> For the complete documentation index, see [llms.txt](https://docs.stoik.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.stoik.io/email-security/email-security-setup-microsoft-o365/which-microsoft-365-permissions-are-required-to-activate-email-security.md). # Which Microsoft 365 permissions are required to activate Email Security? To allow Stoïk to analyze emails and Microsoft 365 accounts, detect threats, and act quickly in the event of an incident, the following Microsoft permissions must be granted during the integration. These permissions are only used to protect your organization. | Permission | Usage | | ----------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------- | | Read all audit log data | Allows reading all audit logs across the organization for investigation and monitoring. | | Read audit logs data from all services | Allows the app to read audit logs from all Microsoft 365 services for threat detection and compliance. | | Read and write mail in all mailboxes | Grants full read/write access to mail across every user mailbox (used for scanning, remediation, or actions on malicious emails). | | Read and write all user mailbox settings | Allows modifying mailbox settings (inbox rules, signatures, forwarding…) for all users. | | Read your organization’s conditional access policies | Lets the app read Conditional Access configuration for audit or analysis of security posture. | | Read all usage reports | Allows accessing organization-wide usage and activity reports (M365 usage analytics). | | Read metadata and detection details for all emails in your organization | Allows the app to access email metadata (headers, detections, threat indicators) without accessing message bodies. | | Read all users’ full profiles | Grants full read access to users’ directory profiles (name, job info, attributes…). | | Read and write all users’ authentication methods | Allows modifying users’ authentication methods (MFA settings, phone, email…). | | Sign in and read user profiles | Allows the app to sign in as a user and access basic profile data. | | Read and write all password profiles and reset user passwords | Allows resetting or updating passwords for all users — required for post-incident remediation. | | Revoke all sign in sessions for a user | Allows the app to immediately revoke all active user sessions — used for immediate containment. | | Read activity data for your organization | Allows Stoïk to read activity feed events in Microsoft 365 to detect suspicious actions or anomalies related to user activity. | | Read all applications | Allows the app to read all applications and service principals in the directory — used to analyze configuration and identify anomalies. | --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.stoik.io/email-security/email-security-setup-microsoft-o365/which-microsoft-365-permissions-are-required-to-activate-email-security.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.