Views:

Applies to Product - Power Pages


What’s happening?
Customers are concerned about the permissions required for integrating Power Pages with SharePoint, particularly regarding the potential for broad access to sensitive SharePoint site collections by all users of the Power Pages site.


Reason:
The integration requires permissions that may grant extensive access to SharePoint site collections, which raises security concerns for organizations handling sensitive and regulated data.


Resolution:

  • It has been confirmed that removing an owner from the portal app will not affect the application's runtime functionality or its integration capabilities with SharePoint. The concept of an 'owner' is primarily related to the management of operations rather than runtime processes. In scenarios where there is no designated owner, a global admin retains the ability to perform all necessary actions, ensuring no disruption to the service or its administration.
  • Customers can manually change the permission from "Sites.FullControl.All" to "Sites.Selected" to limit access only to specific SharePoint sites. This change is part of the product roadmap and will be implemented in the near future.
  • For security compliance, it is recommended that customers conduct their own security review processes before enabling SharePoint features, as these permissions are not enabled by default and require tenant admin approval.
  • The permission model allows for considerable control and is designed to restrict modification capabilities to a trusted group of administrators. Only global admins can add or modify keys to the application, ensuring that the application remains secure.
  • For further details on how to manage these permissions, customers can refer to the documentation Manage SharePoint documents | Microsoft Learn