This article discusses permission requirements that are necessary to successfully install and use SysKit Point.

Permission Requirements

Depending on where you are deploying SysKit Point - Cloud or on-premises - various permissions are needed to install and configure SysKit Point successfully. All information on this topic is available in multiple articles grouped by deployment type. This article gives a quick overview of those articles and describes the permissions required regardless of the deployment type.

Cloud

When deploying SysKit Point to Cloud, use the following articles to prepare your Azure environment for installation and configuration of SysKit Point:

Click the appropriate link to learn more about the requirements for each of the mentioned resources.

On-Premises

When deploying SysKit Point on-premises, you can find all information in the following articles:

Click the appropriate link to learn more about the requirements for each of the mentioned resources.

Microsoft 365

No matter the deployment type, when configuring SysKit Point you must connect to Microsoft 365 with a Global Administrator account.

Please note!
Microsoft 365 Global Admin credentials are only needed when configuring SysKit Point for the first time.

Below, reasons for such requirements are described in greater detail.

Global Administrator

When connecting to a Microsoft 365 tenant during the configuration process, you need to connect with a Global Administrator account.

The first time you connect to your Microsoft 365 tenant, you will be prompted to consent to a set of permissions that SysKit Point requires to function correctly. Additional prompts may appear in the future when you install a newer version of SysKit Point, because new functionality can require new permissions.

Microsoft 365 Global Admin Consent

SysKit Point App Permissions

Please note!
Permissions described below are automatically granted to SysKit Point by giving consent during the configuration process.

To achieve its functionality, SysKit Point is registered as an Enterprise Application in Azure Active Directory. The permissions model is based on OAuth and OpenID Connect flows. This enables us to consume all of the APIs provided by Microsoft in a standard and well-defined way. It also allows us to use modern authentication, including Multi-Factor Authentication.

SysKit Point requires permissions to access several Microsoft APIs. There are two types of required permissions:

  • Application permissions - define what SysKit Point can do without a signed-in user.
  • Delegated permissions - define what SysKit Point can do in the name of the signed-in user.

The following permissions are required for SysKit Point Enterprise Application:

Microsoft Graph

| Permissions | Type | Reason |
| --- | --- | --- |
| Maintain access to data you have given it access to | Delegated | Allows SysKit Point to always show you the latest data about your environment. |
| Sign users in | Delegated | Allows SysKit Point to scan your environment as a signed-in user. |
| Read all users' full profiles | Delegated | Allows SysKit Point to read your users' profiles and show you reports based on that data. |
| Access directory as the signed-in user | Delegated | Allows SysKit Point to access your directory. |
| Read directory data | Delegated | Allows SysKit Point to autodiscover your sites, groups, and users. |
| Read and write all groups | Delegated | Allows SysKit Point to read Microsoft 365 Group data and show you reports based on that data. Additionally, allows you to manage your groups from SysKit Point. |
| Read items in all site collections | Delegated | Allows SysKit Point to read documents and list items in all site collections and show you reports based on that data. |
| Read all usage reports | Delegated | Allows SysKit Point to read usage reports generated by Microsoft. |
| Send mail as a user | Delegated | Allows SysKit Point to send emails as a part of the Permissions Review, Lifecycle Management, Scheduled Reports, and Alerts features. |

Microsoft 365 SharePoint Online

| Permissions | Type | Reason |
| --- | --- | --- |
| Have full control of all site collections | Delegated | Allows you to manage your Site Collections directly from SysKit Point. |

Teams and Skype for Business Administration

| Permissions | Type | Reason |
| --- | --- | --- |
| Have full access to the Skype Remote PowerShell Azure services | Delegated | Allows SysKit Point to gather additional data about your Microsoft Teams. |

Windows Azure Service Management API

| Permissions | Type | Reason |
| --- | --- | --- |
| Access Azure Service Management as organization users | Delegated | Allows SysKit Point to create an additional application in your tenant for safer data access. |

To allow safer access to your Microsoft 365 tenant data and to use Microsoft Authentication for signing in your users to SysKit Point, two additional app registrations are created:

  • SysKit Point Service
  • SysKit Point Client

SysKit Point Service

The SysKit Point Service app registration is used for data sync, audit log collection, and sending emails. The following permissions enable SysKit Point to perform these actions:

Microsoft Graph

| Permissions | Type | Reason |
| --- | --- | --- |
| Read directory data | Application | Allows SysKit Point to autodiscover your sites, groups, and users. |
| Read and write all groups | Application | Allows SysKit Point to read Microsoft 365 Group data and show you reports based on that data. Additionally, allows you to manage your groups from SysKit Point. |
| Read all usage reports | Application | Allows SysKit Point to read usage reports generated by Microsoft. |
| Read all users' full profiles | Application | Allows SysKit Point to read your users' profiles and show you reports based on that data. |

Microsoft 365 Exchange Online

| Permissions | Type | Reason |
| --- | --- | --- |
| Send mail as any user | Application | Allows SysKit Point to send emails as a part of the Permissions Review, Lifecycle Management, Scheduled Reports, and Alerts features. |

Microsoft 365 Management APIs

| Permissions | Type | Reason |
| --- | --- | --- |
| Read activity data for your organization | Delegated, Application | Allows SysKit Point to read your organization's audit logs. |
| Read service health information for your organization | Delegated, Application | Allows SysKit Point to read your organization's audit logs. |

SharePoint

| Permissions | Type | Reason |
| --- | --- | --- |
| Have full control on all sites | Application | Allows SysKit Point to read documents and list items in all site collections and show you reports based on that data. |

SysKit Point Client

The second app registration, SysKit Point Client, enables users to securely log in to SysKit Point and perform the actions they are entitled to, based on their permissions in the Microsoft 365 environment. The following permissions are used:

Microsoft Graph

| Permissions | Type | Reason |
| --- | --- | --- |
| Maintain access to data you have given it access to | Delegated | Allows SysKit Point to always show you the latest data about your environment. |
| Sign users in | Delegated | Allows SysKit Point to scan your environment as the signed-in user. |
| Read and write all users' full profiles | Delegated | Allows SysKit Point to read your users' profiles and show you reports based on that data; allows license management actions to be performed. |
| Access directory as the signed-in user | Delegated | Allows SysKit Point to access your directory. |
| Read and write directory data | Delegated | Allows SysKit Point to autodiscover your sites, groups, and users; allows license management actions to be performed. |
| Read and write all groups | Delegated | Allows SysKit Point to read Microsoft 365 Group data and show you reports based on that data. Additionally, allows you to manage your groups from SysKit Point. |

SharePoint

| Permissions | Type | Reason |
| --- | --- | --- |
| Have full control of all site collections | Delegated | Allows you to manage your Site Collections directly from SysKit Point. |
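
Because later versions may prompt for additional consent, it is useful to compare the delegated Microsoft Graph permissions a tenant has actually granted with the lists above. The following is an added example, not SysKit code: the scope names are an assumed mapping of this page's display names to Microsoft Graph permission values, and the input is a constructed sample shaped like Graph oauth2PermissionGrant objects with placeholder IDs.

```python
# Added example: compare delegated consent grants with the documented baseline.
# Scope names are this example's assumed mapping of the page's display names
# to Microsoft Graph permission values; verify them in your own tenant.
BASELINE = {
    ("SysKit Point", "Microsoft Graph"): {
        "offline_access", "openid", "User.Read.All",
        "Directory.AccessAsUser.All", "Directory.Read.All",
        "Group.ReadWrite.All", "Sites.Read.All", "Reports.Read.All",
        "Mail.Send",
    },
    ("SysKit Point Client", "Microsoft Graph"): {
        "offline_access", "openid", "User.ReadWrite.All",
        "Directory.AccessAsUser.All", "Directory.ReadWrite.All",
        "Group.ReadWrite.All",
    },
}

# Constructed sample; the IDs are placeholders, not real object IDs.
SP_NAMES = {"sp-1": "SysKit Point", "sp-2": "SysKit Point Client",
            "sp-graph": "Microsoft Graph"}
SAMPLE_GRANTS = [
    {"clientId": "sp-1", "resourceId": "sp-graph",
     "consentType": "AllPrincipals",
     "scope": "offline_access openid User.Read.All Directory.AccessAsUser.All "
              "Directory.Read.All Group.ReadWrite.All Sites.Read.All "
              "Reports.Read.All Mail.Send"},
    {"clientId": "sp-2", "resourceId": "sp-graph",
     "consentType": "AllPrincipals",
     "scope": "offline_access openid User.ReadWrite.All "
              "Directory.AccessAsUser.All Directory.ReadWrite.All "
              "Group.ReadWrite.All Mail.ReadWrite"},  # one scope beyond the list
]

def audit_delegated(grants, sp_names, baseline):
    """Return (app, resource, kind, scope) tuples; kind is 'extra' or 'missing'."""
    granted = {}
    for g in grants:
        key = (sp_names.get(g["clientId"], g["clientId"]),
               sp_names.get(g["resourceId"], g["resourceId"]))
        # A client can hold several grants per resource (tenant-wide, per-user).
        granted.setdefault(key, set()).update(g.get("scope", "").split())
    findings = []
    for key in sorted(set(granted) | set(baseline)):
        have, want = granted.get(key, set()), baseline.get(key, set())
        findings += [(*key, "extra", s) for s in sorted(have - want)]
        findings += [(*key, "missing", s) for s in sorted(want - have)]
    return findings

if __name__ == "__main__":
    for finding in audit_delegated(SAMPLE_GRANTS, SP_NAMES, BASELINE):
        print(*finding, sep=" | ")
```

An "extra" finding is a granted scope that is not in the documented list and should be traced to a release note or a consent event; a "missing" finding means a documented permission was never consented to or has been revoked.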
