
Skyhigh Security

Permissions required to be enabled for SharePoint custom OAuth setup

Introduction

Skyhigh CASB allows customers to connect to SharePoint through a custom application that uses asymmetric (certificate-based) authentication, instead of requiring a global administrator account with a username and password for SharePoint plus a separate non-administrator account. With this function, you can also run Skyhigh CASB for SharePoint in a read-only mode.

Justification

Below are the justifications for each permission scope that must be enabled for the SharePoint custom OAuth setup.

| S.No | Group | Permission | Description | Justification / use case for CASB |
|---|---|---|---|---|
| 1 | Microsoft Graph | Sites.Read.All | Allows the application to read items (documents, files, lists, etc.) across all site collections in SharePoint and OneDrive. | Grants read access to items in all site collections in SharePoint and OneDrive, so the application can retrieve data from the various site collections across an organization. |
| 2 | Office365 SharePoint Online | User.Read.All | Grants access to read user profile information. | Required to fetch user information for context when analyzing activity data, so that activities can be associated with specific users. The API is also used to fetch all users of an organization and cache them. |
| 3 | Office365 Management API | ActivityFeed.Read | Allows the application to read activity data from various Office 365 services, such as SharePoint, Azure AD, and more. | Essential for retrieving detailed activity logs and usage information across the organization, which supports security monitoring, troubleshooting, and reporting. |
| 4 | Microsoft Graph | Directory.Read.All | Provides access to read directory data, including user and group information. | Required to gather additional context about users and groups, mainly for collaboration cases where the details of all group members and individual collaborators of a file/folder in SharePoint and OneDrive must be fetched. User and group details are cached to avoid repeated API calls. |
| 5 | Microsoft Graph | DeviceManagementConfiguration.ReadWrite | Enables reading and writing device configurations. | Primarily associated with managing device configurations through the Microsoft Graph API; the specific APIs and endpoints that require this permission are related to device management and configuration tasks. For more details, refer to https://success.myshn.net/Skyhigh_CASB/Skyhigh_CASB_Sanctioned_Apps/Security_Configuration_Audit_for_SaaS |
| 6 | Microsoft Graph | Reports.Read.All | Gets details about OneDrive/SharePoint usage by account. | Used for On Demand scans: Skyhigh reads the data volume per user from the Reports API and uses it to calculate the progress of the scan. |
| 7 | Microsoft Graph | Policy.Read.All | Allows reading organization-wide policies. | Same as S.No. 5. |
| 8 | Office365 SharePoint Online | Sites.FullControl.All | Have full control of all site collections. | Required to discover all sites and users from the O365 tenant in order to attach event listeners for receiving events. Reference: https://learn.microsoft.com/en-us/archive/blogs/vesku/using-add-in-only-app-only-permissions-with-search-queries-in-sharepoint-online |
| 9 | Office365 SharePoint Online | Sites.Manage.All | Provides permissions to read and write items and lists across all site collections. | Used to create, edit, and delete items and lists in all site collections. |
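As an added example (not Skyhigh's own code), the following Python encodes the permission table above and checks the scopes granted to an app registration against it, reporting missing scopes, extras that the table does not justify, and the write-capable scopes that a read-only deployment should not need. The granted list is a constructed sample.

```python
# Least-privilege check for the SharePoint custom OAuth app registration.
# Added example, not Skyhigh's own code: it encodes the permission table from
# this page and compares it with the scopes granted to an app registration.
# SAMPLE_GRANTED is constructed; in practice, copy the app's "API permissions".

# (API, scope) pairs from the table on this page, in S.No order.
REQUIRED = {
    ("Microsoft Graph", "Sites.Read.All"),
    ("Office365 SharePoint Online", "User.Read.All"),
    ("Office365 Management API", "ActivityFeed.Read"),
    ("Microsoft Graph", "Directory.Read.All"),
    ("Microsoft Graph", "DeviceManagementConfiguration.ReadWrite"),
    ("Microsoft Graph", "Reports.Read.All"),
    ("Microsoft Graph", "Policy.Read.All"),
    ("Office365 SharePoint Online", "Sites.FullControl.All"),
    ("Office365 SharePoint Online", "Sites.Manage.All"),
}

# Action parts of a scope name (Resource.Action[.All]) that allow changes.
WRITE_ACTIONS = {"ReadWrite", "Manage", "FullControl"}


def is_write_scope(scope: str) -> bool:
    """True when the scope lets the app change tenant data, not just read it."""
    parts = scope.split(".")
    action = parts[1] if len(parts) > 1 else parts[0]
    return action in WRITE_ACTIONS


def audit(granted: set) -> dict:
    """Compare granted (API, scope) pairs with the table on this page.

    'missing' scopes will break the connector, 'extra' scopes are not
    justified by the table and should be reviewed, and 'write' lists every
    granted write-capable scope so a read-only deployment can be verified.
    """
    label = lambda api, scope: f"{api}: {scope}"
    return {
        "missing": sorted(label(*p) for p in REQUIRED - granted),
        "extra": sorted(label(*p) for p in granted - REQUIRED),
        "write": sorted(label(*p) for p in granted if is_write_scope(p[1])),
    }


# Constructed sample: Reports.Read.All was not granted, and Mail.ReadWrite was
# granted although nothing on this page justifies it.
SAMPLE_GRANTED = {p for p in REQUIRED if p[1] != "Reports.Read.All"}
SAMPLE_GRANTED.add(("Microsoft Graph", "Mail.ReadWrite"))

if __name__ == "__main__":
    for category, scopes in audit(SAMPLE_GRANTED).items():
        print(f"{category}: {scopes}")
```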
