■
In this article we'll cover key features and security permissions for Simpplr’s integration with Microsoft’s file sharing and collaboration solution, SharePoint. We will also provide step-by-step connection instructions for End users, Site managers, and Application managers.
Table of Contents
- Integration path
- What's the difference between SharePoint and OneDrive?
- Integration features
- Need to know before setup
- Security overview
- Set up SharePoint Admin account
- Connect SharePoint as an App manager
- Connect SharePoint as a Site owner
- Connect SharePoint as an End user
- FAQ
Integration Path
- Review the integration features below and decide specifications needed for your organization.
- Define the SharePoint structure your organization wants to use in connecting the integration.
- The SharePoint Admin/Global Admin connects the integration at the application level and the user level.
- Site owners connect their integration profile to their Simpplr profile.
- Site owners connect to the integration at the site level and select which SharePoint sites to share.
- Content teams add the correct files to their target SharePoint sites, and connect them to Simpplr content.
- End users connect their integration to their Simpplr profile.
- Now the files will be available for Site members to access.
What's the difference between SharePoint and OneDrive?
For many users these systems solutions are used in parallel and are often interconnected.
OneDrive is essentially an online folder system for personal file storage, but SharePoint includes many other features that are geared towards collaboration and team activities.
Office 365 now includes SharePoint features in its cloud platform, but you can also purchase SharePoint by itself as an on-premise solution.
For more information on the OneDrive integration, click here.
Integration features
- Connect your SharePoint site(s) to a Simpplr site to make the files within searchable by Site members.
- Attach files from your SharePoint directly to your content.
- Upload and download files to SharePoint from your intranet interface.
- Add folders to SharePoint from your intranet interface.
- Manage which documents are visible and available via your intranet while maintaining your robust file structure on SharePoint.
- Engage with files - Download, like, favorite, share, preview, and create new versions of files.
Need to know before setup
- The Microsoft/Azure Global Admin must be the first to connect their SharePoint account before other users do. This user will need to possess an Office 365 license in addition to having SharePoint Admin access. If this user is the same person with both roles, then follow the instructions below. If the Global Admin and SharePoint Admin are two different people, the Global Admin will need to connect their account first. They'll choose "consent on behalf of the organization" option. They may see an error stating, "SharePoint is not enabled". However, this is when the SharePoint Admin can connect. Once the SharePoint Admin connects, the error will no longer persist. They must do this at their Simpplr profile level. More information below in Set up SharePoint as an Application manager. The account you use to establish the connection should have "Email" listed in the Azure properties as well.
- Simpplr authenticates to Microsoft at the user level and respects the permissions created in Microsoft. A user will never see content they do not have rights to.
- In SharePoint, make sure limited-access user permission lockdown mode is deactivated. Otherwise, you won’t be able to link SharePoint files to Simpplr. To locate this setting, from SharePoint, go to Site Settings > Site Collection Features.
- Any documents connected to a site via SharePoint will be searchable and accessible to all site members who have access to those docs in SharePoint. If a site is public, all users of your intranet will have access to the SharePoint sites as long as they have access to the site in SharePoint.
- When searching for SharePoint files in the Files tab of a site, do not use the Search site files… bar. You must manually click into the folder containing the file you need.
- 60MB is the maximum file size that can be uploaded to Simpplr.
- Currently Simpplr does not support the ability to delete SharePoint document libraries from within your Simpplr instance.
- Only SharePoint permissions are respected with this integration. In other words, if you do not have access to view a file or folder in SharePoint, you will not have permission to it in your intranet.
Security overview
- To install the Simpplr app into SharePoint, the Microsoft Global Admin user must connect their account before any other users do. See below for further instructions. The Admin's OAuth tokens are NOT stored in Simpplr, and are only needed to provide consent to the rest of the users' connections.
- Once complete, each user will need to connect their account at the User Profile level in the Profile & settings section. Users will only need to connect their account once.
- File permissions do not change once sites are integrated with Simpplr. For more information on file permission levels within SharePoint, click here.
- Updating the Admin user's SharePoint password will not affect the integration in any way. No connections will be disrupted if you change your SharePoint password.
For full SharePoint integration security information, click here.
Permissions Being Asked from SharePoint/Microsoft
SharePoint will ask users to consent to several delegated permissions on behalf of Simpplr when connecting their accounts for the integration. These all must be approved in order for the integration to work correctly.
