What kind of permission does Rencore Governance need?

This article lists the permissions that Rencore Governance needs.

Rencore Governance needs permissions to your Microsoft 365 tenant in order to operate and to collect data from the services that you would like to govern.

    1. Connect to the tenant

    First, you need to connect to your Microsoft 365 tenant to allow Rencore Governance to retrieve the metadata and the current consent status.

    You can use any ordinary user account with access to the tenant.
    No admin permissions are required. 

    Required permissions

    • User Impersonation (Delegated).


    You can learn more about the security of Rencore Governance in the security overview article.

    To get a detailed description of the underlying technical architecture, the infrastructure security analysis results from Azure, and the current application vulnerability assessment report (AVR) generated by a third party (Veracode), please reach out to our sales team.

    2. Consent

    To allow Rencore Governance to scan your tenant, you need to consent to give it access first.

    The app allows you to consent either globally via a single Azure app, or per service, so that consent can be delegated to the respective service administrators.

    Consent can be given with a different account than the one used in step 1 to connect to the tenant.

    2.1 Global Consent

    (Screenshot: global consent dialog)

    2.2 Consent per Service

    (Screenshot: consent per service when adding an environment)

    3. Ask Admin for Consent

    You can request consent to give Rencore Governance access to your tenant from an admin by clicking the link "Ask Admin for consent".

    This will open your default email client with an email template containing an anonymous consent link (the admin does not need a Rencore Governance account to open it):

    Hi admin,

    Could you please approve Rencore Governance to analyze 'Rencore Governance' of 'rencore.com'?

    Kindly review the permission requirements and give consent here:
    https://westeurope.app-qa.rencore.com/consent/42024425083/53abe7d0-215f-4564-bd99-d8c7302ad1a3

    Thanks!

    When the link is clicked, the admin will be redirected to a consent dialog. 

    The admin does not gain access to Rencore Governance by giving consent to the service in Microsoft 365.

    Consent links will expire after 5 days. 

    4. Permissions

    In order to access the data in your services, several permissions are needed. You can learn more about them in the Microsoft Graph permissions reference.

    Rencore Governance registers several Azure apps so that permissions can be granted either globally or per service. All permissions listed below are Application permissions: they are granted to the app itself and apply tenant-wide without a signed-in user, so review them with the same care as an admin role assignment.

    4.1 Rencore Governance Scanner (Global Consent)

    Microsoft Graph

    • Read All Audit Log Data (AuditLog.Read.All)
      Allows the app to read all audit logs, without a signed-in user.
      Permission Type: Application
    • Read the Members of All Channels (ChannelMember.Read.All)
      Read the members of all channels, without a signed-in user.
      Permission Type: Application
    • Read Files in All Site Collections (Files.Read.All)
      Allows the app to read all files in all site collections without a signed-in user.
      Permission Type: Application
    • Read All Groups (Group.Read.All)
      Allows the app to read memberships for all groups without a signed-in user. Also allows the app to read the calendar, conversations, files, and other group content for all groups.
      Permission Type: Application
    • Read Organization Information (Organization.Read.All)
      Allows the app to read the organization and related resources, without a signed-in user. Related resources include things like subscribed SKUs and tenant branding information.
      Permission Type: Application
    • Read All Usage Reports (Reports.Read.All)
      Allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Microsoft 365 and Azure Active Directory.
      Permission Type: Application
    • Read Items in All Site Collections (Sites.Read.All)
      Allows the app to read documents and list items in all site collections without a signed-in user.
      Permission Type: Application
    • Read the Members of All Teams (TeamMember.Read.All)
      Read the members of all teams, without a signed-in user.
      Permission Type: Application
    • Read All Users' Full Profiles (User.Read.All)
      Allows the app to read the full set of profile properties, group membership, reports, and managers of other users in your organization, without a signed-in user.
      Permission Type: Application

    Office 365 Management APIs

    SharePoint

    Consent will allow Rencore Governance to monitor the following data:
    Users
    Groups
    Group Owners
    Group Members
    Products
    User Products
    Apps
    User apps
    Teams
    Teams Channels
    Teams Owners
    Channel Members
    Teams Members
    Teams Custom Apps
    Teams Tabs
    Teams Messages
    Teams Apps
    Teams Audit Log Events
    Teams SharePoint Sites
    Flow Environments
    Flows
    Flow Owners
    Flow Users
    Flow Triggers
    Flow Actions
    Flow Connections
    Flow Runs
    SharePoint Site Collections
    SharePoint Sites
    SharePoint Files
    SharePoint File Sharings
    OneDrives
    OneDrive File Sharings

    4.2 Rencore Governance for Power Platform (Global Consent)

    Azure Service Management

    Flow Service

    4.3 Rencore Governance for Office 365

    Microsoft Graph

    • Read All Groups (Group.Read.All)
      Allows the app to read memberships for all groups without a signed-in user. Also allows the app to read calendar, conversations, files, and other group content for all groups.
      Permission Type: Application
    • Read Organization Information (Organization.Read.All)
      Allows the app to read the organization and related resources, without a signed-in user. Related resources include things like subscribed SKUs and tenant branding information.
      Permission Type: Application
    • Read All Users' Full Profiles (User.Read.All)
      Allows the app to read the full set of profile properties, group membership, reports, and managers of other users in your organization, without a signed-in user.
      Permission Type: Application
    Consent will allow Rencore Governance to monitor the following data:
    Users
    Groups
    Group Owners
    Group Members
    Products
    User Products
    Apps
    User apps
    Teams
    Teams Channels
    Teams Owners
    Teams Members
    Teams Custom Apps
    Teams Tabs
    Teams Messages
    Teams Apps
    Teams Audit Log Events
    Teams SharePoint Sites
    Flow Environments
    Flows
    Flow Owners
    Flow Users
    Flow Triggers
    Flow Actions
    Flow Connections
    Flow Runs
    OneDrive Files

    4.4 Rencore Governance for Teams

    Microsoft Graph

    • Read All Channel Messages (ChannelMessage.Read.All)
      Allows the app to read all channel messages in Microsoft Teams, without a signed-in user. Note that this covers the message content of every channel in the tenant, not just membership.
      Permission Type: Application
    • Read All Groups (Group.Read.All)
      Allows the app to read memberships for all groups without a signed-in user. Also allows the app to read calendar, conversations, files, and other group content for all groups.
      Permission Type: Application
    • Read the Members of All Teams (TeamMember.Read.All)
      Read the members of all teams, without a signed-in user.
      Permission Type: Application
    Consent will allow Rencore Governance to monitor the following data:
    Channel Members
    Teams Messages

    4.5 Rencore Governance for SharePoint

    Microsoft Graph

    SharePoint

    Consent will allow Rencore Governance to monitor the following data:
    SharePoint Site Collections
    SharePoint Sites
    SharePoint Files

    4.6 Rencore Governance for OneDrive

    Microsoft Graph

    • Read Files in All Site Collections (Files.Read.All)
      Allows the app to read all files in all site collections without a signed-in user.
      Permission Type: Application
    • Read All Users' Full Profiles (User.Read.All)
      Allows the app to read the full set of profile properties, group membership, reports, and managers of other users in your organization, without a signed-in user.
      Permission Type: Application
    Consent will allow Rencore Governance to monitor the following data:
    OneDrives
    OneDrive File Sharings

    4.7 Rencore Governance for Power Platform

    Azure Service Management

    Flow Service

    4.8 Rencore Governance for M365 Audit

    Microsoft Graph

    • Read All Audit Log Data (AuditLog.Read.All)
      Allows the app to read all audit logs, without a signed-in user.
      Permission Type: Application
    • Read All Usage Reports (Reports.Read.All)
      Allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Microsoft 365 and Azure Active Directory.
      Permission Type: Application
    • Read All Users' Full Profiles (User.Read.All)
      Allows the app to read the full set of profile properties, group membership, reports, and managers of other users in your organization, without a signed-in user.
      Permission Type: Application

    Office 365 Management API
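    After consent has been granted, it is worth verifying in the tenant itself that the application permissions actually assigned to the scanner's service principal are exactly those listed in section 4.1, and that the app used in step 1 holds only a delegated grant. The following Python script is an added example, not Rencore's code or documentation: it reads service principals, appRoleAssignments and oauth2PermissionGrants from Microsoft Graph with a bearer token taken from the GRAPH_TOKEN environment variable and diffs the result against the list above; without a token it runs against constructed sample data embedded below. The service principal display name, the environment variable names and every GUID in the sample are assumptions.

```python
"""Audit what was actually consented for an enterprise app (added example, not Rencore code).

Compares the Microsoft Graph application permissions granted to a service principal
with the list in section 4.1, and shows the delegated scopes behind step 1.
Assumptions: GRAPH_TOKEN holds a bearer token able to read service principals and
grants (e.g. Application.Read.All); RENCORE_SP_NAME is the display name of the scanner
app as registered in your tenant. All GUIDs in the sample data below are constructed.
"""
import json
import os
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known appId of Microsoft Graph

# Application permissions listed for "Rencore Governance Scanner (Global Consent)".
EXPECTED_SCANNER_ROLES = {
    "AuditLog.Read.All", "ChannelMember.Read.All", "Files.Read.All",
    "Group.Read.All", "Organization.Read.All", "Reports.Read.All",
    "Sites.Read.All", "TeamMember.Read.All", "User.Read.All",
}


def graph_get(path: str, token: str) -> dict:
    """GET a Graph path (relative to v1.0) and return the parsed JSON body."""
    req = urllib.request.Request(GRAPH + path, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def resolve_app_roles(assignments: list, resource_app_roles: list) -> set:
    """Turn appRoleAssignments (which carry only appRoleId GUIDs) into permission values.

    resource_app_roles is the 'appRoles' array of the resource service principal
    (Microsoft Graph's own SP); it maps each GUID to a value such as 'User.Read.All'.
    Unknown GUIDs are kept visible rather than silently dropped.
    """
    by_id = {r["id"]: r["value"] for r in resource_app_roles}
    return {by_id.get(a["appRoleId"], "<unknown:%s>" % a["appRoleId"]) for a in assignments}


def delegated_scopes(grants: list) -> set:
    """Flatten oauth2PermissionGrants (space-separated 'scope' strings) into one set."""
    return {s for g in grants for s in g.get("scope", "").split()}


def diff_permissions(granted: set, expected: set) -> tuple:
    """Return (missing, extra): listed-but-not-granted and granted-but-not-listed."""
    return sorted(expected - granted), sorted(granted - expected)


def audit_live(display_name: str, token: str) -> tuple:
    """Pull the real objects from the tenant and diff them against the article's list."""
    sp_filter = urllib.parse.quote("displayName eq '%s'" % display_name.replace("'", "''"))
    sp = graph_get("/servicePrincipals?$filter=" + sp_filter, token)["value"][0]
    graph_filter = urllib.parse.quote("appId eq '%s'" % MS_GRAPH_APP_ID)
    graph_sp = graph_get("/servicePrincipals?$filter=" + graph_filter, token)["value"][0]
    assignments = graph_get("/servicePrincipals/%s/appRoleAssignments" % sp["id"], token)["value"]
    # Only roles whose resource is Microsoft Graph can be resolved with Graph's appRoles.
    granted = resolve_app_roles([a for a in assignments if a["resourceId"] == graph_sp["id"]],
                                graph_sp["appRoles"])
    grant_filter = urllib.parse.quote("clientId eq '%s'" % sp["id"])
    grants = graph_get("/oauth2PermissionGrants?$filter=" + grant_filter, token)["value"]
    return diff_permissions(granted, EXPECTED_SCANNER_ROLES), delegated_scopes(grants)


# ---- Constructed sample data (not captured from a real tenant; GUIDs are placeholders) ----
SAMPLE_GRAPH_APP_ROLES = [
    {"id": "00000000-0000-0000-0000-000000000001", "value": "AuditLog.Read.All"},
    {"id": "00000000-0000-0000-0000-000000000002", "value": "ChannelMember.Read.All"},
    {"id": "00000000-0000-0000-0000-000000000003", "value": "Files.Read.All"},
    {"id": "00000000-0000-0000-0000-000000000004", "value": "Group.Read.All"},
    {"id": "00000000-0000-0000-0000-000000000005", "value": "Organization.Read.All"},
    {"id": "00000000-0000-0000-0000-000000000006", "value": "Reports.Read.All"},
    {"id": "00000000-0000-0000-0000-000000000007", "value": "Sites.Read.All"},
    {"id": "00000000-0000-0000-0000-000000000008", "value": "TeamMember.Read.All"},
    {"id": "00000000-0000-0000-0000-000000000009", "value": "User.Read.All"},
    {"id": "00000000-0000-0000-0000-00000000000a", "value": "Directory.ReadWrite.All"},
]
# The sample tenant granted everything except ChannelMember.Read.All, plus a write role nobody asked for.
SAMPLE_ASSIGNMENTS = [{"appRoleId": r["id"], "resourceId": "graph-sp"}
                      for r in SAMPLE_GRAPH_APP_ROLES if r["value"] != "ChannelMember.Read.All"]
# The step-1 connection app holds only the delegated user_impersonation grant.
SAMPLE_GRANTS = [{"clientId": "connect-sp", "consentType": "AllPrincipals", "scope": "user_impersonation"}]


def run_sample() -> tuple:
    """Audit the constructed sample: one missing role and one unexpected write role."""
    granted = resolve_app_roles(SAMPLE_ASSIGNMENTS, SAMPLE_GRAPH_APP_ROLES)
    return diff_permissions(granted, EXPECTED_SCANNER_ROLES), delegated_scopes(SAMPLE_GRANTS)


if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")
    name = os.environ.get("RENCORE_SP_NAME", "Rencore Governance Scanner")  # assumed display name
    (missing, extra), scopes = audit_live(name, token) if token else run_sample()
    print("missing (listed, not granted):", missing)
    print("extra (granted, not listed):  ", extra)
    print("delegated scopes:", sorted(scopes))
```

    Anything reported under "extra" deserves a second look: a write permission on a read-only governance scanner means either a consent mistake or a changed app registration, and an "<unknown:...>" entry means a role on a resource other than Microsoft Graph that this script does not resolve. Rerun the check after every consent granted through the step-3 link and whenever a new Rencore permission is announced.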