Our security team would like to know more about the recent change to the O365 Update Item Permissions action. Why does it need a tenant admin to provide the authorization?
Earlier the action used to work with SharePoint Admin permissions. In order to stop workflows from failing we have to make this change. Please provide any details you might know.
The connection made to perform the action uses delegate permissions, but in order for the OAuth connection to be made it uses features within Azure app registration. So basically the Tenant Admin is granting the Nintex App the ability to use this API, but within the confines of the app itself. Azure requires tenant admins to accept permission changes to apps, similar to other apps.
Bottom line is, because now the action allows you to set the destination URL, meaning you can connect to other site collections to change permissions, this needs a broader scope for 'tenant wide access'. Really it's asking for access as wide as the account being used to make the connection can reach within SharePoint. It does not have the ability to grant the user making the connection admin rights to read/write anything within the tenant.
How did you work around this?
We've hit this now, after the User Admin connection stopped working. And we don't want to use a 365 Tenant Admin account on changes that could be made manually by anyone with just full list access.