Article published on the 12th of April, 2024.
1. Introduction
When installing the WorkPoint 365 app on your Microsoft 365 tenant, an administrator needs to consent to give permissions for the WorkPoint 365 API and jobs to perform certain actions.
The WorkPoint 365 API and jobs use the "Admin consent" type, i.e. a Microsoft 365 global administrator will be asked to grant certain Application and Delegated permissions on behalf of all users in the organization.
- "Application" access is employed when WorkPoint requires access to specific data independently to perform system-level functions, such as managing security or automating workflows.
- "Delegated" access is utilized to ensure that WorkPoint can interact seamlessly with user-specific data, empowering it to perform actions on behalf of individual users.
These access types are essential to enable WorkPoint to effectively manage and streamline business processes, maintain robust security protocols, and provide personalized user experiences within the WorkPoint 365 solution.
The WorkPoint 365 application uses the same authentication infrastructure as Microsoft 365, so your data stays protected within the Microsoft 365 security framework, including multi-factor authentication and Conditional Access policies. The WorkPoint 365 sign-in process uses the same screens provided by Microsoft, mirroring the Microsoft 365 login experience.
Users can access WorkPoint 365 data based on their existing Microsoft 365 permissions and cannot access data beyond their authorization. For example, the SharePoint Sites.Read.All scope allows users to view SharePoint data they are already permitted to access, without extending their access to all SharePoint data. This ensures data governance remains consistent across platforms.
Whether through SharePoint or WorkPoint 365 interfaces, user access is strictly controlled by their SharePoint permissions under the Microsoft 365 sign-in infrastructure. This maintains data security, ensuring it remains inaccessible to those outside your Microsoft 365 tenant.
It's important to note that granting permissions required by WorkPoint 365 does not allow WorkPoint employees access to your organization's data.
2. WorkPoint permissions
Installing and using WorkPoint requires an administrator to grant a set of permissions.
The requested permissions, together with a justification for each, are given in the sections below.
Please note that WorkPoint jobs always use Application permissions.
To read Microsoft Graph, WorkPoint uses the following Application and Delegated permissions:
- Application
  - Directory.Read.All Allows WorkPoint to read data in your organization's directory, such as users, groups and apps, without a signed-in user. WorkPoint uses this when running backend and maintenance jobs in WorkPoint.
  - User.Read.All Allows WorkPoint to read user profiles without a signed-in user. WorkPoint uses this when running backend and maintenance jobs in WorkPoint.
- Delegated
  - User.Read Allows users to sign in to the WorkPoint App and allows WorkPoint to read the profile of signed-in users. It also allows WorkPoint to read basic company information of signed-in users.
  - Sites.Read.All Allows WorkPoint to read documents and list items in all site collections.
  - Application.Read.All Allows WorkPoint to read applications and service principals. WorkPoint uses this permission to ensure all consent for WorkPoint is in place.
  - AppRoleAssignment.ReadWrite.All Allows WorkPoint to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app. WorkPoint uses this to grant specific Application permissions for the WorkPoint App, as this cannot be defined via the Microsoft consent v2 endpoint. This permission can be revoked after installation.
  - DelegatedPermissionGrant.ReadWrite.All Allows WorkPoint to manage permission grants for delegated permissions exposed by any API (including Microsoft Graph), on behalf of the signed-in user. WorkPoint uses this to grant specific delegated permissions to the WorkPoint App itself. This permission can be revoked after installation.
To read SharePoint, WorkPoint uses the following Application and Delegated permissions:
- Application
  - Sites.FullControl.All WorkPoint needs this permission to create sites and site collections, to run several other backend jobs, and to perform maintenance on WorkPoint site collections.
  - TermStore.ReadWrite.All Allows WorkPoint to write enterprise managed metadata and to read basic site info without a signed-in user. WorkPoint uses this for provisioning term sets and terms used by multiple WorkPoint features.
- Delegated
  - AllSites.FullControl Allows WorkPoint to have full control of all site collections. WorkPoint uses this whenever SharePoint data is displayed or modified in the context of WorkPoint, i.e. User Processes, Wizards, etc.
  - Sites.Search.All Allows WorkPoint to run search queries and to read basic site info on behalf of the currently signed-in user. Search results are based on the user's permissions rather than the app's permissions. WorkPoint uses this whenever SharePoint Search is used in the context of WorkPoint, i.e. User Processes, Wizards, Express Panel, etc.
  - TermStore.ReadWrite.All Allows WorkPoint to read, create, update, and delete managed metadata. WorkPoint uses this for provisioning term sets and terms used by multiple WorkPoint features.
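An added example (not WorkPoint's own code) covering both permission lists above: a tenant-side audit that compares what has actually been granted to the WorkPoint service principal against the documented Graph and SharePoint permissions, and reports whether the two install-time permissions (AppRoleAssignment.ReadWrite.All and DelegatedPermissionGrant.ReadWrite.All) are still in place. The record shapes follow Microsoft Graph's oauth2PermissionGrant and appRoleAssignment objects; the sample records, GUIDs and appRoleId-to-name map are constructed for the example.

```python
# Audit a tenant's grants to the WorkPoint 365 service principal against the
# permissions documented above. Added example, not WorkPoint's code. Record
# shapes follow Microsoft Graph's oauth2PermissionGrant (delegated scopes) and
# appRoleAssignment (application roles); all sample data below is constructed.

EXPECTED_DELEGATED = {
    "User.Read", "Sites.Read.All", "Application.Read.All",
    "AppRoleAssignment.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All",
    "AllSites.FullControl", "Sites.Search.All", "TermStore.ReadWrite.All",
}
EXPECTED_APPLICATION = {"Directory.Read.All", "User.Read.All",
                        "Sites.FullControl.All", "TermStore.ReadWrite.All"}
# Documented above as needed only during installation; report if still granted.
INSTALL_ONLY = {"AppRoleAssignment.ReadWrite.All",
                "DelegatedPermissionGrant.ReadWrite.All"}
# Constructed ids; a real audit resolves each appRoleId through the resource
# service principal's appRoles collection.
APP_ROLE_NAMES = {
    "11111111-0000-0000-0000-000000000001": "Directory.Read.All",
    "11111111-0000-0000-0000-000000000002": "User.Read.All",
    "11111111-0000-0000-0000-000000000004": "Mail.ReadWrite",
}


def audit(oauth2_grants, app_role_assignments):
    """Return the findings a tenant admin would act on after installation."""
    delegated = set()
    for g in oauth2_grants:  # 'scope' is a space-separated string of scopes
        delegated.update(g.get("scope", "").split())
    application = {APP_ROLE_NAMES.get(a["appRoleId"], "unknown:" + a["appRoleId"])
                   for a in app_role_assignments}
    return {
        "unexpected_delegated": sorted(delegated - EXPECTED_DELEGATED),
        "unexpected_application": sorted(application - EXPECTED_APPLICATION),
        "install_only_still_granted": sorted(delegated & INSTALL_ONLY),
        # Admin consent on behalf of all users shows as consentType "AllPrincipals".
        "per_user_grants": [g["id"] for g in oauth2_grants
                            if g.get("consentType") != "AllPrincipals"],
    }


# Constructed sample: one Graph grant, one SharePoint grant, three app roles.
SAMPLE_GRANTS = [
    {"id": "g1", "consentType": "AllPrincipals", "scope":
     "User.Read Sites.Read.All Application.Read.All AppRoleAssignment.ReadWrite.All"},
    {"id": "g2", "consentType": "Principal", "scope":
     "AllSites.FullControl Sites.Search.All TermStore.ReadWrite.All Mail.Read"},
]
SAMPLE_ROLES = [{"appRoleId": "11111111-0000-0000-0000-00000000000%d" % n}
                for n in (1, 2, 4)]
```

Run `audit(SAMPLE_GRANTS, SAMPLE_ROLES)` to see the findings; on a real tenant, feed it the objects returned by the oauth2PermissionGrants and appRoleAssignments endpoints for the WorkPoint service principal.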