When you connect Atera to Microsoft Entra ID, the Atera application requests a set of permissions (OAuth 2.0 scopes) from your tenant. This article explains each permission Atera requests, what it allows, and when it is actually used.
For setup instructions, see Sync users and contacts from Microsoft Entra ID.
About this article
This article is intended for IT security, compliance, and admin reviewers who need to understand exactly what Atera is asking for during the Entra ID OAuth consent flow — either before approving the integration, or as part of an internal audit.
For each permission, you'll find:
- The permission name as it appears in the consent screen
- The Microsoft Graph scope
- A description taken directly from Microsoft's official documentation
Some permissions appear twice in Atera's request, once as an Application permission and once as a Delegated permission, because different parts of the platform run in different authentication contexts:
- Delegated permissions are used when a signed-in user is present. The access token carries both the application's identity and the user's, and Microsoft Graph enforces the user's own privileges on every call.
- Application permissions are used when Atera or Robin acts autonomously in the background with no user session. The token carries only the application's identity, and these permissions always require administrator consent.
Where a permission is requested as both types, the description below uses the Application permission text from Microsoft's documentation, as this is the more permissive of the two. Where a permission is only requested as a Delegated permission, the Delegated description is used.
Important: understanding when permissions are invoked
Granted does not mean active
The permissions listed in this article are granted at the point of authorizing the Atera Entra ID application, regardless of which Atera features are subsequently enabled. The full set of OAuth scopes is consented in Entra ID (and is visible under the enterprise application's Permissions blade) even if only a subset of Atera functionality is in use, such as user sync alone.
Granting these scopes does not, by itself, cause any action to be taken in your Entra ID environment. The permissions are a ceiling, not an instruction. They are also durable: consent persists until an administrator revokes it, independent of whether the feature that needed a given scope is later switched off.
Write permissions and Robin (IT Autopilot)
Read/write and write-capable scopes are not invoked unless Robin is enabled in your Atera environment. When Robin is enabled, these permissions are exercised in only two scenarios:
- As part of an automated workflow that Robin has been configured to execute (for example, a triggered onboarding or offboarding sequence).
- In direct response to an explicit instruction from a user interacting with Robin (for example, a technician or end user asking Robin to reset a password or update a mailbox setting).
Robin does not take any action autonomously outside these two contexts. Note that this restraint is implemented on Atera's side: Entra ID does not know whether Robin is enabled and will honor any call that falls within the consented scopes. Your tenant's audit and sign-in logs, not the feature toggle, are the authoritative record of what the application has actually done.
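One way to check that statement against your own tenant's record rather than take it on trust, as an added example that is not Atera's code: the script below pulls the Entra ID directory audit log for a window of days and keeps only the entries the Atera application itself initiated, which is the autonomous (application-permission) path described above. It assumes the Microsoft Graph PowerShell SDK is installed, that the account running it can consent to AuditLog.Read.All, and that the enterprise application is registered under the display name 'Atera' (the $AppDisplayName parameter is an assumption; change it if your tenant uses another name).

```powershell
# Added example, not Atera's own code: list the directory changes the Atera
# application itself initiated, so "write scopes are not invoked unless Robin is
# enabled" can be verified against the tenant's audit log.
# Assumptions: Microsoft Graph PowerShell SDK; enterprise app display name 'Atera'.
param(
    [string]$AppDisplayName = 'Atera',
    [int]$Days = 30
)

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Application.Read.All' -NoWelcome

$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'" | Select-Object -First 1
if (-not $sp) { throw "No service principal named '$AppDisplayName' in this tenant." }

# activityDateTime is filtered server-side; the initiator match is done client-side so
# the script does not depend on which initiatedBy sub-properties are filterable.
$since   = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
$entries = Get-MgAuditLogDirectoryAudit -Filter "activityDateTime ge $since" -All

# Entries whose initiator is the app are application-permission calls made under the
# app's own identity. Changes made through delegated permissions are attributed to the
# signed-in user in this log and need to be correlated through that user instead.
$byApp = $entries | Where-Object { $_.InitiatedBy.App.AppId -eq $sp.AppId }

if (-not $byApp) {
    "No directory changes initiated by '$AppDisplayName' in the last $Days days."
    return
}

# Which operations were performed, and how often. Any write operation (Update user,
# Add member to group, Reset user password, ...) appearing here while Robin is disabled
# contradicts the statement above and is worth raising with the vendor.
$byApp | Group-Object ActivityDisplayName | Sort-Object Count -Descending |
    Select-Object @{ n = 'Operation'; e = { $_.Name } }, Count | Format-Table -AutoSize

# The most recent 20 entries with the objects they touched.
$byApp | Sort-Object ActivityDateTime -Descending | Select-Object -First 20 |
    ForEach-Object {
        [pscustomobject]@{
            When      = $_.ActivityDateTime
            Operation = $_.ActivityDisplayName
            Result    = $_.Result
            Targets   = ($_.TargetResources | ForEach-Object { "$($_.Type):$($_.DisplayName)" }) -join ', '
        }
    } | Format-Table -AutoSize
```

Run it once before enabling Robin to capture a baseline (the expected result is an empty list), and again afterwards; the difference between the two runs is exactly the set of autonomous operations the write scopes were used for.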
Effective permissions: delegated access is bounded by the user, application access is not
For Delegated permissions the OAuth 2.0 scope is only an upper bound. Microsoft Graph evaluates each delegated call as the intersection of the scopes granted to the application and the privileges of the signed-in user. If that user lacks the native Entra ID rights to perform an action, such as modifying another user's authentication methods, altering group membership, or updating another mailbox's settings, the call fails even though the relevant scope has been consented. In other words: the scope establishes what the application is allowed to request; the user's own role-based access within Entra ID determines whether that request will be honored.
Application permissions behave differently. They are exercised under the application's own identity with no user present, so there is no user role to intersect with: the consented scope is the effective permission, tenant-wide. It is constrained only by controls you apply to the service principal itself, for example Conditional Access for workload identities, or an Exchange Online application access policy (New-ApplicationAccessPolicy) that limits the Mail, Calendars, Contacts and MailboxSettings application permissions to a named set of mailboxes. For that reason a review should pay most attention to which of the scopes below were consented as Application permissions.
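The distinction above is visible in the tenant itself: Application permissions are stored as app role assignments on the Microsoft Graph service principal, Delegated permissions as oauth2PermissionGrants. The following script, an added example and not Atera's code, inventories both for the Atera enterprise application, labels each scope with whether a signed-in user's role bounds it, and diffs the result against the scope list documented on this page. It assumes the Microsoft Graph PowerShell SDK, an account that can consent to Application.Read.All and Directory.Read.All, and an enterprise application named 'Atera' (the $AppDisplayName parameter and the $documented list are the assumptions to adjust).

```powershell
# Added example, not Atera's own code: inventory what the Atera enterprise application
# was actually consented in this tenant, split by permission type, and diff it
# against the scopes documented on this page.
# Assumptions: Microsoft Graph PowerShell SDK; enterprise app display name 'Atera'.
param([string]$AppDisplayName = 'Atera')

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

$GraphAppId = '00000003-0000-0000-c000-000000000000'   # well-known appId of Microsoft Graph
$atera = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'" | Select-Object -First 1
if (-not $atera) { throw "No service principal named '$AppDisplayName' in this tenant." }
$graph = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"

# Application permissions: appRoleAssignments reference a role id on the resource.
# Map each id back to its scope string through Graph's own appRoles list.
$roleValue = @{}
foreach ($role in $graph.AppRoles) { $roleValue[[string]$role.Id] = $role.Value }
$appPerms = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $atera.Id -All |
    Where-Object { $_.ResourceId -eq $graph.Id } |
    ForEach-Object { $roleValue[[string]$_.AppRoleId] } |
    Sort-Object -Unique)

# Delegated permissions: oauth2PermissionGrants carry a space-separated scope string.
# ConsentType 'AllPrincipals' means tenant-wide admin consent; 'Principal' is per user.
$delegatedPerms = @(Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $atera.Id -All |
    Where-Object { $_.ResourceId -eq $graph.Id } |
    ForEach-Object { $_.Scope -split '\s+' } |
    Where-Object { $_ } |
    Sort-Object -Unique)

# Scopes documented on this page. offline_access is an OpenID Connect scope, not a
# Graph appRole, so it can only ever appear on the delegated side.
$documented = @(
    'User.Read', 'User.ReadBasic.All', 'User.Read.All', 'User.ReadWrite.All', 'User.ReadWrite',
    'UserAuthenticationMethod.ReadWrite.All', 'Directory.AccessAsUser.All',
    'Directory.Read.All', 'Directory.ReadWrite.All', 'Group.ReadWrite.All',
    'Application.ReadWrite.OwnedBy', 'Organization.Read.All',
    'Calendars.Read', 'Calendars.ReadWrite', 'MailboxSettings.ReadWrite', 'Mail.ReadWrite',
    'Mail.Send', 'offline_access',
    'Files.ReadWrite.All', 'Sites.ReadWrite.All', 'Sites.FullControl.All', 'Contacts.ReadWrite',
    'Reports.Read.All', 'ReportSettings.ReadWrite.All', 'Place.Read.All',
    'DeviceManagementManagedDevices.ReadWrite.All', 'CloudPC.ReadWrite.All'
)

# Application rows are the ones no user role limits; review those first.
$report = @(
    $appPerms       | ForEach-Object { [pscustomobject]@{ Scope = $_; Type = 'Application'; BoundedByUser = $false } }
    $delegatedPerms | ForEach-Object { [pscustomobject]@{ Scope = $_; Type = 'Delegated';   BoundedByUser = $true  } }
)
$report | Sort-Object Type, Scope | Format-Table -AutoSize

$granted = @($appPerms + $delegatedPerms | Sort-Object -Unique)
$diff = Compare-Object -ReferenceObject $documented -DifferenceObject $granted
'Granted in this tenant but not documented on this page:'
($diff | Where-Object SideIndicator -eq '=>').InputObject
'Documented on this page but not granted in this tenant:'
($diff | Where-Object SideIndicator -eq '<=').InputObject
```

A non-empty first diff list is the finding that matters: a scope consented in the tenant that the vendor's own reference does not list should be explained or revoked. Scopes in the second list may simply reflect an older consent that predates a feature being added.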
Official Microsoft reference
The Scope and description values in the tables below are taken directly from Microsoft's official permissions reference. You can verify each scope at:
https://learn.microsoft.com/en-us/graph/permissions-reference
Permissions requested by Atera
User and identity permissions
| Permission | Scope | What it does |
|---|---|---|
| Sign in and read user profile | User.Read | Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. |
| Read all users' basic profiles | User.ReadBasic.All | Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address, open extensions, and photo. |
| Read all users' full profiles | User.Read.All | Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. |
| Read and write all users' full profiles | User.ReadWrite.All | Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. Also allows the app to create and delete users as well as reset user passwords on behalf of the signed-in user. |
| Read and write access to user profile | User.ReadWrite | Allows the app to read your profile. It also allows the app to update your profile information on your behalf. |
| Read and write all users' authentication methods | UserAuthenticationMethod.ReadWrite.All | Allows the app to read and write authentication methods of all users in your organization, without a signed-in user. Authentication methods include things like a user's phone numbers and Authenticator app settings. |
| Access directory as the signed-in user | Directory.AccessAsUser.All | Allows the app to have the same access to information in the directory as the signed-in user. |
Of these, UserAuthenticationMethod.ReadWrite.All deserves particular attention: its description is the Application permission text, so it is exercised under the app's own identity, not limited by any user's role, and it covers registering or replacing the MFA methods of every user in the tenant.
Directory and group permissions
| Permission | Scope | What it does |
|---|---|---|
| Read directory data | Directory.Read.All | Allows the app to read data in your organization's directory, such as users, groups, and apps, without a signed-in user. |
| Read and write directory data | Directory.ReadWrite.All | Allows the app to read and write data in your organization's directory, such as users and groups. It does not allow the app to delete users or groups, or reset user passwords. |
| Read and write all groups | Group.ReadWrite.All | Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write conversations. All of these operations can be performed by the app without a signed-in user. |
| Manage apps that this app creates or owns | Application.ReadWrite.OwnedBy | Allows the app to create other applications, and fully manage those applications (read, update, update application secrets, and delete), without a signed-in user. It cannot update any apps that it is not an owner of. |
| Read organization information | Organization.Read.All | Allows the app to read the organization and related resources, without a signed-in user. Related resources include things like subscribed SKUs and tenant branding information. |
Mail and calendar permissions
| Permission | Scope | What it does |
|---|---|---|
| Read user calendars | Calendars.Read | Allows the app to read events in user calendars. |
| Read and write calendars in all mailboxes | Calendars.ReadWrite | Allows the app to create, read, update, and delete events of all calendars without a signed-in user. |
| Read and write all user mailbox settings | MailboxSettings.ReadWrite | Allows the app to create, read, update, and delete users' mailbox settings without a signed-in user. Does not include permission to send mail. |
| Read and write mail in all mailboxes | Mail.ReadWrite | Allows the app to create, read, update, and delete mail in all mailboxes without a signed-in user. Does not include permission to send mail. |
| Send mail as any user | Mail.Send | Allows the app to send mail as any user without a signed-in user. |
| Maintain access to data you have given it access to | offline_access | Allows the app to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions. |
offline_access is an OpenID Connect scope rather than a Microsoft Graph permission: it lets the app obtain a refresh token, so delegated access continues after the authorizing user's session ends. It adds nothing beyond the delegated scopes already listed.
Files and SharePoint permissions
| Permission | Scope | What it does |
|---|---|---|
| Have full access to all files user can access | Files.ReadWrite.All | Allows the app to read, create, update, and delete all files the signed-in user can access. |
| Edit or delete items in all site collections | Sites.ReadWrite.All | Allows the application to edit or delete documents and list items in all site collections on behalf of the signed-in user. |
| Have full control of all site collections | Sites.FullControl.All | Allows the app to have full control of all site collections without a signed-in user. |
Contacts permissions
| Permission | Scope | What it does |
|---|---|---|
| Have full access to user contacts | Contacts.ReadWrite | Allows the app to create, read, update, and delete all contacts in all mailboxes without a signed-in user. |
Reporting and admin permissions
| Permission | Scope | What it does |
|---|---|---|
| Read all usage reports | Reports.Read.All | Allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Office 365 and Microsoft Entra ID. |
| Read and write admin report settings | ReportSettings.ReadWrite.All | Allows the app to read and update admin report settings, such as whether to display concealed information in reports, on behalf of the signed-in user. |
| Read all company places | Place.Read.All | Allows the app to read company places (conference rooms and room lists) for calendar events and other applications, without a signed-in user. |
Device and endpoint permissions
| Permission | Scope | What it does |
|---|---|---|
| Read and write Microsoft Intune devices | DeviceManagementManagedDevices.ReadWrite.All | Allows the app to read and write the properties of devices managed by Microsoft Intune, without a signed-in user. Does not allow high-impact operations such as remote wipe and password reset on the device's owner. |
| Read and write Cloud PCs | CloudPC.ReadWrite.All | Allows the app to read and write the properties of Cloud PCs, without a signed-in user. |