Permission Requirements

This article describes the permissions required to install and use SysKit Point.

Depending on where you are deploying SysKit Point - Cloud or on-premises - various permissions are needed to install and configure it successfully. The details are covered in multiple articles grouped by deployment type. This article gives a quick overview of those articles and describes the permissions required regardless of the deployment type.

Cloud

When deploying SysKit Point to Cloud, use the following articles to prepare your Azure environment for installation and configuration of SysKit Point:

Click the appropriate link to learn more about the requirements for each of the mentioned resources.

On-Premises

When deploying SysKit Point on-premises, you can find all information in the following articles:

Click the appropriate link to learn more about the requirements for each of the mentioned resources.

Office 365

No matter the deployment type, when configuring SysKit Point, you must connect to Office 365 with a Global Administrator account.

Please note! Office 365 Global Admin credentials are only needed when configuring SysKit Point for the first time.

The reasons for this requirement are described in more detail below.

Global Administrator

When connecting to an Office 365 tenant during the configuration process, you need to connect with a Global Administrator account.

The first time you connect to your Office 365 tenant, you will be prompted to consent to a set of permissions that SysKit Point requires to function correctly. Additional prompts may appear when you install a newer version of SysKit Point, because new functionality may require new permissions.

Office 365 Global Admin Consent

SysKit Point App Permissions

Please note! Permissions described below are automatically granted to SysKit Point by giving consent during the configuration process.

To achieve its functionality, SysKit Point is registered as an Enterprise Application in Azure Active Directory. The permissions model is based on OAuth and OpenID Connect flows. This enables us to consume all of the APIs provided by Microsoft in a standard and well-defined way. It also allows us to use modern authentication, including Multi-Factor Authentication. SysKit Point requires permissions to access several Microsoft APIs. There are two types of required permissions:

  • Application permissions - define what SysKit Point can do without a signed-in user.

  • Delegated permissions - define what SysKit Point can do in the name of the signed-in user.

The following permissions are required for the SysKit Point Enterprise Application:

Microsoft Graph

| Permissions | Type | Reason |
|---|---|---|
| Maintain access to data you have given it access to | Delegated | Allows SysKit Point to always show you the latest data about your environment. |
| Sign users in | Delegated | Allows SysKit Point to scan your environment as a signed-in user. |
| Read all users' full profiles | Delegated | Allows SysKit Point to read your users' profiles and show you reports based on that data. |
| Access directory as the signed-in user | Delegated | Allows SysKit Point to access your directory. |
| Read directory data | Delegated | Allows SysKit Point to autodiscover your sites, groups, and users. |
| Read and write all groups | Delegated | Allows SysKit Point to read Office 365 group data and show you reports based on that data. Additionally, allows you to manage your groups from SysKit Point. |
| Read items in all site collections | Delegated | Allows SysKit Point to read documents and list items in all site collections and show you reports based on that data. |
| Read all usage reports | Delegated | Allows SysKit Point to read usage reports generated by Microsoft. |
| Send mail as a user | Delegated | Allows SysKit Point to send emails as a signed-in user so you can be notified if something important happens. (coming soon) |

Office 365 SharePoint Online

| Permissions | Type | Reason |
|---|---|---|
| Have full control of all site collections | Delegated | Allows you to manage your Site Collections directly from SysKit Point. |

Skype For Business PowerShell Server Application

| Permissions | Type | Reason |
|---|---|---|
| Have full access to the Skype Remote PowerShell Azure services | Delegated | Allows SysKit Point to gather additional data about your Microsoft Teams. |

Windows Azure Service Management API

| Permissions | Type | Reason |
|---|---|---|
| Access Azure Service Management as organization users | Delegated | Allows SysKit Point to create an additional application in your tenant for safer data access. |

To allow safer access to your Office 365 tenant data and to use Microsoft Authentication for signing in your users to SysKit Point, two additional app registrations are created:

  • SysKit Point Service

  • SysKit Point Client

SysKit Point Service

The SysKit Point Service app registration is used for data sync and audit log collection. The following permissions enable SysKit Point to perform these actions:

Microsoft Graph

| Permissions | Type | Reason |
|---|---|---|
| Read directory data | Application | Allows SysKit Point to autodiscover your sites, groups, and users. |
| Read and write all groups | Application | Allows SysKit Point to read Office 365 group data and show you reports based on that data. Additionally, allows you to manage your groups from SysKit Point. |
| Read all usage reports | Application | Allows SysKit Point to read usage reports generated by Microsoft. |
| Have full control on all sites | Application | Allows SysKit Point to read documents and list items in all site collections and show you reports based on that data. |
| Read all users' full profiles | Application | Allows SysKit Point to read your users' profiles and show you reports based on that data. |

Office 365 Management APIs

| Permissions | Type | Reason |
|---|---|---|
| Read activity data for your organization | Delegated, Application | Allows SysKit Point to read your organization's audit logs. |
| Read service health information for your organization | Delegated, Application | Allows SysKit Point to read your organization's audit logs. |

Skype For Business PowerShell Server Application

| Permissions | Type | Reason |
|---|---|---|
| Have full access to the Skype Remote PowerShell Azure services | Delegated | Allows SysKit Point to gather additional data about your Microsoft Teams. |
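The Service registration holds application permissions, which work without a signed-in user, so its grants are worth checking against the tables above. The following is an added example, not SysKit's code: it compares a constructed sample export of grants with the baseline transcribed from this page. The row format (API, permission, type) and the extra mail permission in the sample are assumptions for illustration.

```python
# Added example (not SysKit code): audit "SysKit Point Service" grants against this page.
GRAPH, MGMT = "Microsoft Graph", "Office 365 Management APIs"
SKYPE = "Skype For Business PowerShell Server Application"

# Baseline transcribed from this page: (API, permission) -> documented grant types.
DOCUMENTED = {
    (GRAPH, "Read directory data"): {"Application"},
    (GRAPH, "Read and write all groups"): {"Application"},
    (GRAPH, "Read all usage reports"): {"Application"},
    (GRAPH, "Have full control on all sites"): {"Application"},
    (GRAPH, "Read all users' full profiles"): {"Application"},
    (MGMT, "Read activity data for your organization"): {"Delegated", "Application"},
    (MGMT, "Read service health information for your organization"): {"Delegated", "Application"},
    (SKYPE, "Have full access to the Skype Remote PowerShell Azure services"): {"Delegated"},
}

def norm(text):
    return " ".join(text.split()).casefold()  # ignore case and spacing in exports

def audit(observed):
    """observed: (api, permission, grant_type) rows exported from the tenant.
    Returns undocumented grants, grants of an undocumented type, and missing grants."""
    baseline = {(norm(a), norm(p)): {norm(t) for t in ts}
                for (a, p), ts in DOCUMENTED.items()}
    seen, report = set(), {"undocumented": [], "wrong_type": [], "missing": []}
    for api, perm, gtype in observed:
        key, t = (norm(api), norm(perm)), norm(gtype)
        if key not in baseline:
            report["undocumented"].append((api, perm, gtype))
        elif t not in baseline[key]:
            report["wrong_type"].append((api, perm, gtype))
        else:
            seen.add(key + (t,))
    for (api, perm), types in DOCUMENTED.items():
        for gtype in sorted(types):
            if (norm(api), norm(perm), norm(gtype)) not in seen:
                report["missing"].append((api, perm, gtype))
    return report

# Constructed sample export (not real tenant data): one documented grant absent,
# one grant the page does not list, one documented permission with the wrong type.
SAMPLE = [(a, p, t) for (a, p), ts in DOCUMENTED.items() for t in ts
          if p != "Read all usage reports"]
SAMPLE += [(GRAPH, "read directory  data", "application"),  # same grant, odd formatting
           (GRAPH, "Read and write mail in all mailboxes", "Application"),
           (SKYPE, "Have full access to the Skype Remote PowerShell Azure services", "Application")]

if __name__ == "__main__":
    for kind, rows in audit(SAMPLE).items():
        print(kind, rows)
```

An "undocumented" or "wrong_type" finding means the registration holds more than this page says it needs; "missing" usually points to consent that was never completed or was revoked.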

SysKit Point Client

The second app registration, SysKit Point Client, enables users to securely log in to SysKit Point and perform actions they are entitled to do, based on their permissions in the Office 365 environment. The following permissions are used:

Microsoft Graph

| Permissions | Type | Reason |
|---|---|---|
| Maintain access to data you have given it access to | Delegated | Allows SysKit Point to always show you the latest data about your environment. |
| Sign users in | Delegated | Allows SysKit Point to scan your environment as a signed-in user. |
| Read all users' full profiles | Delegated | Allows SysKit Point to read your users' profiles and show you reports based on that data. |
| Access directory as the signed-in user | Delegated | Allows SysKit Point to access your directory. |
| Read directory data | Delegated | Allows SysKit Point to autodiscover your sites, groups, and users. |
| Read and write all groups | Delegated | Allows SysKit Point to read Office 365 group data and show you reports based on that data. Additionally, allows you to manage your groups from SysKit Point. |
| Read items in all site collections | Delegated | Allows SysKit Point to read documents and list items in all site collections and show you reports based on that data. |
| Read all usage reports | Delegated | Allows SysKit Point to read usage reports generated by Microsoft. |
| Send mail as a user | Delegated | Allows SysKit Point to send emails as a signed-in user so you can be notified if something important happens. (coming soon) |

Office 365 SharePoint Online

| Permissions | Type | Reason |
|---|---|---|
| Have full control of all site collections | Delegated | Allows you to manage your Site Collections directly from SysKit Point. |
