Permissions for Change Monitoring in Cayosoft Guardian
Cayosoft Guardian uses multiple identities, such as connection and configuration accounts, to access and manage your cloud environment.
Create a user account and assign the Global Administrator role to this account before adding a tenant to Cayosoft Guardian.
It is strongly recommended to use a cloud-only account (not synchronized with on-prem AD).
The connection account should not be used in other applications or scripts.
To send notifications via Teams or Exchange Online, assign a Microsoft 365 license with the Teams, Exchange Online and Intune options.
Connection account permissions
| Role | Details |
|---|---|
| Global Administrator | Required for full access to Entra directory changes and rollback operations. Assign the Global Administrator role to this account before adding a tenant to Cayosoft Guardian. |
| User Access Administrator in Azure | Required to monitor and restore RBAC-related access control changes (such as role assignments). This ensures Guardian can revert unauthorized or accidental permission changes during rollback. Cayosoft Guardian will automatically add the connection account to the User Access Administrator role in Azure. This role gives access to all subscriptions and management groups in Azure. NOTE: Without the 'User Access Administrator' role, Cayosoft Guardian may not be able to fully restore access controls or role assignments. |
Entra application permissions
Cayosoft Guardian connects to Microsoft Entra ID and Microsoft 365 through an Entra application account (service principal). This application identity allows Guardian to securely monitor, back up, and recover cloud configuration objects such as users, groups, policies, and Intune devices — without requiring continuous sign-in from a user account. When you add a Microsoft 365 tenant to Guardian, the system automatically creates and registers this application in your Entra tenant and grants all required API permissions.
The Entra application (service principal) is used to:
Authenticate to Microsoft 365 via modern OAuth 2.0 (app-only access).
Read directory configuration and activity data.
Perform rollback and recovery of Entra ID and Intune objects.
Access Microsoft Graph and Management APIs as an organization.
Cayosoft Guardian uses application permissions (not delegated user permissions) to ensure secure, unattended operations that do not depend on a user's interactive session.
When the Entra application is created, Cayosoft Guardian automatically requests the following permissions.
Microsoft Graph permissions
| Permission Name | Claim Value | Purpose / Description |
|---|---|---|
| Directory.AccessAsUser.All | Access directory as the signed-in user | Used for password resets during recovery. |
| Group.ReadWrite.All | Read and write all groups | Required for auditing, backup, and recovery of Entra groups. |
| AuditLog.Read.All | Read audit log data | Collects Entra ID audit events. |
| Policy.ReadWrite.ConditionalAccess | Read and write Conditional Access policies | Backup / recovery of Conditional Access policies and named locations. |
| Policy.Read.All | Read organization policies | Enables collection of policy and Conditional Access objects. |
| RoleManagement.ReadWrite.Directory | Read and manage directory RBAC settings | Used to audit and recover directory role assignments. |
| RoleAssignmentSchedule.ReadWrite.Directory | Read, update, delete active role assignments | Used for auditing and rollback of PIM roles. |
| RoleEligibilitySchedule.ReadWrite.Directory | Read, update, delete eligible role assignments | Used for auditing and rollback of PIM eligibility roles. |
| Contacts.ReadWrite | Read and write user contacts | Enables recovery of Entra ID contacts. |
| Agreement.Read.All | Read all terms of use agreements | Audits Conditional Access dependencies. |
| CrossTenantInformation.ReadBasic.All | Read cross-tenant basic information | Audits cross-tenant policy dependencies. |
| Policy.ReadWrite.AuthenticationFlows | Read and write authentication flow policies | Audits and recovers Authentication Flows configuration. |
| Policy.ReadWrite.Authorization | Read and write authorization policy | Audits and recovers Entra authorization settings. |
| Policy.ReadWrite.DeviceConfiguration | Read and write device configuration policies | Collects and recovers device configuration policies. |
| UserAuthenticationMethod.ReadWrite.All | Read and write all users’ authentication methods | Audits and recovers authentication method settings. |
| DeviceManagementManagedDevices.ReadWrite.All | Read and write Microsoft Intune devices | Audits, backs up, and recovers managed devices. |
| DeviceManagementConfiguration.ReadWrite.All | Read and write Intune configuration and compliance policies | Audits and recovers Intune policies and settings. |
| DeviceManagementApps.ReadWrite.All | Read and write Intune apps | Collects Intune audit log and change initiators. |
| Exchange.Manage | Manage Exchange configuration | Audits and recovers Exchange Online mailboxes and settings. |
Management API Permissions
| Permission Name | Claim Value | Purpose / Description |
|---|---|---|
| ActivityFeed.Read | Read activity data for your organization | Enables Unified Audit Log collection. |
| user_impersonation | Access Azure Service Management as organization users | Allows Guardian to read Azure role assignments and manage recovery resources. |
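Because the application is registered and consented automatically, it is worth verifying afterwards that what the tenant actually granted matches the two tables above and nothing more. The following script is an added example, not Cayosoft's code; it assumes the Microsoft.Graph PowerShell SDK, a reader with at least Application.Read.All and Directory.Read.All, and that the service principal's display name is the placeholder shown.

```powershell
# Added example (not Cayosoft's code): compare the permissions actually granted to the
# Guardian Entra application with the documented list above and report any drift.
# Assumes the Microsoft.Graph PowerShell SDK; the display name below is a placeholder.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

$appDisplayName = 'Cayosoft Guardian'   # placeholder: use the name shown under Enterprise applications

# Permission names exactly as documented on this page (Graph and Management API tables).
$documented = @(
    'Directory.AccessAsUser.All', 'Group.ReadWrite.All', 'AuditLog.Read.All',
    'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
    'RoleManagement.ReadWrite.Directory', 'RoleAssignmentSchedule.ReadWrite.Directory',
    'RoleEligibilitySchedule.ReadWrite.Directory', 'Contacts.ReadWrite', 'Agreement.Read.All',
    'CrossTenantInformation.ReadBasic.All', 'Policy.ReadWrite.AuthenticationFlows',
    'Policy.ReadWrite.Authorization', 'Policy.ReadWrite.DeviceConfiguration',
    'UserAuthenticationMethod.ReadWrite.All', 'DeviceManagementManagedDevices.ReadWrite.All',
    'DeviceManagementConfiguration.ReadWrite.All', 'DeviceManagementApps.ReadWrite.All',
    'Exchange.Manage', 'ActivityFeed.Read', 'user_impersonation'
)

$sp = Get-MgServicePrincipal -Filter "displayName eq '$appDisplayName'" -Property Id,DisplayName |
      Select-Object -First 1
if (-not $sp) { throw "Service principal '$appDisplayName' not found" }

$granted = [System.Collections.Generic.List[object]]::new()

# Application permissions: each appRoleAssignment references a role on the resource API
# (Graph, Office 365 Management APIs, Exchange); resolve the role id to its claim value.
foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId -Property DisplayName,AppRoles
    $role = $resource.AppRoles | Where-Object Id -eq $a.AppRoleId
    $granted.Add([pscustomobject]@{ Type = 'Application'; Api = $resource.DisplayName; Permission = $role.Value })
}
# Delegated permissions (admin-consented grants): Scope is a space-separated list of names.
foreach ($g in Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All) {
    foreach ($s in ($g.Scope -split '\s+' | Where-Object { $_ })) {
        $granted.Add([pscustomobject]@{ Type = 'Delegated'; Api = $g.ResourceId; Permission = $s })
    }
}

$grantedNames = @($granted.Permission | Sort-Object -Unique)
[pscustomobject]@{
    Missing = @($documented   | Where-Object { $_ -notin $grantedNames })  # documented but not granted
    Extra   = @($grantedNames | Where-Object { $_ -notin $documented })    # granted but undocumented: review
}
$granted | Sort-Object Type, Api, Permission | Format-Table -AutoSize
```

Anything listed under Extra is a permission the page does not account for and should be reviewed before the tenant is left in service.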
gMSA permissions for Cayosoft Guardian
A gMSA offers improved security via automatic password management. Cayosoft Guardian will automatically create a gMSA with administrative permissions.
Account permissions required for initial configuration
| Task | Permissions |
|---|---|
| Configure gMSA for domain partition | Domain Admin |
| Configure gMSA for schema partition | Schema Admin |
| Configure gMSA for configuration or application partitions | Enterprise Admin |
Permissions of the administrative gMSA automatically created by Cayosoft Guardian
| Task | Permissions | Details |
|---|---|---|
| Collect events | Event Log Readers | Member of the Event Log Readers group in the managed domain (for forest-wide partitions, membership is required in each forest domain). |
| Access domain controllers via WinRM | Remote Management Users | Member of the Remote Management Users group in the managed domain (for forest-wide partitions, membership is required in each forest domain). |
| Manage Entra Connect | ADSyncOperators | Member of the ADSyncOperators group in the managed domain (for forest-wide partitions, membership is required in each forest domain). |
| Collect changes from DirSync | Replicate Directory Changes | Grant the Replicate Directory Changes permission on the domain object in Active Directory. This allows the account to read and replicate directory changes for synchronization purposes. |
| Rollback actions in domain partition | Domain Admins | Member of the Domain Admins group in the managed domain. |
| Rollback actions in configuration or application partitions | Enterprise Admins | Member of the Enterprise Admins group in the managed forest. |
| Rollback actions in schema partition | Schema Admins | Member of the Schema Admins group in the managed domain. |
Connect to Active Directory using read-only gMSA
A gMSA offers improved security via automatic password management. Cayosoft Guardian will automatically create a gMSA with read-only permissions. The read-only gMSA can also be temporarily elevated to perform rollback. This approach ensures that privileges are granted only when needed, following just-in-time elevation principles and minimizing security risk.
Account permissions required for initial configuration
| Task | Permissions |
|---|---|
| Configure gMSA for domain partition | Domain Admin |
| Configure gMSA for schema partition | Schema Admin |
| Configure gMSA for configuration or application partitions | Enterprise Admin |
Permissions of read-only gMSA
All of the following permissions and group memberships are required for the read-only gMSA.
| Task | Permissions | Details |
|---|---|---|
| Collect events | Event Log Readers | Member of the Event Log Readers group in the managed domain (for forest-wide partitions, membership is required in each forest domain) |
| Access domain controllers via WinRM | Remote Management Users | Member of the Remote Management Users group in the managed domain (for forest-wide partitions, membership is required in each forest domain) |
| Manage Entra Connect | ADSyncOperators | Member of the ADSyncOperators group in the managed domain (for forest-wide partitions, membership is required in each forest domain) |
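Whether Guardian created the administrative gMSA or the read-only one, the memberships and the Replicate Directory Changes right in the two gMSA tables above can be verified from a management host. The following script is an added example, not Cayosoft's code; it assumes the ActiveDirectory RSAT module, checks direct group membership only, and uses a placeholder account name.

```powershell
# Added example (not Cayosoft's code): verify that the gMSA Guardian created holds the
# group memberships and, for the administrative profile, the Replicate Directory Changes
# right listed in the gMSA tables. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Test-GuardianGmsa {
    param(
        [Parameter(Mandatory)][string]$GmsaName,   # sAMAccountName, e.g. 'gmsa-guardian$' (placeholder)
        [ValidateSet('ReadOnly', 'Administrative')][string]$Profile = 'ReadOnly'
    )
    $domain = Get-ADDomain
    $gmsa   = Get-ADServiceAccount -Identity $GmsaName -Properties MemberOf, SamAccountName
    # Direct memberships only; nested group membership is not expanded here.
    $memberOf = @($gmsa.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })

    # Memberships listed for both profiles. ADSyncOperators is usually a local group on the
    # Entra Connect server, so check it there if it does not resolve as a domain group.
    $required = @('Event Log Readers', 'Remote Management Users', 'ADSyncOperators')
    if ($Profile -eq 'Administrative') { $required += 'Domain Admins' }   # rollback in the domain partition

    foreach ($g in $required) {
        [pscustomobject]@{ Check = "Member of '$g'"; Pass = ($g -in $memberOf) }
    }

    if ($Profile -eq 'Administrative') {
        # DS-Replication-Get-Changes (Replicate Directory Changes) granted directly to the
        # account on the domain object; rights inherited via groups are not resolved here.
        $replGuid = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
        $identity = "$($domain.NetBIOSName)\$($gmsa.SamAccountName)"
        $acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
        $ace = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $identity -and
            $_.AccessControlType -eq 'Allow' -and
            $_.ObjectType -eq $replGuid
        }
        [pscustomobject]@{ Check = 'Replicate Directory Changes on domain object'; Pass = [bool]$ace }
    }
}

Test-GuardianGmsa -GmsaName 'gmsa-guardian$' -Profile Administrative | Format-Table -AutoSize
```

For forest-wide partitions, run the membership checks against each domain in the forest, as the tables require membership in every forest domain.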