...
There are 4 INKY Enterprise Applications used by INKY though they are not all mandatory.
INKY Dashboard SSO (Required if you want to use SSO through AzureAD Entra AD and INKY Dashboard)
Sign users in - Delegated
View users' basic profile - Delegated
View users’ email address - Delegated
INKY Phish Fence - Directory Synchronization - INKY uses the Microsoft Graph API to check your tenant's domain and directory information to help ensure you stay protected. This requires you to log in with an Office 365 or Exchange global administrator account. Note: Once this access is granted, you may use the "Check for Missing Domains" tool under Advanced Config > Domain Information; please report any missing domains to INKY support.
Sign in and read user profile - Delegated
Read directory data - Application
Read domains - Application
Read and write all groups
INKY Phish Fence - InstallationSetup and Maintenance - Used during the install process (can be deleted after install)
Access directory as the signed in user - Delegated
Sign users in - Delegated
View users' basic profile - Delegated
Maintain access to data you have given it access to - DelegatedSign in and read user profile
Read and write all directory RBAC settings
Manage apps that this app creates or owns
Read and write domains
Read directory data
Manage Exchange As Application
Inky Phish Fence Remediation - Required if using the remediation features on the INKY Dashboard and delivering mail to Graymail folder if using INKY Graymail features.
Read and write all user mailbox settings
Read and write mail in all mailboxes - Delegated
Sign in and read user profile
, Quarantine View, Message Trace, and other Tenant Operations.
More info about the individual permissions can be found here: https://docs.microsoft.com/en-us/graph/permissions-reference