# API Permissions for Integrations

## Overview

This page contains API details for the following [Integrations](https://docs.oort.io/integrations):

* Azure AD
* Duo
* Okta
* Auth0
* Google (G-Suite)
* Salesforce

## Integrations

This section summarizes the API permissions each Oort integration requires and the purpose for which each permission is used.

### Azure AD

This section covers the API permissions for the following Microsoft Azure APIs:

#### MS Graph API - Application Permissions

| Name                                | Description                                | Purpose                                                        |
| ----------------------------------- | ------------------------------------------ | -------------------------------------------------------------- |
| `AuditLog.Read.All`                 | Read all audit log data                    | Read user activity from the Audit Log                          |
| `Directory.Read.All`                | Read directory data                        |                                                                |
| `Group.Read.All`                    | Read all groups                            |                                                                |
| `GroupMember.Read.All`              | Read all group memberships                 | Get a list of user's group memberships                         |
| `Reports.Read.All`                  | Read all usage reports                     | Find a manager's end user direct reports                       |
| `User.Read.All`                     | Read all users' full profiles              |                                                                |
| `Policy.Read.All`                   | Read your organization's policies          | Get a list of policies and named locations                     |
| `IdentityRiskyUser.Read.All`        | Read your organization's risky users       | Get a list of users marked as `Risky` by Azure                 |
| `IdentityRiskEvent.Read.All`        | Read your organization's risky user events | Read details on events associated with `Risky` user activities |
| `UserAuthenticationMethod.Read.All` | Read user auth methods                     | Read user authentication methods that are available            |

#### MS Graph API - Intune Devices

| Name                                      | Description                                             |
| ----------------------------------------- | ------------------------------------------------------- |
| `DeviceManagementApps.Read.All`           | Read Microsoft Intune apps                              |
| `DeviceManagementConfiguration.Read.All`  | Read Microsoft Intune device configuration and policies |
| `DeviceManagementManagedDevices.Read.All` | Read Microsoft Intune devices                           |

#### MS Graph API - Permissions for [remediation-actions](https://docs.oort.io/understanding-your-users/remediation-actions "mention")

{% hint style="info" %}
These API permissions allow updates to be made directly from Oort to Azure AD
{% endhint %}

| Name                                                                     | Remediation Type    |
| ------------------------------------------------------------------------ | ------------------- |
| `User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All` | Update User Type    |
| `User.ReadWrite.All, Directory.ReadWrite.All`                            | User Log out        |
| `UserAuthenticationMethod.ReadWrite.All`                                 | Factors Reset (TBD) |
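To verify that an integration's service principal holds exactly the Microsoft Graph permissions listed above and nothing broader, the following Python script (an added example, not Oort's or Microsoft's code) resolves the `appRoleId` GUIDs in a service principal's `appRoleAssignments` against Microsoft Graph's own `appRoles` list and compares the result with the read-only baseline, optionally allowing the remediation and Intune permissions. Both JSON documents are constructed samples in the shape Graph returns; the role GUIDs, object ids and the over-granted `Mail.Read` permission are made up for the demonstration.

```python
"""Audit the Graph application permissions granted to an integration's service
principal against the read-only baseline documented on this page.

Added example, not Oort's code. The two input documents are constructed
samples shaped like the Graph responses to:
  GET /v1.0/servicePrincipals/{id}/appRoleAssignments            -> ASSIGNMENTS
  GET /v1.0/servicePrincipals?$filter=appId eq '<graph appId>'
      &$select=id,appRoles                                        -> GRAPH_SP
All GUIDs below are made up; a real tenant returns Microsoft's own ids.
"""
import re

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's well-known appId

# Read-only application permissions from the table above.
BASELINE_READ = {
    "AuditLog.Read.All", "Directory.Read.All", "Group.Read.All",
    "GroupMember.Read.All", "Reports.Read.All", "User.Read.All",
    "Policy.Read.All", "IdentityRiskyUser.Read.All",
    "IdentityRiskEvent.Read.All", "UserAuthenticationMethod.Read.All",
}
# Write permissions the page lists only for remediation actions.
REMEDIATION_WRITE = {
    "User.ReadWrite.All", "User.ManageIdentities.All",
    "Directory.ReadWrite.All", "UserAuthenticationMethod.ReadWrite.All",
}
# Optional Intune read permissions.
INTUNE_READ = {
    "DeviceManagementApps.Read.All", "DeviceManagementConfiguration.Read.All",
    "DeviceManagementManagedDevices.Read.All",
}

# Constructed: the subset of Graph's appRoles this sample tenant uses.
# The position in this list defines the made-up GUID for each role.
_GRAPH_ROLE_NAMES = sorted(BASELINE_READ) + ["Directory.ReadWrite.All", "Mail.Read"]


def _fake_guid(n: int) -> str:
    """Deterministic made-up GUID (constructed; not a real Graph role id)."""
    return f"11111111-0000-0000-0000-{n:012d}"


GRAPH_SP = {
    "appId": GRAPH_APP_ID,
    "id": "aaaaaaaa-0000-0000-0000-0000000000aa",  # constructed object id
    "appRoles": [
        {"id": _fake_guid(i), "value": name, "allowedMemberTypes": ["Application"]}
        for i, name in enumerate(_GRAPH_ROLE_NAMES, 1)
    ],
}

# Constructed: what the integration's service principal has actually been
# granted. Policy.Read.All is missing; Directory.ReadWrite.All and Mail.Read
# are over-grants; the last entry targets a different resource entirely.
_GRANTED_NAMES = [n for n in _GRAPH_ROLE_NAMES if n != "Policy.Read.All"]
ASSIGNMENTS = {"value": [
    {
        "appRoleId": _fake_guid(_GRAPH_ROLE_NAMES.index(name) + 1),
        "resourceId": GRAPH_SP["id"],
        "resourceDisplayName": "Microsoft Graph",
    }
    for name in _GRANTED_NAMES
] + [
    {
        "appRoleId": "22222222-0000-0000-0000-000000000001",
        "resourceId": "bbbbbbbb-0000-0000-0000-0000000000bb",
        "resourceDisplayName": "Some Other API",
    }
]}

# Permission names whose middle segment grants write/manage rights.
WRITE_PATTERN = re.compile(r"\.(ReadWrite|Write|Manage\w*)\.")


def is_write_permission(name: str) -> bool:
    """True for Graph permission names such as User.ReadWrite.All or User.ManageIdentities.All."""
    return WRITE_PATTERN.search(name) is not None


def granted_graph_permissions(assignments: dict, graph_sp: dict) -> set:
    """Map appRoleId GUIDs to permission names, ignoring roles on other resources."""
    names = {role["id"]: role["value"] for role in graph_sp["appRoles"]}
    return {
        names[a["appRoleId"]]
        for a in assignments["value"]
        if a["resourceId"] == graph_sp["id"] and a["appRoleId"] in names
    }


def audit(granted: set, remediation_enabled: bool = False, intune: bool = False) -> dict:
    """Compare granted permissions with the documented set for this deployment."""
    expected = set(BASELINE_READ)
    if remediation_enabled:
        expected |= REMEDIATION_WRITE
    if intune:
        expected |= INTUNE_READ
    unexpected = granted - expected
    return {
        "missing": sorted(expected - granted),
        "unexpected": sorted(unexpected),
        # Write permissions outside the documented set deserve the first look.
        "unexpected_write": sorted(p for p in unexpected if is_write_permission(p)),
    }


if __name__ == "__main__":
    granted = granted_graph_permissions(ASSIGNMENTS, GRAPH_SP)
    for key, value in audit(granted, remediation_enabled=False).items():
        print(f"{key}: {value}")
```

Run against a real tenant by replacing the two constructed documents with the JSON bodies of the Graph calls named in the docstring; the `resourceId` filter matters because a service principal's `appRoleAssignments` list also contains roles granted on other resource APIs, whose GUIDs are not Graph permissions.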

### Duo

A Duo [Admin API](https://duo.com/docs/adminapi) application with the following permissions is required for Duo integration instances:

| Name                | Description                                                                              | Purpose                         |
| ------------------- | ---------------------------------------------------------------------------------------- | ------------------------------- |
| Grant read log      | Permit Admin API application to read logs                                                | Read the Duo event log          |
| Grant read resource | Permit Admin API application to read resources such as users, phones, and hardware tokens | Get a list of users and devices |

The following permissions are required for [remediation-actions](https://docs.oort.io/understanding-your-users/remediation-actions "mention"):

{% hint style="info" %}
These API permissions allow updates to be made directly from Oort to Duo
{% endhint %}

| Name                 | Remediation Type |
| -------------------- | ---------------- |
| Grant write resource | Reset Factors    |

### Okta SSWS API Token Scopes

| API         | HTTP Operation |
| ----------- | -------------- |
| `/api/v1/*` | READ           |

Because Oort requires only the minimal set of privileges, a custom admin role must be created to support remediations in Oort (see the `Oort Help Desk Admin` role in <https://oortpreview-admin.oktapreview.com>):

![Screenshot 2023-03-28 at 9 16 34](https://user-images.githubusercontent.com/72064215/228101939-45d40416-9e31-4f12-918f-b14e25d1cb0e.png) ![Screenshot 2023-03-28 at 9 16 49](https://user-images.githubusercontent.com/72064215/228101915-9494e48a-b101-4563-9bb8-ad6904b34e23.png) ![Screenshot 2023-03-28 at 9 17 34](https://user-images.githubusercontent.com/72064215/228101872-805f2db3-9b67-49c2-9f4d-a03299bd1c85.png)

### Auth0 API Permissions

In Auth0 [Management API](https://auth0.com/docs/api/management/v2):

A "[Machine to Machine](https://auth0.com/docs/get-started/auth0-overview/create-applications/machine-to-machine-apps)" application (`Applications --> Applications`) should be configured in Auth0 and authorized against a configured API (`Applications --> APIs`) with the following scope permissions:

| Scope                   | Description                         | Purpose                                              |
| ----------------------- | ----------------------------------- | ---------------------------------------------------- |
| `read:users`            | Read Users                          | Get a list of Users                                  |
| `read:logs`             | Read Logs                           | Read Auth0 Event logs                                |
| `read:user_logs`        | Read logs relating to users         | Read Auth0 User logs                                 |
| `read:guardian_factors` | Read Guardian factors configuration | Get a list of Users and Authenticator configurations |

### G-Suite Connected App Permissions

| Scope                                                                     | Description       |
| ------------------------------------------------------------------------- | ----------------- |
| `https://www.googleapis.com/auth/admin.directory.group.member.readonly`   | groups membership |
| `https://www.googleapis.com/auth/admin.directory.group.readonly`          | groups            |
| `https://www.googleapis.com/auth/admin.directory.user.readonly`           | users             |
| `https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly` | rolemanagement    |
| `https://www.googleapis.com/auth/admin.directory.orgunit.readonly`        | devices           |
| `https://www.googleapis.com/auth/admin.directory.audit.readonly`          | audit logs        |

The following permissions are required for [remediation-actions](https://docs.oort.io/understanding-your-users/remediation-actions "mention"):

{% hint style="info" %}
These API permissions allow updates to be made directly from Oort to G-Suite
{% endhint %}

| Scope                                                           | Description |
| --------------------------------------------------------------- | ----------- |
| `https://www.googleapis.com/auth/admin.directory.user.security` | audit logs  |

### Salesforce Connected App Permissions

| Scope                           | Description                                                                        | Purpose           |
| ------------------------------- | ---------------------------------------------------------------------------------- | ----------------- |
| Manage user data via APIs (api) | Allows access to the current account using APIs, such as REST API and Bulk API 2.0 | Collect user data |
