RAIDEN connects to your Microsoft 365 tenant via two Microsoft APIs. This page explains every permission requested, how it is used, and how your data is handled.
Read-only permissions
These permissions allow RAIDEN to monitor your environment. They are read-only — RAIDEN cannot modify your tenant data using these permissions.
Microsoft Graph
| Permission | Purpose |
|---|---|
| AuditLog.Read.All | Read sign-in and audit logs |
| Directory.Read.All | Read users and groups |
| User.Read.All | Read user profiles |
| SecurityEvents.Read.All | Read Defender security alerts |
| IdentityRiskEvent.Read.All | Read Entra ID risk events |
| Policy.Read.All | Read Conditional Access policies |
| Mail.Read | Enrich investigations with email context (optional) |
Office Management Activity API
| Permission | Purpose |
|---|---|
| ActivityFeed.Read | Read the M365 unified audit log event stream |
Write permissions
These permissions are requested during setup. RAIDEN uses them when you explicitly click a Response Action button (for example, to revoke sessions for a compromised account), and invokes them automatically only if that is allowed in settings.
Write permissions are only triggered automatically by RAIDEN if you enable these toggles in settings. You can choose to enable just account disabling or all available response actions. Later, we'll add more granular controls for specific response action types.
- Auto-remediate on high-confidence verdict: When the RAIDEN AI agent concludes a case is a True Positive with High or Medium confidence and High or Critical severity, it automatically records a remediation for the affected user. This suppresses future detections for that user until a new threat is identified. Requires running an AI investigation on the case.
- Auto-disable account on high-confidence verdict: When a True Positive verdict is reached, RAIDEN automatically disables the user's account. For cloud-only accounts: sets accountEnabled=false and creates a Conditional Access block. For AD-synced accounts: creates a Conditional Access block only; you must also disable the on-prem account separately. Requires User.EnableDisableAccount.All and Policy.ReadWrite.ConditionalAccess app permissions.
| Permission | Response action |
|---|---|
| User.RevokeSessions.All | Revoke all active sessions for a compromised user |
| User.EnableDisableAccount.All | Disable or re-enable a compromised account |
| Policy.ReadWrite.ConditionalAccess | Create a Conditional Access block policy |
| MailboxSettings.ReadWrite | Read and delete malicious inbox rules |
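One way to check that what is actually granted to the RAIDEN service principal matches the tables above (an added example, not RAIDEN's own code). It assumes the permissions are granted as application permissions and that you have exported the service principal's `appRoleAssignments` and each resource service principal's `appRoles` from Microsoft Graph; the resource IDs, role IDs and sample data are constructed.

```python
# Added example. Permission names are from this page; IDs and samples are constructed.
READ = {"AuditLog.Read.All", "Directory.Read.All", "User.Read.All",
        "SecurityEvents.Read.All", "IdentityRiskEvent.Read.All",
        "Policy.Read.All", "ActivityFeed.Read"}
OPTIONAL = {"Mail.Read"}
WRITE = {"User.RevokeSessions.All", "User.EnableDisableAccount.All",
         "Policy.ReadWrite.ConditionalAccess", "MailboxSettings.ReadWrite"}
# Both are required by the auto-disable toggle, per the page.
AUTO_DISABLE = {"User.EnableDisableAccount.All", "Policy.ReadWrite.ConditionalAccess"}

def resolve(assignments, resources):
    """Map each appRoleAssignment to a permission name via its resource's appRoles."""
    names, unresolved = set(), []
    for a in assignments:
        app_roles = resources.get(a["resourceId"], {}).get("appRoles", [])
        by_id = {r["id"]: r["value"] for r in app_roles}
        if a["appRoleId"] in by_id:
            names.add(by_id[a["appRoleId"]])
        else:
            unresolved.append(a["appRoleId"])  # a grant we cannot name is a finding
    return names, unresolved

def audit(assignments, resources, auto_disable_enabled=False):
    """Compare granted permissions with the documented read, optional and write sets."""
    granted, unresolved = resolve(assignments, resources)
    report = {
        "missing_read": sorted(READ - granted),
        "write_granted": sorted(WRITE & granted),
        "undocumented": sorted(granted - READ - OPTIONAL - WRITE),
        "unresolved_role_ids": unresolved,
        "auto_disable_ready": AUTO_DISABLE <= granted,
    }
    report["ok"] = not (report["missing_read"] or report["undocumented"] or unresolved
                        or (auto_disable_enabled and not report["auto_disable_ready"]))
    return report

def sample_roles(*names):  # constructed appRoles with fake IDs of the form "id-<name>"
    return [{"id": "id-" + n, "value": n} for n in names]

def sample_grant(resource_id, name):  # constructed appRoleAssignment
    return {"resourceId": resource_id, "appRoleId": "id-" + name}

GRAPH_READ = sorted(READ - {"ActivityFeed.Read"})
SAMPLE_RESOURCES = {
    "res-graph": {"appRoles": sample_roles(*GRAPH_READ, *sorted(WRITE), "Mail.Read", "Directory.ReadWrite.All")},
    "res-o365-mgmt": {"appRoles": sample_roles("ActivityFeed.Read")},
}
SAMPLE_ASSIGNMENTS = [sample_grant("res-graph", n) for n in GRAPH_READ] + [
    sample_grant("res-o365-mgmt", "ActivityFeed.Read"),
    sample_grant("res-graph", "User.EnableDisableAccount.All"),
    sample_grant("res-graph", "Directory.ReadWrite.All"),  # not in the page's tables
]
```

On the sample data, `audit(SAMPLE_ASSIGNMENTS, SAMPLE_RESOURCES, auto_disable_enabled=True)` reports one undocumented grant and shows that auto-disable is enabled without both of the permissions it requires.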
Data handling
- All audit log data is processed within your RAIDEN tenant. No data is shared across tenants.
- RAIDEN does not store email content — only metadata used for investigation context.
- Audit log events are retained for 90 days by default.
Questions?
Email support@raidenhq.com with any questions about permissions or data handling.