--- name: reference_remediation_tool_365_access description: The remediation-tool app suite has full M365 access (incl. SharePoint via cert); don't declare "no access" on an accessDenied metadata: type: reference --- The ComputerGuru remediation-tool apps collectively have **broad, working access across ALL of M365** — Graph, Exchange Online, Defender, AND SharePoint Online. When a call fails it's almost always wrong-tier / wrong-endpoint / not-consented / the SharePoint cert gotcha — **not** a real lack of access. Do NOT tell the user "the tool can't do X" without checking the live permission map first (decode the token `roles` claim). Key facts: - **SharePoint app-only requires a CERTIFICATE.** A `client_secret` token is rejected on every SharePoint endpoint (REST `/_api` and CSOM `/_vti_bin/client.svc/ProcessQuery`) with `"Unsupported app only token"`. The Tenant Admin app has a cert in the vault and holds SharePoint-resource `Sites.FullControl.All`. - `get-token.sh` now has **`sharepoint`** (content) and **`sharepoint-admin`** (tenant admin) tiers — cert-forced, tenant resource auto-resolved from Graph `/sites/root` (override `SP_RESOURCE_ENV`). Added 2026-07-01. - Graph `GET /admin/sharepoint/settings` needs `SharePointTenantSettings.Read.All`, which NO app holds → that route 403s. Read/write SharePoint tenant settings via the **CSOM admin API** (`sharepoint-admin` tier) instead. Tenant settings live on the Tenant object (TypeId `{268004ae-ef6b-4e9b-8425-127220d84719}`) — e.g. `SelfServiceSiteCreationDisabled`. - Restricting employee SharePoint site creation = `SelfServiceSiteCreationDisabled=true` (CSOM) AND restrict M365 Group creation (Entra `Group.Unified` directory setting via `user-manager`); neither affects edit rights on existing sites. Full detail (live per-tier permission map + CSOM examples): `.claude/skills/remediation-tool/references/app-permissions-and-sharepoint.md`. Surfaced by Syncro #32492 (Birth Biologic). See also [[feedback_syncro_billing]].