The process of building custom applications and tools that interact with Microsoft SharePoint, including SharePoint Online in Microsoft 365.
Based on your inquiry, I understand that your internal approval teams (such as the Identity Team) require explicit clarification regarding the consent popup displayed during the Prolaborate SharePoint Macro setup. Specifically, you need to verify the exact API calls, Microsoft Graph permissions requested (such as basic profile viewing and data access maintenance), and whether narrower scopes like Sites.Selected can be implemented to avoid broad, tenant-wide access.
To assist your internal review and approval process, I have broken down the architecture of our consent flow, the exact permissions invoked, and our proposed remediation paths.
Although the Prolaborate SharePoint web part exclusively communicates with custom Prolaborate backend APIs and does not directly query or extract data from Microsoft Graph, it operates on an On-Behalf-Of (OBO) flow managed by Microsoft Entra ID.
When a user interacts with the macro, the SharePoint web part requests an access token to communicate securely with the Prolaborate API backend. Entra ID generates a standard consent popup reflecting basic Graph scopes. This visual behavior can cause misunderstandings, as the UI displays generic Microsoft Graph permissions rather than explaining the custom background mechanics.
-Microsoft Entra ID Permission: User.Read
Permission Type: Delegated
Consent UI Display Text: "View your basic profile"
Technical Purpose in Prolaborate: Used strictly for Authentication and Single Sign-On (SSO). It reads the logged-in user's basic profile (such as UPN or Email) to establish a secure session into Prolaborate. It does not browse or read directory data.
-Microsoft Entra ID Permission: offline_access
Permission Type: Delegated
Consent UI Display Text: "Maintain access to data you have given it access to"
Technical Purpose in Prolaborate: Used for Session Maintenance. It allows the application to receive a refresh token, which prevents the user from being repeatedly prompted to re-authenticate every time the SharePoint page refreshes.
-Custom API Scope: access_as_user
Permission Type: Delegated
Consent UI Display Text: Configurable Custom Text
Technical Purpose in Prolaborate: Serves as a Secure API Gateway. It allows the SharePoint web part to securely call the Prolaborate backend services on behalf of the authenticated user.
Switching from Admin Consent to User Consent was intended to isolate approval to individual active users. However, we acknowledge that within highly secured financial tenants, User Consent is frequently restricted or disabled globally by tenant policies. When user consent is restricted, individual users cannot self-approve these basic scopes, causing the popup to become a workflow bottleneck for security teams who lack deep visibility into what access_as_user entails.
To provide immediate clarity to your Identity and Compliance teams, we are updating the display text of our custom API scope in the Entra ID App Registration. We recommend updating the description of the access_as_user scope to explicitly state its exact boundaries:
Updated Scope Description Example:
"Allows the Prolaborate SharePoint Macro to securely call Prolaborate backend services on behalf of the signed-in user to render architecture models and diagrams. No SharePoint data is read or modified."
To fully eliminate concerns regarding broad tenant access, I propose two distinct paths moving forward, highly recommended for strict banking compliance:
-Implementing the Sites.Selected Model
Instead of relying on broad delegated access, we can transition the integration to utilize the Microsoft Graph Sites.Selected application permission model.
The Prolaborate App Registration requests Sites.Selected as an Application-level permission. Your SharePoint or Global Administrator grants Admin Consent only once at the tenant level. This permission grants the app zero access by default across the tenant. Your IT security team runs a precise PowerShell script to grant the Prolaborate App ID permissions exclusively to explicit, designated SharePoint Site Collections where the macro is allowed to run. Security benefits include:
+Completely eliminates tenant-wide visibility.
+Provides granular, site-by-site control.
+Easily auditable by your internal compliance teams.
-Transitioning to a SharePoint Framework (SPFx) Package
If your organization utilizes modern SharePoint infrastructure, we can transition the deployment to a standard SharePoint Framework (SPFx) web part.
All required permissions are explicitly declared as plain text inside the package’s structural code configuration file (package-solution.json). When the solution is uploaded to your internal SharePoint App Catalog, it triggers the standard, built-in SharePoint Admin Approval Flow.Security benefits include:
+Permissions are reviewed and approved directly within the secure SharePoint Admin Center interface.
+Eliminates external, ambiguous Entra ID consent popups entirely for end-users.
Please let me know how your Identity team prefers to proceed, or if we can jump on a brief technical call to walk through the architecture diagram together.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.