DataMapper: Enterprise application & Creation Process (updated)
Last updated: November 2025
This article explains how to connect DataMapper to your Microsoft 365 environment through Microsoft Entra ID (formerly Azure AD). It covers the Enterprise Application consent process, recommended access permissions, and how to limit access scope for optimal security and compliance.
1. Overview
DataMapper integrates with your organization’s Microsoft 365 services—such as Exchange Online, SharePoint Online, and OneDrive for Business—to enable secure data discovery and classification.
The integration is performed through Microsoft Entra Enterprise Applications. Each integration requires admin consent to allow DataMapper to scan the necessary data sources.
2. Applications Created
During onboarding, your organization will receive only the consent links required for the integrations you’ve selected.
The number of links depends on the services you enable:
- DataMapper core application → 1 consent link
- Outlook Global → 1 consent link
- SharePoint Global → 1 consent link
- Other connectors (such as OneDrive or additional data locations) → 1 link per integration
Each consent link corresponds to a single Enterprise Application that will be created in your Microsoft Entra tenant after consent is granted.
This flexible model ensures that only the necessary applications are deployed—nothing more—supporting a least-privilege and minimal-exposure approach.
3. Consent Process
A Global Administrator receives an email containing the required consent links for your organization’s chosen integrations.
For each link:
- Sign in using a work or school account with Global Administrator privileges.
- Review the requested permissions carefully.
- Click Accept to grant consent.
Repeat this process for each link received.
Once completed, Microsoft Entra ID automatically creates the corresponding Enterprise Applications in your tenant.
4. Access Requirements and Best Practices
4.1 Minimize Application Permissions
DataMapper follows the principle of least privilege. Only the minimal permissions required for scanning should be granted.
- Avoid full organization-wide “read/write” or “all access” scopes.
- Use delegated permissions whenever possible rather than app-only or tenant-wide permissions.
- Admin consent, granted by a Global Administrator, is required to create the applications in your tenant, but the operational permissions can and should remain limited to the narrowest possible scope.
4.2 Read Access Is Sufficient for Scanning
For scanning and data discovery, DataMapper only needs read access.
- Write, modify, or delete permissions are not required.
- Examples of read-only permissions:
- Exchange Online → Mail.Read or Mail.ReadBasic
- SharePoint / OneDrive → Files.Read.All (note that Files.Read.All granted as an application permission covers every site in the tenant; section 5 shows how to use Sites.Selected instead to restrict access to approved sites)
Restricting permissions to read-only ensures that DataMapper can identify and classify information without modifying any content.
4.3 Delegated Access Best Practice
Wherever possible, configure DataMapper to use delegated access rather than broad “application-level” access.
Delegated access:
- Operates on behalf of individual users who have authorized it.
- Limits the scope of access to what those users can already see.
- Provides clear audit trails for accountability.
- Reduces risk if a token or account is ever compromised.
If a specific process requires app-only permissions (for example, global data scans), the reason should be documented and reviewed by your internal security or compliance team.
5. Limiting Application Access in Microsoft Entra ID
Microsoft provides several built-in methods to restrict the scope of what connected applications can access. Administrators are encouraged to apply these controls to further strengthen security.
The controls in this section ensure that DataMapper only scans explicitly approved mailboxes, sites, and OneDrive accounts. It shows how to configure:
- 5.1 SharePoint Online – “Sites.Selected” (site-scoped access)
- 5.2 OneDrive for Business – “Sites.Selected” (user/drive-scoped access)
- 5.3 Exchange Online – Role Based Access Control (RBAC) for Applications or Application Access Policy (mailbox-scoped access)
🟢 Principle of least privilege
- Grant read-only permissions only.
- Use Selected scopes for SharePoint/OneDrive.
- Use Exchange RBAC for Applications or Application Access Policies to scope mailbox access.
5.1 SharePoint Online — Restrict with Sites.Selected
Step 1 – Assign Sites.Selected Permission
In App Registration → API Permissions:
- Add: Microsoft Graph → Application → Sites.Selected
- Grant admin consent
Step 2 – Get SharePoint Site ID
```http
GET https://graph.microsoft.com/v1.0/sites/{tenant}.sharepoint.com:/sites/{sitename}
```
Copy the "id" field; it is a composite value of the form hostname,siteCollectionId,siteId and is used as {site-id} in the next step.
Step 3 – Grant Site Access to DataMapper
```http
POST https://graph.microsoft.com/v1.0/sites/{site-id}/permissions
Content-Type: application/json

{
  "roles": ["read"],
  "grantedToIdentities": [
    { "application": { "id": "<DATAMAPPER_APP_ID>", "displayName": "DataMapper" } }
  ]
}
```
Make this call with a separate administrative identity that holds Sites.FullControl.All (Microsoft's documented route is an app-only call; PnP PowerShell's Grant-PnPAzureADAppSitePermission run by a site collection administrator is the usual interactive alternative), not with the DataMapper application itself: an application that holds only Sites.Selected cannot grant itself access to a site.
✅ Repeat only for sites you approve
✅ All other SharePoint sites remain blocked
Links:
- Overview of Selected permissions in OneDrive and SharePoint
- Managing SharePoint sites with the Sites.Selected permission
5.2 OneDrive for Business — Restrict with Sites.Selected
Each OneDrive is a personal SharePoint site.
Step 1 – Resolve OneDrive Site
```http
GET https://graph.microsoft.com/v1.0/users/{user@domain.com}/drive
```
Use the returned sharePointIds.siteId as the {site-id} in the next step (the composite form hostname,siteId,webId, with the hostname taken from sharePointIds.siteUrl, is also accepted and matches the format returned for team sites).
Step 2 – Grant Access
```http
POST https://graph.microsoft.com/v1.0/sites/{site-id}/permissions
Content-Type: application/json

{
  "roles": ["read"],
  "grantedToIdentities": [
    { "application": { "id": "<DATAMAPPER_APP_ID>", "displayName": "DataMapper" } }
  ]
}
```
As in 5.1, the call must be made by an administrative identity holding Sites.FullControl.All, not by DataMapper itself.
✅ Now only approved OneDrive accounts can be scanned.
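The following script is an added example for sections 5.1 and 5.2 (it is not Safe Online's or DataMapper's own code). It resolves an approved list of SharePoint sites and OneDrive accounts to site IDs, grants the DataMapper application the read role only where it is not already granted (a second POST would create a duplicate permission entry), and then verifies that every approved location lists DataMapper with nothing broader than read. It assumes the Microsoft.Graph PowerShell module, and that $AdminAppId / $Thumbprint identify a separate, admin-only app registration holding the Sites.FullControl.All application permission; the tenant name, site paths and user names are placeholders.

```powershell
# Added example, not DataMapper's code. Idempotent, read-only Sites.Selected grants
# for approved SharePoint sites and OneDrive accounts, followed by verification.
# Assumptions: Microsoft.Graph module installed; $AdminAppId/$Thumbprint are an
# admin-only app with Sites.FullControl.All (needed to create site permissions;
# DataMapper's own Sites.Selected grant cannot authorise itself); names are examples.

Import-Module Microsoft.Graph.Authentication

$DataMapperAppId = "<DATAMAPPER_APP_ID>"      # Application (client) ID of the DataMapper app
$TenantId        = "<TENANT_ID>"              # assumption
$AdminAppId      = "<ADMIN_APP_ID>"           # assumption: admin app with Sites.FullControl.All
$Thumbprint      = "<CERT_THUMBPRINT>"        # assumption: certificate credential of that app
$TenantName      = "contoso"                  # assumption: contoso.sharepoint.com
$ApprovedSites   = @("/sites/legal", "/sites/compliance")   # example site paths
$ApprovedUsers   = @("alice@contoso.com")                   # example OneDrive owners

Connect-MgGraph -ClientId $AdminAppId -TenantId $TenantId -CertificateThumbprint $Thumbprint -NoWelcome
$Graph = "https://graph.microsoft.com/v1.0"

function Get-SiteIdByPath {
    # Section 5.1: resolve "/sites/<name>" to the composite ID hostname,siteCollectionId,siteId.
    param([string]$Path)
    (Invoke-MgGraphRequest -Method GET -Uri "$Graph/sites/${TenantName}.sharepoint.com:${Path}").id
}

function Get-OneDriveSiteId {
    # Section 5.2: a OneDrive is a personal site; build its composite ID from the drive's sharePointIds.
    param([string]$Upn)
    $sp = (Invoke-MgGraphRequest -Method GET -Uri "$Graph/users/$Upn/drive").sharePointIds
    $hostname = ([uri]$sp.siteUrl).Host
    "$hostname,$($sp.siteId),$($sp.webId)"
}

function Get-DataMapperRoles {
    # Returns every role that existing permissions on the site grant to the DataMapper app (empty if none).
    param([string]$SiteId)
    $roles = @()
    $perms = Invoke-MgGraphRequest -Method GET -Uri "$Graph/sites/$SiteId/permissions"
    foreach ($p in $perms.value) {
        # Newer responses carry grantedToIdentitiesV2, older ones grantedToIdentities; check both.
        foreach ($g in @($p.grantedToIdentitiesV2) + @($p.grantedToIdentities)) {
            if ($null -ne $g -and $g.application -and $g.application.id -eq $DataMapperAppId) { $roles += $p.roles }
        }
    }
    return $roles
}

function Grant-DataMapperRead {
    # Idempotent grant: skip sites where DataMapper already holds a permission.
    param([string]$SiteId, [string]$Label)
    if (@(Get-DataMapperRoles -SiteId $SiteId).Count -gt 0) { Write-Host "skip   $Label (already granted)"; return }
    $body = @{
        roles               = @("read")   # read-only; never write, manage or fullcontrol
        grantedToIdentities = @(@{ application = @{ id = $DataMapperAppId; displayName = "DataMapper" } })
    }
    Invoke-MgGraphRequest -Method POST -Uri "$Graph/sites/$SiteId/permissions" -Body $body | Out-Null
    Write-Host "grant  $Label (read)"
}

$targets = @()
foreach ($path in $ApprovedSites) { $targets += [pscustomobject]@{ Label = "site $path";     SiteId = (Get-SiteIdByPath -Path $path) } }
foreach ($upn  in $ApprovedUsers) { $targets += [pscustomobject]@{ Label = "OneDrive $upn"; SiteId = (Get-OneDriveSiteId -Upn $upn) } }

foreach ($t in $targets) { Grant-DataMapperRead -SiteId $t.SiteId -Label $t.Label }

# Verification: each approved location must list DataMapper with the "read" role and nothing else.
foreach ($t in $targets) {
    $roles = @(Get-DataMapperRoles -SiteId $t.SiteId)
    $state = if ($roles.Count -eq 0) { "MISSING" }
             elseif (@($roles | Where-Object { $_ -ne "read" }).Count -gt 0) { "TOO BROAD: $($roles -join ',')" }
             else { "OK (read)" }
    Write-Host ("verify {0}: {1}" -f $t.Label, $state)
}
```

Sites that are not in $ApprovedSites or $ApprovedUsers are never touched, so they stay blocked; a TOO BROAD result means someone granted DataMapper write, manage or fullcontrol on that site, which should be removed with DELETE /sites/{site-id}/permissions/{permission-id}.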
5.3 Exchange Online — Mailbox-Level Access Control
You have two supported models:
✅ 5.3.A (Recommended) – Exchange RBAC for Applications
This is Microsoft’s modern security model.
Step 1 – Connect to Exchange Online
```powershell
Install-Module ExchangeOnlineManagement
Connect-ExchangeOnline
```
Step 2 – Create a Management Scope
The scope is an OPATH recipient filter; every mailbox it matches becomes readable by the application, so keep the filter as narrow as the scan requires.
```powershell
New-ManagementScope `
  -Name "DataMapperScope" `
  -RecipientRestrictionFilter "Department -eq 'Compliance'"
```
Step 3 – Assign the Application Mail.Read Role
Before the role can be assigned, the DataMapper Enterprise Application must be registered with Exchange Online using New-ServicePrincipal, which takes the Application ID together with the Object ID shown on the Enterprise Application page (not the Object ID of the App Registration). Then:
```powershell
New-ManagementRoleAssignment `
  -App "<DATAMAPPER_APP_ID>" `
  -Role "Application Mail.Read" `
  -CustomResourceScope "DataMapperScope"
```
✅ Only mailboxes in this scope can now be scanned
✅ All others are blocked by Exchange itself; confirm with Test-ServicePrincipalAuthorization, which reports InScope True or False for a given mailbox
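The following script is an added example for section 5.3.A (it is not Safe Online's or DataMapper's own code). It runs the RBAC for Applications setup end to end: registering the Enterprise Application with Exchange, previewing which recipients the scope filter will match before the scope exists, assigning the read-only Application Mail.Read role with that scope only if it is not already assigned, and then checking from Exchange's side that an in-scope mailbox reports InScope True and an out-of-scope mailbox reports False. It assumes the ExchangeOnlineManagement module (v3 or later), that <DATAMAPPER_SP_OBJECT_ID> is the Object ID of the Enterprise Application (service principal), and that the department filter and the two test mailboxes are placeholders.

```powershell
# Added example, not DataMapper's code. Exchange RBAC for Applications end to end,
# with a scope preview and an in-scope / out-of-scope verification.
# Assumptions: ExchangeOnlineManagement v3+; <DATAMAPPER_SP_OBJECT_ID> is the
# Enterprise Application's Object ID (not the App Registration's); filter and
# mailboxes below are examples.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$AppId      = "<DATAMAPPER_APP_ID>"
$SpObjectId = "<DATAMAPPER_SP_OBJECT_ID>"
$ScopeName  = "DataMapperScope"
$RoleName   = "Application Mail.Read"              # read-only application role
$Filter     = "Department -eq 'Compliance'"        # OPATH recipient filter (example)
$InScope    = "compliance.user@contoso.com"        # example mailbox matching the filter
$OutOfScope = "sales.user@contoso.com"             # example mailbox outside the filter

# 1. Exchange only evaluates RBAC for service principals that have been registered with it.
if (-not (Get-ServicePrincipal -Identity $AppId -ErrorAction SilentlyContinue)) {
    New-ServicePrincipal -AppId $AppId -ObjectId $SpObjectId -DisplayName "DataMapper" | Out-Null
}

# 2. Preview the recipients the filter matches BEFORE creating the scope: an overly
#    broad filter silently widens what the application can read.
$preview = @(Get-Recipient -RecipientPreviewFilter $Filter -ResultSize Unlimited)
Write-Host ("Scope '{0}' will cover {1} recipient(s):" -f $ScopeName, $preview.Count)
$preview | ForEach-Object { Write-Host ("  " + $_.PrimarySmtpAddress) }

# 3. Create the management scope if it does not exist yet.
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $Filter | Out-Null
}

# 4. Bind the read-only role to the app, restricted to that scope (skip if already assigned).
$assigned = @(Test-ServicePrincipalAuthorization -Identity $AppId | Where-Object { $_.RoleName -eq $RoleName })
if ($assigned.Count -eq 0) {
    New-ManagementRoleAssignment -App $AppId -Role $RoleName -CustomResourceScope $ScopeName | Out-Null
    Write-Host "Assigned '$RoleName' to $AppId with scope '$ScopeName' (allow a few minutes to propagate)"
}

# 5. Verify from Exchange's point of view before DataMapper starts scanning:
#    InScope must be True for the compliance mailbox and False for the sales mailbox.
foreach ($mbx in @($InScope, $OutOfScope)) {
    foreach ($r in Test-ServicePrincipalAuthorization -Identity $AppId -Resource $mbx) {
        Write-Host ("{0,-32} role={1,-24} inScope={2}" -f $mbx, $r.RoleName, $r.InScope)
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

If the preview in step 2 lists mailboxes you did not expect (for example because the Department attribute is unset or inconsistently populated), tighten the filter before creating the scope; a MemberOfGroup filter against a dedicated group is often easier to govern than a free-text attribute.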
✅ 5.3.B (Legacy Option) – Application Access Policy (Still Supported)
Step 1 – Create a Mail-Enabled Security Group
Application Access Policies are scoped with a mail-enabled security group, distribution group or Microsoft 365 group. New-DistributionGroup creates a plain distribution group unless -Type Security is specified:
```powershell
New-DistributionGroup -Name "DataMapperMailboxes" -Type Security
```
Add the allowed users as members of this group (Add-DistributionGroupMember).
Step 2 – Create the Policy
```powershell
New-ApplicationAccessPolicy `
  -AppId "<DATAMAPPER_APP_ID>" `
  -PolicyScopeGroupId "DataMapperMailboxes@yourdomain.com" `
  -AccessRight RestrictAccess
```
Step 3 – Test
```powershell
Test-ApplicationAccessPolicy `
  -Identity user@domain.com `
  -AppId "<DATAMAPPER_APP_ID>"
```
The AccessCheckResult field shows Granted for group members and Denied for everyone else. A new or changed policy can take up to 30 minutes to take effect, so test both a member and a non-member after that window.
✅ Final Security Summary
| Area | Control |
|---|---|
| Authentication | OAuth 2.0 + Client Secret |
| Exchange | RBAC for Applications / Application Access Policy |
| SharePoint | Sites.Selected |
| OneDrive | Sites.Selected |
| Permissions | Read-only only |
| Default Scope | Zero-access until approved |
| Auditability | Entra ID sign-in and audit logs (including service principal sign-ins) |
6. Verification
After all required consents have been granted:
- Open Microsoft Entra Admin Center → Enterprise Applications → All Applications.
- Search for “DataMapper” and any connector applications you authorized.
- Confirm that all appear and are enabled for users.
- Once verified, your DataMapper environment will complete provisioning and begin scanning the approved resources.
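The following script is an added example for the verification in section 6 and the periodic review recommended in section 7 (it is not Safe Online's or DataMapper's own code). It lists every Enterprise Application whose display name starts with "DataMapper", translates the Microsoft Graph application permissions granted to it from role GUIDs into names such as Mail.Read or Sites.Selected, lists its delegated permission grants, and flags anything outside a read-only allow list. It assumes the Microsoft.Graph PowerShell module and a signed-in reviewer with Application.Read.All and Directory.Read.All; the allow list is an example to adjust to the permissions your own consent links requested.

```powershell
# Added example, not DataMapper's code. Review the DataMapper Enterprise Applications
# and flag any permission that is not read-only.
# Assumptions: Microsoft.Graph module; reviewer holds Application.Read.All and
# Directory.Read.All; $ReadOnlyAllowList is an example, adjust to your consent links.

Import-Module Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -NoWelcome

$ReadOnlyAllowList = @("Mail.Read", "Mail.ReadBasic", "Mail.ReadBasic.All", "Sites.Selected",
                       "Files.Read.All", "User.Read", "User.Read.All")
$GraphAppId = "00000003-0000-0000-c000-000000000000"   # well-known Microsoft Graph application ID

# Microsoft Graph's own service principal carries the catalogue of application permissions
# (appRoles), which lets us map the GUIDs on role assignments back to readable names.
$graphSp   = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
$roleNames = @{}
foreach ($r in $graphSp.AppRoles) { $roleNames[[string]$r.Id] = $r.Value }

$findings = @()
foreach ($sp in Get-MgServicePrincipal -Filter "startswith(displayName,'DataMapper')" -All) {
    Write-Host ("`n{0}  appId={1}  enabled={2}" -f $sp.DisplayName, $sp.AppId, $sp.AccountEnabled)

    # Application (app-only) permissions granted through admin consent
    foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
        $name = if ($a.ResourceId -eq $graphSp.Id -and $roleNames.ContainsKey([string]$a.AppRoleId)) {
                    $roleNames[[string]$a.AppRoleId] } else { [string]$a.AppRoleId }
        $flag = if ($ReadOnlyAllowList -contains $name) { "" } else { "  <-- NOT in read-only allow list" }
        Write-Host ("  application  {0,-28} on {1}{2}" -f $name, $a.ResourceDisplayName, $flag)
        if ($flag) { $findings += "$($sp.DisplayName): application $name" }
    }

    # Delegated permissions (scopes) and whether consent was tenant-wide (AllPrincipals) or per user
    foreach ($g in Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All) {
        foreach ($scope in ($g.Scope -split ' ' | Where-Object { $_ })) {
            $flag = if ($ReadOnlyAllowList -contains $scope) { "" } else { "  <-- NOT in read-only allow list" }
            Write-Host ("  delegated    {0,-28} consent={1}{2}" -f $scope, $g.ConsentType, $flag)
            if ($flag) { $findings += "$($sp.DisplayName): delegated $scope" }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host "`nReview result: all DataMapper permissions are within the read-only allow list."
} else {
    Write-Warning ("Review result: {0} permission(s) need attention:`n  {1}" -f $findings.Count, ($findings -join "`n  "))
}
```

Run it right after consent to confirm the applications exist and hold only what the consent links requested, and again on a schedule; an application that no longer appears in the output has been removed, and a connector you no longer use should be deleted from Enterprise Applications rather than left consented.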
7. Security and Privacy Notes
- DataMapper never stores or transmits user credentials.
- The integration uses Microsoft’s secure OAuth 2.0 consent framework.
- All permissions can be revoked at any time in Enterprise Applications within your tenant.
- Safe Online recommends reviewing granted permissions periodically and removing any unused connectors.
8. Summary
| Step | Description | Security Focus |
|---|---|---|
| 1 | Receive only the consent links for required integrations | Reduces unnecessary exposure |
| 2 | Global Admin grants consent | Review each permission carefully |
| 3 | Configure delegated, read-only access | Prevents write or modification rights |
| 4 | Apply Sites.Selected and Exchange RBAC / Application Access Policy controls | Limits scope to approved users and sites |
| 5 | Verify applications in Entra ID | Ensure correct setup and auditing |
9. Key Takeaways
- Only necessary applications are created, based on selected integrations.
- Use delegated, read-only access wherever possible.
- Limit access scope using Sites.Selected (SharePoint & OneDrive) and RBAC for Applications or Application Access Policies (Exchange).
- Follow least-privilege principles for all configurations.
- Review and audit Enterprise Applications regularly to maintain security and compliance.
Questions? Please reach out to our Customer Success team if you have any questions about this article or about adding DataMapper as an Enterprise Application in Microsoft Entra ID.
Write us at support@safeonline.dk