Permission Name | Permission required | Description | Impact if removed |
View your basic profile Read all users basic profiles |
User.ReadBasic.All | Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address, open extensions and photo. Also allows the app to read the full profile of the signed-in user. | Unable to sign in and use SharePoint services Users info on files and profile |
Access directory as the signed-in user | Directory.AccessAsUser.All | Allows the app to have the same access to information in the directory as the signed-in user. | Unable to search for and fetch files |
Have full access to all files you have access to Read and write your files |
Files.ReadWrite.All | Allows the app to read, create, update, and delete all files the signed-in user can access. | Unable to search for and fetch files |
Create, edit, and delete items and lists in all your site collections | Sites.Manage.All | Allows the app to manage and create lists, documents, and list items in all site collections on behalf of the signed-in user. | Unable to access basic organization structure and file listings with create permission |
Read and write items in all site collections | Sites.ReadWrite.All | Allows the app to edit or delete documents and list items in all site collections on behalf of the signed-in user. | Unable to access basic organization structure and file listings |
Sign-in and read user profile | User.Read | Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | Unable to sign in and use SharePoint services |
Edit or delete items in all site collections | Sites.ReadWrite.All | A subset of Sites.Manage.All, this is specifically required for Update & Delete operations on SP document libraries. Simpplr only makes use of the Update operation to support: Allowing users with access to rename a linked SP document library or folders within the SP document library from Simpplr. |
Unable to access basic organization structure and file listings |
Set up SharePoint Admin account
Reminder, the Azure Global Admin and SharePoint Admin must be the first to establish a connection with SharePoint before anyone else can access the integration. If the Global Admin and SharePoint Admin are two different people, the Global Admin will need to connect their account first. They'll choose "content on behalf of the organization" option. They may see an error stating, "SharePoint is not enabled". However, this is when the SharePoint Admin can connect. Once the SharePoint Admin connects, the error will no longer persist.
To set up your SharePoint Admin profile (if not done so already):
-
Login to office.com
-
From the Admin center, go to Show all > Roles > Role assignments > SharePoint Administrator, then click the Assign roles tab. Click the Assigned tab and select Add users to assign the user(s) you wish to be Admin. Complete these same steps for the Global Administrator role if needed.
Note:
This step must still be completed even if you are already using the active SharePoint Global Administrator profile.Now you can connect SharePoint in Simpplr by following the steps below.
- Navigate to Profile & settings > Edit profile & settings > External apps.
- Enter your credentials for the SharePoint Admin account and sign in. Once signed in, you must set the permissions Access directory as the signed in user and Consent on behalf of your organization.
If the SharePoint Global Admin disconnects:
- The Simpplr application is not deleted.
- The folders linked by SharePoint Global Admin user to sites will be removed.
- End user connections will not be removed.
- New users of the same domain name can still connect to the integration as long as the domain is added under Manage > Application > Integrations > File management.
Connect SharePoint as an Application manager on Simpplr
As the Application manager, it is your responsibility to enable SharePoint on your company's intranet. Until the integration is set up at your permissions level, your Site owners and Content managers will not be able to access SharePoint. To allow Simpplr access to your SharePoint:
- From your Simpplr Home dashboard, navigate to your profile image and select Manage > Application.
- Go to Integrations > Domains. Scroll down until you see the Microsoft options, then click Add domain name. Select the SharePoint option. This will redirect you to the Microsoft permissions page, where you as the Global Admin will need to accept the required permissions for the integration to connect.
- Repeat the above step for each domain you'd like to connect.
- Click Save when you have all domains added and access permissions chosen.
Connect SharePoint as a Site owner on Simpplr
As a Site owner, it is up to you to enable SharePoint functionality at the site level. You also control the file upload permission settings for your site users. To do so, follow steps 1 and 2 from below (Connecting as an End user) to connect your Simpplr profile to SharePoint, then:
- Locate the site you want to connect with SharePoint for file storage. From Manage site, in the Setup tab, scroll down until you see External files. From the dropdown menu, select SharePoint files. Then scroll down and click Save.
Link SharePoint document libraries to your site
Graphic representation on how Simpplr sites connect to SharePoint sites.
Note:
Only a Site owner can link folders to a site, as long as they’re connected to SharePoint and the site is connected to SharePoint. If you can’t see the below options, you may not be the Site owner, or the site is not yet connected to SharePoint.- From your Simpplr site, select the Files tab.
- Click on the SharePoint files folder.
- Click Link SharePoint folder or document library.
- Select the SharePoint site and document library (if applicable) you wish to link to the Simpplr site. The sites you select will now be linked to the Simpplr site. If users do not link SharePoint files or folders to a site, they will not be able to view them or search for them in Simpplr.
Note:
Simpplr limits the number of top-level sites you can link to 15 per SharePoint instance. This is due to Simpplr's Search performance capabilities. If you link more than 15 top-level SharePoint sites (per instance), you won’t be able to search for SharePoint files in Simpplr. This limit doesn’t apply to document libraries.For a given Simpplr site, users can connect document libraries from any SharePoint site they have access to. There is no direct reference to the SharePoint sites in Simpplr. To link a document library, search for the SharePoint site > sub-site (if applicable) > document library. Folders are not counted in this limit as this count is just the number of linked document libraries.
Once SharePoint has been selected as file storage for a site, a folder named SharePoint Files will be automatically created in the Files tab. To add more folders to your site, follow the steps below:
For example, if you link 15 top-level sites (HR, Product, IT, etc.) that each contain 10 document libraries, all libraries will be searchable. But you can’t link more than 15 top-level sites. If the same document library is linked in more than one Simpplr intranet site, it will count as two connected document libraries.
