Documentation Index

Fetch the complete documentation index at: https://documentation.sysaid.com/llms.txt

Use this file to discover all available pages before exploring further.

Application Discovery Permissions & Data Access Overview

Prev Next

Application Discovery helps your organization identify SaaS applications that are being accessed and used, so IT and software asset management teams can maintain an accurate application inventory, manage licenses, and reduce security risk.

Application Discovery can collect application usage signals through supported discovery methods, including:

  • Microsoft Entra ID, which identifies applications accessed through SSO.

  • SysAid Browser Extension, which identifies usage of supported SaaS applications from managed work browsers.

The information below explains what each discovery method can access, what it cannot access, and how SysAid handles the data.

Microsoft Entra ID

Use this section to understand what data Application Discovery accesses when connected to Microsoft Entra ID.

What permission does Application Discovery use for Microsoft Entra ID?

Application Discovery uses the Microsoft Entra ID permission AuditLog.Read.All.

This permission provides read-only access to Entra ID audit and sign-in logs. It is used to identify applications accessed through Microsoft Entra ID SSO.

This permission does not provide access to:

  • Application-internal audit logs

  • Network traffic or telemetry

  • The contents of applications

  • User data stored within applications

In simple terms, Application Discovery can detect that a sign-in happened and identify which application was accessed. It cannot see what users do inside those applications or any data they interact with.

What user and activity data does Application Discovery access from Entra ID?

Application Discovery can access log data from Entra ID, including:

Sign-in events, such as timestamp, success or failure, and authentication method

Directory audit events, such as changes to users, groups, or enterprise applications

These logs may contain certain identifiers, such as user IDs or sign-in locations. However, SysAid processes only what is required for Application Discovery.

For this discovery method, the only user-specific value used is an anonymized user identifier, and it is used only to calculate application usage.

Does Application Discovery have access to security configurations or policies?

No.

The Entra ID permission used by Application Discovery does not provide access to security configurations or policies, including:

MFA enforcement settings

Conditional access rules

Security policies

Application Discovery can only indicate whether MFA was used during a specific sign-in event, as recorded in the audit log.

Is the Entra ID permission tenant-wide

Yes.

The AuditLog.Read.All permission is tenant-wide by Microsoft design and cannot be scoped more narrowly.

Tenant-wide visibility is necessary for Application Discovery to identify applications accessed through Entra ID SSO across the organization.

Does Application Discovery have administrative or write access to Entra ID?

No.

The permission is strictly:

  • Read-only

  • Non-administrative

  • Unable to modify users, groups, roles, policies, or identity data

Application Discovery cannot change or manage identity data in any way.

How does SysAid handle potentially sensitive Entra ID data?

Entra ID audit and sign-in logs may contain personal identifiers. SysAid treats this data in accordance with applicable privacy regulations and security best practices.

Application Discovery uses the least invasive Microsoft permission available for this use case. There is currently no more restrictive Microsoft permission that supports the same application discovery capability.

Application Discovery is designed to provide visibility into application usage while minimizing data exposure and maintaining strong security standards.

SysAid Browser Extension

Understand what data Application Discovery accesses when your organization deploys the SysAid Browser Extension.

What is the SysAid Browser Extension used for?

The SysAid Browser Extension helps IT and software asset management teams understand which SaaS applications are being used in the organization.

It is used to support license management, application inventory, and security visibility by detecting usage of supported business SaaS applications from managed work browsers.

The extension is not intended to monitor employee productivity, evaluate individual performance, or track what users do inside applications.

Who controls whether the extension is installed?

The extension is installed and activated by your organization’s IT administrator through enterprise browser management policies for Chrome or Edge.

Your organization decides:

  • Whether the extension is deployed

  • Which managed browsers or devices receive it

  • Which user populations receive it

  • Whether reporting is active or paused

SysAid provides the service that receives and processes the data on behalf of your organization.

Can the extension run on a personal browser?

The extension is designed for managed work browsers deployed through enterprise browser policies.

It cannot run on a personal browser that has not been configured by the organization’s managed IT policy.

