Describe why Sites.FullControl.All permission is required for SharePoint to alleviate security concerns

[Somu76]

💡 Summary

In reviewing the permissions required for ScubaGear, I am seeing that it is requiring Sites.FullControl.All from SharePoint, while using Read permissions for almost all other entities. This being a pretty high permission level, and it not being explained, I feel is a missed opportunity to assuage the concerns of some security teams.

Motivation and context

This would be useful because...
Given that this is a project that is looking for settings like these to identify places where more permissions are given when not needed, it would help us get a better understanding if we know why.

(if this is already explained somewhere in the docs, I apologize for the repeat request and would appreciate the pointer to it).

Implementation notes

Please provide details for implementation, such as:

• an example for how this would be used
• what this would look like
• how this would act
• any related work, including links to related issues

Acceptance criteria

How do we know when this work is done?

• Criterion

[buidav]

@Somu76 Hello, thanks for opening an issue for your question.

Sites.FullControl.All is a high permission and includes write permissions to your SharePoint admin center security configurations. This is not something that is documented or easily searchable elsewhere online so I'll make this an item to add to our FAQ.

---

To answer your question.

Short answer

Through our testing, Sites.FullControl.All is unfortunately the minimum required API permission needed for ScubaGear to non-interactively authenticate with an Entra ID application and call the SharePoint APIs to perform it's checks.

The ScubaGear tool itself does not make ANY writes to your tenant configurations with the elevated permissions.

Note:
There was a change just this week (2/3/2025 for posterity) where 'only' Global Reader is required for ScubaGear interactive auth assessment instead of SharePoint admin. I'll be updating the documentation shortly to reflect that.

---

Long answer

Below is a recreation of the brute force experiments done to find the minimum required permissions for ScubaGear to call the SharePoint APIs to retrieve SharePoint admin center configurations.

The two images below are of me assignment an Entra ID application service principal both ALL possible SharePoint API permissions except Sites.FullControl.All and the Global Reader role .

The next images are the errors ScubaGear displays when running an assessment with the permissions and role assigned to the application above.

---

The next image is of me assigning a completely separate Entra ID Application Sites.FullControl.All and Organization.Read.All (This the minimum MS Graph API permission used to retrieve the SharePoint admin domain of the tenant being assessed by ScubaGear).

This next image is showing that the authentication/authorization was successful using the application above and ScubaGear was able to request and assess the SharePoint admin center configurations.

Let us know if you have any other questions.

[Somu76]

Thanks much for the detailed explanation and adding it to the documentation. I see PNP being used from your screenshot and I had the same experience with it and understand the need for the permissions now.