When you add Enpass as an Enterprise Application in Microsoft Entra ID, it requests a specific set of Microsoft Graph API permissions. This page explains what each permission does, why Enpass needs it, and how it is used.
Important: All permissions are delegated
Every permission listed below is a delegated permission, and the resulting tokens never leave the user's device. This means:
- Enpass never acts on its own. Every Microsoft Graph API call is made on behalf of the signed-in user and is bounded by what that user can already access; the permissions below add no access the user does not already have.
- The user's OAuth access token (and the refresh token obtained through offline_access, described below) is stored only in the local Enpass app database, encrypted with the user's master password. It is never transmitted to or stored on any Enpass server.
- Because the tokens exist only on the user's device, a breach of Enpass servers cannot expose them.
Permission details
User.Read — Sign in and read user profile
Allows Enpass to retrieve basic profile information for the signed-in user, including their email address, display name, user principal name (UPN), and user ID. This information is used to identify the user within the Enpass team account and to associate vaults with the correct user.
Files.ReadWrite.AppFolder — Full access to the application's folder
Grants Enpass read and write access to its own private application folder on the user's OneDrive (OneDrive > Apps > Enpass). This is where the user's primary vault is created, updated, and synced. Enpass cannot access any other files or folders on the user's OneDrive through this permission.
offline_access — Maintain access to data you have given it access to
Causes Microsoft to issue a refresh token alongside the access token, so Enpass can obtain new access tokens without user interaction and vault synchronization keeps working when the user is not signed in to Microsoft in a browser. Without this permission, users would need to re-authenticate with Microsoft every time the short-lived access token expired (on the order of an hour).
Sites.ReadWrite.All — Edit or delete items in all site collections
Enables Enpass to access, create, update, and delete vault files on the user's OneDrive and on SharePoint sites. It is required for shared vaults and team vaults, which are stored in SharePoint document libraries rather than in the user's private app folder. This is the broadest permission in the list: unlike Files.ReadWrite.AppFolder it is not confined to the Enpass app folder. Because it is delegated, it covers exactly the SharePoint sites and libraries the signed-in user can already open, and nothing more; Enpass limits its own use of it to folders the user explicitly selects inside the app.
Team.ReadBasic.All — Read the names and descriptions of teams
Allows Enpass to list the Microsoft Teams that the user belongs to. This is used when creating or assigning vaults for specific teams, so that users can browse and select the correct team from within the Enpass app.
User.ReadBasic.All — Read all users' basic profiles
Enables Enpass to look up basic profile information (name, email) for other users in the organization. This is needed when sharing vaults with colleagues — Enpass uses this to let the vault owner search for and select recipients.
Channel.ReadBasic.All — Read the names and descriptions of channels
Allows Enpass to list channels within a team. Similar to the Teams permission above, this is used when creating or managing vaults that are associated with specific team channels.
Group.Read.All — Read all groups
Enables Enpass to list Microsoft 365 groups and read their properties. This is used when creating vaults on SharePoint sites to identify and list the group members who should have access.
Optional Permissions
ChannelMember.Read.All — Read the members of private channels
Allows Enpass to list the members of private channels. Add this permission when your team wants to create or manage vaults that are associated with a team's private channels.
See more: Microsoft "Approval required" prompt when sharing a vault from a Private Channel
DeviceManagementManagedApps.ReadWrite — Read and Write the User's App Management data
This permission is only required if your organization uses Microsoft Intune Mobile Application Management (MAM). It allows Enpass to interact with MAM policies. This permission is app-local and user-specific, meaning it only enables Enpass to manage its own app protection state for the signed-in user, such as applying data protection policies and syncing MAM policy data. It does not grant access to other apps, devices, or any tenant-wide Intune configuration.
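Once the application has been consented, an admin will want to confirm that what the tenant actually granted matches this list: every scope is one documented above, nothing was added, and there are no application permissions (which would let the app run without a signed-in user). The following script is an added example, not Enpass code. It works offline on the JSON shapes returned by two Microsoft Graph calls, GET /servicePrincipals/{id}/oauth2PermissionGrants (delegated grants) and GET /servicePrincipals/{id}/appRoleAssignments (application permissions); the two sample responses are constructed for illustration, including a deliberately drifted grant that contains Files.ReadWrite.All, and the resource and user IDs are placeholders.

```python
"""Audit the consent grants on the Enpass service principal against the
permission list on this page.

Added example, not Enpass code. It runs offline on the JSON shapes returned by:
  GET /servicePrincipals/{id}/oauth2PermissionGrants  (delegated grants)
  GET /servicePrincipals/{id}/appRoleAssignments      (application permissions)
The sample responses below are constructed, not captured from a real tenant.
"""

# Delegated scopes this page lists as required and optional.
REQUIRED_SCOPES = {
    "User.Read",
    "Files.ReadWrite.AppFolder",
    "offline_access",
    "Sites.ReadWrite.All",
    "Team.ReadBasic.All",
    "User.ReadBasic.All",
    "Channel.ReadBasic.All",
    "Group.Read.All",
}
OPTIONAL_SCOPES = {
    "ChannelMember.Read.All",
    "DeviceManagementManagedApps.ReadWrite",
}

# Constructed sample: one tenant-wide admin consent that drifted to include
# Files.ReadWrite.All, plus one user who consented to an optional scope herself.
SAMPLE_OAUTH2_GRANTS = {
    "value": [
        {
            "id": "grant-admin",
            "consentType": "AllPrincipals",   # admin consent on behalf of all users
            "principalId": None,
            "resourceId": "graph-sp-id",       # placeholder for the Graph service principal
            "scope": (
                "User.Read Files.ReadWrite.AppFolder offline_access "
                "Sites.ReadWrite.All Team.ReadBasic.All User.ReadBasic.All "
                "Channel.ReadBasic.All Group.Read.All Files.ReadWrite.All"
            ),
        },
        {
            "id": "grant-user",
            "consentType": "Principal",        # consent by a single user
            "principalId": "user-42",          # placeholder user object ID
            "resourceId": "graph-sp-id",
            "scope": "User.Read ChannelMember.Read.All",
        },
    ]
}
SAMPLE_APP_ROLE_ASSIGNMENTS = {"value": []}   # no application permissions assigned


def audit_grants(oauth2_grants, app_role_assignments):
    """Compare what is actually consented with what this page documents."""
    granted = set()
    per_user = []
    for grant in oauth2_grants.get("value", []):
        # Graph stores the scopes of one grant as a space-separated string.
        scopes = set(grant.get("scope", "").split())
        granted |= scopes
        if grant.get("consentType") != "AllPrincipals":
            per_user.append((grant.get("principalId"), sorted(scopes)))
    return {
        "granted": sorted(granted),
        "unexpected": sorted(granted - REQUIRED_SCOPES - OPTIONAL_SCOPES),
        "missing_required": sorted(REQUIRED_SCOPES - granted),
        "optional_present": sorted(granted & OPTIONAL_SCOPES),
        "per_user_consents": per_user,
        # Any appRoleAssignment on the client service principal is an
        # application permission, which this page says Enpass never requests.
        "application_permissions": [
            a.get("appRoleId") for a in app_role_assignments.get("value", [])
        ],
    }


def is_consistent_with_docs(report):
    """True only if every granted scope is on this page and nothing can run
    without a signed-in user (no application permissions)."""
    return not report["unexpected"] and not report["application_permissions"]


if __name__ == "__main__":
    report = audit_grants(SAMPLE_OAUTH2_GRANTS, SAMPLE_APP_ROLE_ASSIGNMENTS)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("consistent with documented permissions:", is_consistent_with_docs(report))
```

On a real tenant the two inputs come from the Graph calls named above, or from the Microsoft Graph PowerShell cmdlets Get-MgServicePrincipalOauth2PermissionGrant and Get-MgServicePrincipalAppRoleAssignment run against the Enpass service principal. The sample deliberately fails the check, because Files.ReadWrite.All is not on this page; a per-user ("Principal") consent is reported separately since it means one user accepted a scope outside the admin-consented set.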
What Enpass does NOT do with these permissions
- Enpass never scans your drive automatically. All file operations are performed either within the Enpass private app folder (OneDrive > Apps > Enpass) or within a specific OneDrive/SharePoint folder that the user explicitly selects using a folder browser inside the app.
- No data is sent to Enpass servers. Vault data, access tokens, and user credentials all remain on the user's local device, encrypted at rest.
Related topics
- Add Enpass to Microsoft Entra ID — Step-by-step guide for the admin consent process.
- Security of Your Data on Microsoft 365 — How Enpass protects your vault data within Microsoft 365.