DocRead 365 requested permissions

During installation, DocRead registers a set of enterprise applications (service principals) in your Microsoft Entra tenant. These applications allow your tenant users to sign in to the DocRead SharePoint app on the sites where it has been installed. This document describes what those applications are, what permissions they request, and why each permission is needed.

DocRead 365 applications

During installation, DocRead will automatically register the following three enterprise applications in your Microsoft Entra tenant:

  • DocReadDashboard - The DocRead Cockpit application that provides a central dashboard showing the compliance status across all the sites where DocRead was installed.
  • DocReadAPI - Web API used by the DocRead Cockpit and SharePoint apps.
  • DocReadWorker - Background worker application that creates and manages user assignments.

Why do we register 3 applications instead of just one?

Registering three distinct applications rather than a single one keeps each permission on the application that actually needs it. In particular, it separates application (app-only) permissions from delegated permissions: the two user-facing applications, DocReadDashboard and DocReadAPI, hold only delegated permissions, so a token issued to them can never do more than the signed-in user could do. The only application that holds application permissions is DocReadWorker, which runs in an isolated environment that cannot be reached from the outside.

You can find more information about permissions and consent here.

DocRead 365 requested permissions

DocRead will ask you to accept the following permissions. Granting them requires tenant-wide admin consent, so you need to be a Tenant Administrator on your tenant to approve them.

Delegated permissions

The DocReadDashboard and DocReadAPI applications use the delegated permissions below. Delegated permissions allow the application to act on behalf of the signed-in user; the application can never access anything the signed-in user could not access themselves. You can find more information about delegated permissions in this Microsoft Learn Article.

  • User.Read (Graph permission) - Sign in and read user profile
    • Allows users in your tenant to sign in to DocRead with their Microsoft account
    • Allows DocRead to read the user display name and email so that DocRead knows who the current user is and ensures that they have the required permissions to perform certain tasks in DocRead (e.g. create assignments).
  • User.Read.All (Graph permission) - Read all users’ full profiles
    • Allows DocRead to get user information like email addresses, display name and manager details so that it can create assignments for users, notify users when assignments are created and display the user’s manager details in the DocRead Cockpit application.
  • GroupMember.Read.All (Graph permission) - Read all group memberships
    • Allows DocRead to identify group members to control access to some of its features.
  • Sites.Read.All (Graph permission) - Read items in all site collections
    • Allows DocRead to get name, title and url of documents that have been attached to DocRead so that it can create reading assignments for those documents.
  • offline_access (Graph permission) - Maintain access to data you have given it access to
    • This is a standard OpenID Connect scope that the sign-in library requests by default, so it appears on the consent page automatically. It lets DocRead obtain a refresh token and silently renew the current user's access token when it expires, instead of prompting the user to sign in again (more information here)

Application permissions

The DocReadWorker app uses the application permissions below. Application permissions are not tied to a signed-in user, which is why they are confined to the worker: it runs in an isolated network environment with no inbound access from the outside. Its main job is to create and manage reading assignments based on user group memberships.

  • Sites.Read.All (Graph permission) - Read items in all site collections
    • Allows DocRead to get the name, title and url of documents attached to DocRead so that it can create reading assignments for those documents.
    • Allows DocRead to be notified when a document changes (via a webhook) so that it can update the document assignments accordingly (e.g. automatically delete assignments when a document is deleted or update the assignment when the document name or title changes).
  • User.Read.All (Graph permission) - Read all users’ full profiles
    • Allows DocRead to get user information like email addresses, display names, and manager details so that it can create assignments for users and notify users when those assignments are created.
  • GroupMember.Read.All (Graph permission) - Read all group memberships
    • Allows DocRead to identify group members so that it can create assignments for all members when a document is targeted to the group.
  • Sites.Read.All (SharePoint permission) - Read items in all site collections
    • Allows DocRead to use change tokens to ensure it can capture changes to the title, name and version of documents in document libraries that it’s attached to.
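The separation described on this page (delegated permissions only on DocReadDashboard and DocReadAPI, application permissions only on DocReadWorker) is something you can verify in your own tenant after installation rather than take on trust. The script below is an added example written for this page; it is not DocRead's own tooling. It reads the consent actually recorded against each of the three service principals with the Microsoft Graph PowerShell SDK and flags anything beyond what the lists above document. It assumes the three apps keep the display names used on this page and that the resource service principals are named "Microsoft Graph" and "Office 365 SharePoint Online"; the allow-list of OpenID Connect sign-in scopes (openid, profile, email) is an assumption about what the sign-in library requests alongside offline_access and is not taken from this page.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications
# Added example, not DocRead's code. Compares the consent granted to the three
# DocRead service principals against the permissions documented on this page.

# Expected permissions per app, keyed as "<resource display name>/<permission>".
$GraphDelegated = @('Microsoft Graph/User.Read', 'Microsoft Graph/User.Read.All',
                    'Microsoft Graph/GroupMember.Read.All', 'Microsoft Graph/Sites.Read.All',
                    'Microsoft Graph/offline_access')
$Expected = @{
    'DocReadDashboard' = @{ Delegated = $GraphDelegated; Application = @() }
    'DocReadAPI'       = @{ Delegated = $GraphDelegated; Application = @() }
    'DocReadWorker'    = @{ Delegated = @(); Application = @(
        'Microsoft Graph/Sites.Read.All', 'Microsoft Graph/User.Read.All',
        'Microsoft Graph/GroupMember.Read.All', 'Office 365 SharePoint Online/Sites.Read.All') }
}
# Assumption: standard OIDC sign-in scopes the library requests with offline_access; not flagged.
$OidcSignInScopes = @('openid', 'profile', 'email')

function Get-DocReadGrantedPermissions {
    # Returns one row per granted permission for each named service principal.
    param([string[]] $AppNames)
    $rows = @()
    foreach ($name in $AppNames) {
        $sp = @(Get-MgServicePrincipal -Filter "displayName eq '$name'")
        if ($sp.Count -eq 0) { Write-Warning "Service principal '$name' not found"; continue }
        if ($sp.Count -gt 1) { Write-Warning "Several service principals named '$name'; auditing the first" }
        $sp = $sp[0]

        # Delegated consent: oAuth2PermissionGrants, Scope is space-separated.
        # ConsentType 'AllPrincipals' means tenant-wide admin consent; 'Principal' means a single user consented.
        foreach ($g in Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All) {
            $resource = (Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId).DisplayName
            foreach ($scope in ($g.Scope -split ' ' | Where-Object { $_ })) {
                $rows += [pscustomobject]@{ App = $name; Type = 'Delegated'; Resource = $resource;
                                            Permission = $scope; ConsentType = $g.ConsentType }
            }
        }
        # Application permissions: appRoleAssignments. AppRoleId is a GUID that has to be
        # resolved to a name through the resource service principal's AppRoles list.
        foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
            $resourceSp = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
            $roleName = ($resourceSp.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }).Value
            $rows += [pscustomobject]@{ App = $name; Type = 'Application'; Resource = $resourceSp.DisplayName;
                                        Permission = $roleName; ConsentType = 'AllPrincipals' }
        }
    }
    return $rows
}

function Test-DocReadPermissionSeparation {
    # Returns a list of finding strings; an empty list means the tenant matches this page.
    param([object[]] $Granted, [hashtable] $Expected, [string[]] $IgnoredScopes = $OidcSignInScopes)
    $findings = @()
    foreach ($g in $Granted) {
        if (-not $Expected.ContainsKey($g.App)) { continue }
        $key = "$($g.Resource)/$($g.Permission)"
        $allowed = @($Expected[$g.App][$g.Type])
        if ($g.Type -eq 'Application' -and $allowed.Count -eq 0) {
            $findings += "HIGH: $($g.App) holds application permission $key; only DocReadWorker should hold app-only permissions"
        } elseif ($key -notin $allowed -and $g.Permission -notin $IgnoredScopes) {
            $findings += "MEDIUM: $($g.App) holds undocumented $($g.Type.ToLower()) permission $key"
        }
        if ($g.Type -eq 'Delegated' -and $g.ConsentType -ne 'AllPrincipals') {
            $findings += "INFO: $($g.App) delegated grant for $key was consented per-user, not tenant-wide"
        }
    }
    return $findings
}

# Constructed sample rows (not real tenant data) in the shape the collector returns,
# including one deliberate violation: an application permission on the dashboard app.
$sample = @(
    [pscustomobject]@{ App = 'DocReadDashboard'; Type = 'Delegated';   Resource = 'Microsoft Graph'; Permission = 'User.Read';     ConsentType = 'AllPrincipals' }
    [pscustomobject]@{ App = 'DocReadDashboard'; Type = 'Application'; Resource = 'Microsoft Graph'; Permission = 'Sites.Read.All'; ConsentType = 'AllPrincipals' }
    [pscustomobject]@{ App = 'DocReadWorker';    Type = 'Application'; Resource = 'Office 365 SharePoint Online'; Permission = 'Sites.Read.All'; ConsentType = 'AllPrincipals' }
)
Test-DocReadPermissionSeparation -Granted $sample -Expected $Expected   # reports the single HIGH finding

# Live run against your tenant (needs an account that can read service principals and consent grants):
# Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'
# Test-DocReadPermissionSeparation -Granted (Get-DocReadGrantedPermissions -AppNames @($Expected.Keys)) -Expected $Expected
```

Two details are worth knowing when reading the output. An application permission is recorded as an appRoleAssignment whose AppRoleId is only a GUID, so the script resolves it through the resource's AppRoles list before comparing; a missing name there means the permission was granted against a resource this page does not document. A delegated grant with ConsentType "Principal" rather than "AllPrincipals" means an individual user consented instead of an administrator, which is worth checking if the install did not go through the admin consent flow described above.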