![LOGO_STOIK_WHITE.png]](https://help.stoik.io/hs-fs/hubfs/LOGO_STOIK_WHITE.png?height=40&name=LOGO_STOIK_WHITE.png){kind=logo}
Which Microsoft 365 permissions are required to activate Email Security?
To allow Stoïk to analyze emails and Microsoft 365 accounts, detect threats, and act quickly in the event of an incident, certain Microsoft permissions must be granted during the integration.
These permissions are strictly limited to the needs of the Stoïk Email Security module and are only used to protect your organization.
| Permission | Usage |
|---|---|
| Read all audit log data | Allows reading all audit logs across the organization for investigation and monitoring. |
| Read audit logs data from all services | Allows the app to read audit logs from all Microsoft 365 services for threat detection and compliance. |
| Read and write mail in all mailboxes | Grants full read/write access to mail across every user mailbox (used for scanning, remediation, or actions on malicious emails). |
| Read and write all user mailbox settings | Allows modifying mailbox settings (inbox rules, signatures, forwarding…) for all users. |
| Read your organization’s conditional access policies | Lets the app read Conditional Access configuration for audit or analysis of security posture. |
| Read all usage reports | Allows accessing organization-wide usage and activity reports (M365 usage analytics). |
| Read metadata and detection details for all emails in your organization | Allows the app to access email metadata (headers, detections, threat indicators) without accessing message bodies. |
| Read all users’ full profiles | Grants full read access to users’ directory profiles (name, job info, attributes…). |
| Read and write all users’ authentication methods | Allows modifying users’ authentication methods (MFA settings, phone, email…). |
| Sign in and read user profiles | Allows the app to sign in as a user and access basic profile data. |
| Read and write all password profiles and reset user passwords | Allows resetting or updating passwords for all users — required for post-incident remediation. |
| Revoke all sign in sessions for a user | Allows the app to immediately revoke all active user sessions — used for immediate containment. |
| Read activity data for your organization | Allows Stoïk to read activity feed events in Microsoft 365 to detect suspicious actions or anomalies related to user activity. |