For data retrieval purposes, app profiles must be configured for your tenants. AvePoint Online Services provides five service apps with required API permissions, including:
AgentPulse app – This is the app created during the onboarding process for AgentPulse trial subscription. The app retrieves activities, interactions, users, and subscriptions of Copilot Studio agents, SharePoint, and Microsoft 365 agents.
AgentPulse Enterprise app – This is the app created during the onboarding process for AgentPulse Enterprise subscription. The app retrieves activities, interactions, users, and subscriptions of Copilot Studio agents, SharePoint, and Microsoft 365 agents.
AgentPulse Microsoft Foundry app – This app is not automatically added to your tenant during the onboarding process. It retrieves activities, interactions, users, and subscriptions of Microsoft Foundry agents. If you would like to check the related agents’ details in AgentPulse, manually create and connect the app in Management > App management. For details on creating an app profile, refer to Manage App Profiles for Microsoft Tenants.
Custom Google app – This is the custom app created during the onboarding process for Google. This app retrieves activities, interactions, users, and subscriptions of Agent Platform.
AgentPulse for Salesforce app – This is the app created during the onboarding process for Salesforce. This app retrieves activities, interactions, users, and subscriptions of Agentforce.
When you create the app profiles in AvePoint Online Services, select the app to consent and use based on your requirements. Configured apps will be automatically set up in your Microsoft Entra ID.
For details on the API permissions required by each service app, refer to the following sections.
The table below lists the permissions that should be accepted when you re-authorize the AgentPulse app for Microsoft.
For the initial consent, the user who provides consent for the app profile must have the Global Administrator or Privileged Role Administrator role.
| API | Permission | Type | Purpose | Comments |
|---|---|---|---|---|
| Microsoft Graph | AiEnterpriseInteraction.Read.All (Read all AI enterprise interactions) | Application | Retrieve Microsoft 365 Copilot interaction data. | |
| Microsoft Graph | Application.Read.All (Read all applications) | Application | Get the list of applications in this organization. | |
| Microsoft Graph | AuditLog.Read.All (Read all audit log data) | Application | Get the list of audit logs generated by Microsoft Entra ID. | |
| Microsoft Graph | CopilotPackages.ReadWrite.All (Read and update all package information) | Delegated | Get and update the available Copilot packages. | |
| Microsoft Graph | Directory.Read.All (Read directory data) | Application | Retrieve a list of oAuth2PermissionGrant objects that represent delegated permissions. Retrieve the list of appRoleAssignment objects granted to a service principal. Retrieve Microsoft Entra user sign-in logs for your tenant. Retrieve the list of applications in the organization. | |
| Microsoft Graph | Group.Read.All (Read all groups) | Application | Inventory the groups for reporting purposes; Add Microsoft 365 Groups into AvePoint Online Services, and support signing into AvePoint Online Services with Microsoft 365 accounts. | |
| Microsoft Graph | InformationProtectionPolicy.Read.All (Read all published labels and label policies for an organization) | Application | Retrieve tenant sensitivity labels that will be displayed in the Copilot report. | |
| Microsoft Graph | Organization.Read.All (Read organization information) | Application | Get the list of commercial subscriptions that an organization has acquired and calculate user seats; Retrieve your Microsoft 365 tenant information (geo location, region, domain). | |
| Microsoft Graph | Reports.Read.All (Read all usage reports) | Application | Read usage report data of all reporting. | |
| Microsoft Graph | RoleManagement.Read.Directory (Read all directory RBAC settings) | Application | Retrieve the list of principals assigned to the directory role. | This is used only to check the consent user’s roles for custom apps and is not required for default apps. |
| Microsoft Graph | Sites.Read.All (Read items in all site collections) | Application | Search across files related to SharePoint agents. | |
| Microsoft Graph | User.Read (Sign in and read user profile) | Delegated | Support signing into AvePoint Online Services with Microsoft 365 accounts. | |
| Microsoft Graph | User.Read.All (Read all users' full profiles) | Application | Retrieve your Microsoft 365 tenant user information. | |
| Commercial environment: Dynamics CRM; GCC or GCC High environment: Dataverse | user_impersonation (Access Common Data Service as organization users) | Delegated | Retrieve and list Copilot Studio agents. | |
| Office 365 Management APIs | ActivityFeed.Read (Read activity data for your organization) | Application | An aggregation of actions and events for specified content types such as Microsoft Entra, SharePoint, OneDrive, Teams, or Viva Engage. | |
| SharePoint/Office 365 SharePoint Online | Sites.Read.All (Read items in all site collections) | Application | Read items in all site collections for the Copilot report. | |
| Commercial environment: PowerApps Service; GCC environment: PowerApps Service – GCC; GCC High environment: PowerApps Service – GCC L4 | User (Access the Power Apps Service API) | Delegated | Retrieve the information of the environments. | |
The user who provides consent for the app profiles must have the Power Platform Administrator and Global Administrator roles assigned in Microsoft Entra ID > Roles and administrators to enable scanning of Copilot Studio agents.
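One way to check that the consent actually granted in Microsoft Entra ID matches the Microsoft Graph rows of the table above, shown as an added example (not AvePoint code). It assumes application permissions have already been resolved from `appRoleId` to permission name; the function name and the sample export are constructed for illustration.

```python
# Added example: baseline transcribed from the Microsoft Graph rows of the table above.
GRAPH_APPLICATION = set("""
    AiEnterpriseInteraction.Read.All Application.Read.All AuditLog.Read.All
    Directory.Read.All Group.Read.All InformationProtectionPolicy.Read.All
    Organization.Read.All Reports.Read.All RoleManagement.Read.Directory
    Sites.Read.All User.Read.All
""".split())
GRAPH_DELEGATED = {"CopilotPackages.ReadWrite.All", "User.Read"}
# Per the Comments column: only needed for custom apps, so its absence is not a finding.
OPTIONAL = {"RoleManagement.Read.Directory"}


def audit_graph_consent(app_roles, delegated_grants):
    """Compare granted Graph permissions with the documented baseline.

    app_roles: names of application permissions granted to the service
        principal, already resolved from appRoleId to name (assumption).
    delegated_grants: oauth2PermissionGrant-style dicts; 'scope' is a
        space-separated string, as Microsoft Graph returns it.
    """
    granted_app = set(app_roles)
    granted_del = set()
    for grant in delegated_grants:
        granted_del.update(grant.get("scope", "").split())

    return {
        # Granted but not documented at all for that type: candidates for removal.
        "excess_application": sorted(granted_app - GRAPH_APPLICATION - GRAPH_DELEGATED),
        "excess_delegated": sorted(granted_del - GRAPH_DELEGATED),
        # Documented as Delegated but granted app-only: no signed-in user bounds its use.
        "delegated_granted_as_application": sorted(granted_app & GRAPH_DELEGATED),
        # Documented but absent: retrieval for that purpose will fail.
        "missing": sorted(((GRAPH_APPLICATION - granted_app)
                           | (GRAPH_DELEGATED - granted_del)) - OPTIONAL),
    }


# Constructed sample export (not real tenant data).
SAMPLE_APP_ROLES = sorted(
    GRAPH_APPLICATION - {"Reports.Read.All", "RoleManagement.Read.Directory"}
) + ["Mail.Read", "CopilotPackages.ReadWrite.All"]
SAMPLE_GRANTS = [{"consentType": "AllPrincipals",
                  "scope": "User.Read CopilotPackages.ReadWrite.All offline_access"}]

if __name__ == "__main__":
    for finding, names in audit_graph_consent(SAMPLE_APP_ROLES, SAMPLE_GRANTS).items():
        print(f"{finding}: {names}")
```

Running the same comparison after every re-authorization shows whether the consented set has drifted from the documented one.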
The table below lists the permissions that should be accepted when you authorize the AgentPulse Enterprise app for Microsoft agents.
| API | Permission | Type | Purpose |
|---|---|---|---|
| Microsoft Graph | AiEnterpriseInteraction.Read.All (Read all AI enterprise interactions) | Application | Retrieve Microsoft 365 Copilot interaction data. |
| Microsoft Graph | AuditLog.Read.All (Read all audit log data) | Application | Get the list of audit logs generated by Microsoft Entra ID. |
| Microsoft Graph | CopilotPackages.ReadWrite.All (Read and update all packages information) | Delegated | Get and update the available Copilot packages. |
| Microsoft Graph | Directory.Read.All (Read directory data) | Application | Retrieve a list of oAuth2PermissionGrant objects that represent delegated permissions. Retrieve the list of appRoleAssignment objects granted to a service principal. Retrieve Microsoft Entra user sign-in logs for your tenant. Retrieve the list of applications in the organization. |
| Microsoft Graph | Group.Read.All (Read all groups) | Application | Inventory the groups for reporting purposes. |
| Microsoft Graph | InformationProtectionPolicy.Read.All (Read all published labels and label policies for an organization) | Application | Retrieve tenant sensitivity labels that will be displayed in the Copilot report. |
| Microsoft Graph | Organization.Read.All (Read organization information) | Application | Get the list of commercial subscriptions acquired by the organization and calculate user seats. Retrieve Microsoft 365 tenant information such as geo location, region, and domain. |
| Microsoft Graph | Reports.Read.All (Read all usage reports) | Application | Read usage report data of all reporting. |
| Microsoft Graph | Sites.Read.All (Read items in all site collections) | Application | Search across files related to SharePoint Agents. |
| Microsoft Graph | User.Read (Sign in and read user profile) | Delegated | Support signing into AvePoint Online Services with Microsoft 365 accounts. |
| Microsoft Graph | User.Read.All (Read all users' full profiles) | Application | Retrieve your Microsoft 365 tenant user information. |
| Commercial environment: Dynamics CRM; GCC or GCC High environment: Dataverse | user_impersonation (Access Common Data Service as organization users) | Delegated | Retrieve and list Copilot Studio agents. |
| Office 365 Management APIs | ActivityFeed.Read (Read activity data for your organization) | Application | An aggregation of actions and events for specified content types such as Microsoft Entra, SharePoint, OneDrive, Teams, or Viva Engage. |
| SharePoint/Office 365 SharePoint Online | Sites.Read.All (Read items in all site collections) | Application | Read items in all site collections for the Copilot report. |
| Commercial environment: PowerApps Service; GCC environment: PowerApps Service – GCC; GCC High environment: PowerApps Service – GCC L4 | User (Access the Power Apps Service API) | Delegated | Retrieve the information of the environments. |
The table below lists the permissions that should be accepted when you authorize the AgentPulse Microsoft Foundry app.
| API | Permission | Type | Purpose |
|---|---|---|---|
| Microsoft Graph | User.Read (Sign in and read user profile) | Delegated | Signing into AvePoint Online Services with Microsoft 365 accounts. |
| Microsoft Graph | CopilotPackages.ReadWrite.All (Read and update all package information) | Delegated | Get and update the available Copilot packages. |
| Azure Machine Learning Services | user_impersonation (Access Azure Machine Learning Services as organization users) | Delegated | Retrieve and list Microsoft Foundry agents that were previously created. |
| Azure Service Management | user_impersonation (Access Azure Resource Manager as organization users) | Delegated | Gets all subscriptions of a tenant. |
The following roles must be assigned to the consent user of the app profiles to enable scanning of Microsoft Foundry agents:
To authorize the custom Google app, you can refer to the following sections for the required permissions and configurations for your custom app. For details on how to configure an app profile for the custom Google app, refer to the Configure Custom Google App Profiles section.
Enable the following APIs in the projects where the Google service accounts are created:
| API name | Purpose |
|---|---|
| Cloud Resource Manager API | Get all projects. |
| Agent Platform API | List all reasoning engines. |
| Admin SDK API | Retrieve users in your domain. |
| Cloud Logging API | Query logs. |
| Identity and Access Management (IAM) API | Get the service account. |
Assign a role with the required permissions listed below to the service account:
| Permission | Purpose |
|---|---|
| aiplatform.locations.list | List all locations. |
| aiplatform.reasoningEngines.list | List all reasoning engine resources. |
| resourcemanager.projects.get | Get all projects. |
| aiplatform.sessions.list | List reasoning engine sessions. |
| aiplatform.sessionEvents.list | List session events. |
| logging.logEntries.list | Get the agent creator from logs. |
| iam.serviceAccounts.get | Get the service account. |
Configure the following scope in the OAuth scopes field:
| Service | API | Scope | Purpose |
|---|---|---|---|
| Common | Admin SDK API | https://www.googleapis.com/auth/admin.directory.user.readonly | Retrieve users in your domain. |
The following permissions should be accepted when you re-authorize the AgentPulse app for Salesforce: