Update March 8th: Changes to Permissions

Changes to permissions will require a renewal of consent.

Important update for Rencore Governance

We listened to your feedback regarding the current permissions set up - a mixture of delegated and application permissions * - and will be implementing a change on Monday, March 8, 2021. No action is required on your part until then.

Coming next week, the consent process for connecting your tenant to Rencore Governance will use application permissions wherever possible.

With this change, you will see the following improvements:

  • Fewer permissions needed: For anything SharePoint related, for example, we will only require read access as opposed to full control access
  • Collecting sensitive data is now optional: sensitive data coming from Audit logs can now be excluded (e.g., Last Login Date for O365 Users)

For some services, namely Power Automate, application permissions are not available yet. In such cases, we have to continue using delegated permissions. As soon as application permission are available, however, we will make the switch there too.

On Monday, March 8, 2021, you will need to re-consent and give Rencore Governance access to the services you would like to govern with us. It’s a simple and quick process. I will provide more detailed instructions on Monday, March 8th.

If you have any questions or need anything in the meantime, please don’t hesitate to reach out.

* What’s the difference between application and delegated permissions?

  • Application permissions allow an application in Azure Active Directory to act as its own entity, rather than on behalf of a specific user
    • Admin or technical account no longer required for scanning
  • Delegated permissions allow an application in Azure Active Directory to perform actions on behalf of a particular user
    • In case of incorrect or missing permissions of the user who consented, the scan fails.
    • In case of temporary admin permissions (e.g. because of PIM), scans fail once permissions are revoked