Genesys Cloud - Developer Community!


  • 1.  Knowledge Fabric: Restricting SharePoint Site Visibility

    Posted 2 days ago

    Hello Community,

    I am currently configuring a Knowledge Fabric connection using the SharePoint integration and have encountered a security concern regarding site visibility.

    The Scenario

    We are using a Service Account to authorize the connection. Per our internal security policy, this account has been granted access to only one specific SharePoint site.

    The Issue

    When navigating to the Content Selection page in Genesys Cloud, we can see all SharePoint sites within the tenant, regardless of the Service Account's specific site permissions.

    I suspect this is caused by the mandatory Sites.Read.All Graph API permission required by the integration, as documented in the Genesys Cloud Resource Center.

    My Question

    Has anyone successfully limited the scope of site visibility within the Genesys Cloud UI?

    We need to ensure that Genesys users cannot browse sites that haven't been explicitly assigned to the integration. Leaving the entire tenant's site list exposed is a significant security concern for us.

    Screenshot of the Content Selection page showing all sites:


    #Integrations
    #PlatformAPI

    ------------------------------
    SACHIN GUPTA
    Genesys Developer
    ------------------------------


  • 2.  RE: Knowledge Fabric: Restricting SharePoint Site Visibility

    Posted 2 days ago

    Hi SACHIN

    From what you described, this behavior is likely related to the Microsoft Graph permission model rather than something controlled by Genesys Cloud itself.

    As a test, after everything is configured, I would try restricting the "Sites.Read" permission.



    ------------------------------
    Kaio Oliveira
    GCP - GCQM - GCS - GCA - GCD - GCO - GPE & GPR - GCWM

    PS.: I apologize if there are any mistakes in my English; my primary language is Portuguese-Br.
    ------------------------------



  • 3.  RE: Knowledge Fabric: Restricting SharePoint Site Visibility

    Posted yesterday

    Hello Sachin - 

    To restrict access to only specific SharePoint sites, you will need to manage permissions at the Microsoft 365/Azure AD level rather than within Genesys Cloud.

    1. Use Sites.Selected Permission in Azure AD App Registration:

      • Replace the current Sites.Read.All permission with Sites.Selected
      • Sites.Selected allows access only to SharePoint sites that have been explicitly granted to the application

    2. Grant Site-Specific Permissions via Microsoft Graph API:

      • Use PowerShell or Graph API to grant your registered application access only to specific SharePoint sites
      • Identify the Site ID of your "Genesys Knowledge Fabric" site and assign read permissions only to that site

    3. Implementation Location:

      • Azure Portal > App registrations > Your Genesys integration app
      • Coordination with your Microsoft 365 administrator will be required

     



    ------------------------------
    Sivanesan Rathinam
    ------------------------------
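
An added example (not part of the post above, and not Genesys or Microsoft code) of step 2: it builds the Microsoft Graph request that grants one application read access to one site, then checks a site's permission objects for that application. The site ID, application ID and sample permission list are constructed placeholders, and the request is assumed to be sent with a token authorised to manage that site's permissions.

```python
import json

GRAPH = "https://graph.microsoft.com/v1.0"

def build_site_grant(site_id, app_id, app_name, role="read"):
    """Build (method, url, body) granting one app one role on one site."""
    body = {
        "roles": [role],
        "grantedToIdentities": [
            {"application": {"id": app_id, "displayName": app_name}}
        ],
    }
    return "POST", f"{GRAPH}/sites/{site_id}/permissions", json.dumps(body)

def audit_site_permissions(permissions, app_id, allowed_roles=("read",)):
    """Return findings for one site's permission objects; [] means as intended."""
    findings, seen = [], False
    for perm in permissions:
        idents = perm.get("grantedToIdentitiesV2") or perm.get("grantedToIdentities") or []
        app_ids = {(i.get("application") or {}).get("id") for i in idents}
        if app_id not in app_ids:
            continue  # grant belongs to some other identity
        seen = True
        roles = perm.get("roles")
        if roles is None:
            findings.append(f"{perm.get('id')}: roles not present, re-read this permission by id")
        elif set(roles) - set(allowed_roles):
            extra = sorted(set(roles) - set(allowed_roles))
            findings.append(f"{perm.get('id')}: unexpected roles {extra}")
    if not seen:
        findings.append("app has no grant on this site")
    return findings

# Constructed sample values (placeholders, not taken from the thread).
SITE_ID = "contoso.sharepoint.com,00000000-0000-0000-0000-000000000001,00000000-0000-0000-0000-000000000002"
APP_ID = "11111111-1111-1111-1111-111111111111"
SAMPLE_PERMISSIONS = [
    {"id": "perm-1", "roles": ["read"],
     "grantedToIdentitiesV2": [{"application": {"id": APP_ID, "displayName": "Genesys integration app"}}]},
    {"id": "perm-2", "roles": ["write"],
     "grantedToIdentitiesV2": [{"application": {"id": "22222222-2222-2222-2222-222222222222", "displayName": "Other app"}}]},
]

if __name__ == "__main__":
    print(build_site_grant(SITE_ID, APP_ID, "Genesys integration app"))
    print(audit_site_permissions(SAMPLE_PERMISSIONS, APP_ID))
```

The audit function takes the `value` array returned by `GET /sites/{site-id}/permissions`; an empty result means the application holds only the allowed role on that site.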



  • 4.  RE: Knowledge Fabric: Restricting SharePoint Site Visibility

    Posted yesterday

    Hi Sachin,

    Restricting to site: all: selected will break the connector so the recommendation is site: all: read.

    This reads the sites that the admin setting up the connection has access to and allows read access to those. 

    More info on permissions needed can be found here: https://help.genesys.cloud/faqs/how-can-i-get-the-credentials-needed-for-the-sharepoint-knowledge-connect-integration/

    Amanda



    ------------------------------
    Amanda Halpin
    Principal Product Manager, Knowledge @ Genesys
    ------------------------------



  • 5.  RE: Knowledge Fabric: Restricting SharePoint Site Visibility

    Posted yesterday

    Hi @Amanda Halpin,

    Thank you for your clarification. Based on those details, we are proposing the following approach:

    1. SharePoint: We will create a Service Account with access restricted to a single site (we used this account earlier to send the authorization request to MS).

    2. Genesys: We will create the Service Account and grant this Service Account Admin privileges to configure the Knowledge Fabric integration.

    3. Optimization: Once the setup is complete, we plan to deactivate the account in Genesys to ensure it does not consume a seat license.

    Could you please confirm if you foresee any technical challenges or permission persistence issues with this approach?



    ------------------------------
    SACHIN GUPTA
    Genesys Developer
    ------------------------------



  • 6.  RE: Knowledge Fabric: Restricting SharePoint Site Visibility

    Posted yesterday

    Hi Sachin,

    This would need to be tested as you may come into issues when you want to re-sync the data from the SharePoint site. 

    I believe you're in touch with our Professional Services team so I suggest testing out this plan with them.

    Thanks,

    Amanda



    ------------------------------
    Amanda Halpin
    Principal Product Manager, Knowledge @ Genesys
    ------------------------------