public/Get-ZtGraphScope.ps1
<# .Synopsis Returns the list of Graph scopes required to run the Zero Trust Assessment. .Description Use this cmdlet to connect to Microsoft Graph using Connect-MgGraph. .Example Connect-MgGraph -Scopes (Get-ZtGraphScope) Connects to Microsoft Graph with the required scopes to run Zero Trust Assessment. #> Function Get-ZtGraphScope { [CmdletBinding()] param() # Any changes made to these permission scopes should be reflected in the documentation. # /zerotrustassessment/website/docs/sections/permissions.md # Default read-only scopes required for the assessment. $scopes = @( #IMPORTANT: Read note above before adding any new scopes. 'AuditLog.Read.All' 'Directory.Read.All' 'Policy.Read.All' 'Reports.Read.All' 'DirectoryRecommendations.Read.All' 'PrivilegedAccess.Read.AzureAD' 'IdentityRiskEvent.Read.All' 'RoleEligibilitySchedule.Read.Directory' 'RoleManagement.Read.All' 'RoleEligibilitySchedule.ReadWrite.Directory' 'Policy.Read.ConditionalAccess' 'UserAuthenticationMethod.Read.All' 'CrossTenantInformation.ReadBasic.All' ) $scopes += Get-EERequiredScopes -PermissionType Delegated return $scopes | Sort-Object -Unique } |