Permission Requirements

This article discusses the permission requirements necessary to run Syskit Point successfully.


Last updated 22 days ago


Microsoft 365

When connecting to your Microsoft 365 tenant, you must connect with a Global Administrator account.

Please note! Microsoft 365 Global Admin credentials are only needed when connecting for the first time.

Below, the reasons for such requirements are described in greater detail.

Global Administrator

When connecting to a Microsoft 365 tenant for the first time, you must connect with a Global Administrator account.

The first time you connect to your Microsoft 365 tenant, you will be prompted to consent to a set of permissions that Syskit Point requires to function correctly. Additional prompts may appear in the future when installing a newer version of Syskit Point because of new functionality and, consequently, new permissions required.

Syskit Point App Permissions

Please note! Permissions described below are automatically granted to Syskit Point by giving consent during the initial connection process.

To achieve its functionality, Syskit Point is registered as an Enterprise Application in Azure Active Directory. The permissions model is based on OAuth and OpenID Connect flows. This enables Syskit Point to consume all of the APIs provided by Microsoft in a standard and well-defined way. It also allows the use of modern authentication, including Multi-Factor Authentication. Syskit Point requires permissions to access several Microsoft APIs. There are two types of required permissions:

  • Application permissions - define what Syskit Point can do without a signed-in user.

  • Delegated permissions - define what Syskit Point can do in the name of the signed-in user.

The following permissions are required for the Syskit Point Installer Enterprise Application:

Microsoft Graph

| Permissions | Type | Reason |
| --- | --- | --- |
| Read all users' full profiles | Delegated | Allows Syskit Point to read your users' profiles and show you reports based on that data. |
| Access directory as the signed-in user | Delegated | Allows Syskit Point to access your directory. |
| Read directory data | Delegated | Allows Syskit Point to autodiscover your sites, groups, and users. |
| Sign users in | Delegated | Allows Syskit Point to scan your environment as a signed-in user. |
| View users' basic profile | Delegated | Allows Syskit Point Microsoft Teams application to show users basic data and allow secure communication with Syskit Point. |

Windows Azure Service Management API

| Permissions | Type | Reason |
| --- | --- | --- |
| Access Azure Service Management as organization users | Delegated | Allows Syskit Point to create an additional application in your tenant for safer data access. |

  • Syskit Point Service

  • Syskit Point Client

  • Syskit Point Permissions Loader

  • Syskit Point API - currently in Beta stage and not being used by default

Syskit Point Service

Microsoft Graph

| Permissions | Type | Reason |
| --- | --- | --- |
| Read all audit log data | Application | Enables Syskit Point to access data used to determine the time of the last sign-in for guest users. |
| Read the members of all channels | Application | Allows Syskit Point to collect membership data for private and shared channels. |
| Read all channel messages | Application | Enables Syskit Point to calculate Teams activity based on the latest channel message date. |
| Read directory data | Application | Allows Syskit Point to autodiscover your sites, groups, and users. |
| Read files in all site collections | Application | Enables Syskit Point to perform partial site syncs containing changed files only. |
| Read and write all groups | Application | Allows Syskit Point to read Microsoft 365 Group data and show you reports based on that data. Additionally, it allows you to manage your groups from Syskit Point. |
| Read and write all group members | Application | Allows Syskit Point to add members and owners to all types of groups in the access request process after the request is approved. |
| Read all published labels and label policies for an organization | Application | Enables Syskit Point to sync published sensitivity labels and store them in the database. |
| Read and write mail in all mailboxes | Application | Allows Syskit Point to send emails as a part of the Access Review, Lifecycle Management, Scheduled Reports, Alerts, and other features. |
| Send mail as any user | Application | Allows Syskit Point to send emails as a part of the Access Review, Lifecycle Management, Scheduled Reports, Alerts, and other features. |
| Read all usage reports | Application | Allows Syskit Point to read usage reports generated by Microsoft. |
| Read and write users' full profiles | Application | Allows Syskit Point to read your users' profiles and show you reports based on that data. Additionally, it allows Syskit Point to automatically remove inactive guest users if defined in the Inactive Guest Users policy. |
| Read and write all directory RBAC settings | Application | Allows Syskit Point to add members and owners to all types of groups in the access request process after the request is approved. |

Microsoft 365 Exchange Online

| Permissions | Type | Reason |
| --- | --- | --- |
| Manage Exchange as application | Application | Allows Syskit Point to sync distribution lists and email enabled security groups. |

Microsoft 365 Management APIs

| Permissions | Type | Reason |
| --- | --- | --- |
| Read activity data for your organization | Delegated, Application | Allows Syskit Point to read your organization's audit logs. |
| Read service health information for your organization | Delegated, Application | Allows Syskit Point to read your organization's audit logs. |

SharePoint

| Permissions | Type | Reason |
| --- | --- | --- |
| Have full control on all sites | Application | Allows Syskit Point to read documents and list items in all site collections and show you reports based on that data. |

Please note: The Syskit Point Service Principal is also added to the Exchange Administrator role; this enables syncing the distribution list and email-enabled security group owners and running management actions for such groups in Syskit Point.
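
To confirm that the consent recorded in a tenant matches the Microsoft Graph table above for Syskit Point Service, the granted permissions can be compared against it. The following is an added example, not Syskit code: it assumes an export shaped like Microsoft Graph `appRoleAssignments` and `oauth2PermissionGrants` records, uses constructed placeholder IDs and sample data, and assumes the tenant reports the same display names as this page.

```python
# Baseline copied from this page: Syskit Point Service -> Microsoft Graph.
# Every entry is documented with type "Application".
SERVICE_GRAPH_BASELINE = {
    "Read all audit log data",
    "Read the members of all channels",
    "Read all channel messages",
    "Read directory data",
    "Read files in all site collections",
    "Read and write all groups",
    "Read and write all group members",
    "Read all published labels and label policies for an organization",
    "Read and write mail in all mailboxes",
    "Send mail as any user",
    "Read all usage reports",
    "Read and write users' full profiles",
    "Read and write all directory RBAC settings",
}


def granted_permissions(client_id, resource, role_assignments, delegated_grants):
    """Return {(type, name)} granted to one service principal on one resource."""
    roles_by_id = {r["id"]: r["displayName"] for r in resource["appRoles"]}
    granted = set()
    for a in role_assignments:  # application permissions (no signed-in user)
        if a["principalId"] == client_id and a["resourceId"] == resource["id"]:
            # An unknown role id is reported, not silently dropped.
            name = roles_by_id.get(a["appRoleId"], "unresolved:" + a["appRoleId"])
            granted.add(("Application", name))
    for g in delegated_grants:  # delegated permissions (on behalf of a user)
        if g["clientId"] == client_id and g["resourceId"] == resource["id"]:
            for scope in g["scope"].split():  # Graph stores scopes space-separated
                granted.add(("Delegated", scope))
    return granted


def consent_drift(granted, baseline):
    """Compare granted permissions with the documented Application baseline."""
    expected = {("Application", name) for name in baseline}
    return {
        "unexpected": sorted(granted - expected),  # granted but not documented
        "missing": sorted(expected - granted),     # documented but not consented
    }


def build_sample():
    """Constructed data; all IDs are placeholders, not real tenant values."""
    extra = "Read and write all applications"    # not in the page's table
    names = sorted(SERVICE_GRAPH_BASELINE) + [extra]
    graph = {
        "id": "sp-graph",
        "displayName": "Microsoft Graph",
        "appRoles": [
            {"id": f"00000000-0000-0000-0000-{i:012d}", "displayName": n}
            for i, n in enumerate(names)
        ],
    }
    not_consented = "Read all channel messages"  # simulates a pending re-consent
    assignments = [
        {"principalId": "sp-syskit-service", "resourceId": "sp-graph",
         "appRoleId": r["id"]}
        for r in graph["appRoles"] if r["displayName"] != not_consented
    ]
    grants = [{"clientId": "sp-syskit-service", "resourceId": "sp-graph",
               "consentType": "AllPrincipals", "scope": "User.Read"}]
    return graph, assignments, grants


def run_sample():
    graph, assignments, grants = build_sample()
    granted = granted_permissions("sp-syskit-service", graph, assignments, grants)
    return consent_drift(granted, SERVICE_GRAPH_BASELINE)


if __name__ == "__main__":
    for kind, items in run_sample().items():
        for perm_type, name in items:
            print(f"{kind:10} {perm_type:11} {name}")
```

An "unexpected" entry is a grant the table does not document for this app registration; a "missing" entry usually means a newer version's permission has not been consented to yet.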

Syskit Point Client

The second app registration, Syskit Point Client, enables users to securely sign in to Syskit Point and perform the actions they are entitled to, based on their permissions in the Microsoft 365 environment. The following permissions are used:

Microsoft Graph

| Permissions | Type | Reason |
| --- | --- | --- |
| Add and remove members from channels | Delegated | Enables users to manage private channels in Syskit Point. |
| Access directory as the signed-in user | Delegated | Allows Syskit Point to access your directory. |
| Read and write directory data | Delegated | Allows Syskit Point to autodiscover your sites, groups, and users; allows license management actions to be performed. |
| View users' email address | Delegated | Allows Syskit Point to log users in Microsoft Teams application. |
| Read and write all groups | Delegated | Allows Syskit Point to read Microsoft 365 Group data and show you reports based on that data. Additionally, it allows you to manage your groups from Syskit Point. |
| Maintain access to data you have given it access to | Delegated | Allows Syskit Point always to show you the latest data about your environment. |
| Sign users in | Delegated | Allows Syskit Point to scan your environment as the signed-in user. |
| Read all users' relevant people lists | Delegated | Allows Syskit Point to display users' relevant people lists in People Picker within Syskit Point Teams app. |
| Read presence information of all users in your organization | Delegated | Allows Syskit Point Microsoft Teams application to show the status of users. |
| View users' basic profile | Delegated | Allows Syskit Point Microsoft Teams application to show users basic data and allow secure communication with Syskit Point. |
| Add and remove members from teams | Delegated | Allows Syskit Point to add newly created users in AAD to Microsoft Teams and private channels. |
| Send a teamwork activity to any user | Application | Allows Syskit Point Microsoft Teams application to send notifications to users. |
| Read and write all users' full profiles | Delegated | Allows Syskit Point to read your users' profiles and show you reports based on that data; allows license management actions to be performed. |

When using Microsoft Authentication Flow to connect a service account, the following Microsoft Graph permissions are added to the Syskit Point Client app registration:

| Permissions | Type | Reason |
| --- | --- | --- |
| Read all published labels and label policies for an organization | Delegated | Enables service account to read published sensitivity labels. |
| Read users' full profiles | Delegated | Allows service account to read your users' profiles. |

Microsoft 365 Exchange Online

| Permissions | Type | Reason |
| --- | --- | --- |
| Manage Exchange configuration | Delegated | Allows Syskit Point users to manage owners and members in distribution lists and email enabled security groups. |

SharePoint

| Permissions | Type | Reason |
| --- | --- | --- |
| Have full control of all site collections | Delegated | Allows you to manage your Site Collections directly from Syskit Point. |

Power Platform

By default, the following permissions are not added during the initial connection to your tenant. Permissions are added when Power Apps and Power Automate data collection is enabled.

When Power Apps and Power Automate data collection is configured, new permissions are added to the following app registrations when the Global Administrator provides consent.

| App Registration | Permission Name | Reason |
| --- | --- | --- |
| Syskit Point Client | PowerAppManagementApp | Allows Syskit Point to access the PowerApps Service API and collect Power Platform resources data. |
| Syskit Point Power Platform | PowerAppManagementApp | Allows Syskit Point to access the PowerApps Service API and collect Power Platform resources data. |

Please note! Added permissions for Power Apps and Power Automate data collection are not visible in the Microsoft Entra interface. To manage the permissions, you can run the related PowerShell cmdlets described in the following articles: Get-PowerAppManagementApp and Remove-PowerAppManagementApp.

With the introduction of Power Platform Actions in Point Cloud v2025.2.88, reconsent is required from the Global Administrator. With reconsent, the following permission is added:

| API/Permissions Name | Permission | Type | Reason |
| --- | --- | --- | --- |
| PowerApps Service/User | Access the PowerApps Service API | Delegated | Allows you to run Power Platform actions in Syskit Point. |

Syskit Point Permissions Loader

Microsoft Graph

| Permissions | Type | Reason |
| --- | --- | --- |
| Read all audit log data | Application | Enables Syskit Point to access data used to determine the exact time of the last sign-in for guest users. |
| Read the members of all channels | Application | Allows Syskit Point to collect membership data for private and shared channels. |
| Read directory data | Application | Allows Syskit Point to autodiscover your sites, groups, and users. |
| Read files in all site collections | Application | Enables Syskit Point to perform partial site syncs, containing changed files only. |
| Read and write all groups | Application | Allows Syskit Point to read Microsoft 365 Group data and show you reports based on that data. Additionally, it allows you to manage your groups from Syskit Point. |
| Read all published labels and label policies for an organization | Application | Enables Syskit Point to sync published sensitivity labels and store them in the database. |
| Read and write mail in all mailboxes | Application | Allows Syskit Point to send emails as a part of the Access Review, Lifecycle Management, Scheduled Reports, Alerts, and other features. |
| Send mail as any user | Application | Allows Syskit Point to send emails as a part of the Access Review, Lifecycle Management, Scheduled Reports, Alerts, and other features. |
| Read all usage reports | Application | Allows Syskit Point to read usage reports generated by Microsoft. |
| Read and write users' full profiles | Application | Allows Syskit Point to read your users' profiles and show you reports based on that data. Additionally, it allows Syskit Point to automatically remove inactive guest users if defined in the Inactive Guest Users policy. |

Microsoft 365 Exchange Online

| Permissions | Type | Reason |
| --- | --- | --- |
| Manage Exchange as application | Application | Allows Syskit Point to sync distribution lists and email enabled security groups. |

Microsoft 365 Management APIs

| Permissions | Type | Reason |
| --- | --- | --- |
| Read activity data for your organization | Delegated, Application | Allows Syskit Point to read your organization's audit logs. |
| Read service health information for your organization | Delegated, Application | Allows Syskit Point to read your organization's audit logs. |

SharePoint

| Permissions | Type | Reason |
| --- | --- | --- |
| Have full control on all sites | Application | Allows Syskit Point to read documents and list items in all site collections and show you reports based on that data. |

Please note: The Syskit Point Permissions Loader Principal is also added to the Exchange Administrator role; this enables syncing the distribution list and email-enabled security group owners and running management actions for such groups in Syskit Point.

Syskit Point Power Platform

By default, no permissions are added during the initial connection to your tenant. Permissions are added when Power BI or Power Apps and Power Automate data collection is enabled.

Power BI

If Power BI data collection is configured, the following Admin API permissions are given through a specified security group:

  • read-only access to all the information available through Power BI admin APIs; for example, user names and emails, dataset and report detailed metadata

  • read-only access to detailed metadata about Power BI items; for example, responses from GetScanResult APIs will contain the names of dataset tables and columns

Power Apps and Power Automate

When Power Apps and Power Automate data collection is configured, new permissions are added to the following app registrations when the Global Administrator provides consent.

| App Registration | Permission Name | Reason |
| --- | --- | --- |
| Syskit Point Client | PowerAppManagementApp | Allows Syskit Point to access the PowerApps Service API and collect Power Platform resources data. |
| Syskit Point Power Platform | PowerAppManagementApp | Allows Syskit Point to access the PowerApps Service API and collect Power Platform resources data. |

Please note! Added permissions for Power Apps and Power Automate data collection are not visible in the Microsoft Entra interface. To manage the permissions, you can run the related PowerShell cmdlets described in the following articles: Get-PowerAppManagementApp and Remove-PowerAppManagementApp.

Syskit Point API

Syskit Point API app registration is used for third-party app integration, meaning you can get Syskit Point data via Syskit Point API and use it in other business applications and web services. This feature is currently in the Beta stage.

By default, the app registration has no permissions added.

To allow safer access to your Microsoft 365 tenant data and optimize the data sync process, additional app registrations are created during the initial connect process.

Syskit Point Service app registration is used for data sync, audit log collection, and sending emails. The permissions listed in the Syskit Point Service section enable Syskit Point to perform these actions.

Syskit Point Permissions Loader app registration is used for optimized data sync for SharePoint and OneDrive data, paired with the Syskit Point Service app registration. The permissions listed in the Syskit Point Permissions Loader section enable Syskit Point to perform these actions.

Related Topics

  • System Requirements for Data Center
  • Deploy Syskit Point for Data Center
  • Microsoft 365 Global Admin Consent
  • How to enable Power BI data collection in Syskit Point
  • How to enable Power Apps and Power Automate data collection in Syskit Point
  • PowerShell cmdlets for managing the Power Platform permissions: Get-PowerAppManagementApp, Remove-PowerAppManagementApp