Application Discovery connects to Microsoft Entra ID to identify which applications are accessed through SSO. We understand that visibility into permissions and data handling is important.
The following FAQ provides a clear breakdown of what access is granted, what is not accessible, and how SysAid protects your data.
What permissions does Application Discovery use?
To identify applications accessed through Microsoft Entra ID SSO, Application Discovery uses the Microsoft Entra ID permission AuditLog.Read.All.
This permission grants read-only access to Entra ID audit and sign-in logs, and nothing beyond them.
It does not provide access to:
Application-internal audit logs
Network traffic or telemetry
The contents of applications
User data stored within applications
In simple terms, Application Discovery can detect a sign-in and identify which application was accessed. It cannot see what users do inside those applications or any data they interact with.
The access is:
Limited and read-only
Restricted to Entra ID audit and sign-in logs
Required to accurately identify applications accessed via SSO
SysAid does not store or misuse sensitive identity telemetry.
What user and activity data does Application Discovery access?
Application Discovery can access the following log data from Entra ID:
Sign-in events, including timestamp, success or failure, and authentication method (such as MFA)
Directory audit events, such as changes to users, groups, or enterprise applications
These logs may contain certain identifiers, such as user IDs or sign-in locations. However, SysAid processes only what is strictly required.
For Application Discovery, the only user-specific value used is an anonymized user identifier, and it is used solely to calculate application usage.
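The processing described above, as an added example that is not SysAid's code: sign-in records are reduced to the fields needed to attribute a sign-in to an application, the directory user id is replaced by a keyed hash so distinct users can be counted without retaining the identifier, and MFA is read only as recorded on each event. The records are constructed here and follow the shape of Microsoft Graph `/auditLogs/signIns` entries (`appDisplayName`, `appId`, `userId`, `status.errorCode`, `authenticationRequirement`); retrieving them from a tenant is what requires AuditLog.Read.All, and the pseudonym key is a hypothetical value.

```python
"""Derive application usage from Entra ID sign-in log records.

Added example, not SysAid's code. The records below are constructed and
follow the shape of Microsoft Graph /auditLogs/signIns entries
(appDisplayName, appId, userId, status.errorCode, authenticationRequirement).
Retrieving such entries from a tenant requires the AuditLog.Read.All
permission discussed on this page; this script only processes records that
have already been retrieved, and keeps nothing beyond what the usage
calculation needs.
"""
import hashlib
import hmac
from collections import defaultdict

# Constructed sample sign-in events (not real tenant data).
SAMPLE_SIGNINS = [
    {"appDisplayName": "Salesforce", "appId": "app-0001", "userId": "u-alice",
     "createdDateTime": "2024-05-01T08:00:00Z", "status": {"errorCode": 0},
     "authenticationRequirement": "multiFactorAuthentication",
     "ipAddress": "203.0.113.10", "location": {"city": "Tel Aviv"}},
    {"appDisplayName": "Salesforce", "appId": "app-0001", "userId": "u-alice",
     "createdDateTime": "2024-05-02T09:15:00Z", "status": {"errorCode": 0},
     "authenticationRequirement": "multiFactorAuthentication",
     "ipAddress": "203.0.113.10", "location": {"city": "Tel Aviv"}},
    {"appDisplayName": "Salesforce", "appId": "app-0001", "userId": "u-bob",
     "createdDateTime": "2024-05-02T10:00:00Z", "status": {"errorCode": 50126},
     "authenticationRequirement": "singleFactorAuthentication",
     "ipAddress": "198.51.100.7", "location": {"city": "London"}},
    {"appDisplayName": "Jira", "appId": "app-0002", "userId": "u-bob",
     "createdDateTime": "2024-05-03T11:30:00Z", "status": {"errorCode": 0},
     "authenticationRequirement": "singleFactorAuthentication",
     "ipAddress": "198.51.100.7", "location": {"city": "London"}},
    {"appDisplayName": "Jira", "appId": "app-0002", "userId": "u-carol",
     "createdDateTime": "2024-05-03T12:00:00Z", "status": {"errorCode": 0},
     "authenticationRequirement": "multiFactorAuthentication",
     "ipAddress": "192.0.2.44", "location": {"city": "Berlin"}},
]

# Hypothetical per-tenant key for the keyed hash. In practice it is a secret
# held by the processing service, never derived from tenant data.
PSEUDONYM_KEY = b"example-key-do-not-reuse"


def anonymize_user(user_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Map a directory user id to a keyed SHA-256 pseudonym.

    Keyed (HMAC) rather than plain hashing, so the mapping cannot be reversed
    by hashing candidate user ids without the key.
    """
    return hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def minimize(record: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Keep only the fields needed to attribute a sign-in to an application.

    IP address, location and the raw user id are dropped; the user survives
    only as a pseudonym used for distinct-user counting.
    """
    return {
        "app_id": record["appId"],
        "app_name": record["appDisplayName"],
        "user": anonymize_user(record["userId"], key),
        # Graph records a successful sign-in as errorCode 0.
        "success": record.get("status", {}).get("errorCode") == 0,
        "mfa": record.get("authenticationRequirement") == "multiFactorAuthentication",
    }


def summarize_app_usage(signins, key: bytes = PSEUDONYM_KEY) -> dict:
    """Return per-application counts: sign-ins, successes, failures, MFA
    sign-ins, and distinct users with at least one successful sign-in."""
    stats = defaultdict(lambda: {"signins": 0, "successful": 0, "failed": 0,
                                 "mfa": 0, "users": set()})
    for record in signins:
        event = minimize(record, key)
        app = stats[event["app_name"]]
        app["signins"] += 1
        if event["success"]:
            app["successful"] += 1
            app["users"].add(event["user"])
        else:
            app["failed"] += 1
        if event["mfa"]:
            app["mfa"] += 1
    # Replace the pseudonym sets with counts so no per-user value is retained.
    return {name: {**s, "users": len(s["users"])} for name, s in stats.items()}


if __name__ == "__main__":
    for app, usage in summarize_app_usage(SAMPLE_SIGNINS).items():
        print(app, usage)
```

The output for the constructed records is one line per application with its sign-in, success, failure, MFA and distinct-user counts; failed sign-ins are counted but do not add a user, and nothing about the user beyond the pseudonym leaves `minimize`.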
Does Application Discovery have access to security configurations or policies?
No.
The permission used does not provide access to security configurations or policies, including:
MFA enforcement settings
Conditional access rules
Security policies
It can only indicate whether MFA was used during a specific sign-in event, as recorded in the audit log.
Is this permission tenant-wide?
Yes.
The AuditLog.Read.All permission is tenant-wide by Microsoft design and cannot be scoped more narrowly.
Tenant-wide visibility is necessary for Application Discovery to accurately identify all applications accessed via Entra ID SSO across the organization.
Does Application Discovery have administrative or write access?
No.
The permission is strictly:
Read-only
Non-administrative
Unable to modify users, groups, or roles
Application Discovery cannot change or manage identity data in any way.
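A tenant administrator can confirm the read-only, non-administrative claim above by reviewing what the integration's enterprise application has actually been consented. The check below is an added example, not SysAid's or Microsoft's code: it compares a list of granted permission value strings (constructed here; in a real review, read from the application's admin-consented permissions) with the single permission this page names, and flags any grant whose name indicates write or admin capability.

```python
"""Check the Graph permissions granted to an integration against the
least-privilege set this page describes (read-only, no write access).

Added example, not SysAid's or Microsoft's code. The grant lists are
constructed; in a real review they would come from the enterprise
application's admin-consented permissions, expressed as their value
strings (for example "AuditLog.Read.All").
"""

# The single permission this page states Application Discovery requires.
EXPECTED_PERMISSIONS = {"AuditLog.Read.All"}

# Name fragments that indicate write or administrative capability in Graph
# permission values (for example Directory.ReadWrite.All or
# Directory.AccessAsUser.All).
WRITE_MARKERS = ("Write", "AccessAsUser")


def review_grants(granted) -> dict:
    """Compare granted permission values with the expected read-only set.

    Returns the permissions that are missing, the extras beyond the expected
    set, the subset of grants that would confer write or admin capability,
    and an overall ok flag that is true only for an exact match.
    """
    granted = set(granted)
    return {
        "missing": sorted(EXPECTED_PERMISSIONS - granted),
        "unexpected": sorted(granted - EXPECTED_PERMISSIONS),
        "write_capable": sorted(p for p in granted
                                if any(marker in p for marker in WRITE_MARKERS)),
        "ok": granted == EXPECTED_PERMISSIONS,
    }


# Constructed grant lists for two hypothetical tenants.
COMPLIANT_GRANTS = ["AuditLog.Read.All"]
OVERPRIVILEGED_GRANTS = ["AuditLog.Read.All", "User.Read.All",
                         "Directory.ReadWrite.All"]


if __name__ == "__main__":
    for label, grants in (("compliant", COMPLIANT_GRANTS),
                          ("over-privileged", OVERPRIVILEGED_GRANTS)):
        print(label, review_grants(grants))
```

Any non-empty `unexpected` or `write_capable` list is a finding to raise with whoever consented the application, since the page states that nothing beyond AuditLog.Read.All is needed.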
How does SysAid handle potentially sensitive data?
Entra ID audit logs may contain personal identifiers. SysAid treats this data in accordance with applicable privacy regulations and security best practices.
Please note:
This is the least invasive permission available from Microsoft to enable application discovery.
There is currently no more restrictive alternative for this use case.
Application Discovery is designed to provide visibility into application usage while minimizing data exposure and maintaining strong security standards.