To help you better understand the delegated permissions used by our SharePoint integration, as well as our other Microsoft integrations, we've put together this document. It explains why we require a Global Admin connection first and answers some other common security questions.
Security overview
- To install the Simpplr app into SharePoint, the Microsoft Global Admin user must connect their account before any other users do. See below for further instructions. The Admin's OAuth tokens are NOT stored in Simpplr, and are only needed to provide consent to the rest of the users' connections.
- Once complete, each user will need to connect their account at the User Profile level in the Profile & settings section. Users will only need to connect their account once.
- File permissions do not change once sites are integrated with Simpplr. For more information on file permission levels within SharePoint, click here.
- Updating the Admin user's SharePoint password will not affect the integration in any way. No connections will be disrupted if you change your SharePoint password.
Simpplr asks the Global Admin to consent to several delegated Microsoft permissions before the connection succeeds. Once the Admin account has been connected, it can be removed; it is only required to approve end-user connections. For a full list of Microsoft permission references and descriptions, click here.
SharePoint Global Admin Consent and Permissions Required
All of these permissions are delegated and respect the individual user's SharePoint permissions, so users who do not have access to create, update or delete folders and sites within SharePoint will NOT be able to do so from within Simpplr.
Permission Name | Permission required | Description | Impact if removed |
View your basic profile; Read all users' basic profiles | User.ReadBasic.All | Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address, open extensions and photo. Also allows the app to read the full profile of the signed-in user. | Unable to sign in and use SharePoint services; users' info on files and profile |
Access directory as the signed-in user | Directory.AccessAsUser.All | Allows the app to have the same access to information in the directory as the signed-in user. | Unable to search for and fetch files |
Have full access to all files you have access to; Read and write your files | Files.ReadWrite.All | Simpplr uses this permission for: | Unable to search for and fetch files |
Create, edit, and delete items and lists in all your site collections | Sites.Manage.All | Simpplr uses this for: | Unable to access basic organization structure and file listings with create permission |
Read and write items in all site collections | Sites.ReadWrite.All | Allows the app to edit or delete documents and list items in all site collections on behalf of the signed-in user. | Unable to access basic organization structure and file listings |
Sign in and read user profile | User.Read | Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | Unable to sign in and use SharePoint services |
Edit or delete items in all site collections | Sites.ReadWrite.All | A subset of Sites.Manage.All, this is specifically required for Update & Delete operations on SP document libraries. Simpplr only makes use of the Update operation to support allowing users with access to rename a linked SP document library, or folders within the SP document library, from Simpplr. | Unable to access basic organization structure and file listings |
Read and write items and lists in all site collections | AllSites.Manage | This is effectively the same as Sites.Manage.All; however, it is required in order to call legacy SharePoint-exclusive APIs. Sites.Manage.All only allows calling Microsoft Graph APIs. | |
FAQ
Why do I need a Global Admin (GA) account to connect the SharePoint or OneDrive integrations?
- We need the GA to give consent "on behalf of the organization" so that other users can connect their SharePoint (SP) account to Simpplr. Users must connect via their own SP credentials. Once they do, they can search SP and OD document libraries from Simpplr, but only for files that their SP account has access to.
- To access a protected resource like email or calendar data, the Simpplr application needs the resource owner's authorization. That is, we need each user to authorize us to act on their behalf in their security context. The resource owner must consent to or deny the app's request. And before a regular user can give that consent, the Global Admin has to enable all users to do so if they wish. That is what "Consent on behalf of your organization" means and why it's important. Otherwise, the Global Admin would need to approve each employee's request to integrate their SharePoint account to Simpplr on a one-by-one basis.
Does Simpplr store GA OAuth tokens in the Simpplr database for use later?
- No.
- Simpplr uses delegated access. SharePoint OAuth apps must request either to use delegated access, acting on behalf of a signed-in user, or app-only access, acting only as the application's own identity. Simpplr always performs actions in the context of the security permissions and access rights of a particular signed-in SharePoint or OneDrive user who is connected to a Simpplr user.
What other purposes is this OAuth grant used for?
- The OAuth grant is NOT used for any other purpose; it is used only to provide consent for end users to connect.
The OAuth grant asks for a lot of authorization. How can I make sure that the OAuth grant is not used for any other purposes?
- From the Simpplr user account that connected to SharePoint with GA, after you grant consent via OAuth, you should disconnect that user's Simpplr account from SharePoint. This removes the OAuth grant for the GA user, but other users will continue to be allowed to connect their SP account to Simpplr.
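One way to verify both points above from the tenant side (added example, not Simpplr's code): pull the app's delegated grants from Microsoft Graph and check that the tenant-wide grant carries only the scopes documented in the table, and that no per-user grant for the Global Admin lingers after the disconnect. The grant list below is a constructed sample in the shape of a Graph oauth2PermissionGrants response; the object ids are placeholders.

```python
"""Audit delegated consent grants for a multi-tenant OAuth app.

Constructed sample, not real tenant data: it mirrors the shape of
GET /oauth2PermissionGrants?$filter=clientId eq '<service principal id>'.
"""
import json

# Delegated Microsoft Graph scopes listed in the permissions table above.
DOCUMENTED_SCOPES = {
    "User.Read", "User.ReadBasic.All", "Directory.AccessAsUser.All",
    "Files.ReadWrite.All", "Sites.Manage.All", "Sites.ReadWrite.All",
}

# Constructed sample: one tenant-wide (admin) grant that has drifted to
# include an undocumented scope, plus one per-user grant left over from
# the Global Admin's own connection.
SAMPLE_GRANTS = json.dumps({"value": [
    {"id": "grant-1", "clientId": "SP-OBJECT-ID-PLACEHOLDER",
     "consentType": "AllPrincipals", "principalId": None,
     "scope": ("User.Read User.ReadBasic.All Directory.AccessAsUser.All "
               "Files.ReadWrite.All Sites.Manage.All Sites.ReadWrite.All "
               "Mail.ReadWrite")},
    {"id": "grant-2", "clientId": "SP-OBJECT-ID-PLACEHOLDER",
     "consentType": "Principal", "principalId": "GA-USER-ID-PLACEHOLDER",
     "scope": "User.Read Files.ReadWrite.All"},
]})


def audit_grants(raw_json, documented=DOCUMENTED_SCOPES):
    """Return findings for an oauth2PermissionGrants response body.

    tenant_wide  - True if an AllPrincipals (admin-consented) grant exists
    extra_scopes - scopes on the tenant-wide grant beyond the documented set
    user_grants  - principalIds of per-user grants still present (e.g. the
                   GA account that should have been disconnected)
    """
    findings = {"tenant_wide": False, "extra_scopes": set(), "user_grants": []}
    for grant in json.loads(raw_json).get("value", []):
        scopes = set(grant.get("scope", "").split())
        if grant.get("consentType") == "AllPrincipals":
            findings["tenant_wide"] = True
            findings["extra_scopes"] |= scopes - documented
        elif grant.get("consentType") == "Principal":
            findings["user_grants"].append(grant.get("principalId"))
    return findings


if __name__ == "__main__":
    print(audit_grants(SAMPLE_GRANTS))
```

A non-empty extra_scopes set means the consented scopes no longer match the documented list and warrants a fresh review of the enterprise application; a non-empty user_grants list after the GA disconnect means that account's own grant was not removed.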
Once I grant access by the Global Admin, can Simpplr use this to automatically add new OAuth permission scopes?
- No. If any changes need to be made to the app in the future (e.g. additional permissions need to be requested), those are added to this OAuth app, and the customer Global Admin would only need to consent to the app again in order to grant access to the new permissions. Additional information can be found here: https://learn.microsoft.com/en-us/azure/active-directory/develop/application-model#multi-tenant-apps
What is the name of the Simpplr SharePoint/OneDrive OAuth app?
- The name of the OAuth app is Simpplr for SharePoint/OneDrive for Business.
Can I manually configure my own SP OAuth app for Simpplr?
- No; it is not needed. The OAuth app that the Global Admin consents to (the one that requests all the necessary permissions) is automatically provisioned into the customer's Azure AD tenant and can be viewed by navigating to portal.azure.com > Enterprise Applications. This OAuth app is a unique app configured by Simpplr with the setting 'Who can use this application or access this API?: Accounts in any organizational directory (Any Azure AD directory - Multitenant)' and is centrally managed by Simpplr itself.
Will updating the Admin's password affect the integration?
- No. Updating a SharePoint Admin user's password will not change the integration in any way once connected.