claudetools/.claude/memory/reference_remediation_tool_365_access.md
Mike Swanson 6f7f939a62 sync: auto-sync from GURU-5070 at 2026-07-01 09:32:17
Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-07-01 09:32:17
2026-07-01 09:33:09 -07:00


---
name: reference_remediation_tool_365_access
description: The remediation-tool app suite has full M365 access (incl. SharePoint via cert); don't declare "no access" on an accessDenied
metadata:
  type: reference
---

The ComputerGuru remediation-tool apps collectively have broad, working access across ALL of M365 — Graph, Exchange Online, Defender, AND SharePoint Online. When a call fails it is almost always wrong-tier / wrong-endpoint / not-consented / the SharePoint cert gotcha — not a real lack of access. Do NOT tell the user "the tool can't do X" without first checking the live permission map (decode the token's roles claim).

Key facts:

  • SharePoint app-only requires a CERTIFICATE. A client_secret token is rejected on every SharePoint endpoint (REST /_api and CSOM /_vti_bin/client.svc/ProcessQuery) with "Unsupported app only token". The Tenant Admin app has a cert in the vault and holds SharePoint-resource Sites.FullControl.All.
  • get-token.sh now has sharepoint (content) and sharepoint-admin (tenant admin) tiers — cert-forced, tenant resource auto-resolved from Graph /sites/root (override SP_RESOURCE_ENV). Added 2026-07-01.
  • Graph GET /admin/sharepoint/settings needs SharePointTenantSettings.Read.All, which NO app holds → that route 403s. Read/write SharePoint tenant settings via the CSOM admin API (sharepoint-admin tier) instead. Tenant settings live on the Tenant object (TypeId {268004ae-ef6b-4e9b-8425-127220d84719}) — e.g. SelfServiceSiteCreationDisabled.
  • Restricting employee SharePoint site creation means setting SelfServiceSiteCreationDisabled=true (CSOM) AND restricting M365 Group creation (Entra Group.Unified directory setting via user-manager); neither affects edit rights on existing sites.
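An added diagnostic, not part of this memory file or the remediation-tool suite: it decodes a token's claims (unverified, for diagnosis only) and classifies a failed app-only call as wrong-resource, client-secret-on-SharePoint, or not-consented before anyone concludes "no access". The tenant name contoso and the sample tokens are constructed; the appidacr claim (1 = client secret, 2 = certificate) is a standard Entra ID access-token claim, and comparing aud against the resource URI assumes the URI form of that claim.

```python
import base64
import json


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    # Constructed, unsigned JWT for offline testing; the signature is a placeholder.
    return ".".join([_b64url({"alg": "RS256", "typ": "JWT"}), _b64url(claims), "sig"])


def decode_claims(token: str) -> dict:
    """Decode the payload of a compact JWT without verifying it (diagnostic use only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token: str, endpoint_resource: str, required_role: str) -> str:
    """Explain a failed call from the token alone: wrong-resource,
    client-secret-on-sharepoint, not-consented, or 'ok' (token does not explain it)."""
    claims = decode_claims(token)
    aud = str(claims.get("aud", "")).rstrip("/")          # assumes URI-form aud
    roles = set(claims.get("roles", []))
    if aud != endpoint_resource.rstrip("/"):
        return f"wrong-resource: aud={aud!r} but endpoint is {endpoint_resource!r}"
    # appidacr: "1" = client secret, "2" = certificate. SharePoint app-only needs a cert.
    if aud.endswith(".sharepoint.com") and claims.get("appidacr") != "2":
        return "client-secret-on-sharepoint: SharePoint app-only requires a certificate token"
    if required_role not in roles:
        return f"not-consented: {required_role} missing (roles={sorted(roles)})"
    return "ok"


# Constructed sample tokens (not real tokens); 'contoso' is a placeholder tenant.
GRAPH_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com", "appidacr": "2",
    "roles": ["Sites.FullControl.All", "User.Read.All"],
})
SP_SECRET_TOKEN = make_unsigned_token({
    "aud": "https://contoso.sharepoint.com", "appidacr": "1",
    "roles": ["Sites.FullControl.All"],
})

if __name__ == "__main__":
    print(diagnose(GRAPH_TOKEN, "https://graph.microsoft.com", "SharePointTenantSettings.Read.All"))
    print(diagnose(SP_SECRET_TOKEN, "https://contoso.sharepoint.com", "Sites.FullControl.All"))
    print(diagnose(GRAPH_TOKEN, "https://contoso.sharepoint.com", "Sites.FullControl.All"))
```

Run it against a real token only after confirming the aud and appidacr claims look as expected; a live 403 with diagnose() returning "ok" is the one case that warrants checking the permission map reference below.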

Full detail (live per-tier permission map + CSOM examples): .claude/skills/remediation-tool/references/app-permissions-and-sharepoint.md. Surfaced by Syncro #32492 (Birth Biologic). See also feedback_syncro_billing.