No more than 300 document libraries can be linked across the entire platform. The limit of 300 is applicable org-wide for linked document libraries, and there is a limit of 15 document libraries per site.
If users do not have access to a document library linked to a site, they will see the name of the document library under Files on the site.
However, when they click into the library, they will see this:
If a user goes to a piece of content that includes a SharePoint file they don't have access to, they'll receive the same "Unable to display" message.
Unlinking document libraries
Users with requisite permissions may unlink a document library from a site. If a user tries to unlink a document library they don’t have access to, they’ll be shown an error message.
If the Site owner disconnects their own profile from SharePoint and then connects again:
-
- SharePoint will need to be reconfigured at the site level
- All pre-existing linked SharePoint Libraries will no longer be available to site members
Transferring site ownership
If you wish to transfer ownership of a site that uses SharePoint for file storage, the new owner must be in the same SharePoint instance (and their app must already be connected to SharePoint), or SharePoint must first be disconnected from the site.
If the current Site owner leaves/is deactivated, and a new Site owner has not connected their account to the SharePoint document library in question, nothing will happen to the document library.
There are three scenarios that can play out when updating site ownership:
- The new Site owner does not have a SharePoint account linked to their profile. This will cause an error when attempting to transfer ownership of the document library.
- The new Site owner has the same SharePoint account linked in their profile as the previous owner. The ownership is transferred and the document libraries are not removed.
- The new Site owner has a different SharePoint account linked in their profile. Site ownership is transferred, and the linked document libraries are not removed.
Connect SharePoint as an End user on Simpplr
Note:
The SharePoint admin has to connect at the user level before any other users in the organization. Until the admin has connected their account, other users won’t be able to connect to SharePoint.As a Simpplr Standard User/Content Manager, once your App manager has set up the connection with Simpplr, you will be able to attach, share, and edit files you have access to in SharePoint, all from within your Simpplr intranet. First you must enable SharePoint on your profile. To do so:
- Navigate to your user profile image and click Profile & settings. Once your profile is open, click Edit profile & settings.
- Click External apps, then next to SharePoint, click Connect account. Your files are now connected to Simpplr!
- Now when you create content and want to attach files, you'll be given the option to include files from your SharePoint account.
SharePoint file access across instances
Only files that are in your SharePoint instance:
- Will be returned in search
- Can be attached to content and feed posts
- Will be visible and/or accessible, depending on where the file is located in Simpplr
- SharePoint files in the site files tab and file detail page are only visible to users who connect to the same instance.
- SharePoint files in the file manager, or attached to content and feed posts are visible to all users, regardless of which instance they’re in, but can only be opened by users who connect to the same instance.
Top-level SharePoint document libraries in the site files tab are visible to all users, regardless of which instance they’re in, but can only be opened by users who connect to the same instance.
FAQ
Q: If the user's permissions change then is there a sync process to reflect their new permissions in Simpplr, or does it read realtime?
A: It is all real-time depending on how soon SharePoint updates its internal data sources. Simpplr doesn't store any data so everything is fetched in real time directly from SharePoint.
Q: Can End users update or delete SharePoint files from Simpplr?
A: No. End users cannot update or delete any files unless they have permissions to do so in SharePoint.
Q: What happens if the global account changes and we need to do some maintenance on the app?
A: Until the granted permissions to the Simpplr app for delegated access are revoked, global account changes shouldn’t have any effect.
Q: Is there a concept of a Simpplr admin that can log on and see everything in SharePoint document libraries regardless of delegated security?
A: No, that is not possible. Admin account tokens aren’t stored on Simpplr.
Q: What functionality would we lose if we restricted the Simpplr integration service account to read-only access to SharePoint?
A: We only use delegated access, so all actions are as a particular user not as Simpplr or the admin. The admin is used to grant consent to users to grant OAuth permissions. Users must connect their Simpplr account to their SP account from inside Simpplr, and in the process they are asked for OAuth permissions. For now, there is no specific option to change access permissions.
Q: Is there a way to use OIDC to pass needed user credentials instead of allowing the Simpplr integration to act on behalf of every employee?
A: We already do. We are not storing tokens of the admin account in Simpplr. So you can disconnect at the service account level, and everything will still work fine.
Q: What logging does Simpplr have in place to track actions the service account takes on behalf of my org's employees? Are these logs accessible to us (my company)?
A: None, and no. Reason being, Simpplr is not storing the access token of the service account or admin account. We only require it for providing the delegated consent, which will only be availed once users connect at the user level.
Q: If Simpplr, or the integration service account, were to be compromised, how could we identify non-standard behavior when the account exists to impersonate all our users and interact with their files/drives/email, etc? Is there additional logging Simpplr recommends we implement?
A: Service account credentials are only used for the global admin consent so others can connect their accounts, and can be disconnected after that.
Q: Instead of having one all-encompassing service account, could we separate out functionality to multiple service accounts? (one for SharePoint, one for Teams, one for Outlook, etc)
A: The service account is used only once for receiving consent from the GA account. You can disconnect the connection after providing consent. There is no need to have multiple service accounts.
Comments
Please sign in to leave a comment.