To correctly index and secure SharePoint and OneDrive content in Outmind, certain Microsoft Graph permissions must be granted to the connector.
These are application permissions, not delegated permissions.
They must therefore be consented to by a Microsoft 365 tenant administrator.
🔐 What are application permissions?
Unlike classic delegated permissions (tied to a signed-in user), application permissions allow Outmind to access tenant resources in a secure and automated way.
👉 They are not tied to any specific Microsoft account.
They allow Outmind to:
read and discover SharePoint sites
read and download documents and their metadata
reconstruct the access permissions of users and groups for each document
These permissions are essential to ensure that the rights applied in Outmind correctly reflect those defined in Microsoft 365.
📋 Required permissions
Sites.Read.All
Role
This permission allows Outmind to read SharePoint content from the tenant.
It is used to:
read the list of SharePoint sites
read associated drives/document libraries
track changes via delta endpoints
retrieve permissions applied to files and folders
Endpoints used
/sites
/sites/{site_id}/drives
/drives/{drive_id}/root/delta
/drives/{drive_id}/items/{item_id}/permissions
Why this permission is required
Without this permission:
SharePoint sites cannot be listed
documents cannot be indexed
delta synchronisations do not work
file permissions cannot be reconstructed
👉 This permission is therefore essential for the SharePoint connector to function.
Group.Read.All
Role
This permission allows Outmind to resolve Microsoft 365 / Azure AD groups used in SharePoint permissions.
When Outmind retrieves the permissions of a file or folder, Microsoft Graph may return a group entity represented by a groupId.
Outmind must then query Microsoft Graph to retrieve the security identifiers associated with the group.
Endpoint used
/groups/{groupId}
Data retrieved
Including:
securityIdentifier
onPremisesSecurityIdentifier
Why this permission is required
SharePoint permissions are often assigned via groups rather than user by user.
👉 Without this permission, Outmind cannot correctly reconstruct access rights inherited from Azure AD / Microsoft 365 groups.
User.Read.All
Role
This permission allows Outmind to resolve users present in SharePoint permissions.
When a permission contains a userId, Outmind must retrieve the information associated with that user.
Endpoint used
/users/{userId}
with the following select:
?$select=businessPhones,displayName,familyName,givenName,id,jobTitle,mail,mobilePhone,preferredLanguage,officeLocation,securityIdentifier,surname,userPrincipalName,onPremisesSecurityIdentifier
Data retrieved
Including:
displayName
mail
userPrincipalName
securityIdentifier
onPremisesSecurityIdentifier
Why this permission is required
👉 This permission allows SharePoint permissions to be correctly associated with the relevant Microsoft 365 users.
Without it, user rights cannot be correctly reconstructed in Outmind.
🛡️ Security and access scope
Outmind uses these permissions solely to:
index authorised SharePoint content
reconstruct access permissions
synchronise document changes
apply document security in search and AI assistants
👉 The permissions retrieved are used exclusively for access control of indexed content.
🔄 Permission synchronisation
During delta synchronisations, Outmind:
detects new content or changes
retrieves the permissions of the file or folder
resolves the associated users and groups
updates access rights in the index
This ensures that:
a user only sees documents they have access to in Microsoft 365
permission changes are automatically propagated
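The resolution step above (permissions of an item -> users and groups -> security identifiers stored in the index) as an added example; this is not Outmind's code. The Graph calls to /users/{userId} and /groups/{groupId} are replaced by constructed in-memory tables, and the permission objects are constructed samples shaped like the grantedToV2 / grantedToIdentitiesV2 fields returned by /drives/{drive_id}/items/{item_id}/permissions.

```python
# Added example (not Outmind's code): turn Graph drive-item permissions into
# the set of security identifiers an index can enforce at query time.
# All ids, SIDs and names below are constructed samples.
from typing import Dict, Iterable, List, Set

# Constructed stand-ins for /users/{userId} and /groups/{groupId} responses;
# securityIdentifier / onPremisesSecurityIdentifier are the fields the
# connector keeps (a cloud-only user has no on-premises SID).
USERS: Dict[str, Dict] = {
    "u-1": {"userPrincipalName": "alice@example.test",
            "securityIdentifier": "S-1-12-1-111", "onPremisesSecurityIdentifier": "S-1-5-21-1"},
    "u-2": {"userPrincipalName": "bob@example.test",
            "securityIdentifier": "S-1-12-1-222", "onPremisesSecurityIdentifier": None},
}
GROUPS: Dict[str, Dict] = {
    "g-1": {"displayName": "Finance", "securityIdentifier": "S-1-12-1-333",
            "onPremisesSecurityIdentifier": "S-1-5-21-3"},
}

def sids_for_principal(kind: str, principal_id: str) -> Set[str]:
    """SIDs for one user or group id; empty set if the directory lookup fails."""
    record = (USERS if kind == "user" else GROUPS).get(principal_id, {})
    return {record[k] for k in ("securityIdentifier", "onPremisesSecurityIdentifier") if record.get(k)}

def acl_from_permissions(permissions: Iterable[Dict]) -> Dict[str, Set[str]]:
    """Map each Graph role (e.g. "read", "write") to the SIDs holding it.
    A principal that cannot be resolved (deleted group, unknown user) grants
    nothing, so the index fails closed rather than exposing the document."""
    acl: Dict[str, Set[str]] = {}
    for perm in permissions:
        identities = [perm.get("grantedToV2", {})] + perm.get("grantedToIdentitiesV2", [])
        for identity in identities:
            for kind in ("user", "group"):
                if kind in identity:
                    sids = sids_for_principal(kind, identity[kind]["id"])
                    for role in perm.get("roles", []):
                        acl.setdefault(role, set()).update(sids)
    return acl

def can_read(acl: Dict[str, Set[str]], user_sids: Set[str]) -> bool:
    """Query-time check: any of the searching user's SIDs holds read or write."""
    return bool(user_sids & (acl.get("read", set()) | acl.get("write", set())))

# Constructed sample shaped like /drives/{drive_id}/items/{item_id}/permissions
SAMPLE_PERMISSIONS: List[Dict] = [
    {"id": "p1", "roles": ["read"], "grantedToV2": {"group": {"id": "g-1"}}},
    {"id": "p2", "roles": ["write"], "grantedToV2": {"user": {"id": "u-2"}}},
    {"id": "p3", "roles": ["read"],
     "grantedToIdentitiesV2": [{"user": {"id": "u-1"}}, {"group": {"id": "g-deleted"}}]},
]
```

Running acl_from_permissions(SAMPLE_PERMISSIONS) yields read rights for the Finance group's two SIDs and Alice's two SIDs, write for Bob's cloud SID, and nothing for the deleted group.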
📚 Microsoft documentation
General permissions reference
Microsoft Graph permissions reference https://learn.microsoft.com/en-us/graph/permissions-reference
Endpoint documentation
Get drive item permissions https://learn.microsoft.com/en-us/graph/api/driveitem-list-permissions?view=graph-rest-1.0&tabs=http
