API Permissions for Integrations
This page outlines the API permissions that an Integration requires in order to enable features within Oort.
Overview
This page contains API details for the following Integrations:
Azure AD
Duo
Okta
Auth0
Google (G-Suite)
Salesforce
Integrations
This section summarizes the API permissions for each Oort integration and the purpose for which each connection is used.
Azure AD
This section covers the API permissions for the following Microsoft Azure APIs:
MS Graph API - Application Permissions
| Permission | Description | Purpose |
| --- | --- | --- |
| AuditLog.Read.All | Read all audit log data | Read user activity from the Audit Log |
| Directory.Read.All | Read directory data | |
| Group.Read.All | Read all groups | |
| GroupMember.Read.All | Read all group memberships | Get a list of a user's group memberships |
| Reports.Read.All | Read all usage reports | Find a manager's end user direct reports |
| User.Read.All | Read all users' full profiles | |
| Policy.Read.All | Read your organization's policies | Get a list of policies and named locations |
| IdentityRiskyUser.Read.All | Read your organization's risky users | Get a list of users marked as Risky by Azure |
| IdentityRiskEvent.Read.All | Read your organization's risky user events | Read details on events associated with Risky user activities |
| UserAuthenticationMethod.Read.All | Read user auth methods | Read the user authentication methods that are available |
MS Graph API - Intune Devices
| Permission | Description |
| --- | --- |
| DeviceManagementApps.Read.All | Read Microsoft Intune apps |
| DeviceManagementConfiguration.Read.All | Read Microsoft Intune device configuration and policies |
| DeviceManagementManagedDevices.Read.All | Read Microsoft Intune devices |
MS Graph API - Permissions for Triaging Alerts and Remediation Actions
These API permissions allow updates to be made directly from Oort to Azure AD.
| Permissions | Remediation Action |
| --- | --- |
| User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All | Update User Type |
| User.ReadWrite.All, Directory.ReadWrite.All | User Log out |
| UserAuthenticationMethod.ReadWrite.All | Factors Reset (TBD) |
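Because the read-only baseline and the remediation write permissions are listed separately, a practitioner will usually want to confirm that an app registration carries exactly the permissions its enabled features call for and nothing more. The following is an added example, not Oort's or Microsoft's code: it compares a list of granted MS Graph application permission values against the tables above and reports what is missing, what write-capable permission is granted without a matching remediation action, and any extra read permission. The `SAMPLE_GRANTED` list is a constructed sample; in practice it would be filled from the service principal's app role assignments exported by the tenant administrator.

```python
"""Least-privilege check for the MS Graph application permissions documented above.

Added example (not Oort's code). The permission names come from the tables on
this page; SAMPLE_GRANTED is a constructed sample export, not a real tenant.
"""

# Read-only baseline from the "Application Permissions" table.
BASELINE = {
    "AuditLog.Read.All", "Directory.Read.All", "Group.Read.All",
    "GroupMember.Read.All", "Reports.Read.All", "User.Read.All",
    "Policy.Read.All", "IdentityRiskyUser.Read.All",
    "IdentityRiskEvent.Read.All", "UserAuthenticationMethod.Read.All",
}

# Optional permissions from the "Intune Devices" table.
INTUNE = {
    "DeviceManagementApps.Read.All",
    "DeviceManagementConfiguration.Read.All",
    "DeviceManagementManagedDevices.Read.All",
}

# Write permissions from the remediation table, keyed by the action they enable.
REMEDIATION = {
    "Update User Type": {
        "User.ReadWrite.All", "User.ManageIdentities.All", "Directory.ReadWrite.All",
    },
    "User Log out": {"User.ReadWrite.All", "Directory.ReadWrite.All"},
    "Factors Reset": {"UserAuthenticationMethod.ReadWrite.All"},
}

# Constructed sample: baseline without Policy.Read.All, plus two write
# permissions that no enabled remediation action asked for.
SAMPLE_GRANTED = [
    "AuditLog.Read.All", "Directory.Read.All", "Group.Read.All",
    "GroupMember.Read.All", "Reports.Read.All", "User.Read.All",
    "IdentityRiskyUser.Read.All", "IdentityRiskEvent.Read.All",
    "UserAuthenticationMethod.Read.All",
    "Directory.ReadWrite.All", "User.ReadWrite.All",
]


def is_write_permission(value):
    """Graph application permissions that only read end in '.Read.All';
    anything else (ReadWrite, Manage..., etc.) can change tenant state."""
    return not value.endswith(".Read.All")


def audit_graph_permissions(granted, intune=False, remediation=()):
    """Compare granted permission values with what the enabled features need.

    granted:     iterable of permission value strings, e.g. "User.Read.All"
    intune:      True if the Intune device permissions are expected
    remediation: names of enabled remediation actions (keys of REMEDIATION)
    Returns a dict with sorted lists: missing, unneeded_write, unexpected_read.
    """
    granted = set(granted)
    expected = set(BASELINE)
    if intune:
        expected |= INTUNE
    for action in remediation:
        expected |= REMEDIATION[action]  # KeyError on an unknown action name
    excess = granted - expected
    return {
        "missing": sorted(expected - granted),
        "unneeded_write": sorted(p for p in excess if is_write_permission(p)),
        "unexpected_read": sorted(p for p in excess if not is_write_permission(p)),
    }


if __name__ == "__main__":
    # Same grant set, once with no remediation enabled and once with "User Log out".
    for actions in ((), ("User Log out",)):
        label = ", ".join(actions) or "read-only"
        print(label, audit_graph_permissions(SAMPLE_GRANTED, remediation=actions))
```

Run as written, the first report flags `Policy.Read.All` as missing and both `ReadWrite` permissions as write access with no enabled action behind it; enabling the "User Log out" action makes those two expected, leaving only the missing read permission.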
Duo
A Duo Admin API application with the following permissions is required for Duo integration instances:
| Permission | Description | Purpose |
| --- | --- | --- |
| Grant read log | Permit the Admin API application to read logs | Read the Duo event log |
| Grant read resource | Permit the Admin API application to read resources such as users, phones, and hardware tokens | Get a list of users and devices |
The following permissions are required for Triaging Alerts and Remediation Actions:
These API permissions allow updates to be made directly from Oort to Duo.
| Permission | Remediation Action |
| --- | --- |
| Grant write resource | Reset Factors |
Okta SSWS API Token Scopes
| Scope | Permission |
| --- | --- |
| /api/v1/* | READ |
Because Oort requires the minimal set of privileges, a custom admin role must be created in order to support remediations in Oort (see the Oort Help Desk Admin role in https://oortpreview-admin.oktapreview.com):
Auth0 API Permissions
In the Auth0 Management API, a "Machine to Machine" application (Applications --> Applications) must be configured in Auth0 and authorized against a configured API (Applications --> APIs) with the following scope permissions:
| Scope | Description | Purpose |
| --- | --- | --- |
| read:users | Read Users | Get a list of Users |
| read:logs | Read Logs | Read Auth0 Event logs |
| read:user_logs | Read logs relating to users | Read Auth0 User logs |
| read:guardian_factors | Read Guardian factors configuration | Get a list of Users and Authenticator configurations |
G-Suite Connected App Permissions
| Scope | Purpose |
| --- | --- |
| https://www.googleapis.com/auth/admin.directory.group.member.readonly | groups membership |
| https://www.googleapis.com/auth/admin.directory.group.readonly | groups |
| https://www.googleapis.com/auth/admin.directory.user.readonly | users |
| https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly | rolemanagement |
| https://www.googleapis.com/auth/admin.directory.orgunit.readonly | devices |
| https://www.googleapis.com/auth/admin.directory.audit.readonly | audit logs |
The following permissions are required for Triaging Alerts and Remediation Actions:
These API permissions allow updates to be made directly from Oort to G-Suite.
| Scope | Purpose |
| --- | --- |
| https://www.googleapis.com/auth/admin.directory.user.security | audit logs |
Salesforce Connected App Permissions
| Permission | Description | Purpose |
| --- | --- | --- |
| Manage user data via APIs (api) | Allows access to the current account using APIs, such as REST API and Bulk API 2.0 | Collect user data |