pnp / modernization

All modernization tooling and guidance
http://aka.ms/sppnp-modernize
MIT License

Document permissions needed #493

Closed cblomart closed 4 years ago

cblomart commented 4 years ago

Category

[ ] Bug
[x] Enhancement

Problem Area

[ ] Page Transformation: Error during the setup/use of the Page Transformation UI solution (did you check our troubleshooting guide?)
[ ] Page Transformation: Error during the use of page transformation from PnP PowerShell
[ ] Page Transformation: Error during the use of page transformation from .Net
[ ] Page Transformation: Page is not looking correct after transformation
[x] Modernization Scanner: something went wrong...

Expected or Desired Behavior

The doc mentions that the advised method of authentication is via an Azure AD app. The documented permissions are "sites.fullcontrol.all" as app permission and "user.read" as a delegated permission.

We intend to use the application for its scanning capabilities and not to transform anything. I would then expect the permissions to be much more limited.

Is there a possibility to reduce these permissions?

I opened an issue on the doc page first so here is the reference: https://github.com/SharePoint/sp-dev-docs/issues/6022

pkbullock commented 4 years ago

Hi

Unfortunately not, this is more of a limitation with the Azure AD app api permission itself that doesn’t offer a tenant level read option or full read of site collections and its configuration.

Paul


cblomart commented 4 years ago

A pity SharePoint and Azure AD don't help define this type of app permission (I get that site.read.all would be limited, maybe not able to look at configs).

We'll have to look if we can work with sites.fullcontrol.all then (which is scary every time I write it 😨)

pkbullock commented 4 years ago

I agree, I wish there were granular permissions; there are plenty of customers I work with who would appreciate the capability as well.

There is the option for setting up a dev tenant or if you have access to a demo tenant and doing a test run to better understand its operation. The source code is all open source so you can see what the scanner does under the hood.

Additionally, once the scan is complete, simply remove the consent on the Azure AD app to block its use when idle or remove once you have completed the scan. Keep any secrets or certificates in a secure location.

Hope this helps and good luck!

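The advice above (revoke the Azure AD app's consent once the scan is done, and keep the secret out of the way) can be scripted so that it is actually done every time. The following is an added example and not part of the pnp/sp-dev-modernization project or of Paul's reply; it assumes the Microsoft.Graph PowerShell SDK is installed, that the account running it may manage application consent, and that `$ScannerAppId` is replaced by the Application (client) ID of your own scanner registration (the value below is a placeholder). It first lists what the registration has actually been granted (the `Sites.FullControl.All` application permission on SharePoint Online and the `User.Read` delegated grant, in the documented setup) and only removes them when `-Revoke` is passed.

```powershell
# Added example (not from the pnp/sp-dev-modernization project): audit and revoke the
# Azure AD consent granted to the scanner's app registration once the scan is finished.
# Assumes the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Applications and
# Microsoft.Graph.Identity.SignIns) and an account allowed to manage app consent.
param(
    # Placeholder: substitute the Application (client) ID of your scanner registration.
    [Parameter(Mandatory)] [string] $ScannerAppId,
    # Without -Revoke the script only reports what is currently granted.
    [switch] $Revoke
)

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'DelegatedPermissionGrant.ReadWrite.All' | Out-Null

# Consent is attached to the tenant-local service principal, not to the app registration.
$sp = Get-MgServicePrincipal -Filter "appId eq '$ScannerAppId'"
if (-not $sp) { throw "No service principal found for appId $ScannerAppId" }

# 1. Application (app-only) permissions, e.g. Sites.FullControl.All on SharePoint Online.
$appRoleAssignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id
foreach ($a in $appRoleAssignments) {
    # Resolve the AppRoleId GUID to its permission name using the resource's own role list.
    $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    $roleName = ($resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }).Value
    Write-Host ("App permission: {0} on {1}" -f $roleName, $a.ResourceDisplayName)
    if ($Revoke) {
        Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -AppRoleAssignmentId $a.Id
        Write-Host '  revoked'
    }
}

# 2. Delegated permissions (e.g. User.Read) are recorded as OAuth2 permission grants.
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'"
foreach ($g in $grants) {
    Write-Host ("Delegated grant ({0}): {1}" -f $g.ConsentType, $g.Scope)
    if ($Revoke) {
        Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
        Write-Host '  revoked'
    }
}

# 3. A client secret left on the registration is still a credential; remove it rather
#    than letting it sit until expiry. (Certificate credentials are handled the same
#    way through Remove-MgApplicationKey, omitted here.)
$app = Get-MgApplication -Filter "appId eq '$ScannerAppId'"
foreach ($cred in $app.PasswordCredentials) {
    Write-Host ("Client secret '{0}' expires {1}" -f $cred.DisplayName, $cred.EndDateTime)
    if ($Revoke) {
        Remove-MgApplicationPassword -ApplicationId $app.Id -KeyId $cred.KeyId
        Write-Host '  removed'
    }
}
```

Run it once without `-Revoke` before the scan to confirm that nothing beyond the documented `Sites.FullControl.All` and `User.Read` has been consented, and once with `-Revoke` afterwards; the next scan then needs a fresh admin consent and a fresh secret, which is the point: the full-control grant only exists while a scan is actually running.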

jansenbe commented 4 years ago

Thanks @pkbullock for the detailed feedback.

@cblomart : next to what Paul already mentioned you can always run the scan with a user account, this way you can scope the permissions to just the sites you want to scan. If you plan to scan all sites then app-only is the recommended option as granting a user account access to all sites is cumbersome.

jansenbe commented 4 years ago

Closing this issue as changing the auth model is not in scope of this project and all the needed information has been provided.