sharepoint: transition to application permissions only

[tripodsan]

for accessing the sharepoint content source, a project can choose to either use a technical user (delegated permissions) or the ser vice principal of the franklin app (application permission). also see: https://www.aem.live/docs/setup-customer-sharepoint

using a technical user has several disadvantages:

• needs extra 365 license
• usually more problematic for IT to provision; also in respect to permission setup, eg when all employees have general read access.
• has lower rate limits that application
• needs re-registration when grant expires (eg after passwort rotation)
• operationally more problematic to manage, due to mfa/password sharing in a team
• IT more reluctant to grant admin consent to a technical user than to an application for a background service

using the application permissions has also some draw backs

• so far, ms only offers sites.selected permissions which grant read/write access to an entire sharepoint site (i.e. no finegrained permissions on folders)
• adding permissions for the app to a site is only possible via a POST request to the msgraph api (no UI)
• cannot be used for personal / onedrive / school accounts.

I propose that we discontinue the support for technical users and only allow the use of application permissions for sharepoint. (for google, we can still allow the users permissions). this would simplify the setup and I think make the IT of the customers more comfortable.

also, the adobe.com team shifting to application permissions only, mainly due to better rate limits.

so far we have:

summary 23.11.2023

• 165 configured connected users
• 54 customers that use their own sharepoint with a user
• 8 customers that use their own sharepoint with application permissions
• 21 adobe projects that use their own user
• 2 adobe projects that use application permission
• 0 projects that use onedrive
• 3 projects that use a personal site in adobe