Microsoft Exchange Online Message Trace documentation

[NeuvilleM]

Please update the respective documentation to contain the following information:

The App Registration should contain the following API permissions:

• Office 365 Exchange Online > ReportingWebService.Read.All (application) https://learn.microsoft.com/en-gb/previous-versions/office/developer/o365-enterprise-developers/jj984325(v=office.15)#specify-the-permissions-your-app-requires-to-access-the-reporting-web-service

The supported roles are Global Reader and Security Reader according to the Microsoft documentation. https://learn.microsoft.com/en-gb/previous-versions/office/developer/o365-enterprise-developers/jj984325(v=office.15)#assign-azure-ad-roles-to-the-application

https://github.com/elastic/integrations/tree/efc03f6d264ee8287587f19eee7e83ed66ba94e4/packages/microsoft_exchange_online_message_trace#service-app-configuration

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[efd6]

@NeuvilleM The text in the documentation includes "NOTE: Make sure that at least one role includes the ReportingWebService.Read.All permission. For detailed steps, see Microsoft's Assign Azure AD Roles to Users topic." and the Global Reader and Security Reader are listed in the roles above that sentence.

Can you clarify what you think is missing and should be added?

[NeuvilleM]

@efd6 The text refers to a role while it's the app registration that (also) requires the permission. See the following screenshots for reference.

I even doubt that the application itself must be granted one of the roles, but currently not verified. Following the procedures as in the docs, it only worked after assigning the permissions (application permission should be sufficient) as in the screenshot.

[efd6]

@NeuvilleM Thanks. Before I make a change it would be good to confirm the minimum set of permissions.