Required Permissions

Use the API permissions listed below when adding API permissions to your custom app in Azure Active Directory.

NOTE

Some API methods in Microsoft Graph are under the beta version. The features we leverage are fully tested, but Microsoft may make changes in the future that will affect the related rules using beta version APIs. Until the beta version APIs are upgraded, we recommend reviewing the results of corresponding rules to confirm expectations. For more information on Microsoft Graph API methods under the beta version we are using, refer to Appendix D - Beta Version API in Use.

Permissions Required by Common License Management

The table below lists the API permissions required for the common license management and data retrieval features in AvePoint Cense. This is also the list of permissions contained in the Cense service app.

| API | Permission | Type | Why do we need it? |
|---|---|---|---|
| Microsoft Graph | User.ReadWrite.All (Read and write all users’ full profiles) | Application | Retrieve Microsoft 365 user basic information and user license information and change/unassign user licenses. |
| Microsoft Graph | Directory.Read.All (Read directory data) | Application | Retrieve Microsoft 365 user basic information and user license information. |
| Microsoft Graph | Reports.Read.All (Read all usage reports) | Application | Retrieve user activity time in the following Microsoft 365 apps: Teams, Viva Engage, SharePoint, Exchange, OneDrive, and Skype for Business. |
| Microsoft Graph | CallRecords.Read.All (Read all call records) | Application | Retrieve detailed PSTN calling activities and costs. |
| Microsoft Graph | AuditLog.Read.All (Read all audit log data) | Application | Retrieve users’ last sign-in time to determine if they are inactive users. |
| Microsoft Graph | Group.ReadWrite.All (Read and write all groups) | Application | Retrieve and manage groups’ license assignment. |
| Microsoft Graph | UserAuthenticationMethod.Read.All (Read all users' authentication methods) | Application | Retrieve users’ MFA settings. |
| Microsoft Graph | Policy.Read.All (Read your organization's policies) | Application | Retrieve users’ MFA statuses. |
| Microsoft Graph | IdentityRiskyUser.Read.All (Read all identity risky user information) | Application | Access and evaluate license usage and activities for holders of the Microsoft Entra ID P2 licenses. |
| Microsoft Graph | Files.ReadWrite.All (Read and write files in all site collections) | Application | Export license reports to OneDrive. |
| SharePoint | Sites.ReadWrite.All (Read and write items in all site collections) | Application | Export license reports to SharePoint libraries. |
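
The following is an added example, not AvePoint's code: a least-privilege check that compares the application permissions actually granted to a custom app against the table above and reports anything missing or extra. It assumes the input has the shape of Microsoft Graph `appRoleAssignments` and resource `appRoles` objects; the sample ids, the `ALIASES` mapping and all function names are constructed for illustration.

```python
# Application permissions documented in the table above, keyed by the page's API label.
DOCUMENTED = {
    "Microsoft Graph": {
        "User.ReadWrite.All", "Directory.Read.All", "Reports.Read.All",
        "CallRecords.Read.All", "AuditLog.Read.All", "Group.ReadWrite.All",
        "UserAuthenticationMethod.Read.All", "Policy.Read.All",
        "IdentityRiskyUser.Read.All", "Files.ReadWrite.All",
    },
    "SharePoint": {"Sites.ReadWrite.All"},
}
# Assumption: the tenant shows the SharePoint resource under this display name.
ALIASES = {"Office 365 SharePoint Online": "SharePoint"}


def resolve_grants(assignments, resource_roles):
    """Turn appRoleAssignment objects into {API label: {permission names}}.

    resource_roles maps a resource service principal id to its appRoles as
    {appRoleId: value}; ids with no match are kept as 'unresolved:<id>'.
    """
    granted = {}
    for a in assignments:
        api = ALIASES.get(a["resourceDisplayName"], a["resourceDisplayName"])
        roles = resource_roles.get(a["resourceId"], {})
        name = roles.get(a["appRoleId"], "unresolved:" + a["appRoleId"])
        granted.setdefault(api, set()).add(name)
    return granted


def audit(granted, documented=DOCUMENTED):
    """Return (missing, extra) as sorted lists of 'API/permission' strings."""
    missing, extra = [], []
    for api in sorted(set(granted) | set(documented)):
        have, want = granted.get(api, set()), documented.get(api, set())
        missing += [f"{api}/{p}" for p in sorted(want - have)]
        extra += [f"{api}/{p}" for p in sorted(have - want)]
    return missing, extra


def sample():
    """Constructed data in the shape Graph returns; every id here is made up."""
    graph = sorted(DOCUMENTED["Microsoft Graph"] - {"IdentityRiskyUser.Read.All"})
    roles = {"sp-graph": {f"g{i}": p for i, p in enumerate(graph + ["Mail.ReadWrite"])},
             "sp-spo": {"s0": "Sites.FullControl.All"}}
    names = {"sp-graph": "Microsoft Graph", "sp-spo": "Office 365 SharePoint Online"}
    return [{"resourceId": r, "resourceDisplayName": names[r], "appRoleId": i}
            for r, ids in roles.items() for i in ids], roles


if __name__ == "__main__":
    print(audit(resolve_grants(*sample())))
```

The check covers application permissions only; the delegated permissions of the Microsoft Foundry app are granted through a different object type and are not evaluated here.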

To include user properties related to mailbox usage in the exported license reports, such as mailbox size and mailbox archive status, you need to Manage Service Account Profiles in AvePoint Online Services and add a Microsoft 365 account with the Global Administrator role in the profile.

Permissions Required by Microsoft Foundry Management

The table below lists the API permissions required for the Microsoft Foundry cost management and reporting in AvePoint Cense. This is also the list of permissions contained in the Cense Microsoft Foundry service app.

Additionally, the app should be added to the Azure subscription that you want to monitor, with the following roles assigned to it:

  • Reader
  • Azure AI Developer
  • Foundry User
  • Cost Management Reader

For detailed steps on assigning the roles, refer to Assign Required Roles to Cense Microsoft Foundry App.

| API | Permission | Type | Why do we need it? |
|---|---|---|---|
| Azure Machine Learning Services | user_impersonation (Allow the application to access the Azure Machine Learning Services API on behalf of the signed-in user.) | Delegated | Access Microsoft Foundry license usage and cost data via Azure Machine Learning Services API. |
| Azure Service Management | user_impersonation (Allows the application to access Azure Resource Manager acting as users in the organization.) | Delegated | Access Microsoft Foundry license usage and cost data via Azure Resource Management API. |