Does M365 Tenant Reporter request write permissions?

No. The delegated Microsoft Graph scopes are read-focused and the product is designed for reporting only.

When is AuditLog.Read.All needed?

AuditLog.Read.All is optional and only needed when the operator wants last sign-in visibility in the login-based reporting flow.

What Microsoft Entra role is required for Reports.Read.All?

Reports.Read.All requires a supported Microsoft Entra role such as Reports Reader or a broader admin role to access usage and activity data.

Permissions

Delegated Microsoft Graph permissions are grouped by reporting capability.

Core reporting scopes are requested up front, reporting scopes enable usage analytics, and advanced audit scopes are requested only when the operator enables optional last sign-in insight.

Open app Read guides

Permission groups

Core

openid, profile, email, User.Read, User.Read.All, GroupMember.Read.All, LicenseAssignment.Read.All, MailboxSettings.Read

Reports

Reports.Read.All for Office 365 active users, Teams activity, mailbox usage, and OneDrive usage.

Advanced audit

AuditLog.Read.All is optional and only needed when last sign-in summaries are explicitly enabled.

How to explain the scope model internally

Core reporting stays read-only

The core scope set exists so the app can inventory users, groups, license assignments, and mailbox purpose without crossing into management or remediation.

Optional scopes stay optional

Usage and audit capabilities are separated so operators can keep the initial consent boundary tight when they only need inventory reporting.