Sharepoint permission changes - Delegated to Application
If you previously set up Office 365 Word integration using Delegated permissions, the SharePoint site itself may be reachable by your users from the Office 365 online Word interface within the iCasework system, or from other areas of Microsoft SharePoint, because your users are members of the SharePoint group. If you work with confidential or sensitive data, changing from the Delegated access flow to the Application-level flow ensures users can no longer access the SharePoint site directly: only iCasework holds the credential used to reach the SharePoint group.
The instructions below assume you have previously set up Delegated permissions as documented at Office 365 Word Integration - Delegated permission flow.
Changing from delegated permission flow to application permission flow
Log into Microsoft Azure and select your iCW application
Navigate to API Permissions section and remove the current Group.ReadWrite.All permission
Navigate to the Azure Active Directory section, then click Groups. Access the group associated with your SharePoint site and remove all current users
In the API Permissions section of the App registration, click Add a permission. Select Microsoft Graph >> Application permissions, then use "Type to search" to find the permission Sites.Selected. This allows the application to access only a subset of site collections, without a signed-in user. The specific site collections and the permission level granted on each are configured in SharePoint Online (via the Graph request in the steps below), not in Azure.
Once the permission is added, you will need an Azure Admin to click on the "Grant admin consent ..." button, both in App registrations >> [Your App] >> API permissions, and also in Enterprise applications >> [Your App] >> Permissions, where an Enterprise application will have been created as part of the App registration process.
Go to https://developer.microsoft.com/en-us/graph/graph-explorer and sign in using your administrator account.
Create a POST request
POST https://graph.microsoft.com/v1.0/groups/[Group ID]/sites/root/permissions
In the body of the request copy and paste the code below, replacing the text in square brackets.
{
  "roles": [ "write" ],
  "grantedToIdentities": [
    {
      "application": {
        "id": "[Application Client ID]",
        "displayName": "[Permission description]"
      }
    }
  ]
}
You will need to replace:
[Group ID] – Object ID of the Microsoft 365 group associated with the SharePoint site (the group you edited in the Groups step above)
[Application Client ID] – Application (client) ID of your App registration
[Permission description] – a display name for the grant, for example the name of the integration
Click on the Modify permissions tab and open the permission panel. Search for "sites" and consent to the permission Sites.FullControl.All. This consent is for the Graph Explorer application acting as your signed-in administrator, so that the POST is authorised; it does not change the permissions of your iCasework App registration.
Hit run query. You should receive an HTTP 201 Created response - if not, review the error and resolve.
Go back into Microsoft Azure and navigate to the "Certificates and secrets" section of your App registration. Click "New client secret" and set an appropriate expiry date. Note the secret value immediately, as it is shown only once, and supply it to an iCasework analyst through a secure channel (not plain email) so they can configure it into your iCasework system. Record the expiry date so the secret can be rotated before it lapses.
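The following script is an added example, not part of the Civica page and not iCasework's own code. It performs the same Sites.Selected grant as the Graph Explorer steps above, but from a script using only the Python standard library, and then does the check a practitioner would want: it obtains an app-only token with the client-credentials flow (no signed-in user) and reads the site, proving that the application, and not a user, holds the access. The tenant ID, client ID, client secret, group ID and delegated admin token are placeholders you must supply; the permission listing used in the audit helper is constructed sample data; the role set and the display name are this example's own choices.

```python
# Added example (not from the Civica page): grant an app Sites.Selected access to a
# group-connected SharePoint site, audit who else holds access, and verify the grant
# with the client-credentials flow. Standard library only; all IDs below are placeholders.
import json
import urllib.error
import urllib.parse
import urllib.request
import uuid

GRAPH = "https://graph.microsoft.com/v1.0"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
ALLOWED_ROLES = {"read", "write"}  # roles this example will grant; keep to least privilege


def require_guid(value, what):
    """Reject leftover '[placeholders]' and malformed IDs before they reach Graph."""
    try:
        return str(uuid.UUID(value))
    except (ValueError, AttributeError, TypeError):
        raise ValueError(f"{what} must be a GUID, got {value!r}") from None


def grant_url(group_id):
    """POST/GET target: the root site of the Microsoft 365 group behind the SharePoint site."""
    return f"{GRAPH}/groups/{require_guid(group_id, 'group id')}/sites/root/permissions"


def build_grant_body(client_id, display_name, roles=("write",)):
    """Body for the permission grant; mirrors the page's JSON with validated inputs."""
    if not roles or set(roles) - ALLOWED_ROLES:
        raise ValueError(f"roles must be a non-empty subset of {sorted(ALLOWED_ROLES)}")
    return {
        "roles": list(roles),
        "grantedToIdentities": [
            {"application": {"id": require_guid(client_id, "client id"),
                             "displayName": display_name}}
        ],
    }


def graph_call(method, url, token, body=None):
    """Minimal Graph client: returns (status, parsed JSON or None); HTTP errors become statuses."""
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    if data is not None:
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None


def app_token(tenant_id, client_id, client_secret):
    """Client-credentials flow: an app-only token with no signed-in user."""
    form = urllib.parse.urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant_id), data=form, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def summarize_permissions(listing):
    """Flatten a GET .../permissions response into (app id, display name, roles) for an audit."""
    out = []
    for perm in listing.get("value", []):
        idents = perm.get("grantedToIdentitiesV2") or perm.get("grantedToIdentities") or []
        for ident in idents:
            app = ident.get("application")
            if app:
                out.append((app.get("id"), app.get("displayName"), tuple(perm.get("roles", []))))
    return out


if __name__ == "__main__":
    # Replace these; never commit the secret. ADMIN_TOKEN is a delegated token for an
    # administrator (Graph Explorer's "Access token" tab gives one) used only for the grant.
    TENANT_ID, CLIENT_ID, CLIENT_SECRET = "[Tenant ID]", "[Application Client ID]", "[Secret]"
    GROUP_ID, ADMIN_TOKEN = "[Group ID]", "[admin delegated token]"

    status, created = graph_call("POST", grant_url(GROUP_ID), ADMIN_TOKEN,
                                 build_grant_body(CLIENT_ID, "iCasework Word integration"))
    print("grant:", status, created and created.get("id"))  # 201 means the grant was created
    status, listing = graph_call("GET", grant_url(GROUP_ID), ADMIN_TOKEN)
    print("apps with access:", summarize_permissions(listing or {}))  # audit: only expected apps

    token = app_token(TENANT_ID, CLIENT_ID, CLIENT_SECRET)
    status, site = graph_call("GET", f"{GRAPH}/groups/{GROUP_ID}/sites/root", token)
    print("app-only site read:", status, site and site.get("webUrl"))  # 200 means Sites.Selected works
```

The GUID check fails fast if a square-bracket placeholder is left in, which is the most common reason for a 400 from the permissions endpoint. After the grant, the permissions listing is worth keeping as evidence of which applications can reach the site; anything other than the iCasework application there should be explained. A 403 on the final app-only read means either the site grant was not created or admin consent for Sites.Selected was not given in both places described above.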
Civica 2020. All Rights Reserved