
Describe why Sites.FullControl.All permission is required for SharePoint to alleviate security concerns #1555

Somu76 opened this issue Feb 6, 2025 · 2 comments · Fixed by #1557
Labels: public-reported (This issue is reported by the public users of the tool.)

Comments

@Somu76

Somu76 commented Feb 6, 2025

💡 Summary

In reviewing the permissions required for ScubaGear, I am seeing that it is requiring Sites.FullControl.All from SharePoint, while using Read permissions for almost all other entities. This being a pretty high permission level, and it not being explained, I feel is a missed opportunity to assuage the concerns of some security teams.

Motivation and context

This would be useful because...
Given that this is a project that is looking for settings like these to identify places where more permissions are given when not needed, it would help us get a better understanding if we know why.

(if this is already explained somewhere in the docs, I apologize for the repeat request and would appreciate the pointer to it).

Implementation notes

Please provide details for implementation, such as:

  • an example for how this would be used
  • what this would look like
  • how this would act
  • any related work, including links to related issues

Acceptance criteria

How do we know when this work is done?

  • Criterion
@buidav buidav added the public-reported This issue is reported by the public users of the tool. label Feb 6, 2025
@buidav buidav self-assigned this Feb 6, 2025
@buidav
Collaborator

buidav commented Feb 6, 2025

@Somu76 Hello, thanks for opening an issue for your question.

Sites.FullControl.All is a high permission and includes write permissions to your SharePoint admin center security configurations. This is not something that is documented or easily searchable elsewhere online so I'll make this an item to add to our FAQ.


To answer your question.

Short answer

Through our testing, Sites.FullControl.All is unfortunately the minimum required API permission needed for ScubaGear to non-interactively authenticate with an Entra ID application and call the SharePoint APIs to perform its checks.

The ScubaGear tool itself does not make ANY writes to your tenant configurations with the elevated permissions.

Note:
There was a change just this week (2/3/2025 for posterity) where 'only' Global Reader is required for ScubaGear interactive auth assessment instead of SharePoint admin. I'll be updating the documentation shortly to reflect that.


Long answer

Below is a recreation of the brute force experiments done to find the minimum required permissions for ScubaGear to call the SharePoint APIs to retrieve SharePoint admin center configurations.

The two images below are of me assigning an Entra ID application service principal both ALL possible SharePoint API permissions except Sites.FullControl.All and the Global Reader role.

Image

Image

The next images are the errors ScubaGear displays when running an assessment with the permissions and role assigned to the application above.

Image

Image


The next image is of me assigning a completely separate Entra ID Application Sites.FullControl.All and Organization.Read.All (This is the minimum MS Graph API permission used to retrieve the SharePoint admin domain of the tenant being assessed by ScubaGear).

Image

This next image is showing that the authentication/authorization was successful using the application above and ScubaGear was able to request and assess the SharePoint admin center configurations.

Image

Let us know if you have any other questions.
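An added example, not part of this thread or of ScubaGear's own code: a small audit that joins a service principal's appRoleAssignments to the resource APIs' appRoles (the shape the Microsoft Graph API returns) and reports which granted permissions are read-only, which is the elevated Sites.FullControl.All grant the comment above explains, and which are write-capable grants that the assessment does not need. The two resource app IDs are the well-known Microsoft Graph and SharePoint Online values; every other ID and all assignment data are constructed placeholders.

```python
"""Audit an Entra ID app's granted application permissions against the minimal
ScubaGear set described in this issue. Added example, not ScubaGear's own code;
all IDs other than the two resource app IDs are constructed placeholders."""
import re

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"       # Microsoft Graph
SHAREPOINT_APP_ID = "00000003-0000-0ff1-ce00-000000000000"  # SharePoint Online

# The one elevated grant the thread documents as unavoidable for SharePoint checks
DOCUMENTED_EXCEPTIONS = {(SHAREPOINT_APP_ID, "Sites.FullControl.All")}
WRITE_HINT = re.compile(r"ReadWrite|FullControl|Manage|Write", re.IGNORECASE)

# Constructed sample: resource service principals (id, appId, appRoles) as Graph returns them
RESOURCES = [
    {"id": "sp-graph-0001", "appId": GRAPH_APP_ID, "appRoles": [
        {"id": "role-org-read", "value": "Organization.Read.All"},
        {"id": "role-user-rw", "value": "User.ReadWrite.All"}]},
    {"id": "sp-spo-0002", "appId": SHAREPOINT_APP_ID, "appRoles": [
        {"id": "role-sites-fc", "value": "Sites.FullControl.All"},
        {"id": "role-sites-read", "value": "Sites.Read.All"}]},
]
# Constructed sample: appRoleAssignments of the assessment app's service principal
ASSIGNMENTS = [
    {"appRoleId": "role-org-read", "resourceId": "sp-graph-0001"},
    {"appRoleId": "role-sites-fc", "resourceId": "sp-spo-0002"},
    {"appRoleId": "role-sites-read", "resourceId": "sp-spo-0002"},
    {"appRoleId": "role-user-rw", "resourceId": "sp-graph-0001"},  # not needed by the tool
]

def resolve_grants(assignments, resources):
    """Join assignments to resource appRoles -> set of (resourceAppId, permissionName)."""
    roles = {(r["id"], role["id"]): (r["appId"], role["value"])
             for r in resources for role in r["appRoles"]}
    return {roles[(a["resourceId"], a["appRoleId"])] for a in assignments
            if (a["resourceId"], a["appRoleId"]) in roles}

def audit(grants, exceptions=DOCUMENTED_EXCEPTIONS):
    """Bucket grants: read-only, documented elevated, or unexpected write-capable."""
    report = {"read_only": [], "documented_elevated": [], "unexpected_write": []}
    for grant in sorted(grants):
        if grant in exceptions:
            report["documented_elevated"].append(grant)
        elif WRITE_HINT.search(grant[1]):   # write-capable and not on the exception list
            report["unexpected_write"].append(grant)
        else:
            report["read_only"].append(grant)
    return report

if __name__ == "__main__":
    for bucket, items in audit(resolve_grants(ASSIGNMENTS, RESOURCES)).items():
        print(bucket, [name for _, name in items])
```

With live data, the same two functions take the output of the Graph `servicePrincipals/{id}/appRoleAssignments` and `servicePrincipals/{resourceId}` calls in place of the constructed lists.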

@Somu76
Author

Somu76 commented Feb 7, 2025

Thanks much for the detailed explanation and adding it to the documentation. I see PNP being used from your screenshot and I had the same experience with it and understand the need for the permissions now.

2 participants