Solved

SharePoint Online API Permission incomplete


Userlevel 3
Badge +9

I have a customer protecting M365 with Commvault. The Azure apps for SharePoint Online are showing the following status issues:
 

Checking the application permissions, these permissions are granted via the Graph API as below:
 

 

When I look at our Metallic tenancy the SharePoint Online App permissions have two additional permissions granted:

Documentation for both on-premises and cloud doesn’t mention the SharePoint API permissions, but are these what is required to clear the error in the app configuration?

 

API permissions listed for cloud: https://docs.metallic.io/metallic/request_and_grant_permissions_to_azure_apis_for_azure_app_for_sharepoint_online.html

 

On premises: https://documentation.commvault.com/2023e/essential/request_and_grant_permissions_to_azure_apis_for_azure_app_for_sharepoint_online.html

 


Best answer by Michael Woodward 23 April 2024, 02:50


10 replies

Userlevel 5
Badge +12

Hello @Michael Woodward 

Thanks for the great question!
When it comes to the readiness of apps, I always recommend being on the latest Feature Release first if you are not already. Our latest LTS currently is FR32. Can you advise what version this environment is?

Can you also advise whether backups are currently impacted by this alert, or are the jobs working yet we are still seeing these errors?

Kind regards
Albert Williams

Userlevel 3
Badge +9

Hi @Albert Williams ,

Thanks for the reply.

This environment is 11.32.42. Backups are running with just the occasional CWE which we get with SPO (but nothing out of the ordinary there).

 

The CVSPAutoDiscoverScan log file on the access node has the following logged when a permission check is performed:
 

3912  1     04/10 03:04:10 ### ### compareAzureAppPermissions - Permission id [678536fe-1083-478a-9c59-b99265e6b0d3] of Resource id [00000003-0000-0ff1-ce00-000000000000] is not assigned
3912  1     04/10 03:04:10 ### ### compareAzureAppPermissions - Permission id [df021288-bdef-4463-88db-98f22de89214] of Resource id [00000003-0000-0ff1-ce00-000000000000] is not assigned
3912  1     04/10 03:04:10 ### ### compareAzureAppPermissions - Permission id [678536fe-1083-478a-9c59-b99265e6b0d3] of Resource id [00000003-0000-0ff1-ce00-000000000000] is not assigned
3912  1     04/10 03:04:10 ### ### compareAzureAppPermissions - Permission id [df021288-bdef-4463-88db-98f22de89214] of Resource id [00000003-0000-0ff1-ce00-000000000000] is not assigned
3912  1     04/10 03:04:10 ### ### compareAzureAppPermissions - Permission id [678536fe-1083-478a-9c59-b99265e6b0d3] of Resource id [00000003-0000-0ff1-ce00-000000000000] is not assigned
3912  1     04/10 03:04:10 ### ### compareAzureAppPermissions - Permission id [df021288-bdef-4463-88db-98f22de89214] of Resource id [00000003-0000-0ff1-ce00-000000000000] is not assigned
3912  1     04/10 03:04:10 ### ### compareAzureAppPermissions - Permission id [678536fe-1083-478a-9c59-b99265e6b0d3] of Resource id [00000003-0000-0ff1-ce00-000000000000] is not assigned
3912  1     04/10 03:04:10 ### ### compareAzureAppPermissions - Permission id [df021288-bdef-4463-88db-98f22de89214] of Resource id [00000003-0000-0ff1-ce00-000000000000] is not assigned
3912  1     04/10 03:04:11 ### ### compareAzureAppPermissions - Permission id [678536fe-1083-478a-9c59-b99265e6b0d3] of Resource id [00000003-0000-0ff1-ce00-000000000000] is not assigned
3912  1     04/10 03:04:11 ### ### compareAzureAppPermissions - Permission id [df021288-bdef-4463-88db-98f22de89214] of Resource id [00000003-0000-0ff1-ce00-000000000000] is not assigned

 

The Permission IDs match the following:
df021288-bdef-4463-88db-98f22de89214 - Graph - User.Read.All - Application

678536fe-1083-478a-9c59-b99265e6b0d3 - Office SharePoint Online - Sites.Full.Control.All - Application

 

From looking at the permissions on the existing Apps I can see that we have User.Read (but not User.Read.All) of a delegated type; I should be able to get that updated to test if the warning disappears. The other permission is the main one I would like to know about: why is it being requested when it’s not documented (but Metallic/Commvault Cloud seems to add it via the express configuration method)?
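The two things this post does by hand, pulling the distinct unassigned (resource id, permission id) pairs out of the repeated CVSPAutoDiscoverScan lines and then checking whether the app actually holds them as Application grants rather than Delegated ones, can be scripted. The following is an added example, not Commvault code and not part of the original thread: the sample log lines and the "granted" list are constructed, and the id-to-name mappings are taken from the post above (the SharePoint resource id label follows the thread's own wording).

```python
import re

# Constructed sample of the log shape shown in the thread; the last line is noise
# to show that only compareAzureAppPermissions "not assigned" lines are picked up.
SAMPLE_LOG = """\
3912  1     04/10 03:04:10 ### ### compareAzureAppPermissions - Permission id [678536fe-1083-478a-9c59-b99265e6b0d3] of Resource id [00000003-0000-0ff1-ce00-000000000000] is not assigned
3912  1     04/10 03:04:10 ### ### compareAzureAppPermissions - Permission id [df021288-bdef-4463-88db-98f22de89214] of Resource id [00000003-0000-0ff1-ce00-000000000000] is not assigned
3912  1     04/10 03:04:11 ### ### compareAzureAppPermissions - Permission id [678536fe-1083-478a-9c59-b99265e6b0d3] of Resource id [00000003-0000-0ff1-ce00-000000000000] is not assigned
3912  1     04/10 03:04:11 ### ### unrelated message that must be ignored
"""

# Matches only the "not assigned" check lines and captures the two GUIDs.
LINE_RE = re.compile(
    r"compareAzureAppPermissions - Permission id \[(?P<perm>[0-9a-f-]{36})\]"
    r" of Resource id \[(?P<res>[0-9a-f-]{36})\] is not assigned"
)

# Names as identified in the thread (resource id -> API, permission id -> role name).
RESOURCE_NAMES = {"00000003-0000-0ff1-ce00-000000000000": "Office SharePoint Online"}
PERMISSION_NAMES = {
    "678536fe-1083-478a-9c59-b99265e6b0d3": "Sites.FullControl.All",
    "df021288-bdef-4463-88db-98f22de89214": "User.Read.All",
}


def missing_permissions(log_text):
    """Distinct (resource_id, permission_id) pairs reported as not assigned, in first-seen order."""
    seen = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            pair = (m.group("res"), m.group("perm"))
            if pair not in seen:
                seen.append(pair)
    return seen


def to_names(pairs):
    """Translate id pairs into (resource name, permission name); unknown ids are left as-is."""
    return [(RESOURCE_NAMES.get(r, r), PERMISSION_NAMES.get(p, p)) for r, p in pairs]


def outstanding(required, granted):
    """
    required: (resource, permission) pairs that must exist as Application grants.
    granted:  (resource, permission, type) triples as read from the app's API permissions blade.
    Returns (resource, permission, reason) for every requirement that is still unmet. A Delegated
    grant of the same name does not satisfy an Application requirement, which is the User.Read vs
    User.Read.All trap the post describes.
    """
    report = []
    for res, perm in required:
        types = {t for r, p, t in granted if r == res and p == perm}
        if "Application" in types:
            continue
        if "Delegated" in types:
            report.append((res, perm, "only a Delegated grant exists; Application is required"))
        else:
            report.append((res, perm, "not granted on this resource"))
    return report


# Constructed picture of an app that has Graph permissions but not the SharePoint ones.
GRANTED = [
    ("Microsoft Graph", "Sites.FullControl.All", "Application"),
    ("Microsoft Graph", "User.Read", "Delegated"),
    ("Office SharePoint Online", "User.Read.All", "Delegated"),
]

if __name__ == "__main__":
    required = to_names(missing_permissions(SAMPLE_LOG))
    for res, perm, why in outstanding(required, GRANTED):
        print(f"{res} / {perm}: {why}")
```

Running it against the constructed data prints one line per unmet requirement and makes the type mismatch explicit, which is the detail the permissions blade screenshot hides when you only scan names.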

 

Userlevel 5
Badge +12

Hello @Michael Woodward 

 

Are you able to create a new application with the express configuration? 

To do this you will need to enter a global admin account with MFA disabled, but it will get Commvault to create the application with all the required permissions it needs.
NOTE: This account can be removed after it has been used to create the app.

 

You can then look at that app and compare it to the other apps to see the differences. 


Kind regards

Albert Williams

Userlevel 3
Badge +9


Hi Albert,

For security reasons it’s not possible to use express configuration with a global admin account, which is why we’re following the documentation for custom configuration.

I think it may be necessary to log a support ticket to ask why these permissions are being requested/advised by Commvault when they are not documented. I noticed that there have been other questions asked here on the community without a proper “answer” yet:
 

If I get an answer via Support, I’ll update this post with the reasoning.

Userlevel 1
Badge +7

@Michael Woodward The documentation is incorrect on the SharePoint API permissions. In addition to the permissions specified in the documentation you also need:

  • SharePoint.Applications.Sites['FullControl.All']
  • SharePoint.Applications.User['Read.All']

The M365helper tool that you can download to create the app registrations (which also supports MFA) creates the right app registrations.

I created a case and had it confirmed a while back in case 240123-265. I’ve also submitted feedback on the documentation.commvault.com page and got a reply that it will be revised on the next refresh of the documentation.

Userlevel 3
Badge +9

Thanks for this. I currently have a support ticket open (240410-52); so far I’ve got “you just need the Graph API permissions” as the feedback, and I had to be very explicit that we had those permissions but it was still displaying the errors. They are checking internally at the moment. I’ll send an update with your case number as a reference; hopefully the more people flag this, the quicker the update will be made to the documentation.

This is very frustrating.

Userlevel 3
Badge +9

My case is currently being escalated to Development. When I get an answer on the request I’ll post back with the final status (but I suspect, @John Robert, your result will be what I get as well!). Hopefully the end result is that we get the documentation updated :)

Userlevel 1
Badge +7

@Michael Woodward I’m just curious why T1 and T2 support are not able to handle this without escalation to dev. Permissions should be quite set in stone and well documented.

But of course it might be that there have been changes to what permissions they actually need and what they ask for. This would also be a good opportunity to remove old permissions.

 

Userlevel 3
Badge +9


Final update on this: the SharePoint Online API permissions are not required and the software is incorrectly asking for them. This will be resolved in a future release (ETA is FR36/38), but in the meantime they have published a KB to detail the issue: https://kb.commvault.com/article/82930

 

Userlevel 1
Badge +7

@Michael Woodward Thanks for the update.
