App Registrations & Permissions

This reference guide explains:

  • What the Master app is
  • What app registrations are created by the Master app
  • Why each permission is required

Overview

EagleEye uses one orchestrator app registration to create and configure everything it needs.

We call this the Master app.

You can give it any name when creating it, for example: Northwind.EagleEye.Master

What the Master app does during installation

  1. You create the Master app in Step 2 - App Registration and grant the required Graph permissions to it.
  2. During deployment, the Master app creates these three app registrations:
    • Engine
    • Api
    • Portal
  3. Then it:
    • Grants Graph permission to Engine
    • Grants delegated API access to Portal
    • Assigns the configured Entra group to Portal
    • Reads your tenant email domains (e.g., @northwind.com, @company.com) and stores them in the database

Master App - Required Permissions

When creating the Master app (Step 2 - App Registration), we assign the following Microsoft Graph Application permissions.

These must be Application permissions (not Delegated), because deployment is automated and non-interactive.

| Permission | Why it is needed |
| --- | --- |
| Application.ReadWrite.OwnedBy | Create and update the Engine, API, and Portal app registrations |
| AppRoleAssignment.ReadWrite.All | Grant application permissions to the Engine app (for example, Engine -> Microsoft Graph) |
| DelegatedPermissionGrant.ReadWrite.All | Grant delegated API access to Portal app (Portal -> API) |
| Domain.Read.All | Read tenant domains for EagleEye email settings and store them in the database |
| Group.Read.All | Read groups and group memberships so deployment can find the configured Entra group and assign it to the Portal app |
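
An added example, not part of the EagleEye documentation or product: a Python check that compares the Microsoft Graph Application permissions actually granted to the Master app with the five listed above, reporting anything missing or extra. It assumes the Microsoft Graph service principal object and the Master app's appRoleAssignments list have been exported as JSON; the function name, the "Contoso API" resource and all ids in the sample data are constructed placeholders.

```python
import json

# Required Microsoft Graph Application permissions, taken from the table above.
REQUIRED = {
    "Application.ReadWrite.OwnedBy",
    "AppRoleAssignment.ReadWrite.All",
    "DelegatedPermissionGrant.ReadWrite.All",
    "Domain.Read.All",
    "Group.Read.All",
}

def audit_master_app(graph_sp, assignments):
    """Compare the Master app's granted Graph app roles with REQUIRED.

    graph_sp:    Microsoft Graph service principal object (needs id and appRoles)
    assignments: the 'value' list from the Master app's appRoleAssignments
    """
    # Only roles grantable to applications count as Application permissions.
    role_names = {
        r["id"]: r["value"]
        for r in graph_sp["appRoles"]
        if "Application" in r.get("allowedMemberTypes", [])
    }
    granted, other = set(), []
    for a in assignments:
        if a["resourceId"] != graph_sp["id"]:
            # App roles on some other API: outside the documented list, report separately.
            other.append(f'{a.get("resourceDisplayName", a["resourceId"])}:{a["appRoleId"]}')
        else:
            granted.add(role_names.get(a["appRoleId"], f'unknown:{a["appRoleId"]}'))
    return {
        "missing": sorted(REQUIRED - granted),
        "unexpected": sorted(granted - REQUIRED),
        "other_resources": sorted(other),
    }

# Constructed sample data: every id below is a placeholder, not a real Graph GUID.
_NAMES = sorted(REQUIRED) + ["Mail.Read"]
GRAPH_SP = {"id": "sp-graph", "appRoles": [
    {"id": "role-" + n, "value": n, "allowedMemberTypes": ["Application"]} for n in _NAMES]}
# Master app sample: Group.Read.All not granted, Mail.Read granted in excess.
ASSIGNMENTS = [{"resourceId": "sp-graph", "appRoleId": "role-" + n}
               for n in _NAMES if n != "Group.Read.All"]
ASSIGNMENTS.append({"resourceId": "sp-other", "resourceDisplayName": "Contoso API",
                    "appRoleId": "role-x"})

if __name__ == "__main__":
    print(json.dumps(audit_master_app(GRAPH_SP, ASSIGNMENTS), indent=2))
```

An empty "missing" list together with empty "unexpected" and "other_resources" lists means the Master app holds exactly the documented set.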

3 App Registrations Created by Master App

EagleEye uses three app registrations, each with a single clear responsibility.

Engine

Purpose: Email analysis

  • Reads mailboxes
  • Resolves users and groups
  • Used by background jobs and CLI

Think of Engine as the worker that does the actual email processing.

Api

Purpose: Backend API

  • Exposes EagleEye data and operations
  • Acts as the bridge between Portal and Engine

Think of API as the backend glue that connects everything.

Portal

Purpose: Web Portal

  • Users sign in here
  • Run scans, see reports, and create tags
  • Access is restricted by Entra group assignment

Think of Portal as the frontend users interact with.

One-line summary

References