What does the extension collect?

The extension collects limited SaaS usage signals for supported applications in a curated application catalog.

It may collect:

  • The signed-in user’s corporate email

  • The application name

  • The application domain

  • A timestamp

  • The browser used, such as Chrome or Edge

  • The extension version

  • An internal detection method identifier used to improve detection quality

  • The OAuth provider used during SSO, such as Google or Microsoft, when detectable from the page

The extension uses this information to identify that a supported SaaS application was accessed or is actively being used.

How does the extension use the user’s email address?

The extension reads the email associated with the browser profile and validates that it is a corporate email address.

Personal email addresses, such as common consumer email domains, are rejected. If a corporate email cannot be validated, the extension remains inactive.

The corporate email is used to attribute SaaS usage signals to the correct employee record in the organization’s SysAid environment.

What types of SaaS usage can the extension detect?

The extension can detect usage of supported SaaS applications in the application catalog.

Detection may include:

  • Login detection, when the extension identifies that a user has signed in to a supported application

  • Active-session detection, when the extension confirms that the user is currently signed in while using a supported application

Examples of supported business SaaS applications may include tools such as Salesforce, Workday, Atlassian, Microsoft 365, ChatGPT, or Notion.

Does the extension collect passwords?

No.

The extension never reads, stores, or transmits password values.

It may check whether a password field exists on a page to help determine whether the page is a sign-in page, but it does not collect the password itself.

Does the extension collect page content?

No.

The extension does not record, store, or transmit the content of pages users visit.

It only reads the limited page information needed to detect whether the user is on a recognized SaaS application and, when relevant, whether the email shown on the page matches the confirmed corporate email.

Does the extension collect form values?

No.

The extension does not capture values typed into forms.

The only exception is confirming whether an email value matches the user’s confirmed corporate email. This helps ensure that usage is attributed to the correct user, especially on shared machines.

Does the extension track browsing history?

No.

The extension ignores sites that are not part of the curated SaaS application catalog.

Visits to unrelated websites are not recorded, transmitted, or stored.

Does the extension track personal browsing?

The extension is designed to detect business SaaS usage, not personal browsing.

If a user signs in to a SaaS application with a personal, non-corporate account, the extension is designed to suppress that event where personal-versus-corporate account verification is possible.

What is the data used for?

The data helps your organization understand:

  • Which SaaS applications are being used

  • How many employees use each application

  • Whether licenses are being used, underused, or overallocated

  • Whether unauthorized or unmanaged SaaS applications may pose a security or compliance risk

The data is not used to evaluate employee performance, monitor productivity, or track time spent inside an application.

Where is extension data sent?

When the extension records a SaaS usage event, the data is sent over HTTPS to:

  • The organization’s SysAid tenant

  • A SysAid-managed sync service that helps keep the organization’s SysAid tenant current

Both endpoints are authenticated using a per-customer token configured by the organization’s IT administrator.

Without this token, the extension does not transmit data.

Can an IT administrator pause extension reporting?

Yes.

An IT administrator can disable reporting without uninstalling the extension.

When reporting is paused, the extension stops recording events, and the extension pop-up displays a visible message indicating that reporting has been paused by the IT administrator.

Can users see what the extension has detected?

Yes.

Users can click the extension icon to open a pop-up that lists the SaaS applications detected for them.

This helps make the extension’s activity visible and transparent.

Can users uninstall the extension?

This depends on the organization’s browser management policy.

If the organization allows users to remove managed extensions, users may uninstall them from their browser. If the extension was installed through a managed policy that prevents removal, users should contact their IT team.

How are data deletion or export requests handled?

Because the organization controls the deployment and use of the extension, requests to access, correct, export, or delete personal data should be made through the organization’s normal data request process.

This may be handled by IT, HR, or the organization’s Data Protection contact.

The organization can then act on the request in SysAid or work with SysAid Support if assistance is needed.

How is extension data secured?

Data sent between the extension and SysAid is encrypted in transit using TLS.

Authentication uses a per-customer token issued to the organization during deployment. The token is not user-specific and does not contain end-user personal data.