Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 18 Next »

Introduction

SphereShield requires you to register an app in Azure.

Please note the application needs to be registered by your Global Administrator

The registration process is described here

App Options

There are 3 different types of Standard App

  1. Compliance and Channel management - Sign in, read and write content. Required for compliance deployment (Ethical Wall, DLP) and channel management by API.

  2. Sign in And Groups - Sign in and read groups . Required for Portal authentication For Webex/Zoom/Slack and for MS Teams Proxy.

3. Sign in and eDiscovery - Sign in and read content for eDiscovery. Required for MS Teams eDiscovery by API.

Below are the permissions needed for each App

Compliance and Channel management Permissions


This app would like to:

Sign in and read user profile

Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.

This is a permission requested to access your data in AGAT Software.

Read items in all site collections

Allows the app to read documents and list items in all site collections without a signed in user.

This is a permission requested to access your data in AGAT Software.

Read and write items in all site collections

Allows the app to create, read, update, and delete documents and list items in all site collections without a signed in user.

This is a permission requested to access your data in AGAT Software.

Read all OneNote notebooks

Allows the app to read all the OneNote notebooks in your organization, without a signed-in user.

This is a permission requested to access your data in AGAT Software.

Read and write files in all site collections

Allows the app to read, create, update and delete all files in all site collections without a signed in user.

This is a permission requested to access your data in AGAT Software.

Read files in all site collections

Allows the app to read all files in all site collections without a signed in user.

This is a permission requested to access your data in AGAT Software.

Read and write all users' full profiles

Allows the app to read and update user profiles without a signed in user.

This is a permission requested to access your data in AGAT Software.

Read all users' full profiles

Allows the app to read user profiles without a signed in user.

This is a permission requested to access your data in AGAT Software.

Read all audit log data

Allows the app to read and query your audit log activities, without a signed-in user.

This is a permission requested to access your data in AGAT Software.

Flag chat messages for violating policy

Allows the app to update Microsoft Teams 1-to-1 or group chat messages by patching a set of Data Loss Prevention (DLP) policy violation properties to handle the output of DLP processing.

This is a permission requested to access your data in AGAT Software.

Read all chat messages

Allows the app to read all 1-to-1 or group chat messages in Microsoft Teams.

This is a permission requested to access your data in AGAT Software.

Read all channel messages

Allows the app to read all channel messages in Microsoft Teams

This is a permission requested to access your data in AGAT Software.

Flag channel messages for violating policy

Allows the app to update Microsoft Teams channel messages by patching a set of Data Loss Prevention (DLP) policy violation properties to handle the output of DLP processing.

This is a permission requested to access your data in AGAT Software.

Read all groups

Allows the app to read group properties and memberships, and read the calendar and conversations for all groups, without a signed-in user.

This is a permission requested to access your data in AGAT Software.

Read and write all groups

Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write group calendar and conversations. All of these operations can be performed by the app without a signed-in user.

This is a permission requested to access your data in AGAT Software.

Read directory data

Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user.

This is a permission requested to access your data in AGAT Software.

Read and write directory data

Allows the app to read and write data in your organization's directory, such as users, and groups, without a signed-in user. Does not allow user or group deletion.

This is a permission requested to access your data in AGAT Software.

Read and write all group memberships

Allows the app to list groups, read basic properties, read and update the membership of the groups this app has access to without a signed-in user. Group properties and owners cannot be updated and groups cannot be deleted.

This is a permission requested to access your data in AGAT Software.

Read and write all OneNote notebooks

Allows the app to read all the OneNote notebooks in your organization, without a signed-in user.

This is a permission requested to access your data in AGAT Software.

Add and remove members from all teams

Add and remove members from all teams, without a signed-in user. Also allows changing a team member's role, for example from owner to non-owner.

This is a permission requested to access your data in AGAT Software.

Add and remove members from all channels

Add and remove members from all channels, without a signed-in user. Also allows changing a member's role, for example from owner to non-owner.

This is a permission requested to access your data in AGAT Software.

Add and remove members from all chats

Add and remove members from all chats, without a signed-in user.

This is a permission requested to access your data in AGAT Software.

Sign in and read user profile

Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allow the app to read basic company information of signed-in users.

This is a permission requested to access your data in AGAT Software.

If you accept, this app will get access to the specified resources for all users in your organization. No one else will be prompted to review these permissions.

Accepting these permissions means that you allow this app to use your data as specified in their terms of service and privacy statement. You can change these permissions at https://myapps.microsoft.comShow details

Create tabs in Microsoft Teams.

