
SharePoint - Rationale on the need of Site Collection Administrator role

Last updated on 27 September 2024

Admin
M-Files for Microsoft SharePoint

Overview

This article explains the reasoning for the elevated privileges required by the SharePoint Online Connector for M-Files.

Details 

The Entra ID app for SharePoint needs certain rights to work correctly. More specifically, the application needs Sites.FullControl permissions.

Previously, SharePoint connections had two M-Files system users working as the indexer user and the permission retriever user. These users must also have enough permissions on the SharePoint side to work properly. Instead of root-level admin rights, those users need site-level admin rights. This article describes why this is recommended.

As of version 22.2.58.0 of the connector, the users discussed in this article (indexer user and permissions retriever) are replaced by one application principal that gets a "FullControl" level of rights. The logic for both situations is the same: these users still exist on the M-Files side, they just use a different principal on the SharePoint Online side.

Solution

Our SharePoint installation instructions are quite specific that the IndexerUser and PermissionRetriever users should have SharePoint's Site Collection Administrator role. Although it may seem that a higher-level user, such as a root-level administrator, would have the same permissions, inheritance logic and the permissions needed to read user access might change the situation so that the root-level admin does not have enough power to retrieve the needed information. For example, retrieving site-dependent user permissions could be obstructed by site security settings.

The Site Collection Administrator role is not affected by inheritance or other such restrictions. That is why, despite the drawback of being site-dependent, the Site Collection Administrator role works reliably in all parts of the site.

For versions 22.2.58.0 and later, the "Site Collection Administrator" role for individual users is replaced by one application principal with "FullControl" rights. The Sites.FullControl permissions are mandatory for the connector to work properly. 
