Permissions Aegis Eight requests
Aegis Eight is a read-only, multi-tenant Microsoft Entra application. When a Global Administrator grants consent, it can read the security configuration needed to assess your Essential Eight posture — and nothing else.
The short version
- Read-only. We cannot create, modify, or delete anything in your tenant.
- No access to your content. We cannot read your emails, OneDrive or SharePoint files, or Teams messages.
- Your data never trains AI. We never use customer data to train any machine-learning model — ours or anyone else’s.
- Stored in Australia. Customer scan data is stored in Australia by default; dedicated deployments in another region are available on request.
- Verifiable evidence. Every finding is bound to a hash of the exact data we read, so an auditor can confirm it independently.
- Revoke anytime. Removing consent immediately stops all access.
What we access
- Security and policy configuration (e.g. Conditional Access, MFA policies)
- Which MFA and authentication methods are registered
- Device compliance and operating-system version state
- Admin roles and privileged-access configuration
- Microsoft 365 Backup protection and restore evidence
What we never access
- Your email or mailbox content
- Your files in OneDrive or SharePoint
- Your Teams messages
- Passwords or MFA settings — we cannot change anything
- Any tenant other than the one that granted consent
Why we need these permissions
Each permission maps to a specific ASD Essential Eight control. Aegis Eight requests the minimum set of read scopes required to score your maturity automatically — instead of relying on a questionnaire. The detailed breakdown below names every scope, what it reads, and which control it supports.
For the wider operational picture — data flows, retention, tenant isolation, sub-processors — see the Security & Privacy page.
We preserve evidence, not just a score
Most Essential Eight tools are questionnaire engines with a few API checks bolted on. Aegis Eight is different: every Graph response that informs a finding is captured and hashed with SHA-256, and the hash is stamped into the finding itself.
The result is a cryptographically verifiable evidence chain — an auditor, cyber insurer, or regulator can confirm that the data we scored is exactly what your tenant returned, without taking our word for it. See how it works in the evidence-chain section of the whitepaper.
Detailed permission breakdown
Every permission below is read-only.
Opt-in modules for broader Essential Eight coverage
These permissions are grouped into optional capability modules, each backed by its own read-only Microsoft Entra application registration. The core scan above uses a single core app; each module below is a separate app you consent to only if you enable it (per ADR-0010). Permissions for modules you do not enable are never granted at the Microsoft layer. Enabling a module later triggers its own admin-consent screen, never bundled with the core app.
Identity Risk
Adds Entra ID Identity Protection signals (risky users, risk detections) to detect compromised or at-risk accounts that undermine MFA effectiveness.
Security Operations
Surfaces open Microsoft 365 Defender incidents, Secure Score cross-checks, and Defender TVM patch-age evidence.
Governance
Adds tenant governance signals such as role-assignable group hygiene for ISO 27001 / NIST / CIS alignment.
Data-handling promises
- No machine-learning training. We never use customer Microsoft Graph data to train any ML model — ours, a vendor’s, or a third-party’s. No exceptions, including embeddings and retrieval indexes.
- Australian data residency. Customer scan data is stored in Australia by default; dedicated deployments in another region are available on request.
- 90-day retention. Full scan data is retained for 90 days; beyond that, only the summary and the response hash are kept. Per-tenant overrides are available on request.
- Hash-bound evidence chain. Every Graph response that informs a finding is hashed with SHA-256 and the hash is stamped into the finding. An assessor can verify a stored body matches what we scored, without trusting our word for it. Details in the Security & Privacy whitepaper.
- No cross-tenant correlation. Findings derived from one customer’s tenant are never combined with another customer’s data in the same query, report, or dashboard.
- Revocation purges within 30 days. A Global Administrator can remove Aegis Eight from your tenant at any time and additionally request full data deletion.
Full details, sub-processor list, and certification posture in the Security & Privacy whitepaper.
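An assessor-side check of the hash-bound evidence described under "We preserve evidence, not just a score" and in the promises above, as an added example that is not Aegis Eight's own code. The field names (`evidence_ref`, `evidence_sha256`), the export layout and the sample bodies are assumptions, and the hash is assumed to cover the stored response bytes exactly as saved.

```python
import hashlib
import hmac


def sha256_hex(body: bytes) -> str:
    """Hex SHA-256 digest of the raw bytes, with no parsing or normalisation."""
    return hashlib.sha256(body).hexdigest()


def verify_finding(finding: dict, stored_body: bytes) -> bool:
    """True when the stored bytes hash to the value stamped in the finding."""
    expected = finding["evidence_sha256"].lower()  # hypothetical field name
    return hmac.compare_digest(sha256_hex(stored_body), expected)


def verify_export(findings: list, bodies: dict) -> dict:
    """Map each finding id to 'ok', 'mismatch' or 'missing-body'."""
    results = {}
    for finding in findings:
        body = bodies.get(finding["evidence_ref"])  # hypothetical field name
        if body is None:
            # Expected once full scan data has aged out and only the hash remains.
            results[finding["id"]] = "missing-body"
        elif verify_finding(finding, body):
            results[finding["id"]] = "ok"
        else:
            results[finding["id"]] = "mismatch"
    return results


# Constructed sample data: not real Graph output and not a real export format.
RAW_CA = b'{"value":[{"displayName":"Require MFA for admins","state":"enabled"}]}'
RAW_ROLES = b'{"value":[{"roleName":"Global Administrator","members":2}]}'

FINDINGS = [
    {"id": "F-001", "evidence_ref": "ca.json", "evidence_sha256": sha256_hex(RAW_CA)},
    {"id": "F-002", "evidence_ref": "roles.json", "evidence_sha256": sha256_hex(RAW_ROLES)},
    {"id": "F-003", "evidence_ref": "devices.json", "evidence_sha256": "0" * 64},
]
BODIES = {
    "ca.json": RAW_CA,
    # Body altered after scoring: the digest no longer matches the finding.
    "roles.json": RAW_ROLES.replace(b'"members":2', b'"members":5'),
    # devices.json is absent: only the hash survives for this finding.
}
RESULTS = verify_export(FINDINGS, BODIES)

if __name__ == "__main__":
    for finding_id, status in RESULTS.items():
        print(finding_id, status)
```

Hash the stored bytes as they are; parsing and re-serialising the JSON changes whitespace and yields a different digest even when the data is identical.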
Revoking consent
A Global Administrator can remove Aegis Eight’s access at any time via Microsoft Entra admin centre → Enterprise applications → Aegis Eight → Properties → Delete. Revocation is immediate from Microsoft’s side: any subsequent API call from Aegis Eight fails authorization and no new tenant data can be collected. Aegis Eight detects the loss of access on the next scan attempt and stops. You can additionally request deletion of any data already collected (purged within 30 days — see the Security & Privacy whitepaper).
Questions about a specific permission? Email [email protected]. For the full operational detail, see the Security & Privacy whitepaper.