Azure Registered Apps
Configure Entra ID app registrations for Graph API-based compliance scanning. Required for both server-side scans and Azure Automation runbooks.
Overview
TATER requires an Entra ID app registration to authenticate to Microsoft Graph API and other M365 services. The app registration provides the identity that runbooks and the API use to scan your tenant.
Creating the App Registration
Navigate to Entra ID
Go to the Microsoft Entra admin center and select Applications > App registrations > New registration.
Configure registration
Name: "TATER Compliance Scanner". Supported account types: "Accounts in this organizational directory only". No redirect URI needed for app-only auth.
Note the IDs
Record the Application (client) ID and Directory (tenant) ID from the Overview page. You will need these for TATER configuration.
Create a certificate or secret
Under Certificates & secrets, upload a certificate (recommended) or create a client secret. Store securely in Azure Key Vault.
Microsoft Graph API Permissions
Add the following Application permissions (not delegated) under API permissions:
The full permission list below has been validated against a live M365 tenant scan. All permissions are required for complete coverage. Missing any of these will cause controls to error rather than return a result.
| Permission | Purpose |
|---|---|
| User.Read.All | Read user profiles and settings |
| Group.Read.All | Read group memberships |
| Directory.Read.All | Read directory data |
| Policy.Read.All | Read security and compliance policies |
| Reports.Read.All | Read usage and compliance reports |
| AuditLog.Read.All | Read audit log data |
| RoleManagement.Read.Directory | Read directory role assignments |
| RoleManagement.Read.All | Read PIM role settings and eligibility schedules |
| PrivilegedAccess.Read.AzureAD | Read PIM eligible role assignments |
| PrivilegedAccess.Read.AzureADGroup | Read PIM group assignment schedules |
| IdentityRiskyUser.Read.All | Read users flagged as at risk |
| IdentityRiskyServicePrincipal.Read.All | Read risky service principal information |
| UserAuthenticationMethod.Read.All | Read MFA/FIDO2/Authenticator registration status |
| SecurityEvents.Read.All | Read security alerts and incidents |
| InformationProtectionPolicy.Read.All | Read sensitivity labels and DLP policies |
| IdentityProvider.Read.All | Read identity providers configuration |
| TeamsAppInstallation.ReadForUser.All | Read Teams app installation policies |
| Organization.Read.All | Read organization settings |
After adding permissions, click Grant admin consent for your organization. This requires Global Administrator or Privileged Role Administrator.
Intune Permissions
For endpoint scanning via Intune, add these Application permissions:
- DeviceManagementConfiguration.Read.All
- DeviceManagementManagedDevices.Read.All
- DeviceManagementServiceConfig.Read.All
Defender for Endpoint Permissions
For the Scan-Endpoints runbook, add permissions under the WindowsDefenderATP API:
| Permission | Purpose |
|---|---|
| Machine.Read.All | Device inventory |
| Vulnerability.Read.All | CVE data |
| Software.Read.All | Software inventory |
MDE uses a separate API endpoint (api.securitycenter.microsoft.com) requiring its own OAuth token. The Graph API token cannot be reused for MDE.
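As an added pre-flight check (not part of TATER), the following script, assuming the Microsoft.Graph PowerShell SDK is installed and the caller can read application objects, reports which of the permissions listed above are still missing admin consent on the app's service principal. It covers both the Microsoft Graph resource (Graph and Intune permissions) and the separate WindowsDefenderATP resource.

```powershell
# Added pre-flight check (not TATER project code): confirm every application permission
# listed on this page is admin-consented. Assumes the Microsoft.Graph PowerShell SDK.
param([Parameter(Mandatory)][string]$ClientId)  # Application (client) ID from the Overview page

# Microsoft Graph application permissions from the tables above (Graph + Intune).
$RequiredGraph = @(
  'User.Read.All','Group.Read.All','Directory.Read.All','Policy.Read.All','Reports.Read.All',
  'AuditLog.Read.All','RoleManagement.Read.Directory','RoleManagement.Read.All',
  'PrivilegedAccess.Read.AzureAD','PrivilegedAccess.Read.AzureADGroup','IdentityRiskyUser.Read.All',
  'IdentityRiskyServicePrincipal.Read.All','UserAuthenticationMethod.Read.All','SecurityEvents.Read.All',
  'InformationProtectionPolicy.Read.All','IdentityProvider.Read.All','TeamsAppInstallation.ReadForUser.All',
  'Organization.Read.All','DeviceManagementConfiguration.Read.All','DeviceManagementManagedDevices.Read.All',
  'DeviceManagementServiceConfig.Read.All'
)
# Defender for Endpoint permissions live on the separate WindowsDefenderATP resource.
$RequiredMde = @('Machine.Read.All','Vulnerability.Read.All','Software.Read.All')

# Read-only scope is enough to inspect consented app roles.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

$sp = Get-MgServicePrincipal -Filter "appId eq '$ClientId'"
if (-not $sp) { throw "No service principal for appId $ClientId in this tenant." }

# Admin-consented application permissions are appRoleAssignments on the app's service
# principal; each names the resource SP (Graph, WindowsDefenderATP, ...) and an appRole id.
$assignments   = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
$resourceCache = @{}   # ResourceId -> resource service principal (avoids repeated lookups)
$granted       = @{}   # resource display name -> granted permission values
foreach ($a in $assignments) {
  if (-not $resourceCache.ContainsKey($a.ResourceId)) {
    $resourceCache[$a.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
  }
  $resource = $resourceCache[$a.ResourceId]
  $value = ($resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }).Value
  if (-not $granted.ContainsKey($resource.DisplayName)) { $granted[$resource.DisplayName] = @() }
  $granted[$resource.DisplayName] += $value
}

# Anything required but not granted will make the corresponding controls error out.
$missingGraph = $RequiredGraph | Where-Object { $_ -notin $granted['Microsoft Graph'] }
$missingMde   = $RequiredMde   | Where-Object { $_ -notin $granted['WindowsDefenderATP'] }

if ($missingGraph -or $missingMde) {
  Write-Warning "Missing Microsoft Graph permissions: $($missingGraph -join ', ')"
  Write-Warning "Missing WindowsDefenderATP permissions: $($missingMde -join ', ')"
  exit 1
}
Write-Host "All required application permissions are admin-consented for $($sp.DisplayName)."
```

Run it after clicking Grant admin consent; a non-zero exit means at least one permission was added to the registration but never consented, or was never added at all.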
Exchange Online Permissions
The Exchange.ManageAsApp permission cannot be assigned via the Entra portal UI. Use PowerShell:
```powershell
# Connect to Exchange Online
Connect-ExchangeOnline

# Assign Exchange.ManageAsApp to the app's service principal
$appId = "your-client-id"
$sp = Get-ServicePrincipal -Identity $appId
New-ManagementRoleAssignment -App $sp.ObjectId -Role "Exchange Administrator"
```
Certificate Authentication
Certificate-based authentication is recommended for production:
- Generate a self-signed certificate or obtain one from your CA
- Upload the public key (.cer) to the app registration under Certificates & secrets
- Store the private key (.pfx) in Azure Key Vault
- Configure the Automation Account to retrieve the certificate at runtime
Install the certificate into CurrentUser\My store with UserKeySet + PersistKeySet + Exportable storage flags for services that use CertificateThumbprint.