Scope | Purpose | Notes / Workarounds (if needed) |
---|---|---|
User.Read.All | List all the users within the directory (used for permissions) | |
Sites.FullControl.All | Retrieve sites, metadata, and associated content from the item for the index. FullControl is required to scan permission hierarchies. | Customers can consider Sites.Selected. This allows customers to manually provision certain SharePoint sites to have Graph API + REST API access. |
Files.Read.All | Retrieve items, metadata, and associated content from the item for the index. | If Sites.Selected is used, this should not be needed. |
GroupMember.Read.All | Get the members of a group (used for permissions) | |
Reports.Read.All | Used for logging site usage metrics to validate that the crawler is gathering all documents, and to scale infrastructure to accommodate total document counts. | |
Files.ReadWrite.All | Used to create and manage a webhook to subscribe to change notifications. | If Sites.Selected is used, this should not be needed. |
Permission | Reason |
---|---|
User.Read.All | List users in the tenant. This is used to assign permissions. |
GroupMember.Read.All | List members of groups in the tenant. This is used to assign permissions. |
Sites.Selected | This is required to grant the permissions below per site. See documentation. [link] [link] |
Reports.Read.All | This is used to get usage data to estimate crawl times. |
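The two permission tables above describe a full-access model (Sites.FullControl.All) and a reduced model built on Sites.Selected. The following added example (not Glean's code) audits a list of granted Graph application permissions against those two documented sets; the granted list is constructed and stands in for what you would resolve from the app's service principal.

```python
"""Least-privilege audit for the Glean SharePoint app registration.

Added example, not Glean's code. Compares the application permissions
granted to the Glean app (constructed list of Graph permission names, as
resolved from the service principal's appRoleAssignments) against the
two permission sets documented on this page.
"""

# Full-access model from the first table.
FULL_MODEL = {
    "User.Read.All", "GroupMember.Read.All", "Reports.Read.All",
    "Sites.FullControl.All", "Files.Read.All", "Files.ReadWrite.All",
}
# Reduced model from the second table, when sites are provisioned per site.
SELECTED_MODEL = {
    "User.Read.All", "GroupMember.Read.All", "Reports.Read.All", "Sites.Selected",
}
# Tenant-wide content permissions that Sites.Selected is meant to replace.
# Graph grants access to every site when any of these is present, so they
# make the per-site scoping of Sites.Selected ineffective.
TENANT_WIDE = {
    "Sites.FullControl.All", "Sites.Read.All", "Files.Read.All", "Files.ReadWrite.All",
}


def audit(granted, use_sites_selected):
    """Return missing/excess permissions and findings for a granted set."""
    granted = set(granted)
    baseline = SELECTED_MODEL if use_sites_selected else FULL_MODEL
    findings = []
    overriding = granted & TENANT_WIDE
    if "Sites.Selected" in granted and overriding:
        findings.append("Sites.Selected is overridden by: " + ", ".join(sorted(overriding)))
    return {
        "missing": sorted(baseline - granted),
        "excess": sorted(granted - baseline),
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed case: a tenant that moved to Sites.Selected but kept the
    # Files.ReadWrite.All grant from the original full-access setup.
    granted = ["User.Read.All", "GroupMember.Read.All", "Reports.Read.All",
               "Sites.Selected", "Files.ReadWrite.All"]
    print(audit(granted, use_sites_selected=True))
```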
Field | Value |
---|---|
Name | Glean |
Supported account types | Accounts in this organizational directory only (Single tenant) |
Redirect URI | (Leave this field blank) |
The certificate begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.
The private key begins with -----BEGIN PRIVATE KEY----- and ends with -----END PRIVATE KEY-----.
Field | Value |
---|---|
Name | Glean |
Supported account types | Accounts in this organizational directory only (Single tenant) |
Redirect URI | (Leave this field blank) |
Endpoint | Use Case | Documentation Link | Product |
---|---|---|---|
Token request (Graph API): https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token | Obtain and refresh an access token to interact with the Graph API using OAuth 2.0. | Token request - Microsoft Graph API | All |
Token request (SharePoint REST API): https://accounts.accesscontrol.windows.net/<tenant_id>/tokens/OAuth/2 | Obtain and refresh an access token to interact with the SharePoint REST API using OAuth 2.0. | Get to know the SharePoint REST service - SharePoint REST APIs | SharePoint |
Endpoint | Permissions | Use Case | Documentation Link | Product |
---|---|---|---|---|
List users: https://graph.microsoft.com/v1.0/users | User.Read.All | List all the users within the tenant. | List users - Microsoft Graph v1.0 | All |
List groups: https://graph.microsoft.com/v1.0/groups | GroupMember.Read.All | List all the groups within the tenant. | List groups - Microsoft Graph v1.0 | All |
List group members: https://graph.microsoft.com/v1.0/groups/<group_id>/members | GroupMember.Read.All (or | Get the members of a group (to understand permissions). | List group members - Microsoft Graph v1.0 | All |
Get profilePhoto: https://graph.microsoft.com/v1.0/users/<user_id>/photo/$value | User.Read.All | Get the profile photo of a given user (for the Azure people data crawl). | Get profilePhoto - Microsoft Graph v1.0 | Azure AD / Entra ID |
Get site groups: https://<site_domain>.sharepoint.com/sites/<subsite_url>/_api/web/SiteGroups?$expand=Users | SharePoint REST permissions (FullControl) | Get the default site groups and associated user memberships for a site. | Determine SharePoint REST service endpoint URIs - SharePoint REST API | SharePoint |
Endpoint | Permissions | Use Case | Documentation Link | Product |
---|---|---|---|---|
List sites: https://graph.microsoft.com/v1.0/sites/delta | Sites.FullControl.All (Sites.Read.All) | List all site collections within the tenant. In a multi-geo tenant, delta currently only returns site collections from the main geo-location, per Microsoft guidance. | List sites - Microsoft Graph v1.0 | SharePoint, OneDrive |
List subsites: https://graph.microsoft.com/v1.0/sites/<id>/sites | Sites.FullControl.All (Sites.Read.All) | List all the subsites within a site. Glean scans recursively until there are no more subsites. | List subsites for a site - Microsoft Graph v1.0 | SharePoint, OneDrive |
List lists: https://graph.microsoft.com/v1.0/sites/<site_id>/lists | Sites.FullControl.All (Sites.Read.All) | List all the lists within the site. | Get lists in a site - Microsoft Graph v1.0 | SharePoint, OneDrive |
List columns: https://graph.microsoft.com/v1.0/sites/<id>/sites/<id>/columns | Sites.FullControl.All (Sites.Read.All) | List all columns within the site (attributes of the site). | List columns in a site - Microsoft Graph v1.0 | SharePoint, OneDrive |
List items delta: https://graph.microsoft.com/v1.0/sites/<id>/sites/<id>/lists/<id>/item/delta | Sites.FullControl.All (Sites.Read.All) | List all items from the delta endpoint (returns some metadata the REST API does not include, along with inheritance). To scan permission hierarchies properly, Sites.FullControl.All is required. | listItem: delta - Microsoft Graph beta | SharePoint, OneDrive |
Get site list items: https://<site_domain>.sharepoint.com/sites/<subsite_url>/_api/web/lists('<list_id>')/item | SharePoint REST permissions (FullControl) | Get the items within a list for a site. Glean uses the REST API because some content for classic sites is only available via REST APIs. | Determine SharePoint REST service endpoint URIs - SharePoint REST API | SharePoint, OneDrive |
Get site item permissions | SharePoint REST permissions (FullControl) | Get the permissions for an item on the site. The SharePoint REST API is required for site pages / web parts, as the Graph API only exposes permissions for Document Library items. | Determine SharePoint REST service endpoint URIs - SharePoint REST API | SharePoint, OneDrive |
Get page content: https://<site_domain>.sharepoint.com/sites/<subsite_url>/_api/web/GetFileById('<id>')/GetLimitedWebPartManager(scope=1)/ExportWebPart | SharePoint REST permissions (FullControl) | Get the web parts on a particular page (i.e. blocks of content within text boxes, titles, etc.). | Determine SharePoint REST service endpoint URIs - SharePoint REST API | SharePoint, OneDrive |
Endpoint | Permissions | Use Case | Documentation Link | Product |
---|---|---|---|---|
List drives: https://graph.microsoft.com/v1.0/sites/<site_id>/drives | Files.Read.All | List all the drives within a given site. | List Drives - Microsoft Graph v1.0 | SharePoint, OneDrive |
Get driveItem: https://graph.microsoft.com/v1.0/drives/<drive_id>/root/delta | Files.Read.All | List all the items within a drive (change-based, as per Microsoft's scanning guidance). | driveItem: delta - Microsoft Graph v1.0 | SharePoint, OneDrive |
Get driveItem resource: https://graph.microsoft.com/v1.0/drives/<drive_id>/items/<item_id> | Files.Read.All | Retrieve metadata for a driveItem. | Get driveItem - Microsoft Graph v1.0 | SharePoint, OneDrive |
Download file: https://graph.microsoft.com/v1.0/drives/<drive_id>/items/<item_id>/content | Files.Read.All | Download content for a driveItem to index bodies. | Download driveItem content - Microsoft Graph v1.0 | SharePoint, OneDrive |
Get permissions: https://graph.microsoft.com/v1.0/drives/<drive_id>/items/<item_id>/permissions | Files.Read.All | Get the permissions of a given item within a drive. | List who has access to a file - Microsoft Graph v1.0 | SharePoint, OneDrive |
Endpoint | Permissions | Use Case | Documentation Link | Product |
---|---|---|---|---|
https://graph.microsoft.com/v1.0/users/<user_id>/insights/used | Sites.FullControl.All (Sites.Read.All) | Lists recent activities performed by the user on specific items (drive items). Follows TTL policies; usually up to 6 months in the past. | List used - Microsoft Graph v1.0 | SharePoint, OneDrive |
https://graph.microsoft.com/v1.0/users/<user_id>/insights/shared | Sites.FullControl.All (Sites.Read.All) | Lists recent sharing activity performed by users. Follows TTL policies; usually up to 6 months in the past. | List shared - Microsoft Graph v1.0 | SharePoint, OneDrive |
Endpoint | Permissions | Use Case | Documentation Link | Product |
---|---|---|---|---|
Get OneDrive Usage: File Count: https://graph.microsoft.com/v1.0/reports/getOneDriveUsageFileCounts(period='{period_value}') | Reports.Read.All | Get the total number of files across all sites and how many have been created, modified, and shared within the time period. | getOneDriveUsageFileCounts - Microsoft Graph API | SharePoint, OneDrive |
Get SharePoint Usage: Site Count: https://graph.microsoft.com/v1.0/reports/getSharePointSiteUsageSiteCounts(period='{period_value}') | Reports.Read.All | Get the total number of active sites within the time period. | getSharePointSiteUsageSiteCounts - Microsoft Graph API | SharePoint, OneDrive |
Get SharePoint Usage: User Count: https://graph.microsoft.com/v1.0/reports/getSharePointActivityUserCounts(period='{period_value}') | Reports.Read.All | Get the total number of active SharePoint users within the time period. | getSharePointActivityUserCounts - Microsoft Graph API | SharePoint, OneDrive |
Get SharePoint Usage: Pages: https://graph.microsoft.com/v1.0/reports/getSharePointSiteUsagePages(period='{period_value}') | Reports.Read.All | Get the number of pages viewed across all sites within the time period. | getSharePointSiteUsagePages - Microsoft Graph API | SharePoint, OneDrive |
Endpoint | Permissions | Use Case | Documentation Link | Product |
---|---|---|---|---|
Create a webhook subscription (HTTP POST): https://graph.microsoft.com/v1.0/subscriptions | Files.ReadWrite.All. Glean subscribes to the driveItem resource, which requires (as least privilege) the Files.ReadWrite.All permission to create the subscription. | Create a change notification subscription to a given drive (see the driveItem section in the documentation). | Create subscription - Microsoft Graph v1.0; subscription resource type - Microsoft Graph v1.0 | SharePoint, OneDrive |
Reauthorize a webhook subscription (HTTP POST): https://graph.microsoft.com/v1.0/subscriptions/{subscriptionsId}/reauthorize | Files.ReadWrite.All. Glean subscribes to the driveItem resource, which requires (as least privilege) the Files.ReadWrite.All permission for reauthorization. | Reauthorize a subscription after timeout, when a reauthorizationRequired challenge is received. | subscription: reauthorize - Microsoft Graph v1.0 | SharePoint, OneDrive |
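The table above covers the outbound side of the driveItem webhook (create and reauthorize). The receiving side is where a defender should look: the notification URL is public, so the clientState set on the subscription is the only thing tying an inbound message to the subscription you created. The following added example (not Glean's code) shows how a receiver handles the three inbound messages Graph sends: the validationToken handshake, ordinary change notifications, and the reauthorizationRequired lifecycle event. The payloads and the clientState value are constructed.

```python
"""Receiver-side handling of Microsoft Graph change notifications.

Added example, not Glean's code. Returns the HTTP response and follow-up
actions for one inbound request to the subscription's notification URL.
"""
import json

# Constructed: the secret passed as clientState when the subscription was created.
EXPECTED_CLIENT_STATE = "constructed-example-client-state"


def handle_request(query, body, expected_client_state=EXPECTED_CLIENT_STATE):
    """Return (http_status, response_body, actions) for one inbound request.

    actions lists the follow-up calls the receiver should make, e.g.
    ("reauthorize", subscription_id) -> POST /subscriptions/{id}/reauthorize.
    """
    # 1. Endpoint validation: when the subscription is created, Graph POSTs
    #    ?validationToken=... and expects the token echoed back as text/plain.
    if "validationToken" in query:
        return 200, query["validationToken"], []

    actions = []
    for n in json.loads(body).get("value", []):
        # 2. Anyone can POST to a public URL; act only on notifications whose
        #    clientState matches the value we set on the subscription.
        if n.get("clientState") != expected_client_state:
            actions.append(("drop", n.get("subscriptionId")))
            continue
        event = n.get("lifecycleEvent")
        if event == "reauthorizationRequired":
            # 3. Lifecycle challenge from the table above: reauthorize, or the
            #    subscription stops delivering notifications.
            actions.append(("reauthorize", n["subscriptionId"]))
        elif event in ("subscriptionRemoved", "missed"):
            # Subscription gone or notifications lost: recreate and resync.
            actions.append(("recreate_and_resync", n["subscriptionId"]))
        elif event is None:
            # Ordinary change notification: re-run the drive delta query
            # rather than trusting any content carried in the notification.
            actions.append(("delta", n["resource"]))
    # Graph expects a 202 quickly; real processing happens asynchronously.
    return 202, "", actions


if __name__ == "__main__":
    sample = json.dumps({"value": [{"subscriptionId": "<subscription_id>",
                                    "clientState": EXPECTED_CLIENT_STATE,
                                    "changeType": "updated",
                                    "resource": "drives/<drive_id>/root"}]})
    print(handle_request({}, sample))
```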
The SharePoint REST endpoints above are called against the site URL https://<domain>.sharepoint.com/sites/<siteName>, followed by /_api and one of:
(/web/lists('<list_id>')/item)
(/web/lists('<list_id>')/items('<item_id>')/roleassignments)
(/web/GetFileById('<id>')/GetLimitedWebPartManager)
The Key name for each additional app's client ID is O365_CLIENT_ID_<X-1>, where <X> is the number of the additional app being configured; the index starts at 0. For Additional App #3 the Key name will be O365_CLIENT_ID_2, for Additional App #6 it will be O365_CLIENT_ID_5, etc.
The Key name for each additional app's client secret is O365_CLIENT_SECRET_<X-1>, where <X> is the number of the additional app being configured; the index starts at 0. For Additional App #3 the Key name will be O365_CLIENT_SECRET_2, for Additional App #6 it will be O365_CLIENT_SECRET_5, etc.
The mapping of the Secret names to the fields from the standard SharePoint setup page is illustrated below.