Last update 01.08.2023


Revision 1.0

In order to work, Pistachio requires certain permissions to access your Microsoft Active Directory tenant. These permissions are granted to the Pistachio Microsoft application as part of the onboarding process using the OAuth 2.0 client credentials flow. This page describes what each permission is, why it is required, and how the data is used.

Sign in and read user profile

This is the delegated User.Read permission in Microsoft. It enables users to log in to Pistachio using their Microsoft accounts and grants Pistachio access to their basic information, including their name.

Read all users’ full profiles

This is the application User.Read.All permission in Microsoft. It allows Pistachio to read user profile data. This is needed so that Pistachio can get information about each user that should receive a license. The information Pistachio accesses includes the user’s ID, display name, status (enabled / disabled), department, given name, surname, job title, mobile phone number, email address, country, location, and photo. This data is used to show admins in Pistachio relevant information and to improve the targeting of simulated attacks.

Pistachio only stores this data for users that are licensed in Pistachio, i.e. those users that belong to the “pistachio-standard” group in Active Directory.

Read directory data

This is the application Directory.Read.All permission in Microsoft. It allows Pistachio to read data about groups without requiring a logged-in user. It also grants Pistachio access to basic information such as the organization’s name and preferred language.

Read and write mail in all mailboxes

This is the application Mail.ReadWrite permission in Microsoft. It allows Pistachio to create, read, update, and delete mail in all mailboxes. However, it does not grant Pistachio the ability to send emails. This permission is required to allow Pistachio to send email attacks to users.

Pistachio uses the “Create mail in mail folder” API request to send users email attacks. This endpoint requires a permission called Mail.ReadWrite, even though it only involves writing emails and not reading them. We believe that the more appropriate permission for this action would be Mail.Write, as we don't need or want the ability to read users' emails.

To address this concern, we are actively advocating to Microsoft to modify the permission requirement to Mail.Write. We've also shared our thoughts and raised this issue in a public Microsoft forum. You can check out our post on the forum here.

Until Microsoft adds support for a Mail.Write permission, we will need to continue to request Mail.ReadWrite. However, it's important to note that Pistachio does not read your emails, nor does it have any code that allows it to do so. We have also implemented multiple security measures to ensure that no one within Pistachio accesses your emails.

If you would like to help us to get Microsoft to make a change, please contact us at Any help would be greatly appreciated.
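
As an added example (not Pistachio's code): a tenant administrator can check that the application permissions actually granted to the app match the three application permissions listed on this page. The code assumes the app's appRoleAssignments and the resource service principal's appRoles have already been exported from Microsoft Graph; the GUIDs and sample data are constructed, and the delegated User.Read permission is out of scope because it is recorded as a delegated grant rather than an app role assignment.

```python
# Added example, not Pistachio's code. Field names (appRoleId, appRoles,
# id, value) follow Microsoft Graph; all GUIDs and sample data are constructed.

# The three application permissions this page documents.
DOCUMENTED = {"User.Read.All", "Directory.Read.All", "Mail.ReadWrite"}


def audit_app_roles(assignments, resource_app_roles, documented=DOCUMENTED):
    """Resolve granted appRoleIds to permission names and diff them
    against the documented set."""
    names_by_id = {role["id"]: role["value"] for role in resource_app_roles}
    granted, unresolved = set(), []
    for item in assignments:
        name = names_by_id.get(item["appRoleId"])
        if name is None:
            # Role id not defined by this resource: report it, never drop it.
            unresolved.append(item["appRoleId"])
        else:
            granted.add(name)
    return {
        "granted": sorted(granted),
        "unexpected": sorted(granted - documented),  # granted, not on this page
        "missing": sorted(documented - granted),     # on this page, not granted
        "unresolved": unresolved,
    }


def _guid(n):
    """Constructed placeholder GUID, not a real Microsoft Graph role id."""
    return f"00000000-0000-0000-0000-{n:012d}"


# Constructed sample: appRoles exposed by the resource service principal.
SAMPLE_APP_ROLES = [
    {"id": _guid(1), "value": "User.Read.All"},
    {"id": _guid(2), "value": "Directory.Read.All"},
    {"id": _guid(3), "value": "Mail.ReadWrite"},
    {"id": _guid(4), "value": "Mail.Send"},
]
# Constructed sample: assignments on the app's service principal, with one
# extra grant (Mail.Send) and one id the resource does not define.
SAMPLE_ASSIGNMENTS = [{"appRoleId": _guid(n)} for n in (1, 2, 3, 4, 99)]

if __name__ == "__main__":
    for key, value in audit_app_roles(SAMPLE_ASSIGNMENTS, SAMPLE_APP_ROLES).items():
        print(f"{key}: {value}")
```

Any entry under "unexpected" or "unresolved" is a grant this page does not describe and is worth reviewing before or after consent.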