Required accounts and permissions for an Azure AD scan
To perform an Azure AD scan, you must configure two accounts:
The "Process account" is used to execute the scan process on the selected collector. This account must have local administrative rights and interactive logon privileges on the collector. Recommended: You can leave the input blank and ARM will use the service account from the base configuration.
The "scan account" is used for the actual scan. As described in the "Prepare Microsoft365 integration" chapter, you need to register an app in the Azure portal and use the generated App ID and the Client Secret Value as credentials.