Authentication Model
The Data Collector authenticates to two Microsoft endpoints using a single service principal registered in the client tenant during the OAuth consent flow. Credentials are retrieved from the CYC secrets vault at runtime and are never logged, stored in environment variables on disk, or embedded in source code.
Credential Sets
| Credential | OAuth Scope | Used in Phases | SDK Class |
|---|---|---|---|
| ARM Credential | https://management.azure.com/.default | 1, 2, 3 | ClientSecretCredential |
| Graph Credential | https://graph.microsoft.com/.default | 4 | ClientSecretCredential |
Required Role Assignments
The following Azure built-in roles are assigned to the CYC service principal at root management group scope during the onboarding OAuth consent flow. These are the minimum permissions required for complete data collection.
| Role | Scope | Required for | Access type |
|---|---|---|---|
| Reader | Root management group | All resource queries — Phases 1, 2, 3 | Read-only |
| Security Reader | Root management group | Defender assessments and secure scores | Read-only |
| Billing Reader | Root management group | Cost management and consumption data | Read-only |
| Microsoft Sentinel Reader | Per subscription (conditional) | Sentinel analytics rules, data connectors, incidents — only requested if client confirms Sentinel is deployed during intake | Read-only |
All permissions are displayed to the client on the Microsoft Entra ID consent screen before the client accepts. The Sentinel Reader role is only requested if the client indicated Sentinel is deployed in the intake questionnaire (Q4). Clients can review and revoke permissions at any time through their Entra ID portal.
The service principal holds no write, contribute, or owner permissions at any scope. It is architecturally incapable of creating, modifying, or deleting any resource in the client tenant.
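A client can verify the read-only model above against what is actually assigned in their tenant. The following audit script is an added example, not part of the CYC documentation or code base. It assumes role assignments in the JSON shape returned by `az role assignment list --assignee <appId> --all` (the `roleDefinitionName` and `scope` fields); the sample assignments, management group id and subscription ids below are constructed placeholders. It flags any role outside the documented set, any documented role granted at the wrong scope, a Sentinel Reader assignment that the intake questionnaire did not justify, and any documented root-scope role that is missing.

```python
import re

# Roles the documentation lists as the minimum set, always at root management group scope.
ROOT_MG_ROLES = {"Reader", "Security Reader", "Billing Reader"}
# Requested only when the client confirmed Sentinel is deployed (intake Q4); granted per subscription.
CONDITIONAL_SUB_ROLES = {"Microsoft Sentinel Reader"}

MGMT_GROUP_SCOPE = re.compile(r"^/providers/Microsoft\.Management/managementGroups/(?P<id>[^/]+)$")
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/(?P<id>[0-9a-fA-F-]{36})$")


def audit_assignments(assignments, root_mg_id, sentinel_deployed):
    """Compare role assignments with the documented read-only model.

    Returns a list of (severity, message) findings; an empty list means the
    assignments match the model exactly.
    """
    findings = []
    seen_root_roles = set()
    for a in assignments:
        role = a["roleDefinitionName"]
        scope = a["scope"]
        mg = MGMT_GROUP_SCOPE.match(scope)
        sub = SUBSCRIPTION_SCOPE.match(scope)

        if role in ROOT_MG_ROLES:
            if mg and mg.group("id") == root_mg_id:
                seen_root_roles.add(role)
            else:
                # Correct role, wrong scope: either over-scoped or leaves part of the tree uncovered.
                findings.append(("medium", f"{role} assigned at {scope}; expected root management group {root_mg_id}"))
        elif role in CONDITIONAL_SUB_ROLES:
            if not sentinel_deployed:
                findings.append(("high", f"{role} present but client did not confirm Sentinel deployment (intake Q4)"))
            elif not sub:
                findings.append(("medium", f"{role} assigned at {scope}; expected a single subscription scope"))
        else:
            # Any role outside the documented set must be reviewed; it may carry write rights.
            findings.append(("critical", f"role {role!r} at {scope} is not in the documented read-only set"))

    for missing in ROOT_MG_ROLES - seen_root_roles:
        findings.append(("low", f"{missing} missing at root management group; collection phases that need it will fail"))
    return findings


# Constructed sample in the shape of `az role assignment list` output (placeholder ids, not real tenant values).
ROOT_MG = "00000000-0000-0000-0000-000000000000"
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Reader", "scope": f"/providers/Microsoft.Management/managementGroups/{ROOT_MG}"},
    {"roleDefinitionName": "Security Reader", "scope": f"/providers/Microsoft.Management/managementGroups/{ROOT_MG}"},
    # Billing Reader granted on one subscription instead of the root management group.
    {"roleDefinitionName": "Billing Reader", "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
    {"roleDefinitionName": "Microsoft Sentinel Reader", "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
    # A write role that the documented model says the principal must never hold.
    {"roleDefinitionName": "Contributor", "scope": "/subscriptions/22222222-2222-2222-2222-222222222222"},
]

if __name__ == "__main__":
    for severity, message in audit_assignments(SAMPLE_ASSIGNMENTS, ROOT_MG, sentinel_deployed=True):
        print(f"[{severity}] {message}")
```

Run it against the real assignment list by piping `az role assignment list --assignee <appId> --all` through `json.load` in place of `SAMPLE_ASSIGNMENTS`; a clean run prints nothing, and a `critical` finding means the "no write permissions at any scope" guarantee does not hold in that tenant.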