardian connects to Microsoft Entra ID, Exchange Online, and Intune through an Entra application account, also known as a service principal. This application identity allows Cayosoft Guardian to securely monitor, back up, and recover cloud configuration objects such as users, groups, policies, Exchange Online settings, and Intune devices without requiring a user account.

When you add a Microsoft 365 tenant to Cayosoft Guardian, the system automatically creates and registers this application in your Entra tenant and grants all required API permissions.

The Entra application, or service principal, is used to:

• Authenticate to Microsoft 365 by using modern OAuth 2.0 with app-only access
• Read directory configuration and activity data
• Perform rollback and recovery of Entra ID, Exchange Online, and Intune objects
• Access Microsoft Graph, Exchange Online, and management APIs on behalf of the organization

Entra directory roles

Access level	Entra directory role	Purpose
Monitoring and rollback (full)	Global Administrator	Required for full access to Entra directory changes, rollback operations, and administrative recovery.
Monitoring only (read-only)	Global Reader	Sufficient for read-only monitoring and change detection without rollback capability.

Azure RBAC roles

For a read-only Cayosoft Guardian configuration, the primary Azure RBAC role is Reader. The User Access Administrator role is used as an elevation mechanism when write operations, such as rollbacks, are required. Additionally, Cayosoft Guardian assigns the Contributor and Storage Blob Data Contributor roles at the subscription level in both modes.

Monitoring only (read-only)

Additional roles used for rollback or Azure resource operations

Entra application permissions (app-only)

These are application permissions, not delegated permissions, used for secure unattended operations that do not depend on a user's interactive session. When the Entra application is created, Cayosoft Guardian automatically requests the following permissions.

Microsoft Graph permissions

Permission name	Purpose or description
Directory.ReadWrite.All	Read and write all directory data for backup and recovery of Entra objects.
Application.ReadWrite.All	Manage application registrations and service principals for recovery.
Group.ReadWrite.All	Audit, back up, and recover Entra groups.
AuditLog.Read.All	Collect Entra ID audit events.
Policy.ReadWrite.ConditionalAccess	Back up and recover Conditional Access policies and named locations.
Policy.Read.All	Read organization policies for collection of policy and Conditional Access objects.
Policy.ReadWrite.AuthenticationFlows	Audit and recover authentication flows configuration.
Policy.ReadWrite.Authorization	Audit and recover Entra authorization settings.
Policy.ReadWrite.DeviceConfiguration	Collect and recover device configuration policies.
RoleManagement.ReadWrite.Directory	Audit and recover directory role assignments.
RoleAssignmentSchedule.ReadWrite.Directory	Audit and roll back PIM active role assignments.
RoleEligibilitySchedule.ReadWrite.Directory	Audit and roll back PIM eligibility role assignments.
Contacts.ReadWrite	Recover Entra ID contacts.
Agreement.Read.All	Audit Conditional Access dependencies, including terms of use.
UserAuthenticationMethod.ReadWrite.All	Audit and recover authentication method settings.
CrossTenantInformation.ReadBasic.All	Audit cross-tenant policy dependencies.
DeviceManagementManagedDevices.ReadWrite.All	Audit, back up, and recover Intune managed devices.
DeviceManagementConfiguration.ReadWrite.All	Audit and recover Intune configuration and compliance policies.
DeviceManagementScripts.ReadWrite.All	Audit and recover Intune PowerShell scripts and remediations.
DeviceManagementApps.ReadWrite.All	Collect Intune audit logs, manage app assignments, and recover Intune apps.
NetworkAccessPolicy.ReadWrite.All	Audit and recover Global Secure Access policies.
CustomSecAttributeDefinition.ReadWrite.All	Audit and recover custom security attribute definitions.
TeamSettings.ReadWrite.All	Audit and recover Microsoft Teams settings.
Domain.ReadWrite.All	Audit and recover custom domain configurations.
AppRoleAssignment.ReadWrite.All	Audit and recover application role assignments.
User.DeleteRestore.All	Delete and restore user accounts during rollback operations.
Mail.Send	Send notification emails.
Mail.ReadWrite	Read and write mail for notification and recovery workflows.
Synchronization.ReadWrite.All	Audit and recover directory synchronization configurations.
ProfilePhoto.Read.All	Read profile photos for backup purposes.

Exchange Online permissions

Permission name	Purpose or description
Exchange.ManageAsApp	Manage Exchange Online configuration as an application. Audits and recovers Exchange Online mailboxes, settings, and transport rules.

Office 365 Management API permissions

Permission name	Purpose or description
ActivityFeed.Read	Read activity data for your organization. Enables Unified Audit Log collection.

Delegated permissions (interactive consent)

During initial tenant setup, Cayosoft Guardian also requests delegated permissions to enable consent and configuration by the administrator. These permissions are used for the initial consent flow and for ongoing administrative operations.

Microsoft Graph delegated permissions

Permission name	Purpose or description
Directory.ReadWrite.All	Read and write directory data.
Directory.AccessAsUser.All	Access directory as the signed-in user, used for password resets during recovery.
Group.ReadWrite.All	Read and write all groups.
AuditLog.Read.All	Read audit log data.
Mail.Send.Shared	Send mail on behalf of shared mailboxes.
Mail.ReadWrite.Shared	Read and write mail in shared mailboxes.
Policy.ReadWrite.ConditionalAccess	Read and write Conditional Access policies.
Policy.Read.All	Read organization policies.
Policy.ReadWrite.AuthenticationFlows	Read and write authentication flow policies.
Policy.ReadWrite.Authorization	Read and write authorization policy.
Policy.ReadWrite.DeviceConfiguration	Read and write device configuration policies.
RoleManagement.ReadWrite.Directory	Read and manage directory RBAC settings.
RoleAssignmentSchedule.ReadWrite.Directory	Read, update, and delete active role assignments.
RoleEligibilitySchedule.ReadWrite.Directory	Read, update, and delete eligible role assignments.
Contacts.ReadWrite	Read and write user contacts.
Agreement.Read.All	Read all terms of use agreements.
UserAuthenticationMethod.ReadWrite.All	Read and write all users' authentication methods.
CrossTenantInformation.ReadBasic.All	Read cross-tenant basic information.
DeviceManagementManagedDevices.ReadWrite.All	Read and write Microsoft Intune devices.
DeviceManagementConfiguration.ReadWrite.All	Read and write Intune configuration and compliance policies.
DeviceManagementScripts.ReadWrite.All	Read and write Intune scripts.
DeviceManagementApps.ReadWrite.All	Read and write Intune apps.
NetworkAccessPolicy.ReadWrite.All	Read and write network access policies.
CustomSecAttributeDefinition.ReadWrite.All	Read and write custom security attribute definitions.
TeamSettings.ReadWrite.All	Read and write Teams settings.
ProfilePhoto.Read.All	Read profile photos.

Exchange Online delegated permissions

Permission name	Purpose or description
Exchange.Manage	Manage Exchange configuration through delegated access.

Office 365 Management API delegated permissions

Permission name	Purpose or description
ActivityFeed.Read	Read activity data for your organization.

Azure Service Management delegated permissions

Permission name	Purpose or description
user_impersonation	Access Azure Service Management as organization users. Allows Guardian to read Azure role assignments and manage recovery resources.