Permissions Reference
Complete breakdown of every permission Velnoro needs, who needs to grant it, and why.
This page is the single reference for every permission and credential Velnoro requires across all supported platforms. Use it to verify you have the right access before setting up a connection, or to answer your security team's questions about what Velnoro can and cannot do.
Before You Connect
Before setting up a connection, verify that the person performing the setup has the required roles.
Microsoft Power Platform
Velnoro connects to Microsoft through two separate APIs, both authenticated through a single Entra ID app registration that your organization controls.
Microsoft Graph API
| Permission | Type | Who Grants It | What Velnoro Does With It | Required? |
|---|---|---|---|---|
| Organization.Read.All | Application | Azure Global Admin or Application Admin (via admin consent) | Reads your tenant name, ID, and verified domains to validate the connection | Yes |
| User.Read.All | Application | Azure Global Admin or Application Admin (via admin consent) | Reads user profiles (display name, email, department, job title) for owner enrichment and department-level analysis on dashboards | Optional (recommended) |
Power Platform Inventory API
| Permission | Type | Who Grants It | What Velnoro Does With It | Required? |
|---|---|---|---|---|
| ResourceQuery.Resources.Read | Delegated | An admin with the Power Platform Administrator or Global Administrator role completes a one-time OAuth consent flow | Reads the inventory of Power Platform resources: apps, flows, agents, environments. This is the same API the Power Platform Admin Center uses. | Yes |
Why delegated? The Power Platform Inventory API requires a user context. An admin signs in once during setup; Velnoro then uses the resulting refresh token to obtain new access tokens for background scanning without further sign-ins. The admin's Power Platform role determines which environments and resources Velnoro can see.
App Registration Requirements
Your Entra ID app registration also needs:
| Requirement | Purpose |
|---|---|
| Client ID | Identifies your app registration when requesting tokens |
| Client Secret | Authenticates token requests (stored encrypted in Velnoro with AES-256-GCM) |
| Redirect URI (https://app.velnoro.com/api/connections/microsoft/callback) | Receives the authorization code during the Power Platform consent flow |
Who Needs What Role
| Task | Azure / Microsoft Role Required |
|---|---|
| Create the Entra ID app registration | Global Administrator or Application Administrator |
| Grant admin consent for API permissions | Global Administrator or Privileged Role Administrator |
| Complete the Power Platform authorization flow | Power Platform Administrator or Global Administrator |
| Day-to-day Velnoro usage (view dashboards, run scans) | No Microsoft role needed (Velnoro Owner or Admin role only) |
Verifying Your Access
- Check your Azure role: Go to Azure Portal > Entra ID > Users > find yourself > Assigned roles. You need Global Administrator or Application Administrator.
- Check Power Platform role: Go to Power Platform Admin Center > Settings > Admin roles. The admin who will authorize needs Power Platform Administrator.
- Verify app registration permissions: After setup, go to Azure Portal > App registrations > your app > API permissions. All listed permissions should show "Granted for [your org]".
What Happens Without Sufficient Permissions
| Missing Permission | Error You'll See | How to Fix |
|---|---|---|
| No Organization.Read.All | "Connection test failed" | Add the permission in Azure and grant admin consent |
| No ResourceQuery.Resources.Read | "AADSTS7000113" error | Add the Power Platform API delegated permission and complete the authorization flow |
| Admin consent not granted | "AADSTS65001" error | Go to Azure > App registrations > API permissions > Grant admin consent |
| Admin lacks Power Platform Administrator role | "0 environments found" after authorization | Assign the Power Platform Administrator role to the admin who completes the consent flow |
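As an added example (not Velnoro's own code or tooling), the following Python script checks an app registration's granted permissions against the documented set on this page. It flags missing required permissions, optional permissions that are absent, permissions still awaiting admin consent, and any permission beyond the documented read-only set, which is the least-privilege check a security reviewer will ask for. The snapshot, its field names, and the over-privileged `Directory.ReadWrite.All` entry are constructed for illustration; in practice you would fill the list from the app registration's API permissions blade or from Microsoft Graph after resolving role IDs to names.

```python
"""Least-privilege audit of an Entra ID app registration's API permissions
against the permission set documented for Velnoro.

Added example, not Velnoro's code. SAMPLE_SNAPSHOT is constructed to look
like what an admin reads off the "API permissions" blade; it is not a live
Microsoft Graph response.
"""

# Documented permission set for this integration: name -> (type, required?)
DOCUMENTED = {
    "Organization.Read.All": ("Application", True),
    "User.Read.All": ("Application", False),
    "ResourceQuery.Resources.Read": ("Delegated", True),
}

# Symptoms listed on this page, keyed by the finding category they cause.
SYMPTOMS = {
    "missing_required": 'connection test fails / "AADSTS7000113"',
    "consent_pending": '"AADSTS65001" until admin consent is granted',
    "unexpected": "exceeds the documented read-only scope; remove it",
}

# Constructed snapshot of one app registration (deliberately imperfect):
# the optional permission is absent, the delegated permission has no admin
# consent yet, and a write permission was added that the integration never needs.
SAMPLE_SNAPSHOT = [
    {"permission": "Organization.Read.All", "type": "Application", "admin_consent": True},
    {"permission": "ResourceQuery.Resources.Read", "type": "Delegated", "admin_consent": False},
    {"permission": "Directory.ReadWrite.All", "type": "Application", "admin_consent": True},
]


def audit_permissions(snapshot, documented=DOCUMENTED):
    """Compare granted permissions with the documented set.

    A permission only counts as matching when both its name and its type
    (Application vs Delegated) agree, so a delegated grant of a permission
    that should be an application permission shows up as both missing and
    unexpected.
    """
    granted = {(p["permission"], p["type"]): p for p in snapshot}
    expected_keys = {(name, ptype) for name, (ptype, _) in documented.items()}
    findings = {
        "missing_required": [],
        "missing_optional": [],
        "consent_pending": [],
        "unexpected": [],
    }
    for name, (ptype, required) in documented.items():
        entry = granted.get((name, ptype))
        if entry is None:
            bucket = "missing_required" if required else "missing_optional"
            findings[bucket].append(name)
        elif not entry["admin_consent"]:
            findings["consent_pending"].append(name)
    for (name, ptype) in granted:
        if (name, ptype) not in expected_keys:
            findings["unexpected"].append(f"{name} ({ptype})")
    return findings


def is_least_privilege(findings):
    """True only when every required permission is granted and consented and
    nothing outside the documented set is present. Missing optional
    permissions reduce functionality but do not fail the check."""
    return not (
        findings["missing_required"]
        or findings["consent_pending"]
        or findings["unexpected"]
    )


def format_report(findings):
    """Render findings as lines an admin can act on."""
    lines = []
    for category, names in findings.items():
        for name in names:
            hint = SYMPTOMS.get(category, "grant it if the feature is wanted")
            lines.append(f"{category}: {name} -> {hint}")
    lines.append("least privilege: " + ("PASS" if is_least_privilege(findings) else "FAIL"))
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(audit_permissions(SAMPLE_SNAPSHOT))))
```

Run it against your own export of the API permissions blade; a PASS means the registration holds exactly the permissions this page documents, all consented, and nothing more.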
All Access Is Read-Only
Velnoro never writes to, modifies, or deletes anything in your Microsoft tenant. Every permission listed above grants only read access to metadata. For the full security model, see the Security guide.