Manually onboard Attic read only
When you choose Read Only onboarding for Zolder, three Microsoft Entra ID directory roles need to be assigned to the Attic app in your tenant.
Normally, this is done automatically through an OAuth consent flow using the Attic read-write application. However, if you prefer to keep full control and avoid granting the RW application access to your environment, you can assign these roles manually.
The "Exchange Online read access" step of the onboarding is what normally adds the Entra ID roles to the Attic app. Do not execute that step; follow the steps below instead. Afterwards, contact the operator: they will set the "Exchange Online read access" step to done, which allows the rest of the onboarding to continue.
Prerequisites
- You need the Global Administrator or Privileged Role Administrator role in your Microsoft Entra ID tenant.
- The "[ATTIC] M365 RO" enterprise application (service principal) must already exist in your tenant. This is created when you consent to the Attic application during onboarding.
Roles to Assign
The following three Entra ID directory roles must be assigned to the "[ATTIC] M365 RO" service principal:
| Role | Purpose |
|---|---|
| Global Reader | Allows Attic to read all tenant configuration and settings |
| Security Reader | Allows Attic to read security-related data (alerts, incidents, policies) |
| Teams Reader | Allows Attic to read Microsoft Teams configuration and settings |
Steps
Step 1: Find the "[ATTIC] M365 RO" service principal
- Sign in to the Microsoft Entra admin center
- Navigate to Identity > Applications > Enterprise applications
- Search for [ATTIC] M365 RO in the application list
- Click on the Attic Security application to open it
- Note the Object ID on the overview page -- you will need this to verify the assignments later
Step 2: Assign the Global Reader Role
- Navigate to Identity > Roles & admins > Roles & admins
- Search for Global Reader and click on it
- Click + Add assignments
- Click + Select member(s)
- In the search box, search for [ATTIC] M365 RO
- Select the "[ATTIC] M365 RO" service principal from the list
- Click Select
- Click Next
- Select Active as the assignment type
- Optionally provide a justification (e.g., "Attic Security read-only monitoring")
- Click Assign
Step 3: Assign the Security Reader Role
- Go back to Identity > Roles & admins > Roles & admins
- Search for Security Reader and click on it
- Click + Add assignments
- Click + Select member(s)
- Search for and select the [ATTIC] M365 RO service principal
- Click Select
- Click Next
- Select Active as the assignment type
- Click Assign
Step 4: Assign the Teams Reader Role
- Go back to Identity > Roles & admins > Roles & admins
- Search for Teams Reader and click on it
  Note: If "Teams Reader" does not appear in the role list, it may be listed as Teams Communications Reader, or you can search by its template ID: 1076ac91-f3d9-41a7-a339-dcdf5f480acc.
- Click + Add assignments
- Click + Select member(s)
- Search for and select the [ATTIC] M365 RO service principal
- Click Select
- Click Next
- Select Active as the assignment type
- Click Assign
Step 5: Verify the Assignments
- Navigate to Identity > Applications > Enterprise applications
- Open the Attic Security application
- Click Roles and administrators (under Security in the left menu)
- Verify that the following three roles are listed:
  - Global Reader
  - Security Reader
  - Teams Reader
Alternatively, you can verify via Identity > Roles & admins and check each role's assignment list for the Attic service principal.
After Completing These Steps
Once the roles are assigned, go back to the Zolder onboarding portal and inform your Attic contact that you have manually assigned the roles. The onboarding team can then mark this step as completed and proceed with the remaining onboarding steps.
Alternative: Using PowerShell
If you prefer to assign the roles via PowerShell, you can use the Microsoft Graph PowerShell module:
```powershell
# Connect to Microsoft Graph with the required scopes
# (Application.Read.All is needed to look up the service principal)
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory","Application.Read.All"

# Find the Attic service principal (replace with the actual app display name)
$sp = Get-MgServicePrincipal -Filter "displayName eq 'Attic Security'"
if (-not $sp) { throw "Attic service principal not found; complete the consent step first." }

# Role template IDs
$roles = @{
    "Global Reader"   = "f2ef992c-3afb-46b9-b7cf-a126ee74c451"
    "Security Reader" = "5d6b6bb7-de71-4623-b4af-96380a352509"
    "Teams Reader"    = "1076ac91-f3d9-41a7-a339-dcdf5f480acc"
}

# Assign each role at tenant scope ("/")
foreach ($roleName in $roles.Keys) {
    $roleDefinition = Get-MgRoleManagementDirectoryRoleDefinition -Filter "templateId eq '$($roles[$roleName])'"
    $params = @{
        principalId      = $sp.Id
        roleDefinitionId = $roleDefinition.Id
        directoryScopeId = "/"
    }
    New-MgRoleManagementDirectoryRoleAssignment -BodyParameter $params
    Write-Host "Assigned $roleName to $($sp.DisplayName)"
}
```
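The UI verification in Step 5 can also be done from PowerShell. The following script is an added example and not part of the original onboarding page or Attic's own tooling; it assumes the Microsoft Graph PowerShell module is installed and that the service principal's display name is "[ATTIC] M365 RO" (adjust the filter to the name shown in your tenant). It lists every directory role assignment held by the principal, confirms the three expected reader roles are present, and warns about any role outside that set, since an extra role would contradict the read-only access model.

```powershell
# Added example (not from the original page): verify that the Attic service
# principal holds exactly the three expected reader roles and nothing more.
# Display-name filter is an assumption; use the name shown in your tenant.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Application.Read.All"

$sp = Get-MgServicePrincipal -Filter "displayName eq '[ATTIC] M365 RO'"
if (-not $sp) { throw "Service principal not found; complete the consent step first." }

# Expected role template IDs (as listed on this page), keyed by template ID
$expected = @{
    "f2ef992c-3afb-46b9-b7cf-a126ee74c451" = "Global Reader"
    "5d6b6bb7-de71-4623-b4af-96380a352509" = "Security Reader"
    "1076ac91-f3d9-41a7-a339-dcdf5f480acc" = "Teams Reader"
}

# All directory role assignments for this principal
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'"

$found = @{}
foreach ($a in $assignments) {
    # Resolve the assignment's role definition to get its template ID and name
    $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $a.RoleDefinitionId
    if ($expected.ContainsKey($def.TemplateId)) {
        $found[$def.TemplateId] = $true
        Write-Host "OK       $($def.DisplayName) (scope $($a.DirectoryScopeId))"
    } else {
        # Anything beyond the three reader roles should be reviewed and removed
        Write-Warning "UNEXPECTED role on Attic principal: $($def.DisplayName) (scope $($a.DirectoryScopeId))"
    }
}

# Report any of the three expected roles that are not assigned
foreach ($id in $expected.Keys) {
    if (-not $found.ContainsKey($id)) { Write-Warning "MISSING  $($expected[$id])" }
}
```

The scope printed per assignment should be "/" (tenant-wide); an assignment scoped to an administrative unit would not give Attic the tenant-wide read access the roles table describes.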
Troubleshooting
| Issue | Solution |
|---|---|
| Cannot find the "[ATTIC] M365 RO" enterprise application | Ensure the initial application consent step of the onboarding has been completed first. You can deny the write consent. The service principal is created during that step. |
| "Insufficient privileges" error | You need Global Administrator or Privileged Role Administrator to assign directory roles. |
| Role already assigned | This is fine -- if the role is already assigned, no action is needed for that role. |
These are all reader-level roles, consistent with the read-only access model -- they do not grant any write or administrative permissions in your tenant.