Cavaridge Academy
Setting Up Posture Scans
Module 2 of 5

Connecting data sources

Wire AEGIS to a client's actual environment using read-only credentials and minimum-privilege scopes.

Video — pending production
Read the transcript below. Once recording is complete, the video will replace this notice.
---
title: Connecting data sources
status: draft
note: AI-generated first-pass transcript pending video production + SME review.
---

Connecting data sources is the unglamorous work that determines whether AEGIS produces useful output for a client. This lesson walks through the right way to do it for the most common stacks.

## The principle: minimum-privilege, read-only

Every AEGIS connector should run on a service account (not a person) with the smallest possible read-only scope per provider. Specifically:

- No write permissions, ever.
- Scopes per provider:
  - **Microsoft Graph**: `Reports.Read.All`, `Directory.Read.All`, `Policy.Read.All`. That's it.
  - **Defender for Cloud Apps**: read-only API token, scoped to your tenant.
  - **Sentinel**: Log Analytics Reader role on the workspace.
- Service account names follow `cavaridge-aegis-svc@<tenant>` so an auditor can immediately tell what they are.

If a provider doesn't expose a read-only scope, AEGIS marks the connector status as "elevated-required — operator decision needed" rather than asking you to grant admin.

## The flow per connector

1. Open the connector page in AEGIS.
2. Generate a connection request (an OAuth consent or a service-account creation script; this varies per provider).
3. Have the customer's admin grant consent or run the script.
4. AEGIS validates the connection with a 30-second smoke test.
5. The first scan kicks off.

When validation fails, AEGIS shows the **specific** scope or permission that is missing. Don't guess. Read the error.

## What connector failure looks like

If a connector fails (credentials revoked, scope removed, provider outage), AEGIS does NOT silently zero the score. Instead:

- The control families dependent on that source are marked "data not collected".
- The Raw Score reflects only what was actually observed.
- A `connector_failure` Pulse event fires.

This is the honest behavior. A green check on a broken connector would be worse than the failure itself.
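A pre-consent check an operator can run against the consent request before handing it to the client admin: it pulls the requested scopes out of the OAuth consent URL, rejects anything outside the lesson's read-only allowlist, names the scope the smoke test would later report as missing, and enforces the `cavaridge-aegis-svc@<tenant>` naming rule. This is an added example, not AEGIS code; the consent URL, client id and account names are constructed samples, and the allowlist is assumed to be complete.

```python
import re
from urllib.parse import parse_qs, urlparse

# Read-only scopes the lesson allows per provider; assumed here to be the complete allowlist.
ALLOWED_SCOPES = {
    "microsoft_graph": {"Reports.Read.All", "Directory.Read.All", "Policy.Read.All"},
}
# Required service-account naming convention: cavaridge-aegis-svc@<tenant>
SVC_ACCOUNT_RE = re.compile(r"^cavaridge-aegis-svc@[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)


def scopes_from_consent_url(url: str) -> list[str]:
    """Pull the space-separated 'scope' parameter out of an OAuth consent URL.

    Graph scopes are often written as 'https://graph.microsoft.com/<Permission>';
    only the permission name is kept so it can be compared with the allowlist.
    """
    raw = " ".join(parse_qs(urlparse(url).query).get("scope", []))
    return [s.rsplit("/", 1)[-1] for s in raw.split()]


def review_consent(provider: str, requested: list[str], account: str) -> list[str]:
    """Return policy findings for a pending consent; an empty list means it is safe to grant."""
    allowed = ALLOWED_SCOPES.get(provider, set())
    findings = []
    for scope in requested:
        if scope in allowed:
            continue
        if "Write" in scope:  # write permission: never acceptable for a connector
            findings.append(f"write scope requested: {scope}")
        else:  # not a write scope, but still not on the approved read-only list
            findings.append(f"scope outside read-only allowlist: {scope}")
    # A scope that is not requested is what the 30-second smoke test would report; name it now.
    for scope in sorted(allowed - set(requested)):
        findings.append(f"required scope missing: {scope}")
    if not SVC_ACCOUNT_RE.match(account):
        findings.append(f"service account does not follow cavaridge-aegis-svc@<tenant>: {account}")
    return findings


# Constructed sample: a consent request that asks for one write scope and omits Policy.Read.All.
SAMPLE_CONSENT_URL = (
    "https://login.microsoftonline.com/common/v2.0/adminconsent"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&scope=https://graph.microsoft.com/Reports.Read.All%20https://graph.microsoft.com/Directory.ReadWrite.All"
)

if __name__ == "__main__":
    requested = scopes_from_consent_url(SAMPLE_CONSENT_URL)
    for finding in review_consent("microsoft_graph", requested, "aegis-bot@contoso.onmicrosoft.com"):
        print("FINDING:", finding)
```

Run it before step 3 of the flow; a non-empty finding list means the request goes back to be regenerated rather than to the client admin.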
## Hands-on

The **aegis-msp-trio** seed sandbox provisions three sample clients:

- **ContosoCare** — small healthcare practice with M365 + ConnectWise.
- **AcmeOps** — manufacturer with M365, Sentinel, and Atera.
- **NimbusLLC** — consultancy with Google Workspace + browser extension.

Connect each:

1. Open ContosoCare's connector page.
2. Generate the M365 consent.
3. Click through as the simulated client admin.
4. Watch the connector validate.

Then break it deliberately: revoke the consent. Watch the AEGIS UI flip to "data not collected" within minutes. That recovery posture is the signal you want — both for clients and for auditors.

## What clients see

The client-side view in AEGIS shows connector status with the same honesty. They'll see your connector list, what's connected, what's not, and what data isn't being collected. Don't let a client surprise you by spotting a broken connector first. Watch your Pulse feed.

## What's next

Module 3 covers scheduling: how often scans should run, what to do when one stalls, and the idempotency rules that keep retries safe.
Hands-on sandbox
aegis · seed: aegis-msp-trio · 60 min

Knowledge check

  1. Question 1 · select one
    Connector credentials should be
  2. Question 2 · select one
    Connector failures show up as
  3. Question 3 · select all that apply
    Which connectors are safe to enable on a vanilla M365 tenant?