What kind of permission does Rencore Governance need?

This article shows the permissions that Rencore Governance needs.

Rencore Governance needs permissions to your Microsoft 365 tenant in order to operate and collect the data of the services that you would like to govern. 

1. Connect to the tenant

First you need to connect to your Microsoft 365 tenant to allow Rencore Governance to retrieve the metadata and the current consent status.

You can use any ordinary user account with access to the tenant.
No admin permissions are required. 

Required permissions

  • User Impersonation (Delegated).

Connect to Tenant

You can learn more about the security of Rencore Governance in the security overview article.

To get a detailed description of the underlying technical architecture, infrastructure security analysis results from Azure, and a current application vulnerability assessment report (AVR) generated by a third party (Veracode), please reach out to our sales team.

2. Consent

To allow Rencore Governance to scan your tenant, you first need to consent to giving it access.

The app allows you to consent either globally via a single Azure App, or individually per service in order to delegate the consent to various service administrators.

Consent can be given with a different account than the one used in step 1 to connect to the tenant.

2.1 Global Consent

Give global consent

2.2 Consent per Service

Give consent per service

3. Ask Admin for Consent

You can request consent to give Rencore Governance access to your tenant from an admin by clicking the link "Ask Admin for consent".

This will open your default email client with an email template containing an anonymous consent link:

Hi admin,

Could you please approve Rencore Governance to analyze 'Rencore Governance' of 'rencore.com'?

Kindly review the permission requirements and give consent here:
https://westeurope.app-qa.rencore.com/consent/42024425083/53abe7d0-215f-4564-bd99-d8c7302ad1a3

Thanks!

When the link is clicked, the admin will be redirected to a consent dialog. 

The admin does not gain access to Rencore Governance by giving consent to the service in Microsoft 365.

Consent links will expire after 5 days. 

4. Permissions

In order to access the data in your services, several permissions are needed. You can learn more about Microsoft Graph permissions here.

Rencore Governance uses several apps to allow global or granular permissions.

4.1 Rencore Governance Scanner (Global Consent)

  • Read file data
    Allows the app to read data in your organization's file.
  • Read all groups
    Allows the app to list groups, and to read their properties and all group memberships on behalf of the signed-in user. Also allows the app to read calendar, conversations, files, and other group content for all groups the signed-in user can access.
  • Read all groups
    Allows the app to read memberships for all groups without a signed-in user. Also allows the app to read calendar, conversations, files, and other group content for all groups.
 
Consent will allow Rencore Governance to monitor the following data:
Users
Groups
Group Owners
Group Members
Products
User Products
Apps
User apps
Teams
Teams Channels
Teams Owners
Channel Members
Teams Members
Teams Custom Apps
Teams Tabs
Teams Messages
Teams Apps
Teams Audit Log Events
Teams SharePoint Sites
Flow Environments
Flows
Flow Owners
Flow Users
Flow Triggers
Flow Actions
Flow Connections
Flow Runs
SharePoint Site Collections
SharePoint Sites
SharePoint Files
SharePoint File Sharings
OneDrives
OneDrive File Sharings

4.2 Rencore Governance for Office 365

  • Read all groups
    Allows the app to list groups, and to read their properties and all group memberships on behalf of the signed-in user. Also allows the app to read calendar, conversations, files, and other group content for all groups the signed-in user can access.

Consent will allow Rencore Governance to monitor the following data:
Users
Groups
Group Owners
Group Members
Products
User Products
Apps
User apps
Teams
Teams Channels
Teams Owners
Teams Members
Teams Custom Apps
Teams Tabs
Teams Messages
Teams Apps
Teams Audit Log Events
Teams SharePoint Sites
Flow Environments
Flows
Flow Owners
Flow Users
Flow Triggers
Flow Actions
Flow Connections
Flow Runs
OneDrive Files

4.3 Rencore Governance for Teams

  • Read all groups
    Allows the app to read memberships for all groups without a signed-in user. Also allows the app to read calendar, conversations, files, and other group content for all groups. 

Consent will allow Rencore Governance to monitor the following data:
Channel Members
Teams Messages

4.4 Rencore Governance for SharePoint (Read Only)

Consent will allow Rencore Governance to monitor the following data:
SharePoint Site Collections
SharePoint Sites
SharePoint Files

4.5 Rencore Governance for SharePoint (Full access)

Consent will allow Rencore Governance to monitor the following data:
SharePoint Site Collections
SharePoint Sites
SharePoint Files
SharePoint File Sharings

4.6 Rencore Governance for OneDrive

  • Read file data
    Allows the app to read data in your organization's file.

Consent will allow Rencore Governance to monitor the following data:
OneDrives
OneDrive File Sharings
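
One way to verify, after consent has been given, which delegated permissions (used on behalf of the signed-in user) and application permissions (used without a signed-in user) the apps from section 4 actually hold in your tenant. This is an added example, not Rencore's own code; it assumes the Microsoft Graph PowerShell SDK is installed and that the enterprise applications' display names start with "Rencore Governance".

```powershell
# Added example: audit the permissions granted to the Rencore Governance apps.
# ASSUMPTION: the service principals' display names start with "Rencore Governance";
# adjust the filter if your tenant shows different names.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

# Cache of resource service principals (e.g. Microsoft Graph, SharePoint),
# used to translate permission ids into readable names.
$resourceCache = @{}
function Get-ResourceSp([string]$Id) {
    if (-not $resourceCache.ContainsKey($Id)) {
        $resourceCache[$Id] = Get-MgServicePrincipal -ServicePrincipalId $Id
    }
    $resourceCache[$Id]
}

$apps = Get-MgServicePrincipal -Filter "startswith(displayName,'Rencore Governance')" -All

$report = foreach ($sp in $apps) {
    # Delegated permissions: the app acts on behalf of a signed-in user.
    foreach ($g in Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All) {
        foreach ($scope in ($g.Scope -split ' ' | Where-Object { $_ })) {
            [pscustomobject]@{
                App        = $sp.DisplayName
                Type       = 'Delegated'
                Resource   = (Get-ResourceSp $g.ResourceId).DisplayName
                Permission = $scope
                # AllPrincipals = admin consent for every user; otherwise one user's id
                GrantedTo  = if ($g.ConsentType -eq 'AllPrincipals') { 'All users' } else { $g.PrincipalId }
            }
        }
    }
    # Application permissions: the app acts without a signed-in user.
    foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
        $role = (Get-ResourceSp $a.ResourceId).AppRoles | Where-Object Id -eq $a.AppRoleId
        [pscustomobject]@{
            App        = $sp.DisplayName
            Type       = 'Application'
            Resource   = $a.ResourceDisplayName
            Permission = $role.Value
            GrantedTo  = 'Tenant (app-only)'
        }
    }
}

$report | Sort-Object App, Type, Permission | Format-Table -AutoSize
```

Compare the output with the permissions listed for each app above; an empty result for an app means consent has not been given for it yet.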