This article discusses permission requirements that are necessary to deploy and use SysKit Point successfully.
Below, reasons for such requirements are described in greater detail.
The first time you connect to your Microsoft 365 tenant, you will be prompted to consent to a set of permissions that SysKit Point requires to function correctly. Additional prompts may appear later, when a newer version of SysKit Point is installed, because new functionality can bring new required permissions.
Microsoft 365 Global Admin Consent
To achieve its functionality, SysKit Point is registered as an Enterprise Application in Azure Active Directory. The permissions model is based on OAuth and OpenID Connect flows. This enables SysKit Point to consume all of the APIs provided by Microsoft in a standard and well-defined way. It also allows the use of modern authentication, including Multi-Factor Authentication. SysKit Point requires permissions to access several Microsoft APIs. There are two types of required permissions:
- Application permissions - define what SysKit Point can do without a signed-in user.
- Delegated permissions - define what SysKit Point can do in the name of the signed-in user.
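The two permission types above are recorded differently in the tenant, and that is the check a tenant admin can run before or after consenting: application permissions show up as app role assignments on the Enterprise Application's service principal, delegated permissions as OAuth2 permission grants (admin-consented for all users, or consented by one user). The script below, an added example and not code from the SysKit Point documentation or product, reads the two Microsoft Graph object shapes (`appRoleAssignments` and `oauth2PermissionGrants`), resolves role ids to permission names, and compares the result with a documented list. All ids, permission names and the "documented" sets are constructed placeholders.

```python
"""Split a service principal's consent records into application and delegated
permissions and flag grants that a vendor's documentation does not list.

Sample data is CONSTRUCTED to look like Microsoft Graph responses; every id and
permission name below is a placeholder, not a real tenant value."""
from typing import Dict, List, Optional, Tuple

# Constructed: resource service principals (GET /servicePrincipals/{id}),
# keyed by object id. appRoles is where appRoleId values are resolved.
RESOURCES = {
    "res-graph-0001": {
        "displayName": "Microsoft Graph",
        "appRoles": [
            {"id": "role-0001", "value": "Sites.Read.All"},
            {"id": "role-0002", "value": "Directory.Read.All"},
        ],
    },
}

# Constructed: GET /servicePrincipals/{clientId}/appRoleAssignments
# Application permissions: granted to the app itself, no signed-in user.
APP_ROLE_ASSIGNMENTS = [
    {"principalId": "client-sp-0001", "resourceId": "res-graph-0001", "appRoleId": "role-0001"},
    {"principalId": "client-sp-0001", "resourceId": "res-graph-0001", "appRoleId": "role-0002"},
]

# Constructed: GET /servicePrincipals/{clientId}/oauth2PermissionGrants
# Delegated permissions: scope is space-separated; consentType is
# "AllPrincipals" (admin consent for everyone) or "Principal" (one user).
OAUTH2_PERMISSION_GRANTS = [
    {"clientId": "client-sp-0001", "resourceId": "res-graph-0001",
     "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read openid profile Sites.Read.All"},
    {"clientId": "client-sp-0001", "resourceId": "res-graph-0001",
     "consentType": "Principal", "principalId": "user-0007",
     "scope": "Mail.Read"},
]


def _resource_name(resources: dict, resource_id: str) -> str:
    return resources.get(resource_id, {}).get("displayName", f"<unknown resource {resource_id}>")


def application_permissions(assignments: list, resources: dict, client_sp_id: str) -> List[Tuple[str, str]]:
    """(resource, permission) for every app role assigned to the client SP."""
    out = []
    for a in assignments:
        if a["principalId"] != client_sp_id:
            continue
        roles = {r["id"]: r["value"] for r in resources.get(a["resourceId"], {}).get("appRoles", [])}
        value = roles.get(a["appRoleId"], f"<unknown role {a['appRoleId']}>")
        out.append((_resource_name(resources, a["resourceId"]), value))
    return sorted(out)


def delegated_permissions(grants: list, resources: dict, client_sp_id: str) -> List[Tuple[str, str, str, Optional[str]]]:
    """(resource, scope, consentType, principalId) with one entry per scope."""
    out = []
    for g in grants:
        if g["clientId"] != client_sp_id:
            continue
        name = _resource_name(resources, g["resourceId"])
        for scope in g.get("scope", "").split():
            out.append((name, scope, g["consentType"], g.get("principalId")))
    return sorted(out, key=lambda t: (t[0], t[1], t[2], t[3] or ""))


def permission_report(assignments: list, grants: list, resources: dict, client_sp_id: str) -> Dict[str, list]:
    """Group grants the way a consent review reads them."""
    delegated = delegated_permissions(grants, resources, client_sp_id)
    return {
        "application": application_permissions(assignments, resources, client_sp_id),
        "delegated_admin": [(r, s) for r, s, c, _ in delegated if c == "AllPrincipals"],
        "delegated_user": [(r, s, p) for r, s, c, p in delegated if c == "Principal"],
    }


def admin_consented(report: dict) -> List[Tuple[str, str]]:
    """Everything a Global Admin consented to for the whole organisation:
    application permissions plus delegated scopes granted to AllPrincipals.
    The same name (e.g. Sites.Read.All) can exist as both types."""
    return sorted(set(report["application"]) | set(report["delegated_admin"]))


def undocumented(report: dict, documented_application: set, documented_delegated: set) -> Dict[str, list]:
    """Tenant-wide grants that the vendor's documented list does not mention;
    anything returned here deserves a question before (re)consenting."""
    return {
        "application": [p for p in report["application"] if p[1] not in documented_application],
        "delegated_admin": [p for p in report["delegated_admin"] if p[1] not in documented_delegated],
    }


if __name__ == "__main__":
    rep = permission_report(APP_ROLE_ASSIGNMENTS, OAUTH2_PERMISSION_GRANTS, RESOURCES, "client-sp-0001")
    for kind, rows in rep.items():
        print(kind, rows)
    # Assumed documented sets (placeholders), standing in for a vendor's table.
    print("undocumented:", undocumented(rep, {"Sites.Read.All"}, {"User.Read", "openid", "profile", "Sites.Read.All"}))
```

Against a real tenant the three inputs come from the Graph endpoints named in the comments; the client service principal's object id is what the Enterprise Applications blade shows, not the app registration's application id. Comparing the `admin_consented` list against the vendor's documented table is the review step: a permission that appears in the tenant but not in the documentation is the thing to ask about.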
The following permissions are required for the SysKit Point Installer Enterprise Application:
- SysKit Point Service
- SysKit Point Client
- SysKit Point Permissions Loader
- SysKit Point API - currently in the Beta stage and not used by default
Microsoft 365 Management APIs
The second app registration, SysKit Point Client, enables users to securely sign in to SysKit Point and perform the actions they are entitled to, based on their permissions in the Microsoft 365 environment. The following permissions are used:
When using Microsoft Authentication Flow to connect a service account, the following Microsoft Graph permissions are added to the SysKit Point Client app registration:
The SysKit Point Permissions Loader app registration is used for optimized data sync of SharePoint and OneDrive data, paired with the SysKit Point Service app registration. The following permissions enable SysKit Point to perform these actions:
Microsoft 365 Exchange Online
Microsoft 365 Management APIs
By default, no permissions are added. If Power BI data collection is configured, the following Admin API permissions are given through a specified security group:
- read-only access to all the information available through Power BI admin APIs; for example, user names and emails, dataset and report detailed metadata
- read-only access to detailed metadata about Power BI items; for example, responses from GetScanResult APIs will contain the names of dataset tables and columns
The SysKit Point API app registration is used for third-party app integration, meaning you can retrieve SysKit Point data via the SysKit Point API and use it in other business applications and web services. This feature is currently in the Beta stage.
By default, the app registration has no permissions added.