
Skyhigh Security

Permissions required to be enabled for SharePoint custom OAuth setup


Skyhigh CASB allows customers to connect to SharePoint through a custom application that uses asymmetric authentication, instead of requiring a global administrator account (with a SharePoint username and password) together with a non-administrator account. With this function, you can also run Skyhigh CASB for SharePoint in read-only mode.


Below are the justifications for each permission scope that must be enabled for the SharePoint custom OAuth setup. Each entry gives the API the permission belongs to, what the permission grants, and the justification/use case for CASB.





1. API: Microsoft Graph
   Description: Allows the application to read items (documents, files, lists, etc.) across all site collections in SharePoint and OneDrive.
   Justification/use case: Used to read items in all site collections in SharePoint and OneDrive, so that the application can retrieve data from the various site collections across an organization.

2. API: Office 365 SharePoint Online
   Description: Grants access to read user profile information.
   Justification/use case: Required to fetch user information for context when analyzing activity data, ensuring that activities can be associated with specific users. The API is also used to fetch all users of an organization and cache them.

3. API: Office 365 Management API
   Description: Allows the application to read activity data from various Office 365 services, such as SharePoint, Azure AD, and more.
   Justification/use case: Essential for retrieving detailed activity logs and usage information across the organization, which supports security monitoring, troubleshooting, and reporting.

4. API: Microsoft Graph
   Description: Provides access to read directory data, including user and group information.
   Justification/use case: Required to gather additional context about users and groups. This is needed mainly for collaboration cases, where the details of all group members and individual collaborators of a file or folder in SharePoint and OneDrive must be fetched. User and group details are cached to avoid repeated API calls.

5. API: Microsoft Graph
   Description: Enables reading and writing device configurations.
   Justification/use case: Primarily associated with managing device configurations through the Microsoft Graph API. The specific APIs and endpoints that require this permission relate to device management and configuration tasks. For more details, please refer to the document below.

6. API: Microsoft Graph
   Description: Gets details about OneDrive/SharePoint usage by account.
   Justification/use case: Used for On-Demand Scans. Skyhigh obtains the data volume per user from the reports API and uses it to calculate the progress of the scan.

7. API: Microsoft Graph
   Description: Allows reading organization-wide policies.
   Justification/use case: Same as S.No. 5.

8. API: Office 365 SharePoint Online
   Description: Full control of all site collections.
   Justification/use case: Required to discover all sites and users in the O365 tenant in order to attach event listeners for receiving events.

9. API: Office 365 SharePoint Online
   Description: Provides permissions to read and write items and lists across all site collections.
   Justification/use case: Used to create, edit, and delete items and lists in all site collections.
