Permissions required to be enabled for SharePoint custom OAuth setup
Introduction
Skyhigh CASB allows customers to connect to SharePoint through a custom application that uses asymmetric authentication, instead of requiring a SharePoint global administrator account and a non-administrator account with a username and password. With this function, you can also run Skyhigh CASB for SharePoint in a read-only mode.
Justification
Below are the justifications for each permission scope that must be enabled for the SharePoint custom OAuth setup.
| S.No | Group | Permission | Description | Justification / CASB use case |
|---|---|---|---|---|
| 1 | Microsoft Graph | Sites.Read.All | Allows the application to read items (documents, files, lists, etc.) across all site collections in SharePoint and OneDrive. | Used to read items in all site collections in SharePoint and OneDrive, so that the application can retrieve data from site collections across the organization. |
| 2 | Office 365 SharePoint Online | User.Read.All | Grants access to read user profile information. | Required to fetch user information for context when analyzing activity data, so that activities can be associated with specific users. Also used to fetch all users of an organization and cache them. |
| 3 | Office 365 Management API | ActivityFeed.Read | Allows the application to read activity data from Office 365 services such as SharePoint and Azure AD. | Essential for retrieving detailed activity logs and usage information across the organization, for security monitoring, troubleshooting, and reporting. |
| 4 | Microsoft Graph | Directory.Read.All | Provides access to read directory data, including user and group information. | Required to gather additional context about users and groups, mainly for collaboration cases where the details of all group members and individual collaborators of a file or folder in SharePoint and OneDrive must be fetched. User and group details are cached to avoid repeated API calls. |
| 5 | Microsoft Graph | DeviceManagementConfiguration.ReadWrite | Enables reading and writing device configurations. | Primarily associated with managing device configurations through the Microsoft Graph API; the APIs and endpoints that require this permission relate to device management and configuration tasks. For more details, refer to the document below. |
| 6 | Microsoft Graph | Reports.Read.All | Gets details about OneDrive/SharePoint usage by account. | Used for On Demand scans: Skyhigh reads the data volume per user from the Reports API and uses it to calculate the progress of the scan. |
| 7 | Microsoft Graph | Policy.Read.All | Allows reading organization-wide policies. | Same as S.No. 5. |
| 8 | Office 365 SharePoint Online | Sites.FullControl.All | Full control of all site collections. | Required to discover all sites and users in the O365 tenant in order to attach event listeners for receiving events. |
| 9 | Office 365 SharePoint Online | Sites.Manage.All | Permission to read and write items and lists across all site collections. | Used to create, edit, and delete items and lists in all site collections. |