Major Security Incident Management

Terry23
ServiceNow Employee

Major Security Incident Management:

 

We are currently implementing Major Security Incident Management (MSIM) for a customer in the energy sector and are looking for guidance from others who have gone through the SharePoint integration setup — specifically around a permission requirement that is raising valid regulatory and security concerns.

 

Background:
As part of the MSIM SharePoint integration setup, configuring MS SharePoint with Major Security Incident Management requires that the registered Azure App Registration be temporarily granted Sites.FullControl.All at the Microsoft Graph API Permissions level in the Azure console. This elevated permission is required to execute the site-level access grant (via curl, Azure CLI, or PowerShell) that gives the MSIM application WRITE access to the specific SharePoint document library used for incident file storage. Once the connection is validated in ServiceNow, Sites.FullControl.All is removed — leaving only Sites.Selected and the site-level write permission in place for ongoing operations. Sites.Selected is identified within the MSIM Quick Start Guide, but it is outdated yet still attached to the Store and Now Create. Without this permission, access/setup of SharePoint cannot occur.

 

The Customer Concern:
Our customer operates in a regulated industry (energy sector) and has raised concerns about granting Sites.FullControl.All — even temporarily. Their primary concerns are:

 

1. Regulatory compliance — even a brief grant of a tenant-wide elevated permission may need to be logged, reviewed, or approved through their change management process
2. Audit trail — the temporary grant and removal of Sites.FullControl.All needs to be documented and defensible to their security and compliance teams
3. Risk of exposure — during the window that Sites.FullControl.All is active, the application technically has access to all SharePoint sites across the tenant, not just the MSIM site

 

What We Are Looking For:
We would love to hear from other ServiceNow customers or partners — particularly those in regulated industries such as energy, financial services, healthcare, or government — who have faced similar concerns when setting up the MSIM SharePoint integration. Specifically:

 

1. How did you handle the regulatory or compliance review process for the temporary Sites.FullControl.All grant?
2. Did your security or compliance team require any special approvals, documentation, or compensating controls?
3. Were there any alternative approaches used to avoid or minimize the Sites.FullControl.All requirement?
4. If you are in a regulated industry, did this create any audit findings or required remediation?
5. How did you document the grant and removal process for your audit trail?

 

Any guidance, lessons learned, or alternative approaches from those who have navigated this would be greatly appreciated.

 

Thank you in advance for your input.

 

Latest ServiceNow documentation: https://www.servicenow.com/docs/r/security-management/security-incident-response/config-sharepoint-…

 

Best regards
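
An added example, not part of the original post or of ServiceNow's documentation: one way to produce audit evidence for the grant-and-removal sequence described above is to inspect the `roles` claim of an app-only Microsoft Graph access token issued to the app registration, since that claim lists the application permissions in effect. The token here is constructed sample data, the function names are hypothetical, and the signature is deliberately not verified because the token is only inspected, never trusted.

```python
import base64
import json
from datetime import datetime, timezone

# Steady-state permission per the post, and the temporary one that must be gone.
EXPECTED_ROLES = {"Sites.Selected"}
ELEVATED_ROLE = "Sites.FullControl.All"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the JWT payload. Inspection only: the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def audit_token(token: str) -> dict:
    """Build an audit record from the app-only token's `roles` claim."""
    claims = decode_claims(token)
    roles = set(claims.get("roles", []))
    return {
        "app_id": claims.get("appid") or claims.get("azp"),
        "issued_at": datetime.fromtimestamp(claims["iat"], timezone.utc).isoformat(),
        "roles": sorted(roles),
        "elevated_present": ELEVATED_ROLE in roles,
        "unexpected_roles": sorted(roles - EXPECTED_ROLES),
        "compliant": roles == EXPECTED_ROLES,
    }


def make_sample_token(roles: list) -> str:
    """Constructed, unsigned sample token; every value here is a placeholder."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    payload = {"appid": "00000000-0000-0000-0000-000000000000",
               "iat": 1700000000, "roles": roles}
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(payload), "sig"])


if __name__ == "__main__":
    for label, roles in [("during setup", ["Sites.Selected", ELEVATED_ROLE]),
                         ("after removal", ["Sites.Selected"])]:
        print(label, json.dumps(audit_token(make_sample_token(roles)), indent=2))
```

A token issued while the permission was granted keeps that role until it expires, so run the check against a token acquired after the removal and keep the resulting record with the change ticket.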

 
