Granting Azure Access
Granting Access Through EtherInsights
First, navigate to Organization settings

Navigate to Connected Microsoft 365 Tenants and select "Connect to Azure"

Select Grant Access

Sign in with Microsoft if prompted

Select the Azure Resource you would like to grant EtherInsights "Reader" level access to

Reader Access will then be granted to EtherInsights
Azure Portal Configuration Steps (Manual Method)
To use EtherInsights to monitor your Azure resources, you first need to add a role assignment to grant access to your Azure subscription.
- Navigate to the Azure Portal
- Navigate to subscriptions and select the subscription you'd like to connect

- On the left side bar, select "Access control (IAM)"
- Click "Add" and then "Add role assignment"

- Select the role with the name "Reader" and click "Next"

- Next to "Assign access to" select "User, group, or service principal"
- Select "Select members" and search for your ID, then select "EtherInsights App" and click "Select"

- Click "Review + assign" and then "Assign"

Verification
Once you've completed these steps, return to the EtherInsights portal and click the "Check Access" button.
It may take a few minutes for the changes to take effect. If access verification doesn't succeed immediately, please wait a few minutes and try again.
Additional Permissions
Depending on your organization's monitoring needs, you might need to grant additional permissions:
- Cost Management Access: If you want to use EtherInsights to analyze and optimize your Azure costs, you may need to assign the "Cost Management Reader" role
- Multiple Subscriptions: To monitor multiple subscriptions, repeat these steps for each subscription you wish to connect
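To confirm the result of the steps above from your side, the following added example (not EtherInsights code) audits an export of the app's role assignments. It assumes JSON in the shape produced by `az role assignment list --assignee <app-id> --all -o json`; the subscription IDs and sample data are constructed placeholders.

```python
import json

# Roles this page names for the EtherInsights App; anything else is undocumented here.
DOCUMENTED_ROLES = {"Reader", "Cost Management Reader"}

# Constructed sample shaped like `az role assignment list --assignee <app-id> --all -o json`.
# Subscription IDs are placeholders.
SAMPLE_ASSIGNMENTS = json.loads("""
[
  {"principalName": "EtherInsights App", "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"principalName": "EtherInsights App", "roleDefinitionName": "Cost Management Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"principalName": "EtherInsights App", "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000002/resourceGroups/rg-demo"}
]
""")


def subscription_of(scope):
    """Return the subscription ID of an ARM scope, or None (e.g. management group scope)."""
    parts = scope.strip("/").split("/")
    if len(parts) >= 2 and parts[0].lower() == "subscriptions":
        return parts[1].lower()
    return None


def audit_role_assignments(assignments, expected_subscriptions):
    """Return (unexpected, missing_reader).

    unexpected     - (role, scope) pairs whose role is not named on this page, or
                     whose scope lies outside the subscriptions you meant to connect
    missing_reader - expected subscriptions with no Reader on the subscription itself
    """
    expected = {s.lower() for s in expected_subscriptions}
    unexpected, has_reader = [], set()
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        sub = subscription_of(scope)
        if role not in DOCUMENTED_ROLES or sub not in expected:
            unexpected.append((role, scope))
        elif role == "Reader" and scope.strip("/").count("/") == 1:
            has_reader.add(sub)  # Reader assigned at subscription scope
    return unexpected, sorted(expected - has_reader)


if __name__ == "__main__":
    subs = ["00000000-0000-0000-0000-000000000001", "00000000-0000-0000-0000-000000000002"]
    print(audit_role_assignments(SAMPLE_ASSIGNMENTS, subs))
```

A non-empty `unexpected` list means the app holds more than this page asks for; a non-empty `missing_reader` list explains a failing "Check Access" for that subscription.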
Troubleshooting
If you encounter any issues when verifying access:
- Ensure you've selected the correct subscription
- Confirm the role assignment was completed successfully
- Check that you've added the correct EtherInsights App ID
- Allow sufficient time for permission propagation (typically 5-15 minutes)
For persistent issues, please refer to our Troubleshooting Guide or contact EtherInsights Support.
Permissions Description
This section describes the permissions EtherInsights requests as part of the process of connecting to your Microsoft 365 tenant. We understand that you are granting us access to information which may be sensitive or confidential, and as such, we take the security of our customers extremely seriously.
We strongly adhere to industry best practices, such as the principle of least privilege, which we follow by making an effort to ensure that we request only the most granular permissions available.
Application (Service Principal) Permissions Requested:
These read-only permissions are requested as part of the Admin Consent flow and are assigned to the EtherInsights service principal. They are used to retrieve information and generate reports without direct user intervention.
User.Read.All (required)
- Core: Used to display the name of the Entra Tenant in the Entra Tenants settings pages
- Core: Used to read number of active end users in tenant for billing purposes
- Microsoft 365 Report: for displaying what users have which licenses
AuditLog.Read.All
- Microsoft 365 Report: for displaying when users were last active
CloudPC.Read.All
- Used for operations involving Windows 365 Cloud PC, such as the Windows 365 page and the Managed Devices page
Device.Read.All
- Devices Report: for showing devices registered in Entra
DeviceManagementManagedDevices.Read.All
- Devices Report: for showing devices registered in Intune
LicenseAssignment.Read.All
- Microsoft 365 Report: for displaying licenses owned by organisation
- Actions: Used for seeing available SKUs for Cloud PC resizing.
Reports.Read.All
- OneDrive Storage Report: for retrieving storage usage information
RoleManagement.Read.Directory
- Microsoft 365 Report: for displaying what administrative roles users have
SecurityEvents.Read.All
- Microsoft 365 Report: for displaying organisation secure score
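After admin consent, the application permissions actually held by the service principal can be compared with the list above. This added example (not EtherInsights code) assumes you have fetched the service principal's `appRoleAssignments` and the Microsoft Graph service principal's `appRoles` from Microsoft Graph; the GUIDs and sample records are constructed placeholders.

```python
# Application permissions listed on this page (all read-only).
DOCUMENTED = {
    "User.Read.All", "AuditLog.Read.All", "CloudPC.Read.All", "Device.Read.All",
    "DeviceManagementManagedDevices.Read.All", "LicenseAssignment.Read.All",
    "Reports.Read.All", "RoleManagement.Read.Directory", "SecurityEvents.Read.All",
}

# Constructed sample of the two Graph responses this check needs:
#   GET /servicePrincipals/{EtherInsights SP id}/appRoleAssignments  -> appRoleId per grant
#   GET /servicePrincipals/{Microsoft Graph SP id}?$select=appRoles  -> id -> value mapping
# The GUIDs below are placeholders, not real Graph role IDs.
GRAPH_APP_ROLES = [
    {"id": "00000000-0000-0000-0000-0000000000a1", "value": "User.Read.All"},
    {"id": "00000000-0000-0000-0000-0000000000a2", "value": "AuditLog.Read.All"},
    {"id": "00000000-0000-0000-0000-0000000000a3", "value": "CloudPC.ReadWrite.All"},
]
SAMPLE_ASSIGNMENTS = [
    {"appRoleId": "00000000-0000-0000-0000-0000000000a1"},
    {"appRoleId": "00000000-0000-0000-0000-0000000000a2"},
    {"appRoleId": "00000000-0000-0000-0000-0000000000a3"},
    {"appRoleId": "00000000-0000-0000-0000-0000000000ff"},  # not a Graph role in the sample
]


def is_read_only(permission):
    """Heuristic: Graph permission names are Resource.Verb[.Constraint]; accept verb 'Read'."""
    parts = permission.split(".")
    return len(parts) >= 2 and parts[1] == "Read"


def audit_app_permissions(assignments, graph_app_roles):
    """Resolve granted role IDs to names and compare them with the documented list."""
    names = {r["id"]: r["value"] for r in graph_app_roles}
    granted, unresolved = set(), []
    for a in assignments:
        name = names.get(a["appRoleId"])
        if name is None:
            unresolved.append(a["appRoleId"])  # role on another API, or unknown ID
        else:
            granted.add(name)
    return {
        "undocumented": sorted(granted - DOCUMENTED),
        "not_read_only": sorted(p for p in granted if not is_read_only(p)),
        "not_granted": sorted(DOCUMENTED - granted),
        "unresolved_role_ids": sorted(unresolved),
    }


if __name__ == "__main__":
    print(audit_app_permissions(SAMPLE_ASSIGNMENTS, GRAPH_APP_ROLES))
```

Entries under `undocumented` or `not_read_only` are application-level grants beyond what this section describes and are worth reviewing before leaving consent in place.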
Delegated (on behalf of user) Permissions Requested
Delegated access grants the privilege to perform operations on behalf of a user, inheriting the permissions assigned to that user. We recognise the high sensitivity of delegated access tokens and never persistently store them, ensuring our systems cannot use these tokens without a user in the loop.
As part of log-in
These permissions are requested whenever a user logs in with their Microsoft account.
User.Read, openid, profile, email (required)
- Core: Used for user login
- Core: Used to update information such as organisation name, which is displayed to administrators of organisations of which you are a member.
- Core: Used as part of the process to link an Entra Tenant to EtherInsights
Used by actions
Our actions system requests permissions only when a user invokes an action that requires them, and is designed for maximum transparency to the user.

- Azure setup action:
  - https://management.azure.com/user_impersonation to grant EtherInsights 'Reader' level access to resources inside Azure
- License management action:
  - User.Read.All to see which licenses a user currently has assigned
  - LicenseAssignment.ReadWrite.All to (un)assign licenses from a user
  - CloudPC.ReadWrite.All, used when the user opts to end the grace period immediately when removing a CPC license
- Cloud PC Resize Action:
  - CloudPC.ReadWrite.All to resize the Cloud PC
  - User.Read.All to check the user's license assignments
  - LicenseAssignment.ReadWrite.All to unassign the license after resize
  - Group.Read.All to check for licenses assigned by group assignment
- Other Cloud PC Actions:
  - CloudPC.ReadWrite.All to manage Cloud PCs.
