          Update Microsoft App Registration to Use Minimum-Privilege Permissions

          If you previously set up the Microsoft Add-in with broad permissions such as Files.ReadWrite.All and User.ReadWrite.All, you can update your app registration to use Sites.Selected, User.Read, and User.ReadBasic.All. Sites.Selected grants the app no SharePoint access by default: it can reach only the sites you explicitly grant it, so a leaked client secret or token no longer exposes every site and every user object in the tenant. Document generation is unaffected because the app still receives write access to the one site it uses.

          Required Editions

          Note: To use the guided setup to integrate Microsoft 365 and Azure, see Set Up Microsoft 365 and Azure Integration Using Guided Setup.
          Available in: Lightning Experience
          Available in: Professional, Enterprise, Unlimited, and Developer Editions
          User Permissions Needed
          To modify API permissions and grant site access via Graph Explorer and update authentication scopes and app properties:

          CLM Admin User

          OR

          Microsoft 365 Admin

          AND

          Azure App Registration Owner

          Prerequisites:

          • Set up your Microsoft app registration to support Salesforce integration for document storage.
          • Identify the SharePoint site configured in ExternalDocStorageConfig for document storage.
          • Make sure you have access to Microsoft Graph Explorer.
          1. Remove the broad permissions from the app registration.
            1. Log in to the Azure portal.
            2. Go to Microsoft Entra ID (formerly Azure Active Directory), click Manage, and select App registrations.
            3. Select your Salesforce app.
            4. Go to API permissions and remove Files.ReadWrite.All. If both an Application and a Delegated entry are listed, remove both.
            5. Repeat the steps to remove User.ReadWrite.All.
          2. Add the minimum-privilege permissions.
            1. In API permissions, select Add a permission > Microsoft Graph > Application permissions.
            2. Search for and add Sites.Selected and User.ReadBasic.All. User.Read is offered by Microsoft Graph only as a delegated permission, so add it under Delegated permissions.
            3. Click Grant admin consent for your tenant. Until consent is granted, the permissions show a status of Not granted and tokens issued to the app don't carry them.
          3. Retrieve your SharePoint site ID.
            1. Go to Graph Explorer and log in with your Microsoft credentials.
            2. Set the method to GET, API version to v1.0, and URL to: https://graph.microsoft.com/v1.0/me/followedSites
            3. Run the query and copy the full id of the SharePoint site used for document storage. The id has the form hostname,siteCollectionId,siteId; copy all three parts. If the site isn't among your followed sites, look it up by path instead: https://graph.microsoft.com/v1.0/sites/<hostname>:/sites/<site_name>
          4. Grant the Microsoft Azure app access to your SharePoint site.
            1. In Graph Explorer, set the method to POST and the URL to: https://graph.microsoft.com/v1.0/sites/<site_id>/permissions.
            2. Replace <site_id> with the SharePoint site ID.
            3. Go to the Modify permissions tab and ensure Sites.FullControl.All consent is provided. This consent is for the Graph Explorer application acting as you, not for your app registration; creating a site permission requires it.
            4. Paste this code in the request body:
              {
                "roles": ["write"],
                "grantedToIdentities": [{
                  "application": {
                    "id": "<Application_Id>",
                    "displayName": "Salesforce App"
                  }
                }]
              }
              
            5. Replace <Application_Id> with the Application (client) ID from the Azure App Registration's Overview tab. Don't use the Object ID or the Directory (tenant) ID; the grant silently applies to nothing if the wrong identifier is used.
            6. Go to the Headers tab and add: Content-Type: application/json.
            7. Run the query to assign the permissions. A successful call returns 201 Created with the new permission object. To confirm the grant, run GET on the same URL and check that an entry for your app's ID with the write role is listed.
          5. Update the scope in Salesforce Auth Provider.
            1. From Setup, in the Quick Find box, enter Auth. Providers, and then select Auth. Providers.
            2. Edit the relevant Microsoft provider.
            3. Update the scope to: offline_access openid User.Read User.ReadBasic.All Sites.Selected.
            4. Save the changes.

          After updating the scopes, verify that document generation from Salesforce to the SharePoint site works as expected. Then revoke Sites.FullControl.All from Graph Explorer's permissions: it was consented to the Graph Explorer application for your account and is no longer needed once the site permission exists.
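          The following script is an added example, not Salesforce's or Microsoft's code. It performs the Graph Explorer parts of steps 3 and 4 programmatically and adds the check a practitioner wants after step 5: decoding an app-only Graph token to confirm that the roles claim carries Sites.Selected and no longer carries the removed permissions. The tenant hostname, site ids, application ID, and tokens are constructed placeholders; grant_site_permission needs a real delegated token with Sites.FullControl.All and is not run by the self-test.

```python
"""Grant a Sites.Selected app access to one SharePoint site and verify the
app's token afterwards. Added example; not part of the original article."""
import base64
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Application roles this procedure removes and the one it must leave in place.
REMOVED_ROLES = {"Files.ReadWrite.All", "User.ReadWrite.All"}
REQUIRED_ROLES = {"Sites.Selected"}


def find_site_id(followed_sites: dict, site_url: str) -> str:
    """Return the Graph site id for site_url from a GET /me/followedSites
    response. Site ids look like '<hostname>,<siteCollectionId>,<siteId>'."""
    wanted = site_url.rstrip("/").lower()
    for site in followed_sites.get("value", []):
        if site.get("webUrl", "").rstrip("/").lower() == wanted:
            return site["id"]
    raise LookupError(
        f"{site_url} is not among your followed sites; resolve it with "
        "GET /sites/<hostname>:/sites/<site_name> instead")


def permission_body(app_client_id: str, display_name: str, roles=("write",)) -> dict:
    """Body for POST /sites/{site_id}/permissions. The id is the Application
    (client) ID from the registration's Overview tab, not the Object ID. Only
    'read' or 'write' are accepted here: a broader role defeats the change."""
    bad = set(roles) - {"read", "write"}
    if bad:
        raise ValueError(f"refusing roles {sorted(bad)}; use read or write")
    return {
        "roles": list(roles),
        "grantedToIdentities": [{
            "application": {"id": app_client_id, "displayName": display_name}
        }],
    }


def grant_site_permission(site_id: str, body: dict, bearer_token: str) -> dict:
    """The POST that step 4 runs in Graph Explorer. Needs a delegated token
    carrying Sites.FullControl.All. Not exercised by the offline self-test."""
    req = urllib.request.Request(
        f"{GRAPH}/sites/{site_id}/permissions",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only; no signature verification."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_app_roles(token: str) -> list:
    """Inspect the 'roles' claim of an app-only Graph token issued to the
    registration after the change. Returns a list of problems; empty is ok."""
    roles = set(jwt_claims(token).get("roles", []))
    problems = []
    for role in sorted(REMOVED_ROLES & roles):
        problems.append(f"stale broad permission still granted: {role}")
    for role in sorted(REQUIRED_ROLES - roles):
        problems.append(f"missing required permission: {role}")
    return problems


def _unsigned_jwt(claims: dict) -> str:
    """Build an alg=none token from claims, for the constructed self-test only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample data: placeholder tenant, site ids and app id, not real ones.
SAMPLE_FOLLOWED_SITES = {
    "value": [
        {"id": "contoso.sharepoint.com,11111111-1111-1111-1111-111111111111,"
               "22222222-2222-2222-2222-222222222222",
         "webUrl": "https://contoso.sharepoint.com/sites/DocStorage"},
        {"id": "contoso.sharepoint.com,33333333-3333-3333-3333-333333333333,"
               "44444444-4444-4444-4444-444444444444",
         "webUrl": "https://contoso.sharepoint.com/sites/HR"},
    ]
}
SAMPLE_APP_ID = "55555555-5555-5555-5555-555555555555"
SAMPLE_GOOD_TOKEN = _unsigned_jwt(
    {"aud": "https://graph.microsoft.com", "roles": ["Sites.Selected", "User.ReadBasic.All"]})
SAMPLE_STALE_TOKEN = _unsigned_jwt(
    {"aud": "https://graph.microsoft.com", "roles": ["Files.ReadWrite.All", "User.ReadBasic.All"]})

if __name__ == "__main__":
    site_id = find_site_id(SAMPLE_FOLLOWED_SITES, "https://contoso.sharepoint.com/sites/DocStorage")
    print("site id:", site_id)
    print(json.dumps(permission_body(SAMPLE_APP_ID, "Salesforce App"), indent=2))
    print("good token:", check_app_roles(SAMPLE_GOOD_TOKEN) or "ok")
    print("stale token:", check_app_roles(SAMPLE_STALE_TOKEN))
```

          To use it against a real tenant, obtain an app-only token for the registration with the client credentials flow after step 2 and pass it to check_app_roles; a token that still lists Files.ReadWrite.All means admin consent for the old permission was not actually revoked. The roles claim is the authoritative view of what the app can do, so checking it is more reliable than reading the API permissions page.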

          Salesforce Help | Article