Configuring a read-only relationship
The minimum permissions to set up a read-only environment are:
Global Reader
Application Administrator
Global Reader provides Augmentt with read access to tenant configuration, users, policies, licenses, and security data. Application Administrator is required so Augmentt can deploy its enterprise application into the customer tenant — without it, there is nothing in the tenant for Augmentt to authenticate against.
This is the least-privilege configuration Augmentt supports. The Magic Link flow requests a broader set of permissions and cannot be used for a read-only deployment.
Setting up the relationship
Create a granular admin (GDAP) relationship with the customer in Microsoft Partner Center and assign only the Global Reader and Application Administrator Entra roles. A customer Global Administrator must approve the relationship before Augmentt can connect.
Once approved, sign in to the Augmentt Portal, go to Configuration > Integrations, and connect Microsoft 365 Cloud Service Provider (CSP). On first connection, Augmentt deploys its enterprise application into the customer tenant. After deployment, the integration runs against Global Reader for ongoing data collection.
Keep Application Administrator in the relationship after the initial connection. It is needed again if Augmentt requests new scopes and the enterprise application needs to be reconsented.
For details on creating admin relationships, see Microsoft's GDAP documentation.
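To confirm that a relationship actually carries only the two roles above (and is approved), the following added Python helper audits relationship records as an example; it is not Augmentt's or Microsoft's code. It assumes records in the shape of the Microsoft Graph delegatedAdminRelationship resource, uses Entra's well-known role template IDs, and the sample records and function names are constructed for illustration.

```python
# Added audit helper (hypothetical; not Augmentt or Microsoft code). Records
# follow the Graph delegatedAdminRelationship shape returned by
# GET /tenantRelationships/delegatedAdminRelationships; samples are constructed.

# Entra built-in role template IDs (well-known, tenant-independent values).
GLOBAL_READER = "f2ef992c-3afb-46b9-b7cf-a126ee74c451"
APPLICATION_ADMINISTRATOR = "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"
GLOBAL_ADMINISTRATOR = "62e90394-69f5-4237-9190-012177145e10"  # sample only

# The exact role set a read-only Augmentt relationship should carry.
READ_ONLY_ROLES = {GLOBAL_READER, APPLICATION_ADMINISTRATOR}


def audit_relationship(rel: dict) -> dict:
    """Compare one relationship's roles with the read-only set.

    ready:           customer-approved (status 'active') and both roles present
    least_privilege: no roles beyond Global Reader + Application Administrator
    """
    roles = rel.get("accessDetails", {}).get("unifiedRoles", [])
    assigned = {r["roleDefinitionId"].lower() for r in roles}  # IDs are case-insensitive
    missing = sorted(READ_ONLY_ROLES - assigned)
    extra = sorted(assigned - READ_ONLY_ROLES)
    return {
        "displayName": rel.get("displayName"),
        "status": rel.get("status"),
        "missing": missing,
        "extra": extra,
        "ready": rel.get("status") == "active" and not missing,
        "least_privilege": not extra,
    }


def audit_all(relationships: list) -> list:
    """Return findings only for relationships that need attention."""
    return [a for a in map(audit_relationship, relationships)
            if not (a["ready"] and a["least_privilege"])]


# Constructed sample records, not captured from a real tenant.
SAMPLE_RELATIONSHIPS = [
    {"displayName": "Contoso read-only", "status": "active",
     "accessDetails": {"unifiedRoles": [{"roleDefinitionId": GLOBAL_READER},
                                        {"roleDefinitionId": APPLICATION_ADMINISTRATOR}]}},
    {"displayName": "Fabrikam", "status": "approvalPending",   # not yet approved
     "accessDetails": {"unifiedRoles": [{"roleDefinitionId": GLOBAL_READER.upper()},
                                        {"roleDefinitionId": GLOBAL_ADMINISTRATOR}]}},
]
```

Run it against the list returned by the Graph endpoint named above; any relationship reported with an `extra` role is broader than the read-only configuration described on this page.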
What this configuration supports
Secure posture score and Graph API–based posture items
User, group, license, and role inventory
Risk detections and threat alerts
Reporting across the connected tenant
What this configuration does not support
Features that require write scopes will not function:
Engage password resets and user actions
Conditional Access policy creation and editing from Augmentt
MFA enforcement workflows
Posture items backed by Exchange Online PowerShell (anti-spam, DLP, safe attachment, shared mailbox details)
To enable these later, replace the relationship with the full GDAP role set or connect the tenant through the Magic Link.
