
Granting Admin Consent for Microsoft Graph API Permissions

To grant admin consent for Microsoft Graph API permissions:

  1. Log in to the Azure Portal.
  2. In the left-pane menu, click Azure Active Directory.
  3. Select App registrations, then select the ZCSPM application that you want to onboard.
  4. In the left-pane menu, click API permissions.
  5. Click Add a permission, then select Microsoft Graph.
  6. Click Application permissions, then select the Directory.Read.All permission.
  7. Click Add permissions.
  8. Click Grant admin consent.

Directory.Read.All is added as an application permission, so the ZCSPM app reads the directory with its own identity rather than on behalf of a signed-in user. Tenant-wide admin consent for a Microsoft Graph application permission can only be granted by a Global Administrator or a Privileged Role Administrator; the Application Administrator and Cloud Application Administrator roles can consent to most permissions but not to Microsoft Graph application permissions, so an account in one of those roles cannot complete step 8. After consent is granted, the Status column on the API permissions page shows "Granted for" followed by the tenant name.
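The same procedure through the Microsoft Graph REST API, as an added example that is not ZCSPM's own code. It uses only the Python standard library and assumes three inputs you supply: a bearer token for Microsoft Graph held by an administrator who may grant tenant-wide consent, the object id of the ZCSPM app registration (the applications/{id} resource) and the object id of its service principal (servicePrincipals/{id}). The Microsoft Graph resource appId is the well-known value 00000003-0000-0000-c000-000000000000; the specific role id for Directory.Read.All is looked up at run time rather than hard-coded.

```python
"""Grant the Microsoft Graph Directory.Read.All application permission to an
app registration and admin-consent it (added example, not ZCSPM code).
Assumed inputs: an admin bearer token for Graph, the app registration's
object id and the object id of the app's service principal."""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Well-known appId of the Microsoft Graph resource application (same in every tenant).
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"


def find_app_role_id(graph_sp: dict, role_value: str) -> str:
    """Return the id of an *application* permission (appRole) such as
    'Directory.Read.All' from the Microsoft Graph service principal object.
    Delegated scopes live in oauth2PermissionScopes, not in appRoles."""
    for role in graph_sp.get("appRoles", []):
        if (role.get("value") == role_value
                and role.get("isEnabled", True)
                and "Application" in role.get("allowedMemberTypes", [])):
            return role["id"]
    raise LookupError(f"application permission {role_value!r} not found")


def merge_required_resource_access(existing: list, role_id: str) -> list:
    """requiredResourceAccess with the Graph app role added (portal steps 5-7).
    PATCH replaces the whole list, so existing entries are kept and the call is
    idempotent. type 'Role' = application permission, 'Scope' = delegated."""
    merged = [dict(e, resourceAccess=list(e.get("resourceAccess", []))) for e in existing]
    for entry in merged:
        if entry.get("resourceAppId") == MS_GRAPH_APP_ID:
            if not any(a.get("id") == role_id and a.get("type") == "Role"
                       for a in entry["resourceAccess"]):
                entry["resourceAccess"].append({"id": role_id, "type": "Role"})
            return merged
    merged.append({"resourceAppId": MS_GRAPH_APP_ID,
                   "resourceAccess": [{"id": role_id, "type": "Role"}]})
    return merged


def app_role_assignment(app_sp_id: str, graph_sp_id: str, role_id: str) -> dict:
    """Body of the appRoleAssignment that 'Grant admin consent' (step 8) creates:
    principal = the ZCSPM service principal, resource = Microsoft Graph's."""
    return {"principalId": app_sp_id, "resourceId": graph_sp_id, "appRoleId": role_id}


def _call(token: str, method: str, path: str, body=None) -> dict:
    req = urllib.request.Request(
        f"{GRAPH}{path}", method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()          # PATCH answers 204 with an empty body
    return json.loads(raw) if raw else {}


def grant_directory_read_all(token: str, app_object_id: str, app_sp_id: str) -> dict:
    """Run the whole procedure; returns the created appRoleAssignment."""
    flt = urllib.parse.quote(f"$filter=appId eq '{MS_GRAPH_APP_ID}'", safe="=$'")
    graph_sp = _call(token, "GET", f"/servicePrincipals?{flt}")["value"][0]
    role_id = find_app_role_id(graph_sp, "Directory.Read.All")
    app = _call(token, "GET",
                f"/applications/{app_object_id}?$select=requiredResourceAccess")
    _call(token, "PATCH", f"/applications/{app_object_id}",
          {"requiredResourceAccess": merge_required_resource_access(
              app.get("requiredResourceAccess", []), role_id)})
    return _call(token, "POST", f"/servicePrincipals/{app_sp_id}/appRoleAssignments",
                 app_role_assignment(app_sp_id, graph_sp["id"], role_id))
```

Declaring the permission on the app registration (the PATCH) and consenting to it (the POST) are separate objects in the directory; the portal's Grant admin consent button only creates the second. If the assignment already exists the POST fails with a 400, which is the expected way to notice that consent was already granted.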

Granting the ZCSPM Azure app the Microsoft Graph Directory.Read.All permission enables the following five security policies. For each policy, the list below gives the Azure AD entity (Graph attribute) that is read and the data that ZCSPM stores.

Policy: Ensure that AD Application keys are rotated before they expire
  Required Azure AD entity: passwordCredentials. Only credential metadata is read: key start date, end date and the resulting expiry. The actual secret values are not retrievable.
  Data stored at ZCSPM:
    • AD Application Name
    • AD Application ID
    • Expiry Date

Policy: Ensure that Service Principal certificates are renewed before they expire
  Required Azure AD entity: keyCredentials. Only certificate metadata is read: start date and end date. Refer to the Microsoft Graph documentation for the keyCredential resource.
  Data stored at ZCSPM:
    • AD Application Name
    • AD Application ID
    • Expiry Date

Policy: Ensure that there are no guest users
  Required Azure AD entity: userType (Member or Guest).
  Data stored at ZCSPM: none. This policy only retrieves the count of total users and the count of guest users.

Policy: Enforce the policy to set Password to ‘always’ expire in Azure Active Directory for all Organization Users
  Required Azure AD entity: passwordPolicies. Metadata involving password length, password strength and password restrictions. Refer to the Microsoft Graph documentation for the user resource.
  Data stored at ZCSPM: none. This policy only retrieves the count of all organization users and how many of them have ‘Password always expired’ set to ‘On’.

Policy: Ensure that Azure resources are accessible only through an Organization Account
  Required Azure AD entity: userType (Member or Guest).
  Data stored at ZCSPM: none. This policy only retrieves the count of external users in the organization who can access resources under the Azure subscription.
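What the five policies evaluate, as an added example that is not ZCSPM's own code, run over constructed Microsoft Graph responses embedded below. The sample tenant data, the fixed clock, the 30-day expiry window and the set of principals holding Azure RBAC role assignments (which comes from Azure Resource Manager, not from Graph) are all assumptions made for the illustration. The point it shows beyond the list above is which attribute each check actually consults and that the results carry only the metadata ZCSPM says it stores.

```python
"""Evaluate the five Directory.Read.All-backed policies over constructed Graph
data (added example, not ZCSPM code; all sample records are made up)."""
from datetime import datetime, timedelta, timezone

# Constructed sample of GET /applications?$select=displayName,appId,passwordCredentials,keyCredentials
APPLICATIONS = [
    {"displayName": "zcspm-scanner", "appId": "11111111-1111-1111-1111-111111111111",
     "passwordCredentials": [
         {"keyId": "k1", "displayName": "rotated-2023", "hint": "Ab1",
          "secretText": None,   # Graph never returns the value of an existing secret
          "startDateTime": "2023-06-10T00:00:00Z", "endDateTime": "2024-06-10T00:00:00Z"}],
     "keyCredentials": [
         {"keyId": "c1", "type": "AsymmetricX509Cert", "usage": "Verify",
          "startDateTime": "2022-05-01T00:00:00Z", "endDateTime": "2024-05-01T00:00:00Z"}]},
    {"displayName": "payroll-api", "appId": "22222222-2222-2222-2222-222222222222",
     "passwordCredentials": [],
     "keyCredentials": [
         {"keyId": "c2", "type": "AsymmetricX509Cert", "usage": "Verify",
          "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2025-01-01T00:00:00Z"}]},
]

# Constructed sample of GET /users?$select=id,userPrincipalName,userType,passwordPolicies
USERS = [
    {"id": "u1", "userPrincipalName": "alice@contoso.example",
     "userType": "Member", "passwordPolicies": None},
    {"id": "u2", "userPrincipalName": "bob@contoso.example",
     "userType": "Member", "passwordPolicies": "DisablePasswordExpiration"},
    {"id": "u3", "userPrincipalName": "carol_fabrikam.example#EXT#@contoso.example",
     "userType": "Guest", "passwordPolicies": None},
    {"id": "u4", "userPrincipalName": "dave_partner.example#EXT#@contoso.example",
     "userType": "Guest", "passwordPolicies": None},
]

# Constructed: principalIds that hold an Azure RBAC role assignment in the subscription.
SUBSCRIPTION_ROLE_ASSIGNMENT_PRINCIPALS = {"u1", "u3"}

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock so results are reproducible


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def expiring_credentials(apps, kind, now=NOW, within_days=30):
    """Policies 1 and 2: kind is 'passwordCredentials' (client secrets) or
    'keyCredentials' (certificates). Only endDateTime is consulted, and each
    finding carries exactly the three fields ZCSPM stores: name, app id, expiry."""
    cutoff = now + timedelta(days=within_days)
    findings = []
    for app in apps:
        for cred in app.get(kind, []):
            if _ts(cred["endDateTime"]) <= cutoff:   # already expired or expiring soon
                findings.append({"name": app["displayName"], "appId": app["appId"],
                                 "expiry": cred["endDateTime"]})
    return findings


def guest_user_counts(users):
    """Policy 3: counts only; nothing per user is retained."""
    guests = sum(1 for u in users if u.get("userType") == "Guest")
    return {"total": len(users), "guests": guests}


def password_expiry_counts(users):
    """Policy 4: Graph exposes the setting through the passwordPolicies string;
    a user containing 'DisablePasswordExpiration' has a password that never expires."""
    never = sum(1 for u in users
                if "DisablePasswordExpiration" in (u.get("passwordPolicies") or ""))
    return {"total": len(users), "always_expire": len(users) - never}


def external_users_with_access(users, principals_with_role_assignments):
    """Policy 5: guest users that also hold a role assignment in the subscription."""
    return sum(1 for u in users
               if u.get("userType") == "Guest" and u["id"] in principals_with_role_assignments)


if __name__ == "__main__":
    print(expiring_credentials(APPLICATIONS, "passwordCredentials"))
    print(expiring_credentials(APPLICATIONS, "keyCredentials"))
    print(guest_user_counts(USERS))
    print(password_expiry_counts(USERS))
    print(external_users_with_access(USERS, SUBSCRIPTION_ROLE_ASSIGNMENT_PRINCIPALS))
```

Policies 1 and 2 deliberately flag credentials that have already expired as well as those inside the window, since an expired but still-attached credential is the case the rotation policy exists to surface.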