# API Permissions for Integrations

## Overview

This page contains API details for the following [Integrations](/integrations.md):

* Azure AD
* Duo
* Okta
* Auth0
* Google (G-Suite)
* Salesforce

## Integrations

This section summarizes the API permissions each Oort integration requires and the purpose for which each permission is used.

### Azure AD

This section covers the API permissions for the following Microsoft Azure APIs:

#### MS Graph API - Application Permissions

| Name                                | Description                                | Purpose                                                        |
| ----------------------------------- | ------------------------------------------ | -------------------------------------------------------------- |
| `AuditLog.Read.All`                 | Read all audit log data                    | Read user activity from the Audit Log                          |
| `Directory.Read.All`                | Read directory data                        |                                                                |
| `Group.Read.All`                    | Read all groups                            |                                                                |
| `GroupMember.Read.All`              | Read all group memberships                 | Get a list of user's group memberships                         |
| `Reports.Read.All`                  | Read all usage reports                     | Find a manager's end user direct reports                       |
| `User.Read.All`                     | Read all users' full profiles              |                                                                |
| `Policy.Read.All`                   | Read your organization's policies          | Get a list of policies and named locations                     |
| `IdentityRiskyUser.Read.All`        | Read your organization's risky users       | Get a list of users marked as `Risky` by Azure                 |
| `IdentityRiskEvent.Read.All`        | Read your organization's risky user events | Read details on events associated with `Risky` user activities |
| `UserAuthenticationMethod.Read.All` | Read user auth methods                     | Read user authentication methods that are available            |

#### MS Graph API - Intune Devices

| Name                                      | Description                                             |
| ----------------------------------------- | ------------------------------------------------------- |
| `DeviceManagementApps.Read.All`           | Read Microsoft Intune apps                              |
| `DeviceManagementConfiguration.Read.All`  | Read Microsoft Intune device configuration and policies |
| `DeviceManagementManagedDevices.Read.All` | Read Microsoft Intune devices                           |

#### MS Graph API - Permissions for [Triaging Alerts and Remediation Actions](/understanding-your-users/remediation-actions.md)

{% hint style="info" %}
These API permissions allow updates to be made directly from Oort to Azure AD
{% endhint %}

| Name                                                                     | Remediation Type    |
| ------------------------------------------------------------------------ | ------------------- |
| `User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All` | Update User Type    |
| `User.ReadWrite.All, Directory.ReadWrite.All`                            | User Log out        |
| `UserAuthenticationMethod.ReadWrite.All`                                 | Factors Reset (TBD) |

### Duo

A Duo [Admin API](https://duo.com/docs/adminapi) application with the following permissions is required for each Duo integration instance:

| Name                | Description                                                                              | Purpose                         |
| ------------------- | ---------------------------------------------------------------------------------------- | ------------------------------- |
| Grant read log      | Permit Admin API application to read logs                                                | Read the Duo event log          |
| Grant read resource | Permit Admin API application to read resources such as users, phones, and hardware tokens | Get a list of users and devices |

The following permissions are required for [Triaging Alerts and Remediation Actions](/understanding-your-users/remediation-actions.md):

{% hint style="info" %}
These API permissions allow updates to be made directly from Oort to Duo
{% endhint %}

| Name                 | Remediation Type |
| -------------------- | ---------------- |
| Grant write resource | Reset Factors    |

### Okta SSWS API Token Scopes

| API         | HTTP Operation |
| ----------- | -------------- |
| `/api/v1/*` | READ           |

Because Oort requires only the minimal set of privileges, a custom admin role must be created to support remediations in Oort (see the `Oort Help Desk Admin` role in <https://oortpreview-admin.oktapreview.com>):

![Screenshot 2023-03-28 at 9 16 34](https://user-images.githubusercontent.com/72064215/228101939-45d40416-9e31-4f12-918f-b14e25d1cb0e.png) ![Screenshot 2023-03-28 at 9 16 49](https://user-images.githubusercontent.com/72064215/228101915-9494e48a-b101-4563-9bb8-ad6904b34e23.png) ![Screenshot 2023-03-28 at 9 17 34](https://user-images.githubusercontent.com/72064215/228101872-805f2db3-9b67-49c2-9f4d-a03299bd1c85.png)

### Auth0 API Permissions

In the Auth0 [Management API](https://auth0.com/docs/api/management/v2):

A "[Machine to Machine](https://auth0.com/docs/get-started/auth0-overview/create-applications/machine-to-machine-apps)" application (`Applications --> Applications`) should be configured in Auth0 and authorized against a configured API (`Applications --> APIs`) with the following scope permissions:

| Scope                   | Description                         | Purpose                                              |
| ----------------------- | ----------------------------------- | ---------------------------------------------------- |
| `read:users`            | Read Users                          | Get a list of Users                                  |
| `read:logs`             | Read Logs                           | Read Auth0 Event logs                                |
| `read:user_logs`        | Read logs relating to users         | Read Auth0 User logs                                 |
| `read:guardian_factors` | Read Guardian factors configuration | Get a list of Users and Authenticator configurations |

### G-Suite Connected App Permissions

| Scope                                                                     | Description       |
| ------------------------------------------------------------------------- | ----------------- |
| `https://www.googleapis.com/auth/admin.directory.group.member.readonly`   | groups membership |
| `https://www.googleapis.com/auth/admin.directory.group.readonly`          | groups            |
| `https://www.googleapis.com/auth/admin.directory.user.readonly`           | users             |
| `https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly` | rolemanagement    |
| `https://www.googleapis.com/auth/admin.directory.orgunit.readonly`        | devices           |
| `https://www.googleapis.com/auth/admin.directory.audit.readonly`          | audit logs        |

The following permissions are required for [Triaging Alerts and Remediation Actions](/understanding-your-users/remediation-actions.md):

{% hint style="info" %}
These API permissions allow updates to be made directly from Oort to G-Suite
{% endhint %}

| Scope                                                           | Description |
| --------------------------------------------------------------- | ----------- |
| `https://www.googleapis.com/auth/admin.directory.user.security` | audit logs  |

### Salesforce Connected App Permissions

| Scope                           | Description                                                                        | Purpose           |
| ------------------------------- | ---------------------------------------------------------------------------------- | ----------------- |
| Manage user data via APIs (api) | Allows access to the current account using APIs, such as REST API and Bulk API 2.0 | Collect user data |
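The tables above are, in effect, a least-privilege baseline for each integration credential. The following script is an added example (not Oort's own code or tooling) that audits what a credential was actually granted against the read-only sets documented in the Azure AD, Auth0 and G-Suite sections: it reports permissions that are missing (the integration will fail to collect data) and permissions that are extra, separately flagging extras that can change state. The granted-permission lists and the OAuth token response are constructed samples; the `can_write` heuristic is an assumption based on the naming conventions of each provider, not a provider API.

```python
"""Least-privilege audit for integration credentials (added example).

Compares the permissions granted to an integration credential with the
read-only sets documented on this page. Inputs here are constructed samples.
"""
import json
import re

# Required read-only sets, copied from the tables on this page.
AZURE_AD_REQUIRED = {
    "AuditLog.Read.All", "Directory.Read.All", "Group.Read.All",
    "GroupMember.Read.All", "Reports.Read.All", "User.Read.All",
    "Policy.Read.All", "IdentityRiskyUser.Read.All",
    "IdentityRiskEvent.Read.All", "UserAuthenticationMethod.Read.All",
}
AUTH0_REQUIRED = {"read:users", "read:logs", "read:user_logs", "read:guardian_factors"}
GOOGLE_REQUIRED = {
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly",
    "https://www.googleapis.com/auth/admin.directory.orgunit.readonly",
    "https://www.googleapis.com/auth/admin.directory.audit.readonly",
}


def can_write(perm: str) -> bool:
    """Heuristic (assumption): True if the permission name implies it can change state.

    Google scopes are read-only when they end in ".readonly"; Auth0 scopes are
    "action:resource" and only "read:" is read-only; Microsoft Graph application
    permissions are "Resource.Operation.Constraint" and only a bare ".Read" segment
    is read-only (".ReadWrite" and ".Manage..." are not).
    """
    if perm.startswith("https://www.googleapis.com/auth/"):
        return not perm.endswith(".readonly")
    if ":" in perm:
        return perm.split(":", 1)[0].lower() != "read"
    return re.search(r"\.Read(\.|$)", perm) is None


def scopes_from_token_response(body: str) -> set:
    """Extract the granted scopes from an OAuth 2.0 token response.

    The "scope" member is space-delimited (RFC 6749 section 3.3); Auth0 and
    Google both return it this way.
    """
    return set(json.loads(body).get("scope", "").split())


def audit(granted, required) -> dict:
    """Compare granted vs. required permissions and classify the differences."""
    granted, required = set(granted), set(required)
    extra = granted - required
    return {
        "missing": sorted(required - granted),
        "extra": sorted(extra),
        "extra_write": sorted(p for p in extra if can_write(p)),
        "least_privilege": granted == required,
    }


# Constructed sample: an Azure AD app registration that lost one read permission
# and picked up a write permission it does not need.
SAMPLE_AZURE_GRANTED = (AZURE_AD_REQUIRED - {"Reports.Read.All"}) | {"Directory.ReadWrite.All"}

# Constructed sample Auth0 token response with one scope beyond the documented set.
SAMPLE_AUTH0_TOKEN_RESPONSE = json.dumps({
    "access_token": "placeholder-token",
    "token_type": "Bearer",
    "scope": "read:users read:logs read:user_logs read:guardian_factors update:users",
})


def audit_samples() -> dict:
    """Run the audit over the constructed samples; returns one report per provider."""
    return {
        "azure_ad": audit(SAMPLE_AZURE_GRANTED, AZURE_AD_REQUIRED),
        "auth0": audit(scopes_from_token_response(SAMPLE_AUTH0_TOKEN_RESPONSE), AUTH0_REQUIRED),
        "google": audit(GOOGLE_REQUIRED, GOOGLE_REQUIRED),  # exactly the documented set
    }


if __name__ == "__main__":
    for provider, report in audit_samples().items():
        print(provider, json.dumps(report, indent=2))
```

A missing entry explains an integration that silently stops collecting a data source; an `extra_write` entry is the finding to act on first, since a read-only collector holding a write permission widens the blast radius if its credential is exposed. The same `audit` function works for Duo, Okta and Salesforce once their granted permissions are expressed as a set of names, but `can_write` would need a rule for those providers' naming.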
