It is highly recommended to read this Microsoft identity platform documentation to understand the detailed permissions required by Atlas within the Microsoft identity platform.
Atlas makes use of several Microsoft Entra ID applications (app registrations) for all of its features to work. Some of these applications are created during the deployment of Atlas; the SharePoint Framework principal is provided by Microsoft. In all cases, whether the deployment is new or an upgrade, the deployment ensures these applications are registered in Microsoft Entra ID and that the permissions of each one are up to date with what Atlas needs.
This is a list of the applications that Atlas makes use of:
- Atlas.ConneX API: This application is created by ClearPeople. The Atlas API is exposed through this Microsoft Entra ID application (in the Microsoft Entra ID ecosystem, an API is secured and exposed through an application registration). The SPFx web parts in SharePoint call this Atlas API service.
- Atlas.ConneX Provisioning: This application is created by ClearPeople. It is required to authorise the operations performed by most of the background services in Azure, such as the Atlas provisioning service.
- Atlas.ConneX Workspaces Sync: This application is created by ClearPeople. It is required to authorise exclusively the operations performed by the Atlas background synchronisation service in Azure.
- SharePoint Online Client Extensibility Web Application Principal: This application is registered by Microsoft in Microsoft Entra ID for every tenant that uses modern SharePoint, and its permissions are managed from the SharePoint "API Access" admin page (PowerShell or Azure CLI can also be used). It is the principal through which SharePoint Framework (SPFx) web parts and extensions call APIs; all Atlas client interfaces, in Teams and in SharePoint, are SPFx web parts or extensions. During the deployment, the permissions required for Atlas to work are requested on this principal.
- (OPTIONAL) Atlas.ConneX API Client: This application is created by ClearPeople. It is required to consume the Atlas API from custom extensions and integration modules such as the Power Automate connectors.
- (OPTIONAL) Atlas.PnP App permissions: Only used by additional product support scripts.
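As an added example (this script is not part of Atlas and is not shipped by ClearPeople), the Microsoft Graph PowerShell below reads what each of these service principals has actually been consented in Microsoft Entra ID, resolves application role IDs to permission names, and reports anything missing from or beyond the tables on this page. It assumes the service principals carry the display names used above, that the account running it may read service principals (Application.Read.All is requested at connect time), and it only fills in the expected set for the Workspaces Sync app; the other apps are added the same way from their tables.

```powershell
# Added example (not ClearPeople's tooling): audit the permissions consented to an Atlas
# service principal and diff them against the tables on this page.
# Requires the Microsoft Graph PowerShell SDK (module Microsoft.Graph.Applications).
# Assumption: display names below match the app registrations created by the Atlas deployment.

Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

# Well-known resource appIds, mapped to the short API names this page uses.
$ResourceNames = @{
    '00000003-0000-0000-c000-000000000000' = 'Microsoft Graph'
    '00000003-0000-0ff1-ce00-000000000000' = 'SharePoint'   # "Office 365 SharePoint Online" in the portal
}

# Expected permissions per app as "<API>:<permission>", transcribed from this page.
$Expected = @{
    'Atlas.ConneX Workspaces Sync' = @{
        Delegated   = @()
        Application = @(
            'Microsoft Graph:Group.ReadWrite.All',
            'Microsoft Graph:Sites.Read.All',
            'Microsoft Graph:User.Read.All',
            'SharePoint:User.Read.All'
        )
    }
}

function Resolve-ResourceName {
    # Returns the page's API name for a resource service principal, plus the principal itself
    # (its AppRoles collection is needed to turn AppRoleId values into permission names).
    param([Parameter(Mandatory)][string]$ResourceId)
    $resource = Get-MgServicePrincipal -ServicePrincipalId $ResourceId
    $name = $ResourceNames[$resource.AppId]
    if (-not $name) { $name = $resource.DisplayName }   # other APIs (e.g. Atlas.ConneX API) keep their name
    return @{ Name = $name; Principal = $resource }
}

function Get-ServicePrincipalGrants {
    param([Parameter(Mandatory)][string]$DisplayName)

    $sp = Get-MgServicePrincipal -Filter "displayName eq '$DisplayName'" -Top 1
    if (-not $sp) { throw "Service principal '$DisplayName' not found in this tenant." }

    # Delegated consent: one oauth2PermissionGrant per resource, Scope is space-separated.
    # ConsentType 'AllPrincipals' is tenant-wide admin consent; 'Principal' is one user's own consent.
    $delegated = @(foreach ($g in Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All) {
        $api = (Resolve-ResourceName -ResourceId $g.ResourceId).Name
        foreach ($scope in ($g.Scope -split ' ' | Where-Object { $_ })) {
            [pscustomobject]@{ Key = "${api}:$scope"; Consent = $g.ConsentType }
        }
    })

    # Application permissions: app role assignments; AppRoleId is looked up in the resource's AppRoles.
    $application = @(foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
        $res  = Resolve-ResourceName -ResourceId $a.ResourceId
        $role = $res.Principal.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
        [pscustomobject]@{ Key = "$($res.Name):$($role.Value)"; Consent = 'Application' }
    })

    [pscustomobject]@{ Delegated = $delegated; Application = $application }
}

function Compare-Grants {
    param([Parameter(Mandatory)][string]$DisplayName, [Parameter(Mandatory)][hashtable]$ExpectedForApp)
    $actual = Get-ServicePrincipalGrants -DisplayName $DisplayName
    foreach ($kind in 'Delegated', 'Application') {
        $have    = @($actual.$kind | ForEach-Object { $_.Key } | Sort-Object -Unique)
        $want    = @($ExpectedForApp[$kind] | Sort-Object -Unique)
        $missing = @($want | Where-Object { $_ -notin $have })
        $extra   = @($have | Where-Object { $_ -notin $want })
        foreach ($m in $missing) { Write-Warning "$DisplayName ($kind): MISSING $m" }
        foreach ($e in $extra)   { Write-Warning "$DisplayName ($kind): EXTRA   $e (not documented on this page)" }
        if ($missing.Count -eq 0 -and $extra.Count -eq 0) { Write-Host "$DisplayName ($kind): matches this page" }
    }
}

foreach ($name in $Expected.Keys) { Compare-Grants -DisplayName $name -ExpectedForApp $Expected[$name] }
```

A delegated scope that only shows up with ConsentType 'Principal' was consented by a single user rather than an administrator, so it will not be available to other users; treat it as missing admin consent when reading the output.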
Atlas.ConneX API permissions
Delegated Permissions *
| API | Permission name | Description | Purpose |
| --- | --- | --- | --- |
| Microsoft Graph | Channel.Create | Create channels | Create channels from workspace cards in ConneX |
| Microsoft Graph | Channel.ReadBasic.All | Read the names and descriptions of channels | List all channels (including shared channels) from ConneX workspace cards |
| Microsoft Graph | Directory.Read.All | Read directory data | Read users' information |
| Microsoft Graph | Files.Read.All | Read all files that user can access | Create a Files tab during the creation of a new channel |
| Microsoft Graph | Group.ReadWrite.All | Read and write all groups | Join/leave from ConneX cards ** |
| Microsoft Graph | InformationProtectionPolicy.Read | Read user sensitivity labels and label policies | Get the sensitivity labels available for a user |
| Microsoft Graph | Mail.Send | Send mail as a user | Send mandatory read reports to users by email |
| Microsoft Graph | Sites.Read.All | Read items in all site collections | Get the id of a workspace when a deletion is requested |
| Microsoft Graph | User.Read | Sign in and read user profile | Sign in the current user to query the Graph API and read basic user properties |
| Microsoft Graph | User.ReadBasic.All | Read all users' basic profiles | Used for the people picker and to get other users' pictures |
| SharePoint | AllSites.Read | Read items in all site collections | Check sharing capabilities |
* For delegated permissions, the effective permissions of your app are the least-privileged intersection of the delegated permissions the app has been granted (by consent) and the privileges of the currently signed-in user. Your app can never have more privileges than the signed-in user.
** See "Add members" in the Microsoft Graph v1.0 reference (Microsoft Docs).
The Microsoft documentation states that GroupMember.ReadWrite.All, the less-permissive scope for group membership operations, is enough to manage group membership. However, that scope does not cover operations on group owners, so an owner could not leave a group that has several owners, a scenario the Microsoft 365 UI supports. Atlas therefore requires Group.ReadWrite.All instead.
Application Permissions *
| API | Permission name | Description | Purpose |
| --- | --- | --- | --- |
| Microsoft Graph | InformationProtectionPolicy.Read.All | Read all published labels and label policies for an organization | Get all sensitivity labels defined in the tenant |
| Microsoft Graph | Sites.Read.All | Read items in all site collections | Get site information |
| SharePoint | Sites.FullControl.All | Have full control of all site collections | 'Add It' applies custom permissions to newly created items, which requires breaking permission inheritance |
| SharePoint | Sites.ReadWrite.All | Read and write items in all site collections | Required to add items to a list |
* For application permissions, the effective permissions of your app are the full level of privileges implied by the permission. For example, an app that has the "User.ReadWrite.All" application permission can update the profile of every user in the organisation.
Atlas.ConneX Provisioning permissions
Application Permissions *
| API | Permission name | Description | Purpose |
| --- | --- | --- | --- |
| Microsoft Graph | Channel.ReadBasic.All | Read the names and descriptions of all channels | Get channel information when a shared channel is created |
| Microsoft Graph | ChannelMember.ReadWrite.All | Add and remove members from all channels | Check and complete the membership of recently created channels |
| Microsoft Graph | Directory.Read.All | Read directory data | Check whether sensitivity labels are enabled or disabled at tenant level |
| Microsoft Graph | Files.Read.All | Read files in all site collections | Create a Files tab during the creation of a new channel |
| Microsoft Graph | Group.ReadWrite.All | Read and write all groups | Group management: create groups, add members, etc. |
| Microsoft Graph | InformationProtectionPolicy.Read.All | Read all published labels and label policies for an organization | Get all sensitivity labels defined in the tenant |
| Microsoft Graph | Sites.Read.All | Read items in all site collections | Get site information |
| Microsoft Graph | Team.ReadBasic.All | Get a list of all teams | Get information about a team in Teams |
| Microsoft Graph | TeamsActivity.Send | Send a teamwork activity to any user | Allow Teams notifications |
| Microsoft Graph | TeamSettings.ReadWrite.All | Read and change all teams' settings | Required during the process of archiving workspaces |
| Microsoft Graph | User.Read.All | Read all users' full profiles | Get user information |
| SharePoint | Sites.FullControl.All | Have full control of all site collections | Delete site collections from ConneX |
| SharePoint | TermStore.ReadWrite.All | Read and write managed metadata | Create a navigation term in the megamenu |
| SharePoint | User.ReadWrite.All | Read and write user profiles | Used by the "User profile properties synchronisation" background service |
* For application permissions, the effective permissions of your app are the full level of privileges implied by the permission. For example, an app that has the "User.ReadWrite.All" application permission can update the profile of every user in the organisation.
Atlas.ConneX Workspaces Sync permissions
Application Permissions *
| API | Permission name | Description | Purpose |
| --- | --- | --- | --- |
| Microsoft Graph | Group.ReadWrite.All | Read and write all groups | Read, add and remove groups |
| Microsoft Graph | Sites.Read.All | Read items in all site collections | Get site information |
| Microsoft Graph | User.Read.All | Read all users' full profiles | Get user information |
| SharePoint | User.Read.All | Read user profiles | Get user information from SharePoint |
* For application permissions, the effective permissions of your app are the full level of privileges implied by the permission. For example, an app that has the "User.ReadWrite.All" application permission can update the profile of every user in the organisation.
SharePoint Online Web Client Extensibility permissions
IMPORTANT: Starting March 2025, Microsoft began rolling out an important change to SharePoint Framework permission grants. The required permissions are now managed through an Enterprise Application called "SharePoint Online Web Client Extensibility". Previously they were managed through the "SharePoint Online Client Extensibility Web Application Principal" Entra ID application, which was registered automatically in Microsoft Entra ID when the SharePoint Framework needed it. Microsoft is transitioning to the new Enterprise Application, but the rollout may take time to reach every tenant worldwide, so it is possible that you cannot see it in your tenant yet.
WARNING: Microsoft also uses this application to provide out-of-the-box SharePoint functionality, so it holds more permissions than the ones Atlas adds. Revoking any of them is likely to cause unexpected behaviour in SharePoint components.
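As an added example (not part of Atlas or of ClearPeople's deployment), the SharePoint Online Management Shell script below reviews the grants on the SharePoint Framework principal from the tenant side and handles pending permission requests, approving only resource/scope pairs that this page documents for Atlas and leaving everything else for a human. In line with the warning above it never revokes anything. It assumes the admin URL is a placeholder for your tenant, that the cmdlets expose the Resource, Scope, Id and PackageName properties as documented for the Microsoft.Online.SharePoint.PowerShell module, and that resource names match those shown on the "API Access" page ("Microsoft Graph", "Atlas.ConneX API").

```powershell
# Added example (not ClearPeople's tooling): review SPFx principal grants and gate pending requests.
# Requires the SharePoint Online Management Shell (module Microsoft.Online.SharePoint.PowerShell)
# and a SharePoint administrator. Assumption: 'contoso-admin' is a placeholder for your tenant.

Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Delegated permissions this page documents for the SPFx principal, as "<resource>:<scope>".
$AtlasSpfxExpected = @(
    'Microsoft Graph:Calendars.Read',          'Microsoft Graph:Contacts.Read',
    'Microsoft Graph:Directory.Read.All',      'Microsoft Graph:ExternalItem.Read.All',
    'Microsoft Graph:Files.Read.All',          'Microsoft Graph:Group.Read.All',
    'Microsoft Graph:InformationProtectionPolicy.Read', 'Microsoft Graph:Mail.Read',
    'Microsoft Graph:Mail.Send',               'Microsoft Graph:People.Read',
    'Microsoft Graph:Sites.Manage.All',        'Microsoft Graph:Sites.Read.All',
    'Microsoft Graph:TermStore.ReadWrite.All', 'Microsoft Graph:User.Read',
    'Microsoft Graph:User.Read.All',           'Microsoft Graph:User.ReadWrite',
    'Atlas.ConneX API:Workspaces.FullControl.All'
)

# 1. What is granted today. One grant object per resource; Scope is a space-separated list.
$granted = @(
    foreach ($g in Get-SPOTenantServicePrincipalPermissionGrants) {
        foreach ($scope in ($g.Scope -split ' ' | Where-Object { $_ })) { "$($g.Resource):$scope" }
    }
)

$missing = @($AtlasSpfxExpected | Where-Object { $_ -notin $granted })
$other   = @($granted | Where-Object { $_ -notin $AtlasSpfxExpected })

Write-Host "Granted to the SPFx principal  : $($granted.Count) scopes"
Write-Host "Documented for Atlas but absent: $($missing -join ', ')"
# Extras are expected here: Microsoft's own features and other SPFx solutions share this
# principal, so they are listed for review only and never revoked by this script.
Write-Host "Granted but not on this page   : $($other -join ', ')"

# 2. Pending requests, raised when an SPFx package (for example an Atlas upgrade) asks for new
#    scopes. Approve a request only when the exact resource/scope pair is documented above;
#    anything else stays pending for manual review on the API Access page.
foreach ($req in Get-SPOTenantServicePrincipalPermissionRequests) {
    $key = "$($req.Resource):$($req.Scope)"
    if ($key -in $AtlasSpfxExpected) {
        Write-Host "Approving request $($req.Id) from package '$($req.PackageName)': $key"
        Approve-SPOTenantServicePrincipalPermissionRequest -RequestId $req.Id
    }
    else {
        Write-Warning "Not approving request $($req.Id) from '$($req.PackageName)': $key is not documented for Atlas"
    }
}
```

Run step 1 on its own first after an upgrade; a non-empty "documented but absent" line usually means the corresponding request is still sitting in step 2 waiting for approval.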
Delegated Permissions *
| API | Permission name | Description | Purpose |
| --- | --- | --- | --- |
| Microsoft Graph | Calendars.Read | Read user calendars | In-Focus Everywhere: search the user's calendar appointments using the Graph API (Events) |
| Microsoft Graph | Contacts.Read | Read user contacts | Used by the Microsoft Graph Toolkit persona card in the In-Focus Everywhere people layout |
| Microsoft Graph | Directory.Read.All | Read directory data | Content targeting, such as the targeting used by the Launchpad |
| Microsoft Graph | ExternalItem.Read.All | Read items in external datasets | In-Focus Everywhere: search connector items using the Graph API (External Items) |
| Microsoft Graph | Files.Read.All | Read all files that user can access | In-Focus Everywhere: search files using the Graph API (Drive / Drive items) |
| Microsoft Graph | Group.Read.All | Read all groups | Get group information, picture and other details |
| Microsoft Graph | InformationProtectionPolicy.Read | Read user sensitivity labels and label policies | Get the sensitivity labels available for a user |
| Microsoft Graph | Mail.Read | Read user mail | In-Focus Everywhere: search the user's e-mail using the Graph API (Messages) |
| Microsoft Graph | Mail.Send | Send mail as a user | The Feedback button sends an email with the feedback (it cannot send email outside the organisation, a security limitation of the Graph API) |
| Microsoft Graph | People.Read | Read users' relevant people lists | Used by the Microsoft Graph Toolkit persona card in the In-Focus Everywhere people layout |
| Microsoft Graph | Sites.Manage.All | Create, edit, and delete items and lists in all site collections | Used by the Content Type Extensions Utility web part, which lets the user create their own content types inheriting from existing Atlas content types or Atlas extended content types |
| Microsoft Graph | Sites.Read.All | Read items in all site collections | In-Focus Everywhere: search sites using the Graph API (Sites / List Items) |
| Microsoft Graph | TermStore.ReadWrite.All | Read and write term store data | Taxonomy controls such as 'My Preferences' or managed metadata properties in Add It |
| Microsoft Graph | User.Read | Sign in and read user profile | Sign in the current user to query the Graph API and read basic user properties |
| Microsoft Graph | User.Read.All | Read all users' full profiles | Used by the Microsoft Graph Toolkit persona card in the In-Focus Everywhere people layout |
| Microsoft Graph | User.ReadWrite | Read and write access to user profile | Learning feature (read/write certifications and awards for the current user) |
| Atlas.ConneX API | Workspaces.FullControl.All | Access the ConneX API | Provisioning, listing and editing workspaces, among other operations |
* For delegated permissions, the effective permissions of your app are the least-privileged intersection of the delegated permissions the app has been granted (by consent) and the privileges of the currently signed-in user. Your app can never have more privileges than the signed-in user.
(OPTIONAL) Atlas.ConneX API Client permissions
Delegated Permissions *
| API | Permission name | Description | Purpose |
| --- | --- | --- | --- |
| Microsoft Graph | User.Read | Sign in and read user profile | Sign in the current user to query the Graph API (obtains an authentication token) and read basic user properties |
| Atlas.ConneX API | Workspaces.FullControl.All | Access the ConneX API | Provisioning, listing and editing workspaces or list items through specific extensions such as the Power Automate connector for workspace provisioning |
* For delegated permissions, the effective permissions of your app are the least-privileged intersection of the delegated permissions the app has been granted (by consent) and the privileges of the currently signed-in user. Your app can never have more privileges than the signed-in user.
(OPTIONAL) Atlas.PnP App permissions
This app is only used by additional product support scripts, since modern versions of PnP PowerShell require the service principal of your own app registration to connect.
Delegated Permissions *
| API | Permission name | Description | Purpose |
| --- | --- | --- | --- |
| Microsoft Graph | User.Read.All | Read all users' full profiles | Sign in the current user to query the Graph API (obtains an authentication token) and read user properties |
| Microsoft Graph | Group.Read.All | Read all groups | Query the Graph API for the groups of users |
| SharePoint | AllSites.FullControl | Have full control of all site collections | Read site collections that ConneX has not discovered yet |
| SharePoint | TermStore.Read.All | Read managed metadata | Read managed metadata and basic site information; used when the site is not in ConneX |
| SharePoint | User.Read.All | Read user profiles | Read SharePoint user data |
* For delegated permissions, the effective permissions of your app are the least-privileged intersection of the delegated permissions the app has been granted (by consent) and the privileges of the currently signed-in user. Your app can never have more privileges than the signed-in user.