Allows the app to create tabs in any team in Microsoft Teams, on behalf of the signed-in user. This does not grant the ability to read, modify or delete tabs after they are created, or give access to the content inside the tabs.

Read and write tabs in Microsoft Teams.

Allows the app to read, install, upgrade, and uninstall Teams apps, on behalf of the signed-in user and also for teams the user is a member of. Does not give the ability to read or write application-specific settings.

Read and write tabs in any team in Microsoft Teams, without a signed-in user. This does not give access to the content inside the tabs.


Read and write user chat messages

Allows an app to read and write 1 on 1 or group chats threads, on behalf of the signed-in user.

This is a permission requested to access your data in AgatDevelopment.

Create chats

Allows the app to create chats on behalf of the signed-in user.

This is a permission requested to access your data in AgatDevelopment.

Sign in And Groups Permissions

This app would like to:

Sign in and read user profile

Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.

This is a permission requested to access your data in AGAT Software.

Read all groups

Allows the app to read group properties and memberships, and read the calendar and conversations for all groups, without a signed-in user.

This is a permission requested to access your data in AGAT Software.

Read all users' full profiles

Allows the app to read user profiles without a signed in user.

This is a permission requested to access your data in AGAT Software.

If you accept, this app will get access to the specified resources for all users in your organization. No one else will be prompted to review these permissions.

Accepting these permissions means that you allow this app to use your data as specified in their terms of service and privacy statement. You can change these permissions at https://myapps.microsoft.comShow details

Sign in and eDiscovery Permissions

This app would like to:

Sign in and read user profile

Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.

This is a permission requested to access your data in AGAT Software.

Read names and members of all chat threads

Read names and members of all one-to-one and group chats in Microsoft Teams, without a signed-in user.

This is a permission requested to access your data in AGAT Software.

Read and write calendars in all mailboxes

Allows the app to create, read, update, and delete events of all calendars without a signed-in user.

This is a permission requested to access your data in AGAT Software.

Read calendars in all mailboxes

Allows the app to read events of all calendars without a signed-in user.

This is a permission requested to access your data in AGAT Software.

Read all groups

Allows the app to read group properties and memberships, and read the calendar and conversations for all groups, without a signed-in user.

This is a permission requested to access your data in AGAT Software.

Read mail in all mailboxes

Allows the app to read mail in all mailboxes without a signed-in user.

This is a permission requested to access your data in AGAT Software.

Read all chat messages

Allows the app to read all 1-to-1 or group chat messages in Microsoft Teams.

This is a permission requested to access your data in AGAT Software.

Read all audit log data

Allows the app to read and query your audit log activities, without a signed-in user.

This is a permission requested to access your data in AGAT Software.

Read all users' full profiles

Allows the app to read user profiles without a signed in user.

This is a permission requested to access your data in AGAT Software.

Read files in all site collections

Allows the app to read all files in all site collections without a signed in user.

This is a permission requested to access your data in AGAT Software.

If you accept, this app will get access to the specified resources for all users in your organization. No one else will be prompted to review these permissions.

Accepting these permissions means that you allow this app to use your data as specified in their terms of service and privacy statement. You can change these permissions at https://myapps.microsoft.comShow details

Permissions for chat and file control only

If all that is required is to enforce Ethical Wall and DLP policies on chat and files we can create a custom app with limited permissions.

For chat & file control we will only need the flowing permissions (and a separate app will be step up like this):

Permissions for file control only

If all that is required is to enforce Ethical Wall and DLP policies on files we can create a custom app with limited permissions.

For file control we will only need the flowing permissions (and a separate app will be step up like this):

Option for Private Customer App

In the event that a customer is unhappy with the permissions above, AGAT offers an option for the customer to create the SphereShield app in their own tenant. This means that AGAT won’t have any permissions to the customer tenant, but the customer will be the owner of the app with the permissions required.

The registration process will be the same but requires changing the app ID to the new one and browsing the new URL. Permissions then need to be granted.

In the “Cloud Initial Configuration” the new app ID and secret need to be used.

AGAT software support will be able to help the customer through the process if necessary.

You can also see the below documentation on how to manually create and register the Azure App required for API connection.

Manually creating the Azure AD Application Registration required for API connection

Production Key Vault and Certificate

Protocol used by Azure app for authentication

The app is a native Microsoft deployment and uses OAuth2 as documented here:

https://docs.microsoft.com/en-us/azure/app-service/overview-authentication-authorization

  • No labels