DocRead 365 requested permissions

DocRead must register a series of enterprise applications with your Microsoft Entra application gallery during installation. These applications allow your tenant users to log in to the DocRead SharePoint app (on sites where the app has been installed). The purpose of this document is to describe what those applications are, what permissions they need, and what their purpose is.

DocRead 365 applications

During installation, DocRead will automatically register the following three enterprise applications in your Microsoft Entra tenant:

  • DocReadDashboard - The DocRead Cockpit application that provides a central dashboard showing the compliance status across all the sites where DocRead was installed.
  • DocReadAPI - Web API used by the DocRead Cockpit and SharePoint apps.
  • DocReadWorker - Background worker application that creates and manages user assignments.

Why do we register 3 applications instead of just one?

To enhance the security posture of DocRead, we register three distinct applications rather than just one. This setup allows for precise permission allocation tailored to the specific needs of each application. It also facilitates the segregation of application permissions from delegated permissions. The only application using “application” permissions is the DocReadWorker, which operates in an isolated environment not accessible from SharePoint or any external systems.

You can find more information about permissions and consent here.

DocRead 365 requested permissions

DocRead will ask you to accept the following permissions (you will need to be a Tenant Administrator on your tenant to approve them).

Delegated permissions

The DocReadDashboard and DocReadAPI applications use the delegated permissions below. They’re permissions that allow the application to act on a user’s behalf. With delegated permissions, the application will never be able to access anything the signed-in users themselves couldn’t access. You can find more information about delegated permissions in this Microsoft Learn Article.


  • User.Read (Graph permission) - Sign in and read user profile
    • Allows users in your tenant to log in to DocRead using their Microsoft account
    • Allows DocRead to read the user display name and email so that DocRead knows who the current user is and ensures that they have the required permissions to perform certain tasks in DocRead (e.g. create assignments).
  • User.Read.All (Graph permission) - Read all users’ full profiles
    • Allows DocRead to get user information like email addresses, display name and manager details so that it can create assignments for users, notify users when assignments are created and display the user’s manager details in the DocRead Cockpit application.
  • Group.Read.All (Graph permission) - Read all group memberships
    • Allows DocRead to identify group members to control access to some of its features.
  • Sites.Read.All (Graph permission) - Read items in all site collections
    • Allows DocRead to get the name, title and URL of documents that have been attached to DocRead so that it can create reading assignments for those documents.
  • offline_access (Graph permission) - Maintain access to data you have given it access to
    • This is a default permission automatically added by Microsoft to the consent page. It allows DocRead to refresh the current user token when the token expires (more information here).

Application permissions

The DocReadWorker app uses the application permissions below. The worker app runs in an isolated network environment without access from the outside. Its main job is to create and manage reading assignments based on user group memberships.

The only DocRead app that uses “application permissions” is the DocReadWorker, which runs in an isolated network environment with no direct access from the outside.

  • User.Read.All (Graph permission) - Read all users’ full profiles
    • Allows DocRead to get user information like email addresses, display names, and manager details to create user assignments and to notify users when those assignments are created.
  • GroupMember.Read.All (Graph permission) - Read all group memberships
    • Allows DocRead to identify group members so that it can create assignments for all members when a document is targeted to the group.
  • Sites.Read.All (SharePoint permission) - Read items in all site collections
    • Allows DocRead to use change tokens to ensure it can capture changes to the title, name and version of documents in document libraries that it’s attached to.
    • Allows DocRead to get the name, title and URL of documents attached to DocRead so that it can create reading assignments for those documents.
    • Allows DocRead to be notified when a document changes so that it can update the document assignments accordingly (e.g. automatically delete assignments when a document is deleted or update the assignment when the document name or title changes).
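A tenant administrator who approves the consent prompts above will usually want to confirm later that what is actually granted to the three applications still matches the delegated and application lists documented in both sections. The following script is an added example, not DocRead's own code: it compares an exported view of each application's grants against the documented baseline and reports anything extra (which widens what DocRead can reach) or missing. The input shape (displayName, delegatedScopes, applicationRoles) is an assumed export format, and SAMPLE_GRANTS is constructed for illustration rather than taken from a real tenant.

```python
# Added example, not DocRead's own code: audit what is actually granted to the three
# DocRead enterprise applications against the baseline this page documents. The input
# shape (displayName / delegatedScopes / applicationRoles) is an assumed export format
# and SAMPLE_GRANTS is constructed for illustration, not taken from a real tenant.

DELEGATED = {"User.Read", "User.Read.All", "Group.Read.All",
             "Sites.Read.All", "offline_access"}

# Documented split: delegated-only for Dashboard and API, application-only for Worker.
EXPECTED = {
    "DocReadDashboard": {"delegated": DELEGATED, "application": set()},
    "DocReadAPI": {"delegated": DELEGATED, "application": set()},
    "DocReadWorker": {"delegated": set(), "application":
                      {"User.Read.All", "GroupMember.Read.All", "Sites.Read.All"}},
}

def _index(values):
    """Map lower-cased name -> name as granted; scope names are case-insensitive."""
    return {v.lower(): v for v in values}

def audit(grants):
    """Return (app, severity, message) findings; an empty list means the tenant matches."""
    findings = []
    for g in grants:
        name = g["displayName"]
        if name not in EXPECTED:
            findings.append((name, "info", "not a documented DocRead application"))
            continue
        for kind, key in (("delegated", "delegatedScopes"), ("application", "applicationRoles")):
            granted = _index(g.get(key, []))
            expected = _index(EXPECTED[name][kind])
            for k in sorted(set(granted) - set(expected)):
                # Anything beyond the documented list widens what DocRead can reach.
                findings.append((name, "high", f"undocumented {kind} permission {granted[k]}"))
            for k in sorted(set(expected) - set(granted)):
                findings.append((name, "low", f"missing {kind} permission {expected[k]}"))
    return findings

# Constructed sample: the worker matches; the API app carries an extra write scope and
# the dashboard carries an application role, which breaks the documented separation.
SAMPLE_GRANTS = [
    {"displayName": "DocReadDashboard",
     "delegatedScopes": sorted(DELEGATED), "applicationRoles": ["User.Read.All"]},
    {"displayName": "DocReadAPI",
     "delegatedScopes": sorted(DELEGATED) + ["Sites.ReadWrite.All"]},
    {"displayName": "DocReadWorker",
     "applicationRoles": ["User.Read.All", "GroupMember.Read.All", "Sites.Read.All"]},
]
```

Running `audit(SAMPLE_GRANTS)` flags the dashboard's application role and the API app's write scope as high-severity deviations, while the worker, which matches the documented list exactly, produces no finding.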