User Guide:

Permissions Setup

Recommended Permissions

Hawk requires the Microsoft Graph, Azure and M365 permissions to function properly. Microsoft Graph permissions must be consented by an Administrator before an analyst can use Hawk. Azure and M365 permissions can be assigned individually or to a group (recommended):

Recommended Graph Permissions assigned to the PowerShell Application

  • Directory.Read.All: Read directory data
  • DeviceManagementServiceConfig.Read.All: Read Microsoft Intune configuration
  • AuditLog.Read.All: Read audit log data
  • User.Read.All: Read all users' profiles
  • IdentityRiskEvents.Read.All: Read all identity risk event information
  • IdentityRiskyUser.Read.All.: Read all identity risky user information

Recommended Azure Permissions

  • Global Reader: Can read everything that an Global Admin can read but can't update anything

Recommended M365 Permissions

  • User Options: Enables admins to view the Outlook on the web options of users in the organization
  • View-Only Audit Logs: Search the administrator audit log and view the results
  • View-Only Configuration: View all of the organization and mail flow (non-recipient) settings in the organization
  • View-Only Recipients: View recipient properties and run message trace

Administrator Consent for Microsoft Graph Permissions

Connect to Microsoft Graph to consent to required permissions:

Connect-MGGraph -Scopes "User.Read.All","Directory.Read.All", "DeviceManagementServiceConfig.Read.All", "AuditLog.Read.All", "IdentityRiskEvent.Read.All", "IdentityRiskyUser.Read.All"

Permissions Assignment and Security Considerations

  • Practice of least privilege - The above are recommendations using the default role groups and built in permissions. Granular access can be achieved by creating custom role groups and leveraging conditional access.
  • Access reviews. If continued access using the Microsoft graph isn't required, revoke the access upon completion of the investigation or use of Hawk.


Spread Your Wings


Go Back

Review the previous section: Hawk Installation.

Circle Back
Up Next

Survey the territory: Begin your Tenant Investigation.

Fly Ahead