| name | description | metadata |
|---|---|---|
| reference_remediation_tool_365_access | The remediation-tool app suite has full M365 access (incl. SharePoint via cert); don't declare "no access" on an accessDenied | see below |
The ComputerGuru remediation-tool apps collectively have broad, working access across ALL of M365 — Graph, Exchange Online, Defender, AND SharePoint Online. When a call fails it's almost always wrong-tier / wrong-endpoint / not-consented / the SharePoint cert gotcha — not a real lack of access. Do NOT tell the user "the tool can't do X" without checking the live permission map first (decode the token `roles` claim).

Key facts:

- SharePoint app-only requires a CERTIFICATE. A `client_secret` token is rejected on every SharePoint endpoint (REST `/_api` and CSOM `/_vti_bin/client.svc/ProcessQuery`) with "Unsupported app only token". The Tenant Admin app has a cert in the vault and holds SharePoint-resource `Sites.FullControl.All`. `get-token.sh` now has `sharepoint` (content) and `sharepoint-admin` (tenant admin) tiers — cert-forced, tenant resource auto-resolved from Graph `/sites/root` (override `SP_RESOURCE_ENV`). Added 2026-07-01.
- Graph `GET /admin/sharepoint/settings` needs `SharePointTenantSettings.Read.All`, which NO app holds → that route 403s. Read/write SharePoint tenant settings via the CSOM admin API (`sharepoint-admin` tier) instead. Tenant settings live on the Tenant object (TypeId `{268004ae-ef6b-4e9b-8425-127220d84719}`) — e.g. `SelfServiceSiteCreationDisabled`.
- Restricting employee SharePoint site creation = `SelfServiceSiteCreationDisabled=true` (CSOM) AND restrict M365 Group creation (Entra `Group.Unified` directory setting via `user-manager`); neither affects edit rights on existing sites.
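Added example (not code from the referenced skill file or from `get-token.sh`): triage a failed call by decoding the token's `roles` claim, as the note above instructs, before concluding "no access". The tenant audience is a placeholder; `appidacr` (v1) / `azpacr` (v2) are the Entra claims recording whether the client authenticated with a secret (1) or a certificate (2).

```python
import base64
import json

# Constructed sample claims (test-only, unsigned). Audience tenant is a placeholder;
# appidacr=1 marks a secret-minted token, appidacr=2 a certificate-minted one.
SP_SECRET = {"aud": "https://placeholder-tenant-admin.sharepoint.com", "appidacr": "1",
             "roles": ["Sites.FullControl.All"]}
SP_CERT = {**SP_SECRET, "appidacr": "2"}
GRAPH = {"aud": "https://graph.microsoft.com", "appidacr": "1",
         "roles": ["Sites.FullControl.All", "Directory.Read.All"]}


def _b64url(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_unsigned_token(claims: dict) -> str:
    """Constructed header.payload.signature string with a dummy signature (sample input only)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.dummysig"


def decode_claims(token: str) -> dict:
    """Read a token's payload without verifying it: fine for triage, never for trust decisions."""
    return json.loads(_b64url(token.split(".")[1]))


def triage(token: str, required_role: str, expected_aud: str) -> tuple[str, str]:
    """Classify a failed M365 call as wrong-tier / not-consented / cert-required / ok."""
    c = decode_claims(token)
    aud, roles = c.get("aud", ""), set(c.get("roles", []))
    acr = c.get("appidacr") or c.get("azpacr")  # azpacr is the v2 equivalent
    if expected_aud not in aud:
        return "wrong-tier", f"token is for {aud!r}, call targets {expected_aud}"
    if required_role not in roles:
        return "not-consented", f"{required_role} absent; roles={sorted(roles)}"
    if ".sharepoint.com" in aud and acr != "2":
        return "cert-required", "SharePoint rejects secret-minted app-only tokens (Unsupported app only token)"
    return "ok", f"{required_role} present; a 403 now means wrong endpoint or tier, not missing access"


if __name__ == "__main__":
    for name, claims in (("sp-secret", SP_SECRET), ("sp-cert", SP_CERT), ("graph", GRAPH)):
        print(name, triage(build_unsigned_token(claims), "Sites.FullControl.All", ".sharepoint.com"))
```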
Full detail (live per-tier permission map + CSOM examples): `.claude/skills/remediation-tool/references/app-permissions-and-sharepoint.md`. Surfaced by Syncro #32492 (Birth Biologic). See also feedback_syncro_billing.