This article discusses permission requirements that are necessary to successfully install and use SysKit Point.
Permission Requirements
Depending on where you are deploying SysKit Point - Cloud or on-premises - various permissions are needed to install and configure SysKit Point successfully. All information on this topic is available in multiple articles grouped by deployment type. Here, a quick overview of said articles is given, as well as the description of permissions required regardless of the deployment type.
Cloud
When deploying SysKit Point to Cloud, use the following articles to prepare your Azure environment for installation and configuration of SysKit Point:
Click the appropriate link to learn more about the requirements for each of the mentioned resources.
On-Premises
When deploying SysKit Point on-premises, you can find all information in the following articles:
Click the appropriate link to learn more about the requirements for each of the mentioned resources.
Microsoft 365
No matter the deployment type, when configuring SysKit Point, it is required for you to connect to Microsoft 365 with a Global Administrator account.
Microsoft 365 Global Admin credentials are only needed when configuring SysKit Point for the first time.
Below, reasons for such requirements are described in greater detail.
Global Administrator
When connecting to a Microsoft 365 tenant during the configuration process, you need to connect with a Global Administrator account.
The first time you connect to your Microsoft 365 tenant, you will be prompted to consent to a set of permissions that SysKit Point requires to function correctly. Additional prompts may show up in the future when installing a newer version of SysKit Point because of new functionality, and in consequence, potentially new required permissions.
SysKit Point App Permissions
Permissions described below are automatically granted to SysKit Point by giving consent during the configuration process.
To achieve its functionality, SysKit Point is registered as an Enterprise Application in Azure Active Directory. The permissions model is based on OAuth, and OpenID Connect flows. This enables us to consume all of the APIs provided by Microsoft in a standard and well-defined way. It also allows us to use modern authentication, including Multi-Factor Authentication.
SysKit Point requires permissions to access several Microsoft APIs. There are two types of required permissions:
- Application permissions - define what SysKit Point can do without a signed-in user.
- Delegated permissions - define what SysKit Point can do in the name of the signed-in user.
The following permissions are required for SysKit Point Enterprise Application:
Microsoft Graph
| Permissions | Type | Reason |
|---|---|---|
| Maintain access to data you have given it access to | Delegated | Allows SysKit Point to always show you the latest data about your environment. |
| Sign users in | Delegated | Allows SysKit Point to scan your environment as a signed-in user |
| Read all users' full profiles | Delegated | Allows SysKit Point to read your users' profiles and show you reports based on that data. |
| Access directory as the signed-in user | Delegated | Allows SysKit Point to access your directory. |
| Read directory data | Delegated | Allows SysKit Point to autodiscover your sites, groups, and users. |
| Read and write all groups | Delegated | Allows SysKit Point to read Microsoft 365 Group data and show you reports based on that data. Additionally, allows you to manage your groups from SysKit Point. |
| Read items in all site collections | Delegated | Allows SysKit Point to read documents and list items in all site collections and show you reports based on that data. |
| Read all usage reports | Delegated | Allows SysKit Point to read usage reports generated by Microsoft. |
| Send mail as a user | Delegated | Allows SysKit Point to send emails as a part of the Permissions Review, Lifecycle Management, Scheduled Reports, and Alerts features. |
Microsoft 365 SharePoint Online
| Permissions | Type | Reason |
|---|---|---|
| Have full control of all site collections | Delegated | Allows you to manage your Site Collections directly from SysKit Point. |
Teams and Skype for Business Administration
| Permissions | Type | Reason |
|---|---|---|
| Have full access to the Skype Remote PowerShell Azure services | Delegated | Allows SysKit Point to gather additional data about your Microsoft Teams. |
Windows Azure Service Management API
| Permissions | Type | Reason |
|---|---|---|
| Access Azure Service Management as organization users | Delegated | Allows SysKit Point to create an additional application in your tenant for safer data access. |
To allow safer access to your Microsoft 365 tenant data and to use Microsoft Authentication for signing in your users to SysKit Point, two additional app registrations are created:
- SysKit Point Service
- SysKit Point Client
SysKit Point Service
SysKit Point Service app registration is used for data Sync, audit log collection, and sending emails. The following permissions enable SysKit Point to perform these actions:
Microsoft Graph
| Permissions | Type | Reason |
|---|---|---|
| Read directory data | Application | Allows SysKit Point to autodiscover your sites, groups, and users. |
| Read and write all groups | Application | Allows SysKit Point to read Microsoft 365 Group data and show you reports based on that data. Additionally, allows you to manage your groups from SysKit Point. |
| Read all usage reports | Application | Allows SysKit Point to read usage reports generated by Microsoft. |
| Read all users' full profiles | Application | Allows SysKit Point to read your users' profiles and show you reports based on that data. |
Microsoft 365 Exchange Online
| Permissions | Type | Reason |
|---|---|---|
| Send mail as any user | Application | Allows SysKit Point to send emails as a part of the Permissions Review, Lifecycle Management, Scheduled Reports, and Alerts features. |
Microsoft 365 Management APIs
| Permissions | Type | Reason |
|---|---|---|
| Read activity data for your organization | Delegated, Application | Allows SysKit Point to read your organization's audit logs. |
| Read service health information for your organization | Delegated, Application | Allows SysKit Point to read your organization's audit logs. |
SharePoint
| Permissions | Type | Reason |
|---|---|---|
| Have full control on all sites | Application | Allows SysKit Point to read documents and list items in all site collections and show you reports based on that data. |
SysKit Point Client
The second app registration, SysKit Point Client, enables users to securely log in to SysKit Point and perform actions they are entitled to do, based on their permissions in Microsoft 365 environment. The following permissions are used:
Microsoft Graph
| Permissions | Type | Reason |
|---|---|---|
| Maintain access to data you have given it access to | Delegated | Allows SysKit Point to always show you the latest data about your environment. |
| Sign users in | Delegated | Allows SysKit Point to scan your environment as the signed-in user. |
| Read and write all users' full profiles | Delegated | Allows SysKit Point to read your users' profiles and show you reports based on that data; allows license management actions to be performed. |
| Access directory as the signed-in user | Delegated | Allows SysKit Point to access your directory. |
| Read and write directory data | Delegated | Allows SysKit Point to autodiscover your sites, groups, and users; allows license management actions to be performed. |
| Read and write all groups | Delegated | Allows SysKit Point to read Microsoft 365 Group data and show you reports based on that data. Additionally, allows you to manage your groups from SysKit Point. |
SharePoint
| Permissions | Type | Reason |
|---|---|---|
| Have full control of all site collections | Delegated | Allows you to manage your Site Collections directly from SysKit Point. |