Permissions required to be enabled for SharePoint custom o-auth setup

Last updated
Save as PDF

Introduction

Skyhigh CASB allows customers to connect to SharePoint through a custom application with asymmetric authentication instead of requiring a global administrator account with a username and password for SharePoint and a non-administrator account. With this function, you can also run Skyhigh CASB for SharePoint in a read-only mode.

Justification

Below are the justifications of the permission scope required to be enabled for SharePoint custom o-auth setup.

S.No	Group	Permission	Description	Justification/ Use case of CASB
1	Microsoft Graph	Sites.Read.All	This permission allows the application to read items (documents, files, lists, etc.) across all site collections in SharePoint and OneDrive.	Used to grant access to read items in all site collections in SharePoint and OneDrive. This permission allows an application to retrieve data from various site collections across an organization
2	Office365 Sharepoint Online	User.Read.All	This permission grants access to read user profile information.	Required for fetching user information for context when analyzing activity data, ensuring that the activities can be associated with specific users. We also use API to fetch all users of an organization and cache it.
3	Office365 Management API	ActivityFeed.Read	This permission allows the application to read activity data from various Office 365 services, such as SharePoint, Azure AD, and more.	Essential for retrieving detailed activity logs and usage information across the organization, facilitating security monitoring, troubleshooting, and reporting.
4	Microsoft Graph	Directory.Read.All	This permission provides access to read directory data, including user and group information.	Required to gather additional context about users and groups. We need this mainly for collaboration cases where we need to fetch the details of all group members and individual collaborators of a file/folder in SharePoint and OneDrive. We do cache user and group details in order to avoid repeated API calls.
5	Microsoft Graph	DeviceManagementConfiguration.ReadWrite	Enables reading and writing device configurations	Primarily associated with managing device configurations through the Microsoft Graph API. The specific APIs and endpoints that require this permission are related to device management and configuration tasks. For more details, please refer the below document
5	Microsoft Graph	DeviceManagementConfiguration.ReadWrite	Enables reading and writing device configurations	https://success.myshn.net/Skyhigh_CASB/Skyhigh_CASB_Sanctioned_Apps/Security_Configuration_Audit_for_SaaS
6	Microsoft Graph	Reports.Read.All	To get details about OneDrive/SharePoint usage by account	This is used in case of On Demand scans. Skyhigh will get the user data volume per user from reports API. This data is used to calculate the progress of the scan.
7	Microsoft Graph	Policy.Read.All	Allows reading organization-wide policies	Same as S.No. 5
8	Office365 Sharepoint Online	Sites.FullControl.All	Have full control of all site collections	This scope is required to discover all sites and users from 0365 tenant to attach event listeners for receiving the events.
8	Office365 Sharepoint Online	Sites.FullControl.All	Have full control of all site collections	Reference:  https://learn.microsoft.com/en-us/archive/blogs/vesku/using-add-in-only-app-only-permissions-with-search-queries-in-sharepoint-online
9	Office365 Sharepoint Online	Sites.Manage.All	Provides permissions to read and write items and lists across all site collections.	This permission is used to Create, edit, and delete items and lists in all site collections