Understanding Overe Assess & Overe Protect App Permissions

Both Overe Assess and Overe Protect offer comprehensive security solutions for Microsoft 365 environments. However, each service operates with different levels of permissions and capabilities, catering to different stages of security management. Below is a breakdown of how these two services differ and what permissions are required to make them function optimally.

Overe Assess: Limited Permissions, Rapid Security Assessment

Overe Assess is designed to give MSPs and businesses a quick and insightful look into the security posture of their Microsoft 365 environment, using a lower set of permissions. It is an excellent tool for baseline security assessments without the need for heavy administrative access.

Key Permissions for Overe Assess:

Permission	Area	What it is for
Directory.Read.All	Posture assessment	Read users lists to identify risky accounts.
SecurityEvents.Read.All	Posture assessment	Access secure scores for posture assessment.
Application.ReadWrite.OwnedBy	Management	Allows Overe to remove its own application when offboarding a tenant.
Organization.Read.All	Posture assessment	Read licensing information to assess security posture.
AuditLog.Read.All	Posture assessment	Read user registration details for security posture assessment.

These permissions are focused on providing insights into:

MFA usage and misconfigurations
Microsoft security policies
External app integrations
Inactive accounts

While Overe Assess helps you understand potential risks, its ability to mitigate these risks is limited without the higher-level permissions and functionalities that come with Overe Protect (Free 14-day trial)

Overe Protect: Full-Scale SaaS Security with Advanced Permissions

Overe Protect is the premium offering that goes beyond assessment by implementing security policies and automatically responding to threats in real time. It requires a broader set of permissions to provide the necessary oversight and automated remediation for your Microsoft 365 environment.

Key Permissions for Overe Protect:

Permission	Area	What it is for
Exchange.ManageAsApp	Policies	Mange policy controls related to Exchange Online.
Policy.Read.All	Policies	Verify policies are being applied as expected.
Policy.ReadWrite.ConditionalAccess	Policies	Used by policy controls that manage Microsoft Conditional Policies.
Policy.ReadWrite.Authorization	Policies	Required by the policy control managing the application consent settings.
Policy.ReadWrite.AuthenticationMethod	Policies	Needed by the policy controls related to MFA.
Policy.ReadWrite.ConsentRequest	Policies	Required by the policy control managing the user application consent settings.
Application.ReadWrite.All	Policies	Used by policy controls dealing with app permissions. Also used to uninstall Overe itself from the tenant when offboarding a Protect integration.
Directory.Read.All	Posture assessment, Policies	Used for the admin users application consent request approval policy control.
Domain.ReadWrite.All	Policies	Used to manage the Password expiration and validity policy control.
Organization.Read.All	Posture assessment, Policies	Used by the policy controls related to Exchange Online related Policy controls. Also to retrieve licensing information for license assessment.
Sites.Manage.All	Posture assessment,	Access links expiration time.
User.ReadWrite.All	Remediation	Used in remediation to disable accounts and revoke sessions.
AuditLog.Read.All	Anomalies, Posture assessment	Review audit logs for a detailed history of user actions, making it easier to trace back malicious activity. Read user registration details for security posture assessment.
ActivityFeed.Read	Anomalies	Review audit logs for a detailed history of user actions, making it easier to trace back malicious activity.
ActivityFeed.ReadDlp	Anomalies	Review audit logs for a detailed history of user actions, making it easier to trace back malicious activity.
ServiceHealth.Read	Anomalies	Review audit logs for a detailed history of user actions, making it easier to trace back malicious activity.
SecurityEvents.Read.All	Posture assessment	Access secure scores for posture assessment.
Directory.AccessAsUser.All	Future use
MailboxSettings.ReadWrite	Future use
Reports.Read.All	Future use
SecurityIncident.Read.All	Future use
UserAuthenticationMethod.ReadWrite.All	Future use
DeviceManagementApps.ReadWrite.All	Future use
DeviceManagementManagedDevices.ReadWrite.All	Future use
DeviceManagementConfiguration.ReadWrite.All	Future use
DeviceManagementServiceConfig.ReadWrite.All	Future use
AiEnterpriseInteraction.Read.All	Future use
IdentityRiskEvent.Read.All	Future use
SecurityAlert.Read.All	Future use
SecurityIdentitiesHealth.Read.All	Future use
ThreatIntelligence.Read.All	Future use

These extended permissions unlock features such as:

Real-time anomaly and adversarial behavior detection
Automated policy enforcement (e.g., MFA enforcement, user lockdowns)
Continuous monitoring of connected apps and devices
Response to identified threats by automatically adjusting security settings

How to re-consent to Microsoft Permissions

Some scenarios might require you to re-consent the permissions granted to the Overe app. Find out how to complete this process in the following article: Giving consent to missing Microsoft permissions.

Conclusion: Tailoring Permissions to Your Needs

Overe Assess is a lightweight, limited-permission service that offers essential insights into your Microsoft 365 environment. It's an excellent tool for quickly identifying security gaps without requiring heavy administrative privileges.

On the other hand, Overe Protect provides full-scale security management, including automated threat detection and response. With its advanced permissions, it allows MSPs to not only identify risks but also take immediate actions to mitigate them, ensuring a secure and compliant Microsoft 365 environment.

For those just getting started, Overe Assess offers a valuable entry point, but upgrading to Overe Protect ensures comprehensive protection with minimal manual intervention.