Essential SharePoint Permissions for Seamless SyncEzy Integration


Overview

  This document outlines the essential SharePoint site permissions required for SyncEzy integration, along with the reasons for requesting these permissions. It also provides guidance on verifying, assigning permissions, and addressing common queries related to the integration.

Please note: While you can check user permissions using the guidelines below, the recommended approach is to create a dedicated service user credential. This best practice, outlined in this article, only takes a few minutes and enhances security.

SharePoint Permissions and Reasons (User Roles)

| Scope/Permission | Description | Reason for Request |
|---|---|---|
| Full Control (Site Owners) | Grants full control over the SharePoint site, including managing security, web parts, and navigation. | Required to enable full administrative control for integration setup, including configuring the SyncEzy connection and managing sync settings. |
| Edit Permissions (Site Members) | Allows users to add, edit, delete, and share content in SharePoint, including documents, pages, and events. | Necessary for syncing content changes made by team members in SharePoint/Teams Channels back to connected systems such as Procore. This permission ensures that end-user changes trigger and propagate correctly through the integration. |
| Read-Only Access (Site Visitors) | Provides view and download permissions without editing rights. | Not typically required for syncing but can be used for users who need access to verify data syncs without modifying content. |





Steps to Check and Grant Permissions

Check User Permissions

  1. Navigate to the SharePoint site.
  2. Click the Members button on the site homepage.
  3. Review the list of Owners and Members to verify the user’s role and access level.






Grant Permissions to Users

  1. Log in as a Site Owner or Administrator.
  2. Click on the Cog icon (Settings) > Site permissions > Advanced permission settings.
  3. Select the appropriate Group (Owners, Members, or Visitors) based on the user’s role.
  4. Click New > Add Users, then enter the email addresses of the users to be added.
  5. Click Share to save changes.



Technical Considerations for SyncEzy Integration

  • Permissions such as Full Control or Edit are required to enable SyncEzy to mirror user actions between SharePoint and integrated platforms like Procore.
  • After permissions are granted, it may take up to 24 hours for the site to appear in the SyncEzy configuration dropdown because of SharePoint API indexing.


FAQs
What permissions are requested from SharePoint?

You will come across this screen while authenticating the SyncEzy SharePoint integration. The reasons for each of these permissions are given below.


| Permission (Display Text) | Microsoft Graph / SharePoint Permission Name | Type | What This Allows |
|---|---|---|---|
| Sign in and read user profile | User.Read | Delegated | Allows the app to identify the signed-in user and read basic profile info (name, email). Required for authentication only. |
| Edit or Delete items in all site collections | Sites.Read.All | Application | Allows the app to read and discover items and metadata in SharePoint sites. Used to detect all sites so that the sync configuration can be set up. |
| Maintain access to data you have given it access to | offline_access | Delegated | Allows the integration to maintain authentication without forcing re-login. Ensures uninterrupted automatic syncing in the background. |

Please find the detailed information about these permissions:

User.Read
  • Type: Delegated

  • What it allows: Read the signed-in user’s profile (such as name and email).

  • Why it’s required: SyncEzy needs to identify the authenticated user during login and associate that identity with the integration session. It does not grant access to SharePoint content by itself.

Sites.ReadWrite.All

  • Type: Application

  • What it allows: Read and write access across all SharePoint sites the signed-in user can access.

  • Why it’s required: This scope enables SyncEzy to:

    • Discover SharePoint sites and drives,

    • Navigate document libraries,

    • Create folders and upload files,

    • Edit or delete content as needed during synchronization.
      Without this, SyncEzy would not be able to perform two-way sync operations between SharePoint and connected systems.

  • ⚠️ Note: While this permission sounds broad, the actual access is limited by the user’s own SharePoint permissions — SyncEzy can’t access sites, libraries, or files that the user’s account isn’t authorized to see.

offline_access

  • Type: Delegated

  • What it allows: Issuing a refresh token so SyncEzy can stay signed in and continue syncing over time without requiring the user to re-authenticate frequently.

  • Why it’s required: This enables long-running background syncs and ensures a seamless experience for ongoing automation.

Important Context

  1. These permissions are required for two-way sync in SharePoint/OneDrive automated sync integrations.
  2. The integration does not access anything outside the configured project libraries that are connected in the Sync configuration.
  3. Access is limited by your SharePoint sharing/security model: the integration cannot see or modify what the service account itself cannot see. The recommended best practice is to create a new service account user and give it access only to the SharePoint sites that need to be synced.
  4. The one-time step ensures that SyncEzy can access the SharePoint site to configure project integrations and facilitate seamless sync functionality.
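
One way to check the consent actually recorded in the tenant against the three scopes described above and against the dedicated service account recommendation. This is an added example, not SyncEzy's code. It assumes the grants have been exported as Microsoft Graph oauth2PermissionGrant objects and covers delegated grants only (application permissions are recorded separately as app role assignments); all IDs are constructed placeholders.

```python
# Added example: audit delegated consent grants for the integration's app.
# Input objects follow the Microsoft Graph oauth2PermissionGrant shape
# (clientId, consentType, principalId, scope). All IDs below are constructed.

EXPECTED_SCOPES = {"User.Read", "Sites.ReadWrite.All", "offline_access"}


def audit_grants(grants, client_id, service_account_id, expected=EXPECTED_SCOPES):
    """Return a sorted list of findings for grants issued to client_id."""
    findings = []
    for g in grants:
        if g.get("clientId") != client_id:
            continue  # grant belongs to a different application
        scopes = set(g.get("scope", "").split())
        extra = scopes - expected
        if extra:
            findings.append("unexpected scopes: " + ", ".join(sorted(extra)))
        if g.get("consentType") == "AllPrincipals":
            # Tenant-wide consent: the app can act for any user who signs in,
            # so access is no longer bounded by the service account alone.
            findings.append("tenant-wide consent (AllPrincipals)")
        elif g.get("principalId") != service_account_id:
            findings.append("grant for non-service user: " + str(g.get("principalId")))
    return sorted(findings)


# Constructed sample data (placeholder IDs, not real tenant values).
APP = "sp-object-id-of-integration"
SVC = "user-id-of-service-account"
SAMPLE_GRANTS = [
    {"clientId": APP, "consentType": "Principal", "principalId": SVC,
     "scope": "User.Read Sites.ReadWrite.All offline_access"},
    {"clientId": APP, "consentType": "Principal",
     "principalId": "user-id-of-site-owner",
     "scope": "User.Read Sites.ReadWrite.All offline_access Files.ReadWrite.All"},
    {"clientId": APP, "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read"},
    {"clientId": "some-other-app", "consentType": "AllPrincipals",
     "principalId": None, "scope": "Mail.Read"},
]

if __name__ == "__main__":
    for line in audit_grants(SAMPLE_GRANTS, APP, SVC):
        print(line)
```

An empty result means the only consent on record is the service account's, with exactly the documented scopes.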

How Secure Is the Integration?

  • SyncEzy does not have visibility into your SharePoint or Procore accounts. It only mirrors end-user actions triggered on either side of the integration.
  • Delete limits can be enforced by Admin.
  • For SharePoint integrations, SyncEzy doesn't store any of the actual files on SyncEzy servers; only metadata is saved to SyncEzy servers.
  • For any concerns, contact the SyncEzy Tech Specialist team via the 24/5 support icon.