User based authentication

If you use user-based authentication, the following settings must be made in your Azure registration:

First, select API Permissions in the left navigation list and click Add Permission.

  • Select SharePoint as the API

  • Under Delegated Permissions, configure the permissions you want the user to delegate to TreeSize, and confirm the changes using the Done button.

  • If a permission has not been granted here, the user cannot use TreeSize to perform the corresponding action, even if the user would be allowed to do so in the web interface.
    • If a permission has been granted here, but not to the actual user, the corresponding action will still fail (the user does not gain any additional privileges).

    • To access SharePoint pages, the AllSites.Manage permission is required.

    • If you want to restrict the access to document libraries only, the AllSites.Read permission is sufficient.

    • To scan all site collections connected to a site, the privilege ‘Sites.Search.All’ is required.

    • To allow the user to upload files, the privileges ‘Read and write user files’ and ‘Read and write items and lists in all site collections’ may be required.

  • Click on Grant permissions to apply the changed permissions to your account.

  • Depending on which permissions you selected, the changes need to be approved by an administrator (grant admin consent).
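
To check which of the delegated permissions listed above actually reached a user's token, the scp claim of the access token can be inspected. The following is an added example, not part of TreeSize or of the original page: the task names, the helper functions and the sample tokens are constructed for illustration, and it assumes the token is a standard delegated access token whose scopes appear space-separated in scp, and that AllSites.Manage also covers what AllSites.Read covers.

```python
import base64
import json

# Minimal delegated scope per task, as listed in the section above.
MINIMAL = {
    "pages": "AllSites.Manage",
    "libraries": "AllSites.Read",
    "site_collections": "Sites.Search.All",
}
# Assumption (not stated on the page): AllSites.Manage also covers
# whatever AllSites.Read covers.
SATISFIED_BY = {
    "pages": {"AllSites.Manage"},
    "libraries": {"AllSites.Read", "AllSites.Manage"},
    "site_collections": {"Sites.Search.All"},
}

def token_scopes(jwt):
    """Return the delegated scopes in the token's space-separated 'scp' claim.

    The signature is not verified: use this to inspect a token you obtained
    yourself, never to make an authorization decision.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    return set(claims.get("scp", "").split())

def audit(jwt, wanted):
    """Report scopes missing for the wanted tasks and listed scopes beyond them."""
    granted = token_scopes(jwt)
    missing = sorted(MINIMAL[t] for t in wanted if not granted & SATISFIED_BY[t])
    minimal = {MINIMAL[t] for t in wanted}
    excess = sorted((granted & set(MINIMAL.values())) - minimal)
    return {"missing": missing, "excess": excess}

def sample_token(scp):
    """Build a constructed, unsigned token for the demonstration."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"scp": scp}), "constructed"])

if __name__ == "__main__":
    print(audit(sample_token("AllSites.Manage Sites.Search.All"), ["libraries"]))
    print(audit(sample_token("AllSites.Read"), ["pages", "site_collections"]))
```

A non-empty "excess" list means the registration delegates more than the chosen tasks need; a non-empty "missing" list explains why an action fails in TreeSize even though the user may perform it in the web interface.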

Next, to use SSO for domain-joined Windows (Windows Integrated Auth Flow) or the user credentials entered via TreeSize, the option Allow public client flows under Authentication -> Advanced settings needs to be enabled.


User permissions and permission levels in SharePoint Server

In order for a user to be able to scan SharePoint pages using TreeSize, the user must be granted certain permissions in SharePoint.

  • A user needs a permission level on the pages he is allowed to scan, which contains the website permission “Browse directories”.

  • If the standard permission levels are to be used, the user needs at least the permission level “Contribute” on these pages.

Note

The “SharePoint admin” role does not automatically grant a user access to all websites. If a SharePoint admin should be able to use TreeSize to scan SharePoint sites, please check the assigned permission levels here as well.

Tip

If a user is not able to connect to SharePoint via TreeSize despite the assigned permissions, please check if this user has a valid Office 365 license with access to the Microsoft Graph-API (e.g. Office 365 E3).