In reviewing the permissions required for ScubaGear, I am seeing that it requires Sites.FullControl.All from SharePoint, while using Read permissions for almost all other entities. Since this is a pretty high permission level and it is not explained, I feel this is a missed opportunity to assuage the concerns of some security teams.
Motivation and context
This would be useful because...
Given that this is a project that is looking for settings like these to identify places where more permissions are given when not needed, it would help us get a better understanding if we know why.
(If this is already explained somewhere in the docs, I apologize for the repeat request and would appreciate a pointer to it.)
Implementation notes
Please provide details for implementation, such as:
an example for how this would be used
what this would look like
how this would act
any related work, including links to related issues
Acceptance criteria
How do we know when this work is done?
Criterion
@Somu76 Hello, thanks for opening an issue for your question.
Sites.FullControl.All is a high permission and includes write permissions to your SharePoint admin center security configurations. This is not something that is documented or easily searchable elsewhere online so I'll make this an item to add to our FAQ.
To answer your question:
Short answer
Through our testing, Sites.FullControl.All is unfortunately the minimum required API permission needed for ScubaGear to non-interactively authenticate with an Entra ID application and call the SharePoint APIs to perform its checks.
The ScubaGear tool itself does not make ANY writes to your tenant configurations with the elevated permissions.
Note:
There was a change just this week (2/3/2025 for posterity) where 'only' Global Reader is required for ScubaGear interactive auth assessment instead of SharePoint admin. I'll be updating the documentation shortly to reflect that.
Long answer
Below is a recreation of the brute force experiments done to find the minimum required permissions for ScubaGear to call the SharePoint APIs to retrieve SharePoint admin center configurations.
The two images below are of me assigning an Entra ID application service principal both all possible SharePoint API permissions except Sites.FullControl.All and the Global Reader role.
The next images are the errors ScubaGear displays when running an assessment with the permissions and role assigned to the application above.
The next image is of me assigning a completely separate Entra ID Application Sites.FullControl.All and Organization.Read.All (this is the minimum MS Graph API permission used to retrieve the SharePoint admin domain of the tenant being assessed by ScubaGear).
This next image is showing that the authentication/authorization was successful using the application above and ScubaGear was able to request and assess the SharePoint admin center configurations.
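For a security team that wants to confirm what the ScubaGear app registration has actually been granted, the following script is an added example (not part of ScubaGear or the maintainer's reply) that lists the application permissions assigned to a service principal and compares them against the two permissions named above. It assumes the Microsoft.Graph PowerShell SDK is installed, that the caller can read service principals (Application.Read.All), and that `$AppDisplayName` is the display name of your own app registration; the `$Expected` list is taken from the reply and is the only thing the script treats as "documented". Directory roles such as Global Reader are not app role assignments and are not shown here.

```powershell
# Added example: enumerate application permissions granted to a service principal
# and flag anything beyond the minimum set described in the reply above.
param(
    [Parameter(Mandatory)] [string] $AppDisplayName   # your ScubaGear app registration's display name (assumption)
)

# Documented minimum from the maintainer's reply: one SharePoint permission, one Graph permission.
$Expected = @('Sites.FullControl.All', 'Organization.Read.All')

Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'")
if ($sp.Count -ne 1) { throw "Expected exactly one service principal named '$AppDisplayName', found $($sp.Count)" }

# Each assignment points at the resource service principal (Microsoft Graph, SharePoint Online, ...)
# and at an appRoleId GUID; resolve the GUID to its human-readable value (e.g. Sites.FullControl.All).
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp[0].Id -All

$granted = foreach ($a in $assignments) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    $role     = $resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
    [pscustomobject]@{
        Resource   = $resource.DisplayName
        Permission = $role.Value
        # Heuristic only: names containing these words usually allow changes, not just reads.
        WriteLike  = [bool]($role.Value -match 'Write|FullControl|Manage')
    }
}

Write-Host "Application permissions granted to '$AppDisplayName':"
$granted | Sort-Object Resource, Permission | Format-Table -AutoSize

$unexpected = $granted | Where-Object { $_.Permission -notin $Expected }
if ($unexpected) {
    Write-Warning 'Permissions beyond the documented minimum were found:'
    $unexpected | Format-Table -AutoSize
} else {
    Write-Host 'Only the documented minimum permissions are granted.'
}
```

Run it as `.\Check-ScubaGearPermissions.ps1 -AppDisplayName 'ScubaGear'` (file name and app name are assumptions). The check is deliberately a whitelist against the two documented permissions rather than a blacklist of "bad" ones, so any later drift in the app's grants shows up as a warning even if the added permission looks harmless.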
Thanks much for the detailed explanation and adding it to the documentation. I see PNP being used from your screenshot and I had the same experience with it and understand the need for the permissions now.