Knowledge Base
3.17
Search this version
Knowledge Base
Knowledge Base
Title
Message
Create new category
What is the title of your new category?
Edit page index title
What is the title of the page index?
Edit category
What is the new title of your category?
Edit link
What is the new title and URL of your link?
Microsoft 365 Application permissions
Copy Markdown
Open in ChatGPT
Open in Claude
Overview
MetaDefender™ Cloud Email Security (MDCES) requires specific Microsoft Graph and Office 365 Exchange Online API permissions to operate correctly and securely within your Microsoft 365 environment.
When installing and granting consent to MDCES, your administrator will authorize the following permissions. The table below summarizes each permission and provides a brief description of its purpose.
| API/Permission name | Type | Description |
|---|---|---|
| Microsoft Graph | ||
| Contacts.Read | Application | Allows MDCES to read contact information in all mailboxes (used for email processing and routing logic). |
| Directory.Read.All | Application | Allows MDCES to read directory data (users, groups, domains, and more) to determine protection scope and apply mail flow rules & policies. |
| Domain.Read.All | Application | Allows MDCES to read the domains in your tenant to support domain-based routing and configuration. |
| Group.Read.All | Application | Allows MDCES to read all groups (used for applying policies to specific groups). |
| GroupMember.Read.All | Application | Allows MDCES to read group memberships (used to apply policies to group members). |
| Mail.ReadWrite | Application | Allows MDCES to read & write email content in mailboxes for security analysis when protection mode is enabled. |
| ProfilePhoto.Read.All | Application | Allows MDCES to read profile photos of users and groups (used for enhancing the admin portal UX). |
| User.Read | Delegated | Allows MDCES to sign in and read the profile of the signed-in user (basic sign-in and profile read functionality). |
| User.Read.All | Application | Allows MDCES to read all users' full profiles (used to support user-based policies and visibility). |
| Office 365 Exchange Online | ||
| Exchange.Manage* | Delegated | Allows MDCES to manage Exchange configuration (e.g., mail flow rules, connectors) when performing setup or adjustments. |
* Only used when selecting automatic integration mode
Why These Permissions Are Required
MDCES uses these permissions to:
- Apply and manage Exchange mail flow rules and connectors
- Apply protection policies based on users, groups, and domains
- Analyze email content for security threats
- Support monitoring mode (BCC email copy) and protection mode (email routing)
- Provide visibility and control via the MDCES admin portal
- Ensure seamless integration with your Microsoft 365 tenant
Type to search, ESC to discard
Type to search, ESC to discard
Type to search, ESC to discard
Last updated on
Was this page helpful?
Next to read:
Scanning limitsDiscard Changes
Do you want to discard your current changes and overwrite with the template?
Archive Synced Block
Message
Create new Template
What is this template's title?
Delete Template
Message
