Permissions
For the Zation FinOps Platform to read your usage and cost data and compute recommendations, it needs defined permissions in your Microsoft environment. The Platform adheres strictly to the principle of least privilege — every scope is read-only, and Zation never requests access to message content, files, chat data, or sign-in event details.
Four consent surfaces may be involved, in this order:
- Enterprise app — Client Auth — a multi-tenant Microsoft Entra ID app for portal sign-in. Required for every customer, including customers who only use Zation for Cloud Solution Provider (CSP) billing.
- GDAP — Granular Delegated Admin Privileges for CSP customers.
- Microsoft 365 — Graph application permissions — required only if you enable the Microsoft 365 or Intune modules.
- Azure — ARM service principal roles — required only if you enable the Azure module.
1. Enterprise app — Client Auth
A single multi-tenant application registration owned by Zation. Every customer consents to this app once so their users can sign in to the Platform with their existing Microsoft work account. This consent is required even for customers who only use Zation Platform for CSP billing and have not enabled any data-collection module for Microsoft 365 or Azure.
| Permission | Type | Purpose |
|---|---|---|
| openid | Delegated | Issues the sign-in token. |
| profile | Delegated | Reads display name and object ID from the token. |
| User.Read | Delegated | Lets the portal fetch the signed-in user's basic profile on /me. |
Only a Global Administrator can grant tenant-wide consent. Once granted, any regular user from your tenant can sign in to the Platform — no re-consent needed.
2. GDAP — for CSP customers
When Zation acts as your CSP partner for Microsoft 365 licenses, license-administration tasks run through Granular Delegated Admin Privileges (GDAP). This replaces the older Delegated Admin Privileges (DAP) model, deprecated by Microsoft since 2024.
If your tenant still has a DAP connection, Zation will migrate it to GDAP during onboarding. New customer tenants no longer accept DAP.
GDAP properties:
- Granular: only the roles Zation needs — never Global Administrator.
- Auditable: every admin action is logged in the customer audit log.
The specific Entra ID roles Zation requests through GDAP are kept to the minimum required for CSP license administration and are reviewed with you during onboarding.
3. Microsoft 365 — Graph application permissions
Requested when you enable the Microsoft 365 or Intune modules. Granted via admin consent on a separate enterprise application. Every scope is a .Read scope — Zation never holds write access on Microsoft Graph.
| Permission | Type | Purpose |
|---|---|---|
| Directory.Read.All | Application | List users and their basic profile (department, job title, usage location), admin roles, groups, and shared mailboxes. Powers the directory, license-assignment, and security-posture views. |
| Organization.Read.All | Application | Read the tenant's subscribed SKUs and consumed-vs-purchased license counts. |
| Reports.Read.All | Application | Aggregated 30-day usage counters per user (Outlook, Teams, SharePoint, OneDrive, Copilot) for the Adoption module. |
| AuditLog.Read.All | Application | Read the lastSignInDateTime per user to detect dormant accounts. No sign-in event details are stored. |
| UserAuthenticationMethod.Read.All | Application | Read MFA registration state per user. Surfaced as a single yes/no flag. |
| Device.Read.All | Application | Read Microsoft Entra ID device objects (joined / registered devices). |
| DeviceManagementManagedDevices.Read.All | Application | Read Intune-managed device inventory for device ownership and activity. |
| TeamsUserConfiguration.Read.All | Application | Read per-user Teams configuration (calling and conferencing settings) for the Teams view. |
| CallRecords.Read.All | Application | Read Teams call-record metadata (call duration, participant count) for the calling-quality and adoption views. No call audio or transcripts are read. |
4. Azure — ARM service principal roles
Requested when you enable the Azure module. A Zation service principal is granted the following built-in Azure roles at the subscription or management-group scope you choose. No data inside any resource is accessed.
| Role | Purpose |
|---|---|
| Reader | Read-only inventory of subscriptions, resources, SKUs, locations, and tags. Also covers Advisor recommendations. |
| Cost Management Reader | Read usage and cost data. Powers the cost charts and savings views. |
| Monitoring Reader | Read resource utilization metrics (CPU, memory, network, disk) used for right-sizing. |
| Log Analytics Reader | Read Log Analytics workspace data for diagnostics and utilization analysis. No log content is exported. |
| Backup Reader | Read Recovery Services vault inventory and backup-policy metadata. Powers the backup-cost and protection-coverage views. |
| Reservations Reader | Read Reserved Instance (RI) inventory and utilization across your billing scope. |
| Savings plan reader | Read savings-plan inventory and utilization. |
| Carbon Optimization Reader | Read Microsoft Cloud for Sustainability emissions data per resource for the GreenOps module. |
Reservations Reader and Savings plan reader cannot be assigned at the subscription or management-group scope together with the other roles; they are assigned on separate permission providers. Use the PowerShell script we provide at platform.zation.io → Setup to assign them.
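Sections 3 and 4 above list exactly which Graph application permissions and Azure roles are granted. A tenant admin can verify, after consent, that what was actually granted matches those tables and contains nothing write-capable. The script below is an added example and not Zation's code: it works on the field shapes returned by Graph's `/servicePrincipals/{id}/appRoleAssignments` (together with the Microsoft Graph service principal's `appRoles`, which map `appRoleId` GUIDs to permission names) and by `az role assignment list --assignee <sp-object-id>`, but every GUID, scope and assignment in it is constructed sample data, and two deliberately drifted grants are included so the audit has something to report.

```python
"""Audit a third-party app's consented permissions against the vendor's documented allowlist.

Added example, not Zation's code. Input shapes follow the real endpoints named in the
lead-in; every id, scope and assignment below is constructed sample data.
"""

# Graph application permissions documented in section 3 (the allowlist).
DOCUMENTED_GRAPH_PERMISSIONS = {
    "Directory.Read.All", "Organization.Read.All", "Reports.Read.All", "AuditLog.Read.All",
    "UserAuthenticationMethod.Read.All", "Device.Read.All",
    "DeviceManagementManagedDevices.Read.All", "TeamsUserConfiguration.Read.All",
    "CallRecords.Read.All",
}

# Azure built-in roles documented in section 4 (the allowlist).
DOCUMENTED_AZURE_ROLES = {
    "Reader", "Cost Management Reader", "Monitoring Reader", "Log Analytics Reader",
    "Backup Reader", "Reservations Reader", "Savings plan reader", "Carbon Optimization Reader",
}

# Constructed subset of the Microsoft Graph service principal's appRoles.
# The GUIDs are placeholders, not Microsoft's real appRoleIds.
GRAPH_APP_ROLES = [
    {"id": "11111111-0000-0000-0000-000000000001", "value": "Directory.Read.All"},
    {"id": "11111111-0000-0000-0000-000000000002", "value": "Reports.Read.All"},
    {"id": "11111111-0000-0000-0000-000000000003", "value": "Mail.ReadWrite"},
    {"id": "11111111-0000-0000-0000-000000000004", "value": "Chat.Read.All"},
]

# Constructed appRoleAssignments on the vendor's enterprise app. The last two drift
# from the documented set (one is undocumented, one is write-capable).
GRAPH_ASSIGNMENTS = [
    {"appRoleId": "11111111-0000-0000-0000-000000000001", "resourceDisplayName": "Microsoft Graph"},
    {"appRoleId": "11111111-0000-0000-0000-000000000002", "resourceDisplayName": "Microsoft Graph"},
    {"appRoleId": "11111111-0000-0000-0000-000000000003", "resourceDisplayName": "Microsoft Graph"},
    {"appRoleId": "11111111-0000-0000-0000-000000000004", "resourceDisplayName": "Microsoft Graph"},
]

# Constructed Azure role assignments for the vendor's service principal, with one
# write-capable role that should never appear.
AZURE_ASSIGNMENTS = [
    {"roleDefinitionName": "Reader", "scope": "/subscriptions/<constructed-sub-id>"},
    {"roleDefinitionName": "Cost Management Reader", "scope": "/subscriptions/<constructed-sub-id>"},
    {"roleDefinitionName": "Contributor", "scope": "/subscriptions/<constructed-sub-id>/resourceGroups/rg-demo"},
]


def is_read_only_graph_scope(scope):
    """True when the permission's action segment is exactly 'Read' (Directory.Read.All,
    Reports.Read.All). Mail.ReadWrite or Group.ReadWrite.All fail, as does any name that
    could not be resolved from its appRoleId."""
    parts = scope.split(".")
    return len(parts) >= 2 and parts[1] == "Read"


def resolve_graph_permissions(assignments, app_roles):
    """Map each appRoleAssignment's appRoleId to its human-readable permission value."""
    by_id = {role["id"]: role["value"] for role in app_roles}
    return sorted(by_id.get(a["appRoleId"], f"UNKNOWN:{a['appRoleId']}") for a in assignments)


def audit_graph(assignments, app_roles, allowlist=DOCUMENTED_GRAPH_PERMISSIONS):
    """Split granted Graph permissions into documented, undocumented and write-capable."""
    granted = resolve_graph_permissions(assignments, app_roles)
    return {
        "documented": sorted(p for p in granted if p in allowlist),
        "undocumented": sorted(p for p in granted if p not in allowlist),
        "write_capable": sorted(p for p in granted if not is_read_only_graph_scope(p)),
    }


def audit_azure(assignments, allowlist=DOCUMENTED_AZURE_ROLES):
    """Same split for Azure RBAC; every documented role is a reader role, so anything
    whose name lacks 'reader' is treated as write-capable."""
    granted = sorted(a["roleDefinitionName"] for a in assignments)
    return {
        "documented": sorted(r for r in granted if r in allowlist),
        "undocumented": sorted(r for r in granted if r not in allowlist),
        "write_capable": sorted(r for r in granted if "reader" not in r.lower()),
    }


if __name__ == "__main__":
    for name, result in (("Graph", audit_graph(GRAPH_ASSIGNMENTS, GRAPH_APP_ROLES)),
                         ("Azure", audit_azure(AZURE_ASSIGNMENTS))):
        print(name)
        for bucket, items in result.items():
            print(f"  {bucket}: {items}")
```

Anything in `undocumented` warrants a question to the vendor; anything in `write_capable` contradicts the "never holds write access" statement above and should be revoked pending explanation. Re-running the audit on a schedule also catches consent that is added later, since admin consent to new application permissions does not re-prompt you.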
What Zation does not require
- No write access to any resource — Zation cannot create, change, or delete anything in your tenant.
- No mail, calendar, or contact data — Mail.Read, Calendars.Read, and Contacts.Read are never requested.
- No file or chat content — Files.Read, Chat.Read, and ChannelMessage.Read.All are never requested.
- No Teams call audio or transcripts — only call-record metadata.
- No service principals with client secrets are created in your tenant.
- No raw sign-in event logs — only the lastSignInDateTime aggregate per user.
For data residency, encryption, and the full field-by-field data catalogue, see Security.