When you run the permissions script during the installation process, you give the Microsoft Graph permissions below to a Managed Identity used by the Azure Functions in the Managed Resource Group.

• Directory.Read.All, used to read user and license information​

• AuditLog.Read.All, used to get user last signin information​

• Domain.Read.All, used to get friendly names for tenantid​

• Reports.Read.All, used to read user MFA registration information

• Policy.Read.All, used to read signin logs and conditional access policies

The Managed Identity holds these permissions: