SharePoint Content Connector Permissions

This article explains the necessary permissions Templafy requests when the SharePoint Content Connector is configured and accessed. 

What Does the Permissions Request Look Like?

When installing the SharePoint Content Connector in Templafy, Templafy requests some permissions from Microsoft Graph, which prompts a popup window from Microsoft. This typically comes up for the first time when admins click on Find drive in the setup and Templafy attempts to query the Graph API for a list of Document Libraries.

If the user attempting to install the Templafy application is a Microsoft admin, they will see a list of permissions requested and a button to Accept, and have the ability to Consent on behalf of the rest of the organization.

Depending on your organization's policies, if a user without Microsoft admin permission attempts the same Find drive step in the SharePoint content connector setup, they may see one of the below two options:

• Most often, the user will see the same list of permissions to accept, but they do not have ability to consent on behalf of the rest of the organization.
• Sometimes, users will see a different popup informing them that a Microsoft admin must grant the permissions requested.
  

About the Requested Permissions

To use the SharePoint content connector, Templafy requires three scopes, or delegated permissions. This means that any permission given is on behalf of the signed in user, so Templafy will never be able to access anything that the current signed in user can't access. 

• Files.Read.All - This allows Templafy to access and retrieve the folders and files the logged in user has access to. Without this, users would not be able to see or pull in the content from the configured SharePoint Site Library using the Templafy connector.
• Site.Read.All - This allows Templafy to list and search content within Site Libraries that the logged in user has access to. This also allows admins to easily search available Site Libraries when configuring the connector (by using the Find drive button). In this case, admins will also only be able to search Site Libraries that they are allowed to see.
• User.Read - This allows Templafy to see basic information about the user, like their email address.

Templafy also requests permission to maintain access to data you have given it access to. While not a scope, this is a setting we use to ensure we can re-authenticate the user and prevent them from having to continue logging in every hour when their session expires.

Ways to Grant Consent for Permissions

There are three ways consent can be granted for the requested permissions:

• All end-users of the connector will review and accept the requested permissions the first time they log in. User consent only needs to be granted once, and they will only see a permission request popup again if an administrator revokes permissions granted to the application.
• Admins can log in to SharePoint from the Templafy connector and check the option to "Consent on behalf of your organization." In this case, no other users will be prompted to review and accept the permissions.
  

• Admins can allow or add permissions manually from the Templafy Graph Data Connector Enterprise Application in the Azure portal directly. If users are not allowed to consent to applications at all, but can request admin consent, admins can review the consent request to allow access.
  

  Note Admins can choose to restrict access to the Templafy Graph Data Connector app in the Azure portal if required by the organization. This can be controlled on the Overview tab in the Templafy Graph Data Connector Enterprise Application. Then, specific users or user groups can be assigned. More information on this concept can be found here.

Security

• Data Stays Secure: Your data does not pass through Templafy servers. We only store the data you see in the administration: Microsoft Entra ID and drive ID. This means your confidential information remains within your control.
•  In-Browser Fetching: The fetching of content occurs directly in your user's browser or task pane. We use the Microsoft Graph API, and permissions are strictly dictated by this API. You can review the detailed permissions information in the Microsoft Graph Permissions Reference. We use the "Sites.Read.All" and "Files.Read.All" permissions. Importantly, these permissions are applied "on behalf of the signed-in user." This means that when your users use the connector, it queries only the content they have access to in SharePoint using their Microsoft account. There is no intermediary access through Templafy servers.
• Reasoned Permissions: The permissions we request, such as "Read items in all site collections" and "Read all files that you have access to," are meticulously selected to ensure the seamless functionality of our integration. We adhere to the principle of least privilege. For example, to list and search content within document libraries, the "Read items in all site collections" permission is required. Even if a user only needs access to one document library, Microsoft's permissions structure necessitates access to everything the user has access to. Similarly, "Read all files that you have access to" is required to retrieve files behind items in SharePoint/OneDrive.
• User-Centric Authentication: Our integration is designed to focus on the user. OAuth2 integrations include the "View your basic profile" permission by default, which allows us to ensure a convenient user experience. By using the user's email address, we eliminate the need for constant re-login when sessions expire. Additionally, the "Maintain access to data you have given it access to" permission enables seamless re-authentication without user interaction, preventing the need for users to re-login every hour when their sessions expire.
• Transparency: Templafy cannot change the scope it uses without the user being informed first. In the case Templafy changes the scopes it leverages, the user will be prompted with a new consent screen presenting those news scopes. However, as the integration is mature, we don't have any reason to change the scopes.