Everything Aristo reads, why, and its real grant state — the whole security review on one page. Nothing is installed server-side in your tenant; consent is one click by your admin in Microsoft Entra, and revocable there at any time. States shown reflect your tenant the moment it connects.
| Permission | Why, in plain words | State |
|---|---|---|
Reports.Read.All | Copilot usage signals — aggregate, k-anonymous (five or more), never individuals. | grants on your tenant |
ServiceMessage.Read.All | Your own Message Center — which Copilot capabilities are landing in your tenant. | grants on your tenant |
User.Read.All | Department grouping so leaders see teams, never individuals. | grants on your tenant |
Mail.Read (OPTIONAL, off by default) | Only if inbox-reactive help is enabled later; restricted by an Exchange Application Access Policy. | grants on your tenant |
Expansion consents (never requested by default — named only when you want that plane lit): Organization.Read.All for the license/SKU inventory engine · SecurityEvents.Read.All for the Secure Score pillar · the M365 Cost Management export for Cowork credit consumption · read-only Reader on an Azure subscription for the Azure AI / Foundry plane.
Grant the read-only consent →
Requires a Global Administrator. Entra shows every permission before anything is granted.
| Environment | State | Plainly |
|---|---|---|
| Microsoft 365 commercial cloud | supported today | The Graph usage-report surfaces Aristo reads are fully available. |
| Display-name concealment tenants | supported — counted mode | Your privacy setting is honored: cold seats are COUNTED but never individually reached. |
| Multi-geo tenants | supported | Aggregate Graph reads work across geos. |
| GCC / GCC-High / DoD | roadmap | Government-cloud report APIs differ — we say so honestly rather than half-work. Ask us before piloting there. |
Forward this as-is; it carries the access list, the posture, and the consent link.