About this article
This article explains the necessary permissions Templafy requests when the SharePoint Content Connector is configured and accessed.
Sections in this article:
- What Does the Permissions Request Look Like?
- About the Requested Permissions
- Ways to Grant Consent for Permissions
Prerequisites
What Does the Permissions Request Look Like?
When installing the SharePoint Content Connector in Templafy, Templafy requests some permissions from Microsoft Graph, which prompts a popup window from Microsoft. This typically comes up for the first time when admins click on Find drive in the setup and Templafy attempts to query the Graph API for a list of Document Libraries.
If the user attempting to install the Templafy application is a Microsoft admin, they will see a list of permissions requested and a button to Accept, and have the ability to Consent on behalf of the rest of the organization.
Depending on your organization's policies, if a user without Microsoft admin permission attempts the same Find drive step in the SharePoint content connector setup, they may see one of the two options below.
- Most often, the user will see the same list of permissions to accept, but they do not have the ability to consent on behalf of the rest of the organization.
- Sometimes, users will see a different popup informing them that a Microsoft admin must grant the permissions requested.
About the Requested Permissions
To use the SharePoint content connector, Templafy requires three scopes, or delegated permissions. This means that any permission given is on behalf of the signed-in user, so Templafy will never be able to access anything that the current signed-in user can't access.
- Files.Read.All - This allows Templafy to access and retrieve the folders and files the logged-in user has access to. Without this, users would not be able to see or pull in the content from the configured SharePoint Site Library using the Templafy connector.
- Sites.Read.All - This allows Templafy to list and search content within Site Libraries that the logged-in user has access to. This also allows admins to easily search available Site Libraries when configuring the connector (by using the Find drive button). In this case, admins will also only be able to search Site Libraries that they are allowed to see.
- User.Read - This allows Templafy to see basic information about the user, like their email address.
Templafy also requests permission to maintain access to data you have given it access to. While not a scope, this is a setting we utilize to ensure we can re-authenticate the user and prevent them from having to continue logging in every hour when their session expires.
Ways to Grant Consent for Permissions
There are three ways consent can be granted for the requested permissions:
- All end-users of the connector will review and accept the requested permissions the first time they log in. User consent only needs to be granted once, and they will only see a permission request popup again if an administrator revokes permissions granted to the application.
- Admins can log in to SharePoint from the Templafy connector and check the option to "Consent on behalf of your organization." In this case, no other users will be prompted to review and accept the permissions.
- Admins can allow or add permissions manually from the Templafy Graph Data Connector Enterprise Application in the Azure portal directly. If users are not allowed to consent to applications at all, but can request admin consent, admins can review the consent request to allow access.
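A check an administrator could run once consent has been granted, as an added example that is not Templafy's or Microsoft's code: it compares the delegated grants held by the connector against the scopes listed above and reports whether each grant is organization-wide or per-user. The sample data is constructed in the shape of a Microsoft Graph oauth2PermissionGrants listing, the ids are placeholders, and treating `offline_access` as the "maintain access" permission is an assumption.

```python
import json

# Graph scope names for the three delegated permissions the article lists.
DOCUMENTED = {"Files.Read.All", "Sites.Read.All", "User.Read"}
# Assumption: "maintain access to data you have given it access to" is the
# offline_access scope, so it is tolerated but not required.
SESSION = {"offline_access"}

# Constructed sample shaped like a Microsoft Graph oauth2PermissionGrants
# listing; every id below is a placeholder, not a real tenant value.
SAMPLE = json.loads("""
{"value": [
  {"clientId": "sp-templafy", "consentType": "AllPrincipals", "principalId": null,
   "resourceId": "sp-graph", "scope": "Files.Read.All Sites.Read.All User.Read offline_access"},
  {"clientId": "sp-templafy", "consentType": "Principal", "principalId": "user-17",
   "resourceId": "sp-graph", "scope": "User.Read Files.ReadWrite.All"},
  {"clientId": "sp-other", "consentType": "Principal", "principalId": "user-02",
   "resourceId": "sp-graph", "scope": "Mail.Read"}
]}
""")


def audit_grants(grants, client_id):
    """Return one finding per delegated grant held by client_id."""
    findings = []
    for g in grants:
        if g.get("clientId") != client_id:
            continue  # grant belongs to a different enterprise application
        granted = set((g.get("scope") or "").split())
        # AllPrincipals = an admin consented on behalf of the organization;
        # Principal = a single user consented for themselves.
        tenant_wide = g.get("consentType") == "AllPrincipals"
        findings.append({
            "who": "entire organization" if tenant_wide else g.get("principalId"),
            "tenant_wide": tenant_wide,
            "unexpected": sorted(granted - DOCUMENTED - SESSION),
            "missing": sorted(DOCUMENTED - granted),
        })
    return findings


if __name__ == "__main__":
    for f in audit_grants(SAMPLE["value"], "sp-templafy"):
        status = "REVIEW" if f["unexpected"] else "ok"
        print(f"{status:6} {f['who']}: unexpected={f['unexpected']} missing={f['missing']}")
```

A grant flagged `REVIEW` carries a scope beyond the three documented ones and is worth checking against what was actually approved in the Azure portal.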