Manually enabling the Global Reader Role for Optimize365
This guide walks you through enabling the required Global Reader role for Optimize365's security scanning, ensuring comprehensive visibility across your Microsoft 365 environment.
The Global Reader role is needed specifically for the Optimize365 app registration, allowing the platform to perform read-only scans of your clients' security configurations without making any changes.
You can enable the required permissions for Optimize365 using one of the following methods:
- Manual Configuration via the Microsoft 365 Admin Portal: follow step-by-step instructions to assign the necessary roles directly through the portal interface.
- Automated Setup via PowerShell Script: run a pre-built script to streamline the setup process and apply the required permissions with minimal manual effort.
Prerequisites
- A Global Administrator user with access to Microsoft Entra ID
Why Global Reader is Required
Without the Global Reader role, Optimize365 can only scan a limited set of security controls. Some controls are not exposed via Microsoft Graph and can only be read through a PowerShell cmdlet, which requires this role.
Basic Security Baseline Support
We’ve added support for a Basic Security Baseline to help with lightweight prospecting and visibility use cases. This option provides limited controls that do not require the Global Reader role, making it easier to get started with minimal friction.
Note: The Basic Baseline is intended for entry-level/prospecting scans and insight and does not require enabling the full security baseline.
Enabling Scanning Roles
Step 1: Verify Global Reader role (You may need to do this per tenant)
Option 1
- Sign in to the Microsoft Entra admin center
- Browse to Entra ID > Roles & admins (select Show more if you can't see it)
- Select the Global Reader role (double-click on it)
- Select Add assignments, search for "Optimize365-ReadOnly" (AppId: eb18d58b-c50f-4478-94dc-15ef9f12e34e) and press Add
- The assignment will appear in the list once it has been added
Option 2
Alternatively, run this PowerShell:
# PowerShell script to verify and add the Global Reader role for Optimize365
# Requires the Microsoft.Graph PowerShell module (Install-Module Microsoft.Graph)

# First, connect to Microsoft Graph PowerShell with the scopes needed to read the
# service principal, manage directory role membership and read the policy checked below
Connect-MgGraph -Scopes "Application.Read.All", "RoleManagement.ReadWrite.Directory", "Policy.Read.All"

# Optimize365 AppId
$appId = "eb18d58b-c50f-4478-94dc-15ef9f12e34e"

# Get service principal for Optimize365
$servicePrincipal = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if ($null -eq $servicePrincipal) {
    Write-Host "❌ Optimize365 service principal not found in this tenant. Verify the AppId is correct." -ForegroundColor Red
    Disconnect-MgGraph
    exit
}
Write-Host "✅ Found Optimize365 service principal: $($servicePrincipal.DisplayName)" -ForegroundColor Green

# Get Global Reader role
# (directory roles and role templates do not reliably support server-side $filter, so match client-side)
$globalReaderRole = Get-MgDirectoryRole -All | Where-Object { $_.DisplayName -eq 'Global Reader' }
if ($null -eq $globalReaderRole) {
    # Role may not be activated yet, activate it
    Write-Host "Global Reader role not activated yet, activating..." -ForegroundColor Yellow

    # Get role template
    $roleTemplate = Get-MgDirectoryRoleTemplate -All | Where-Object { $_.DisplayName -eq 'Global Reader' }
    if ($null -eq $roleTemplate) {
        Write-Host "❌ Unable to find Global Reader role template. Contact support." -ForegroundColor Red
        Disconnect-MgGraph
        exit
    }

    # Activate the role from its template
    $globalReaderRole = New-MgDirectoryRole -RoleTemplateId $roleTemplate.Id
    Write-Host "✅ Global Reader role has been activated" -ForegroundColor Green
}

# Check if Optimize365 already has the Global Reader role
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $globalReaderRole.Id -All
$hasRole = $members | Where-Object { $_.Id -eq $servicePrincipal.Id }

if ($null -ne $hasRole) {
    Write-Host "✅ Optimize365 already has the Global Reader role" -ForegroundColor Green
} else {
    # Add the Optimize365 service principal to the Global Reader role
    Write-Host "Adding Optimize365 to Global Reader role..." -ForegroundColor Yellow
    try {
        New-MgDirectoryRoleMemberByRef -DirectoryRoleId $globalReaderRole.Id -BodyParameter @{
            "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($servicePrincipal.Id)"
        }
        Write-Host "✅ Successfully added Optimize365 to Global Reader role" -ForegroundColor Green
    } catch {
        Write-Host "❌ Failed to add Optimize365 to Global Reader role: $_" -ForegroundColor Red
        Write-Host "   Please add the role manually in the Microsoft Entra admin center" -ForegroundColor Yellow
    }
}

# Now check scanning access
Write-Host "`nVerifying Scanning role..." -ForegroundColor Cyan
try {
    # Test that the signed-in admin session can read a security configuration
    # (this confirms the Policy.Read.All scope above; the app's own access takes
    # effect once the role assignment has propagated)
    $policies = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy -ErrorAction Stop
    Write-Host "✅ Successfully accessed security policies" -ForegroundColor Green
} catch {
    Write-Host "❌ Cannot access security policies: $_" -ForegroundColor Red
    Write-Host "   Global Reader role may not be fully applied yet" -ForegroundColor Yellow
}

# Disconnect session
Disconnect-MgGraph
Write-Host "`n✅ Role verification complete" -ForegroundColor Green
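Because the page's guarantee is that Optimize365 stays read-only, a practitioner will want to confirm after assignment that the service principal holds Global Reader and nothing more. The following audit is an added example, not part of the Optimize365 script above; it reuses the AppId from the steps above, assumes an existing Connect-MgGraph session with Application.Read.All and RoleManagement.Read.Directory, and the function name is illustrative.

```powershell
# Added example: audit the directory roles held by the Optimize365 service principal
# and flag any role beyond the expected read-only Global Reader assignment.
# Assumes Connect-MgGraph has already been run with Application.Read.All and
# RoleManagement.Read.Directory. Function name is illustrative, not an Optimize365 API.
function Get-Optimize365RoleAudit {
    param(
        # AppId of the Optimize365-ReadOnly app registration (from the steps above)
        [string]$AppId = "eb18d58b-c50f-4478-94dc-15ef9f12e34e",
        # The only directory role the scanner is expected to hold
        [string[]]$ExpectedRoles = @("Global Reader")
    )

    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if ($null -eq $sp) {
        throw "Service principal for AppId $AppId not found in this tenant."
    }

    # memberOf returns directory roles, groups and administrative units;
    # keep only directory roles and project their display names
    $roles = @(Get-MgServicePrincipalMemberOf -ServicePrincipalId $sp.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object { $_.AdditionalProperties['displayName'] })

    $missing    = @($ExpectedRoles | Where-Object { $_ -notin $roles })
    $unexpected = @($roles | Where-Object { $_ -notin $ExpectedRoles })

    [pscustomobject]@{
        ServicePrincipal   = $sp.DisplayName
        Roles              = $roles
        MissingRoles       = $missing
        UnexpectedRoles    = $unexpected
        ReadOnlyAsExpected = ($missing.Count -eq 0 -and $unexpected.Count -eq 0)
    }
}

$audit = Get-Optimize365RoleAudit
$audit | Format-List

if (-not $audit.ReadOnlyAsExpected) {
    Write-Warning ("Optimize365 role set differs from expected. Unexpected: [{0}] Missing: [{1}]" -f
        ($audit.UnexpectedRoles -join ', '), ($audit.MissingRoles -join ', '))
}
```

Run it per tenant after the assignment step; a non-empty UnexpectedRoles list means someone granted the scanner a role with write rights, which the read-only design does not call for.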
Need Help?
Contact [email protected] if you encounter any issues.