This KB will help you understand why CloudSOC requires Global Administrator (GA) permissions to activate the Office 365 Securlet and what transpires during the activation process as it relates to the permissions that are assigned to the CloudSOC app by Microsoft.
Office 365 Securlet
Microsoft 365 Subscription
You are deploying the Office 365 Securlet in CloudSOC and have concerns about providing Global Administrator permissions to activate the Securlet.
During the Office 365 Securlet activation, the CloudSOC System Administrator leverages a Global Administrator account in Microsoft 365 to assign the appropriate app-based permissions that CloudSOC will use for interaction with Microsoft’s APIs.
Note: The authentication token generated during activation does not retain all of the GA permissions, just the necessary administrative permissions required by CloudSOC during the Office 365 activation.
Note: The Global Administrator permissions are only required during the activation process. The GA user account can be disabled after the activation is completed due to the integration using app-based permissions.
Microsoft 365 includes many features and apps in its service that require different administrative permissions for CloudSOC to manage them. Here are two additional Microsoft links with helpful information on how the app registration process works with Microsoft: