Introduction
Firstly, and most importantly, we never see any data from your files when you publish to SharePoint Online or Teams. All connections for publishing from Instruction are directly between your instance and the Microsoft APIs.
The short explanation is that when you publish to SharePoint Online or Teams through Instruction, it retrieves and sends all required information directly to Microsoft via its Graph APIs. The application retrieves and sends on your behalf only what is required to make our integration function. Those permissions are as tightly scoped as we can make them, and each of them is required for our seamless inbuilt publishing experience.
You can see what we need each individual permission for, with a more in-depth explanation, below.
For Microsoft SharePoint Online and Microsoft Teams
Date | Version | Description |
---|---|---|
23-Oct-2020 | 0.1 | Initial Version |
27-Oct-2020 | 0.2 | Auth Scopes Updated |
10-Nov-2020 | 1.0 | Release Version |
10-Nov-2020 | 1.1 | Link to Microsoft Announcement |
20-Jan-2021 | 1.2 | New Libraries |
4-May-2021 | 1.3 | New Libraries, Admin Auth Link |
28-Jul-2021 | 1.4 | Change Organisation Name, emails |
23-Sep-2021 | 1.5 | Update SharePointOnline with WebProxy, SharePoint CSOM Lib change |
Applies to
Date | Document Version | Runthru Version |
---|---|---|
10-Nov-2020 | 1.1 | >=4.4.3353 |
20-Jan-2021 | 1.2 | >=4.4.3414 |
4-May-2021 | 1.3 | >=4.4.3597 |
28-Jul-2021 | 1.4 | >=4.4.3597 |
23-Sep-2021 | 1.5 | >=4.4.3958 |
Software Dependency Revisions
Date | Document Version | Runthru Version | Library | Version |
---|---|---|---|---|
23-Sep-2021 | 1.5 | >=4.4.3958 | Microsoft Graph .NET | 3.30.0 |
23-Sep-2021 | 1.5 | >=4.4.3958 | Microsoft Identity Client .NET | 4.30.1 |
23-Sep-2021 | 1.5 | >=4.4.3958 | Microsoft SharePointOnline CSOM .NET | 16.1.21610.12000 |
23-Sep-2021 | 1.5 | >=4.4.3958 | SharePointPnP.CoreOnline | 3.28.2012 |
23-Sep-2021 | 1.5 | >=4.4.3958 | SharePointPnP.IdentityModel.Extensions | 1.2.4 |
Background
Runthru's Microsoft SharePoint and Teams integration uses the Microsoft Graph to both query and update data in a user's Microsoft 365 tenancy.
Runthru uses published APIs and supported frameworks to implement these features.
This document outlines the APIs used, and the scopes and permissions (see Permissions and consent in the Microsoft identity platform endpoint) required by Runthru to function successfully.
Primary Contact for Changes
Note that as the software adds more features, later revisions of Runthru may change their use of these APIs. Please contact Runthru Support for the latest revision.
.NET Libraries
Runthru is a Windows .NET desktop Application requiring .NET Framework 4.7.2 or later.
It is imperative that your organisation keeps both the underlying operating system and the .NET Framework up to date with patches on a regular basis.
Please ensure the .NET Framework installed on the Windows PC is the latest, and up to date with Microsoft Security Updates. Microsoft Update Catalog
To access the Microsoft Graph, Runthru uses the Microsoft-created and maintained libraries listed under Software Dependency Revisions above.
Runthru does not use "home grown" Login, Authentication, Authorisation or Encryption code.
Documentation Sources
Microsoft SharePoint Online
Using the Microsoft-supplied CSOM for .NET Standard libraries, the API framework provided by Microsoft handles authentication for a user, and the storage and maintenance of any tokens. Runthru does not store, nor see, these tokens or passwords.
Runthru does store a link, on disk, to the URI of the SharePoint Online Site. This is protected on disk using the Microsoft-supplied DPAPI ProtectedData APIs; the file is encrypted under the user's own Windows credentials.
This data is stored in %APPDATA%\SidekickRunthru\Runthru.SharePointRecentSites.json
Microsoft Graph to Microsoft Teams
Access to all Microsoft Teams APIs is via the Microsoft supplied Microsoft Graph REST Documentation library. This is kept up-to-date as new revisions of Runthru are created.
Via the supplied Microsoft Graph API, Runthru does use the MSAL Cache Helper to securely cache the supplied Token to disk. This is stored in %APPDATA%\SidekickRunthru\MicrosoftAccountUserCache
Runthru does store a link, on disk, to the URI of the Microsoft Teams team. This is protected on disk using the Microsoft-supplied DPAPI ProtectedData APIs; the file is encrypted under the user's own Windows credentials.
This data is stored in %APPDATA%\SidekickRunthru\Runthru.MicrosoftTeamsLastContext.json
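The two paragraphs above describe the same pattern: a small, non-secret JSON document (a site or team URI) written under %APPDATA% and protected with DPAPI in the current user's scope. The following C# is an added example of that pattern and is not Runthru's own code; the folder name, entropy value and sample site URL are constructed for the example.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not Runthru's code): stores a small JSON document under
// %APPDATA%\<app>\ protected by DPAPI ProtectedData in the CurrentUser scope.
static class UserProtectedJsonStore
{
    // Constructed sub-folder name for this example; the real app uses SidekickRunthru.
    const string AppFolder = "ExampleApp";

    // Optional entropy: DPAPI mixes this into the key, so even another process running
    // as the same Windows user must know this value to unprotect the file. Constructed value.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("ExampleApp.v1");

    static string PathFor(string fileName)
    {
        string dir = Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), // %APPDATA%
            AppFolder);
        Directory.CreateDirectory(dir);
        return Path.Combine(dir, fileName);
    }

    public static void Save(string fileName, string json)
    {
        byte[] plaintext = Encoding.UTF8.GetBytes(json);
        // CurrentUser scope: the blob is bound to this Windows account's credentials, so
        // other accounts on the machine (and an offline copy of the disk) cannot unprotect it.
        byte[] protectedBytes = ProtectedData.Protect(plaintext, Entropy, DataProtectionScope.CurrentUser);
        File.WriteAllBytes(PathFor(fileName), protectedBytes);
    }

    // Returns null when the file is absent, was written by a different user or with
    // different entropy, or has been tampered with; callers treat that as "no saved context".
    public static string TryLoad(string fileName)
    {
        string path = PathFor(fileName);
        if (!File.Exists(path)) return null;
        try
        {
            byte[] plaintext = ProtectedData.Unprotect(File.ReadAllBytes(path), Entropy, DataProtectionScope.CurrentUser);
            return Encoding.UTF8.GetString(plaintext);
        }
        catch (CryptographicException)
        {
            // Wrong user, wrong entropy or corrupted blob: fail closed, do not crash the app.
            return null;
        }
    }
}

class Program
{
    static void Main()
    {
        // Constructed sample content, mirroring the kind of non-secret state the page says is stored.
        UserProtectedJsonStore.Save("RecentSites.json",
            "{\"sites\":[\"https://contoso.sharepoint.com/sites/Example\"]}");
        Console.WriteLine(UserProtectedJsonStore.TryLoad("RecentSites.json") ?? "(no saved sites)");
    }
}
```

The trust boundary to keep in mind: DPAPI CurrentUser protects the file from other accounts and from offline reads of the disk, but any code already running as the same Windows user can call Unprotect. That is why only site and team URIs, not credentials, belong in a file like this.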
Microsoft Active Directory Application (Client ID)
The Runthru's (Linrock Software Pty Ltd) Runthru Azure Application/Client ID is
{56f25ee2-a616-42d7-a39d-48613a6f25ae}
Resource Specific Consent (RSC)
Microsoft's announcement of Resource Specific Consent for Microsoft Teams
From late 2019 up to the time of writing, Microsoft has been adding finer-grained consents to resources. This gives Administrators greater control over what a user can do with a Microsoft Active Directory token.
When requesting Scopes from Microsoft Active Directory, Runthru follows the rule of "minimum security required for the feature to operate". This ensures that the Token provided carries only the capabilities the feature needs.
For more detailed information on Resource Specific Consent, refer: Resource Specific Consent
Scopes
Permissions to use these Endpoints are required for Runthru to function.
Refer: Microsoft Graph permissions reference
Scope | Admin Consent Required* | Graph API Resource | Runthru Use |
---|---|---|---|
profile | | (login) | |
User.Read | | GET /me | Auth'd User Name, e.g. "Nick Hodge" |
User.Read | | GET /organization | Auth'd User's Organisation Name, e.g. "Runthru Software" |
User.ReadBasic.All | | GET /me/photo/$value | Auth'd User's Profile Photo |
TeamMember.Read.All | Yes | GET /teams/teamsId/members | List members of a Team |
Team.ReadBasic.All | | GET /me/joinedTeams | List of this user's joined Teams |
Channel.ReadBasic.All | | GET /teams/id/channels | For a particular joined Team, list the Channels, including the OneDrive "Drive" location where Files for this channel are stored |
Channel.ReadBasic.All | | GET /groups/teamId/sites/root | For a specific joined Team, find the SharePoint Online "backing site" |
Files.Read.All | | GET /drives/driveId/items/itemId/children | List the Files for a specific Channel (Microsoft Teams "Files" tab) |
Files.ReadWrite.All | | GET /drives/driveId/items/itemId/children | List the Files for a specific Channel (Microsoft Teams "Files" tab) |
Files.ReadWrite.All | | POST /group/teamId/drive/items/itemId/children | Upload .rthru, .docx, .pptx documents to a specific Channel (Microsoft Teams "Files" tab) |
TeamsAppInstallation.ReadForTeam | Yes | GET /appCatalogs/teamsApps/appId | Get installed Teams Apps for this Channel for this User. Runthru uses this to create a Tab |
TeamsTab.Read.All | Yes | GET /teams/teamId/channel/channelId/tabs | Get a list of Tabs installed for this Channel for this User |
TeamsTab.Create | Yes | POST /teams/teamId/channels/channelId/tabs | Create a new Tab in this specific Channel |
ChannelMessage.Send | | POST /beta/teams/teamId/channels/channelId/messages | Create a new Post in the user's chosen Channel (see Posts tab in Microsoft Teams) |
*Admin Consent Required
What does "Admin Consent Required" mean?
Documentation: Granting tenant-wide admin consent to an application
Documentation: Request the permissions from a directory admin
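The Scopes table and the "minimum security required for the feature to operate" rule above come together in how a desktop app asks MSAL for a token: request only the delegated scopes the current feature needs, try the persisted cache silently first, and only then prompt. The C# below is an added example of that flow together with the MSAL cache helper mentioned under Microsoft Graph to Microsoft Teams; it is not Runthru's code. It assumes the Microsoft.Identity.Client and Microsoft.Identity.Client.Extensions.Msal NuGet packages, uses a placeholder client ID rather than Runthru's, and the cache folder name is constructed.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.Extensions.Msal;

// Hypothetical sign-in code (not Runthru's): least-scope delegated token acquisition
// with a DPAPI-backed persistent token cache managed by MsalCacheHelper.
static class GraphSignIn
{
    // Placeholder: the Application (client) ID of your own Azure AD app registration.
    const string ClientId = "<your-client-id>";

    // Read-only scopes for a "browse my teams and channels" feature, taken from the page's
    // scope table. Write scopes (Files.ReadWrite.All, TeamsTab.Create, ChannelMessage.Send)
    // are requested separately, only when the publish feature is actually used.
    public static readonly string[] BrowseScopes =
        { "User.Read", "Team.ReadBasic.All", "Channel.ReadBasic.All" };

    public static async Task<IPublicClientApplication> CreateAppAsync()
    {
        var app = PublicClientApplicationBuilder.Create(ClientId)
            .WithAuthority("https://login.microsoftonline.com/common")
            .WithDefaultRedirectUri()
            .Build();

        // Persist the token cache under %APPDATA%\ExampleApp (constructed folder name).
        // On Windows the helper encrypts the file with DPAPI; MSAL, not our code, reads and
        // writes tokens, so the application never handles refresh tokens directly.
        string cacheDir = Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "ExampleApp");
        var cacheProps = new StorageCreationPropertiesBuilder("msal_cache.bin", cacheDir).Build();
        var cacheHelper = await MsalCacheHelper.CreateAsync(cacheProps);
        cacheHelper.RegisterCache(app.UserTokenCache);
        return app;
    }

    public static async Task<AuthenticationResult> AcquireAsync(
        IPublicClientApplication app, string[] scopes)
    {
        var account = (await app.GetAccountsAsync()).FirstOrDefault();
        try
        {
            // Silent first: reuses the cached token (or refresh token) with no UI.
            return await app.AcquireTokenSilent(scopes, account).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            // First run, or a scope not yet consented to (incremental consent): prompt once.
            // If a scope needs admin consent and none was granted, this is where the
            // user sees the "needs admin approval" prompt the page's footnote refers to.
            return await app.AcquireTokenInteractive(scopes).WithAccount(account).ExecuteAsync();
        }
    }

    static async Task Main()
    {
        var app = await CreateAppAsync();
        var result = await AcquireAsync(app, BrowseScopes);
        // Inspect what the tenant actually granted; an administrator may have consented
        // to fewer scopes than requested, so features should check before calling Graph.
        Console.WriteLine("Granted scopes: " + string.Join(" ", result.Scopes));
    }
}
```

Keeping the per-feature scope arrays separate (browse versus publish) is what makes the "minimum required" rule enforceable in code: a reviewer can see exactly which Graph calls each array unlocks, and an administrator granting tenant-wide consent can compare that list against the table above.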
Link to Grant These Permissions
An Administrator for your Office 365 Installation and/or Azure Active Directory can either consent from within Runthru, or click on the following URL