Labels: question (Further information is requested)
Description
Hello,
I am trying to use the M365 assessment tool for an audit of the alerts on my tenant and I have this issue with the permissions. I use interactive authentication with delegated permissions on an app. Permissions on my app are:

It seems correct to me. Required permissions in the documentation are: Graph: Sites.Read.All, User.Read / SharePoint: AllSites.FullControl
Below is the log:

```
2025-09-30 09:29:30.899 -04:00 [ERR] Error starting assessment job: Microsoft Graph service exception
HttpResponseCode: 403
Code: Forbidden
Message: Access to Site in Graph API requires the following permissions: Sites.Read.All or Sites.ReadWrite.All. However, the application only has the following permissions granted: Group.Read.All, User.ReadWrite.All
ClientRequestId:
target:
httpCode: 403
PnP.Core.MicrosoftGraphServiceException: Microsoft Graph service exception
   at PnP.Core.Services.BatchClient.ExecuteMicrosoftGraphInteractiveAsync(Batch batch)
   at PnP.Core.Services.BatchClient.ExecuteMicrosoftGraphBatchAsync(Batch batch)
   at PnP.Core.Services.BatchClient.ExecuteBatch(Batch batch)
   at PnP.Core.Model.BaseDataModel`1.RequestAsync(ApiCall apiCall, HttpMethod method, String operationName)
   at PnP.Core.Model.BaseDataModel`1.RawRequestAsync(ApiCall apiCall, HttpMethod method, String operationName)
   at PnP.Core.Admin.Model.SharePoint.SiteCollectionEnumerator.GetViaGraphSearchApiAsync(PnPContext context, VanityUrlOptions vanityUrlOptions, SiteCollectionFilter filter, Int32 pageSize)
   at PnP.Core.Admin.Model.SharePoint.SiteCollectionEnumerator.GetAsync(PnPContext context, VanityUrlOptions vanityUrlOptions, Boolean ignoreUserIsTenantAdmin, SiteCollectionFilter filter)
   at PnP.Core.Admin.Model.SharePoint.SiteCollectionManager.GetSiteCollectionsAsync(Boolean ignoreUserIsSharePointAdmin, SiteCollectionFilter filter, VanityUrlOptions vanityUrlOptions)
   at PnP.Scanning.Core.Services.SiteEnumerationManager.EnumerateSiteCollectionsToScanAsync(StartRequest start, AuthenticationManager authenticationManager, Action`1 feedback)
   at PnP.Scanning.Core.Services.Scanner.Start(StartRequest request, IServerStreamWriter`1 responseStream, ServerCallContext context)
```
Thanks for your help.
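
One way to see which delegated scopes a session actually received, as an added example that is not part of the original post or the tool's own code: decode the Graph access token payload and compare its `scp` claim with the scopes the post lists. The function names and the sample token are constructed for illustration, and the signature is not verified, so this is for diagnosis only.

```python
import base64
import json

# Delegated Graph scopes the post quotes from the tool's documentation.
REQUIRED_GRAPH_SCOPES = {"Sites.Read.All", "User.Read"}
# The 403 message accepts either of these for site access.
SITE_ACCESS_ALTERNATIVES = {"Sites.Read.All", "Sites.ReadWrite.All"}


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def token_scopes(jwt: str) -> set:
    """Return the delegated scopes in the `scp` claim (no signature check).

    App-only tokens carry a `roles` claim instead, so an empty result on a
    delegated flow means no scopes were consented for this resource.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("scp", "").split())


def missing_scopes(jwt: str) -> set:
    """Required scopes absent from the token, compared by exact name."""
    granted = token_scopes(jwt)
    missing = REQUIRED_GRAPH_SCOPES - granted
    if granted & SITE_ACCESS_ALTERNATIVES:
        missing.discard("Sites.Read.All")  # Sites.ReadWrite.All also passes
    return missing


def make_sample_token(scp: str) -> str:
    """Constructed, unsigned token used only to exercise the functions."""
    header = {"alg": "none", "typ": "JWT"}
    claims = {"aud": "https://graph.microsoft.com", "scp": scp}
    return ".".join([_b64url(header), _b64url(claims), "sig"])


if __name__ == "__main__":
    # Scopes taken from the error message in the log above.
    sample = make_sample_token("Group.Read.All User.ReadWrite.All")
    print("granted:", sorted(token_scopes(sample)))
    print("missing:", sorted(missing_scopes(sample)))
```

If the granted set differs from what the app registration shows, the consent for the newly added scopes has likely not reached the token being used.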