
Do you have a need to integrate ServiceNow with Microsoft SharePoint?
Let's dive into the Microsoft SharePoint Online Spoke to understand more about what it can do for your project!
Scenario:
You've found the Microsoft SharePoint Online Spoke and are excited about using it for your SharePoint integration needs, but your security team is not allowing you to use it because you are asking for the "Sites.FullControl.All" permission to set up the Spoke. Fear not and read on!
Just like all our Spokes, we have a dedicated "Setup the Spoke" page for this Spoke as well. Take a look at our documentation and you will find everything you need to set up this Spoke.
The Configure Microsoft SharePoint Graph connection page asks you to set up the "Sites.Read.All and Sites.ReadWrite.All" Microsoft permissions, and this is a big red flag for you!
Our Spoke has close to 70 actions, involving varied operations related to site management, folder management, file management, user management, group management, list management, list item management, and change management. Hence, our documentation states to use Sites.FullControl.All for the tenant so that all of these actions are possible for any automation use case using Flow Designer.
However, if you are interested in a limited set of operations, limited permissions can help you achieve those. For example, you might want to automate everything within a single SharePoint site or a single SharePoint site collection, or you might just want read access, but to all the sites within a tenant. Creating an application with only the required limited privileges will enable you to achieve your limited use cases.
A given Spoke Action maps to either a REST API endpoint or a Graph API endpoint that Microsoft SharePoint exposes for integrations, and the permissions required for those actions are driven by the Microsoft permissions required for those endpoints.
If you want to create an application that connects the Microsoft SharePoint Online Spoke with a limited privilege for a given Site Collection, follow the steps below:
(1) Follow the instructions given in Configure Microsoft SharePoint Online application and, in step 3(k), choose Sites.Selected instead of Sites.FullControl.All. Continue with the rest of the steps to set up the default Connection & Credential Alias for the Spoke. You have now configured the Spoke with an application that has access to selected sites only, not to all sites.
(2) Using any REST Client application, follow the instructions given on https://learn.microsoft.com/en-gb/graph/api/site-post-permissions?view=graph-rest-1.0&tabs=http#:~:t... which allow you to grant the required permissions to the application, but only for a SiteCollection. The required permissions depend on the use case you want to accomplish: FullControl, Read, Write, or Manage. For example, if you want to perform only listing automations, then Read permissions can suffice. If you want to perform create, upload or update automations, then Write permissions will be required. And so on.
If your use case needs you to use Upload File and Create Folder actions, you will need to give Write permissions at the minimum for a given SiteCollection.
You can cross-check the permissions assigned to the application using the https://learn.microsoft.com/en-gb/graph/api/site-get-permission?view=graph-rest-1.0&tabs=http endpoint.
Note: The above APIs require you to send sitesId in the path parameter, which you can retrieve using the https://learn.microsoft.com/en-gb/graph/api/site-list?view=graph-rest-1.0&tabs=http endpoint.
Contact your Microsoft SharePoint Administrator for more details on how to set up an application as noted above.
PS: All of the actions in this step (2) are to be done in the REST Client, as there is no user interface available to perform these on the Microsoft side ... (yet!!).
(3) Try/Test your required use case related actions in Flow Designer.
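As an added example (not part of the original article or the Spoke's own code), the Python below builds the step (2) grant request for one site and checks a permission object returned by the get-permission endpoint against the role the use case needs. The site ID, application ID, display name, sample response and the narrowest-to-broadest role ordering are constructed assumptions; sending the request with an authorized token is left to your REST client.

```python
import json

GRAPH = "https://graph.microsoft.com/v1.0"
# Roles named in the article, narrowest to broadest (the ordering is this example's assumption).
ROLE_RANK = {"read": 0, "write": 1, "manage": 2, "fullcontrol": 3}

def build_grant_request(site_id, app_id, app_name, role):
    """Return (method, url, json_body) granting `role` on one site to one application."""
    if role not in ROLE_RANK:
        raise ValueError(f"unknown role: {role!r}")
    body = {
        "roles": [role],
        "grantedToIdentities": [{"application": {"id": app_id, "displayName": app_name}}],
    }
    return "POST", f"{GRAPH}/sites/{site_id}/permissions", json.dumps(body, indent=2)

def audit_permission(permission, app_id, needed_role):
    """Compare one permission object with the role the use case needs.

    Returns "missing", "insufficient", "excessive" or "ok".
    """
    identities = permission.get("grantedToIdentities") or []
    app_ids = {(i.get("application") or {}).get("id") for i in identities}
    ranks = [ROLE_RANK[r.lower()] for r in permission.get("roles") or [] if r.lower() in ROLE_RANK]
    if app_id not in app_ids or not ranks:
        return "missing"
    if max(ranks) < ROLE_RANK[needed_role]:
        return "insufficient"
    if max(ranks) > ROLE_RANK[needed_role]:
        return "excessive"
    return "ok"

# Constructed sample values (placeholders, not real tenant data).
SITE_ID = "contoso.sharepoint.com,00000000-0000-0000-0000-000000000001,00000000-0000-0000-0000-000000000002"
APP_ID = "11111111-1111-1111-1111-111111111111"
# Constructed response in the shape of the get-permission endpoint's output.
SAMPLE_PERMISSION = {
    "id": "1",
    "roles": ["fullcontrol"],
    "grantedToIdentities": [{"application": {"id": APP_ID, "displayName": "ServiceNow Spoke"}}],
}

if __name__ == "__main__":
    method, url, body = build_grant_request(SITE_ID, APP_ID, "ServiceNow Spoke", "write")
    print(method, url)
    print(body)
    # The sample grant is broader than Upload File / Create Folder need.
    print(audit_permission(SAMPLE_PERMISSION, APP_ID, "write"))
```

An "excessive" result is the case a security review cares about: the application works, but holds more than the use case requires on that site.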
Happy Integrating!
*This article is Co-Authored by @Manish Kothari and @Joe Wilmoth