The customer would like to confirm which permission is granted to the Symantec Auto-Remediation agent in Office 365.
The Auto-Remediation agent requires the Directory.Read.All permission. This is the minimum requirement to perform the “Permanent Delete” action.
Requirements:
Reference: https://docs.microsoft.com/en-us/graph/api/domain-list?view=graph-rest-1.0
Reference: https://docs.microsoft.com/en-us/graph/api/organization-get?view=graph-rest-1.0
To satisfy both requirements, the Auto-Remediation agent needs the Directory.Read.All permission as the least-privileged permission.
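One way to confirm what the agent's service principal actually holds is to resolve its app role assignments to permission names and compare them with the permission named above. This is an added example, not Symantec's or Microsoft's code. The GUIDs and JSON are constructed placeholders shaped like Microsoft Graph responses, and `audit_app_roles` is a hypothetical helper name.

```python
# Added example. GUIDs and JSON below are constructed placeholders shaped like
# Microsoft Graph responses; audit_app_roles is a hypothetical helper name.
EXPECTED = {"Directory.Read.All"}  # the permission this article names
GRAPH_SP_ID = "aaaaaaaa-0000-0000-0000-000000000001"  # constructed

# Shape of GET /servicePrincipals/{GRAPH_SP_ID}?$select=appRoles
GRAPH_APP_ROLES = [
    {"id": "11111111-0000-0000-0000-000000000001", "value": "Directory.Read.All"},
    {"id": "11111111-0000-0000-0000-000000000002", "value": "Directory.ReadWrite.All"},
]

# Shape of GET /servicePrincipals/{agent-sp-id}/appRoleAssignments
AGENT_ASSIGNMENTS = {"value": [
    {"resourceId": GRAPH_SP_ID, "appRoleId": "11111111-0000-0000-0000-000000000001"},
    {"resourceId": GRAPH_SP_ID, "appRoleId": "11111111-0000-0000-0000-000000000002"},
    # Assignment on a different resource API: reported, not resolved here.
    {"resourceId": "bbbbbbbb-0000-0000-0000-000000000002",
     "appRoleId": "22222222-0000-0000-0000-000000000009"},
]}


def audit_app_roles(assignments, graph_sp_id, graph_app_roles, expected=EXPECTED):
    """Resolve appRoleId GUIDs to permission names and diff against expected."""
    id_to_name = {role["id"]: role["value"] for role in graph_app_roles}
    granted, unresolved, other_resources = set(), [], []
    for item in assignments.get("value", []):
        if item["resourceId"] != graph_sp_id:
            other_resources.append(item["resourceId"])
            continue
        name = id_to_name.get(item["appRoleId"])
        if name:
            granted.add(name)
        else:
            unresolved.append(item["appRoleId"])
    return {
        "granted": sorted(granted),
        "missing": sorted(expected - granted),
        "beyond_expected": sorted(granted - expected),
        "unresolved_ids": unresolved,
        "other_resources": other_resources,
    }


if __name__ == "__main__":
    report = audit_app_roles(AGENT_ASSIGNMENTS, GRAPH_SP_ID, GRAPH_APP_ROLES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Entries under `beyond_expected` are permissions other than the one this article names and are candidates for review, not necessarily misconfigurations.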