Microsoft SharePoint/OneDrive/Outlook Integration Security Information

To help you understand the delegated permissions behind our SharePoint integration, as well as our other Microsoft integrations, we've put together this document. It explains why we require a Global Admin connection first and answers some other general security concerns.

Security overview

  1. To install the Simpplr app into SharePoint, the Microsoft Global Admin user must connect their account before any other users do. See below for further instructions. The Admin's OAuth tokens are NOT stored in Simpplr, and are only needed to provide consent to the rest of the users' connections.
  2. Once complete, each user will need to connect their account at the User Profile level in the Profile & settings section. Users will only need to connect their account once.
  3. File permissions do not change once sites are integrated with Simpplr. For more information on file permission levels within SharePoint, click here
  4. Updating the Admin user's SharePoint password will not affect the integration in any way. No connections will be disrupted if you change your SharePoint password.

Simpplr asks the Global Admin to consent to several delegated Microsoft permissions before the connection can succeed. Once the Admin account has been connected, it can be removed; it is only required to approve end-user connections. For a full list of Microsoft permission references and descriptions, click here

SharePoint Global Admin Consent and Permissions Required

All of these permissions are delegated and respect the individual user's SharePoint permissions, so users who do not have access to create, update or delete folders and sites within SharePoint will NOT be able to do so from within Simpplr.

Each entry below gives the permission name shown at consent, the permission (scope) required, its description, and the impact if it is removed.

User.ReadBasic.All
  Permission name: View your basic profile; Read all users' basic profiles
  Description: Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address, open extensions and photo. Also allows the app to read the full profile of the signed-in user.
  Impact if removed: Unable to sign in and use SharePoint services (users' info on files and profile)

Directory.AccessAsUser.All
  Permission name: Access directory as the signed-in user
  Description: Allows the app to have the same access to information in the directory as the signed-in user.
  Impact if removed: Unable to search for and fetch files

Files.ReadWrite.All
  Permission name: Have full access to all files you have access to; Read and write your files
  Description: Simpplr uses this permission for:
    1. Getting the list of SharePoint (SP) files present within a particular SP folder and displaying it in the site where its parent SP document library has been linked
    2. Searching through SP files present within the linked SP document libraries
    3. Allowing users with access to upload a new file to an SP folder from Simpplr
  Impact if removed: Unable to search for and fetch files

Sites.Manage.All
  Permission name: Create, edit, and delete items and lists in all your site collections
  Description: Simpplr uses this for:
    1. Getting the list of SP sites and sub-sites to allow a Simpplr Site Manager to choose the SP document library within the SP site
    2. Getting the list of SP document libraries to allow a Simpplr Site Manager to select the SP document library that they wish to link to their Simpplr site
    3. Allowing users with access to add a new folder within a linked SP document library from Simpplr
    4. Allowing users with access to rename a linked SP document library or folders within the SP document library from Simpplr
  Impact if removed: Unable to access basic organization structure and file listings with create permission

Sites.ReadWrite.All
  Permission name: Read and write items in all site collections
  Description: Allows the app to edit or delete documents and list items in all site collections on behalf of the signed-in user.
  Impact if removed: Unable to access basic organization structure and file listings

User.Read
  Permission name: Sign in and read user profile
  Description: Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.
  Impact if removed: Unable to sign in and use SharePoint services

Sites.ReadWrite.All
  Permission name: Edit or delete items in all site collections
  Description: A subset of Sites.Manage.All, this is specifically required for Update and Delete operations on SP document libraries. Simpplr only makes use of the Update operation, to support allowing users with access to rename a linked SP document library or folders within the SP document library from Simpplr.
  Impact if removed: Unable to access basic organization structure and file listings

AllSites.Manage
  Permission name: Read and write items and lists in all site collections
  Description: This is effectively the same as Sites.Manage.All; however, it is required in order to call legacy SharePoint-exclusive APIs. Sites.Manage.All only grants access through Microsoft Graph APIs.

FAQ

Why do I need a Global Admin (GA) account to connect the SharePoint or OneDrive integrations? 

  • We need the GA to give consent "on behalf of the organization," so other users can connect their SharePoint (SP) account to Simpplr. Users must connect via their own SP credentials. Once they do, they can search SP and OneDrive (OD) document libraries from Simpplr, but only for files that their SP account has access to.
  • To access a protected resource like email or calendar data, the Simpplr application needs the resource owner's authorization. That is, we need each user to authorize us to act on their behalf in their security context. The resource owner must consent to or deny the app's request. And before a regular user can give that consent, the Global Admin has to enable all users to do so if they wish. That is what "Consent on behalf of your organization" means and why it's important. Otherwise, the Global Admin would need to approve each employee's request to integrate their SharePoint account to Simpplr on a one-by-one basis.

Does Simpplr store GA OAuth tokens in the Simpplr database for use later?

  • No.

Does Simpplr use delegated or app-only access?

  • Simpplr uses delegated access. SharePoint OAuth apps must request either delegated access, acting on behalf of a signed-in user, or app-only access, acting only as the application's own identity. Simpplr always performs actions in the context of the security permissions and access rights of a particular signed-in SharePoint or OneDrive user who is connected to a Simpplr user.

What other purposes is this OAuth grant used for? 

  • The OAuth grant is NOT used for any other purposes; only consent for End users to connect.

The OAuth grant asks for a lot of authorization. How can I make sure that the OAuth grant is not used for any other purposes? 

  • From the Simpplr user account that connected to SharePoint with GA, after you grant consent via OAuth, you should disconnect that user's Simpplr account from SharePoint. This removes the OAuth grant for the GA user, but other users will continue to be allowed to connect their SP account to Simpplr.
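As an added example (not Simpplr's own code) of how an admin can verify the two points above, the script below takes the tenant's oauth2PermissionGrants for the Simpplr service principal (the "value" array returned by GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants, exported beforehand), compares the organization-wide grant with the scopes listed in the permissions table, and reports whether a per-user grant still exists for the Global Admin. The grant list is constructed, and the resource and user ids are placeholders.

```python
import json

# Delegated scopes documented in the permissions table, grouped by the resource
# they are granted against. Graph scopes sit on the Microsoft Graph grant;
# AllSites.Manage is a legacy SharePoint-only scope on a separate grant.
EXPECTED_SCOPES = {
    "graph": {"User.Read", "User.ReadBasic.All", "Directory.AccessAsUser.All",
              "Files.ReadWrite.All", "Sites.Manage.All", "Sites.ReadWrite.All"},
    "sharepoint": {"AllSites.Manage"},
}
# Placeholder ids: in a real tenant these are the resource service principal GUIDs.
RESOURCE_IDS = {"RESOURCE-ID-GRAPH": "graph", "RESOURCE-ID-SPO": "sharepoint"}

# Constructed sample: the org-wide Graph grant carries one undocumented scope
# (Mail.Read), and the Global Admin (USER-ID-GA) still has a per-user grant.
SAMPLE_GRANTS = json.loads("""[
  {"consentType": "AllPrincipals", "principalId": null, "resourceId": "RESOURCE-ID-GRAPH",
   "scope": "User.Read User.ReadBasic.All Directory.AccessAsUser.All Files.ReadWrite.All Sites.Manage.All Sites.ReadWrite.All Mail.Read"},
  {"consentType": "AllPrincipals", "principalId": null, "resourceId": "RESOURCE-ID-SPO",
   "scope": "AllSites.Manage"},
  {"consentType": "Principal", "principalId": "USER-ID-GA", "resourceId": "RESOURCE-ID-GRAPH",
   "scope": "User.Read Files.ReadWrite.All"},
  {"consentType": "Principal", "principalId": "USER-ID-ALICE", "resourceId": "RESOURCE-ID-GRAPH",
   "scope": "User.Read Files.ReadWrite.All"}
]""")


def audit_grants(grants, ga_user_id):
    """Diff org-wide (AllPrincipals) grants against the documented scopes and
    flag a leftover per-user (Principal) grant for the Global Admin."""
    org_wide = {name: set() for name in EXPECTED_SCOPES}
    findings = {"extra": {}, "missing": {}, "ga_still_connected": False}
    for g in grants:
        resource = RESOURCE_IDS.get(g["resourceId"], g["resourceId"])
        scopes = set(g.get("scope", "").split())  # scope is space-separated
        if g["consentType"] == "AllPrincipals":
            org_wide.setdefault(resource, set()).update(scopes)
        elif g["consentType"] == "Principal" and g.get("principalId") == ga_user_id:
            findings["ga_still_connected"] = True
    for resource, granted in org_wide.items():
        expected = EXPECTED_SCOPES.get(resource, set())  # unknown resource: all extra
        if granted - expected:
            findings["extra"][resource] = sorted(granted - expected)
        if expected - granted:
            findings["missing"][resource] = sorted(expected - granted)
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_grants(SAMPLE_GRANTS, "USER-ID-GA"), indent=2))
```

Any scope reported under "extra" was consented beyond what this page documents, and "ga_still_connected" being true means the Global Admin's own Simpplr connection has not yet been disconnected.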

Once I grant access by the Global Admin, can Simpplr use this to automatically add new OAuth permission scopes?  

What is the name of the Simpplr SharePoint/OneDrive OAuth app?

  • The name of the OAuth app is Simpplr for SharePoint/OneDrive for Business.

Can I manually configure my own SP OAuth app for Simpplr?  

  • No, because it's not needed. The OAuth app that the Global Admin consents to (the one which requests all the necessary permissions) is automatically provisioned into your Azure AD tenant and can be viewed by navigating to portal.azure.com > Enterprise Applications. This OAuth app is a unique app configured by Simpplr with the setting 'Who can use this application or access this API?: Accounts in any organizational directory (Any Azure AD directory - Multitenant)' and is centrally managed by Simpplr itself.

Will updating the Admin's password affect the integration?

  • No. Updating a SharePoint Admin user's password will not change the integration in any way once connected. 