Documentation Why Plumsail HelpDesk requires full control permissions during installation

Why Plumsail HelpDesk requires full control permissions during installation

In September 2024, we transitioned HelpDesk from a SharePoint Add-in to an Azure AD app, following the Microsoft’s announcement of SharePoint Add-In retirement in Microsoft 365. One of the major improvements is that this change eliminates the need to manually update the client secret, which means no more interruptions for HelpDesk due to client secret expiration.

However, it also introduces a new requirement during installation: the app needs temporary Full Control permissions for all SharePoint sites in your tenant. It is a technical necessity and not a design choice by Plumsail.

Note

We’ve tried to cover all the details in the article, but if you have any questions or need a hand with the installation, feel free to contact our support team at support@plumsail.com.

Why are Full Control permissions required?

While HelpDesk only needs permissions for one site, the Full Control permissions requirement is due to a limitation in Microsoft’s current APIs:

  • Microsoft Graph and SharePoint APIs do not yet support granting permissions to a single SharePoint site directly,

  • To assign permissions to just one site (where HelpDesk will be installed), we must first request tenant-wide Full Control during the initial setup.

How the permissions are used

The Full Control permissions are used only during the installation process:

  1. The installation wizard requests Full Control access,

  2. It configures the Azure AD app to have permissions only for the selected SharePoint site where HelpDesk is being installed,

  3. Once configuration is complete and the wizard is closed, all access tokens for Full Control are cleared from memory.

HelpDesk will only retain permissions for the specific SharePoint site selected during installation and it will not access or interact with other sites. You can always review and manage the granted permissions in your Microsoft Entra admin center (formerly Azure AD portal).

Your data and security

We take security seriously and do our best to keep your data safe. Take a look at our Data protection and security article to see how we manage it.

Hint

Check the article if you prefere to configure limited permissions manually.