DataMapper: Enterprise application & Creation Process (updated)
Last updated: November 2025
This article explains how to connect DataMapper to your Microsoft 365 environment through Microsoft Entra ID (formerly Azure AD). It covers the Enterprise Application consent process, recommended access permissions, and how to limit access scope for optimal security and compliance.
1. Overview
DataMapper integrates with your organization’s Microsoft 365 services—such as Exchange Online, SharePoint Online, and OneDrive for Business—to enable secure data discovery and classification.
The integration is performed through Microsoft Entra Enterprise Applications. Each integration requires admin consent to allow DataMapper to scan the necessary data sources.
2. Applications Created
During onboarding, your organization will receive only the consent links required for the integrations you’ve selected.
The number of links depends on the services you enable:
- DataMapper core application → 1 consent link
- Outlook Global → 1 consent link
- SharePoint Global → 1 consent link
- Other connectors (such as OneDrive or additional data locations) → 1 link per integration
Each consent link corresponds to a single Enterprise Application that will be created in your Microsoft Entra tenant after consent is granted.
This flexible model ensures that only the necessary applications are deployed—nothing more—supporting a least-privilege and minimal-exposure approach.
3. Consent Process
A Global Administrator receives an email containing the required consent links for your organization’s chosen integrations.
For each link:
- Sign in using a work or school account with Global Administrator privileges.
- Review the requested permissions carefully.
- Click Accept to grant consent.
Repeat this process for each link received.
Once completed, Microsoft Entra ID automatically creates the corresponding Enterprise Applications in your tenant.
4. Access Requirements and Best Practices
4.1 Minimize Application Permissions
DataMapper follows the principle of least privilege. Only the minimal permissions required for scanning should be granted.
- Avoid full organization-wide “read/write” or “all access” scopes.
- Use delegated permissions whenever possible rather than app-only or tenant-wide permissions.
- Global Admin consent is required to register applications, but the operational permissions can and should remain limited to the narrowest possible scope.
4.2 Read Access Is Sufficient for Scanning
For scanning and data discovery, DataMapper only needs read access.
- Write, modify, or delete permissions are not required.
- Examples:
- Exchange Online → Mail.Read or Mail.ReadBasic (Mail.ReadBasic exposes message headers and metadata but not bodies or attachments, so it is only sufficient when the scan does not need message content)
- SharePoint / OneDrive → Files.Read.All (or Sites.Selected with per-site read grants; see section 5)
Restricting permissions to read-only ensures that DataMapper can identify and classify information without modifying any content.
4.3 Delegated Access Best Practice
Wherever possible, configure DataMapper to use delegated access rather than broad “application-level” access.
Delegated access:
- Operates on behalf of individual users who have authorized it.
- Limits the scope of access to what those users can already see.
- Provides clear audit trails for accountability.
- Reduces risk if a token or account is ever compromised.
If a specific process requires app-only permissions (for example, global data scans), the reason should be documented and reviewed by your internal security or compliance team.
5. Limiting Application Access in Microsoft Entra ID
Microsoft provides several built-in methods to restrict the scope of what connected applications can access. Administrators are encouraged to apply these controls to further strengthen security.
5.1 SharePoint Online — “Sites Selected”
Grant the DataMapper application the Sites.Selected Microsoft Graph permission instead of a tenant-wide scope such as Files.Read.All or Sites.Read.All. On its own, Sites.Selected gives the application access to no sites at all; a SharePoint administrator then grants read permission on each site the application may scan (through the Microsoft Graph site permissions API or PnP PowerShell, not through a tenant-wide toggle).
This lets you explicitly define which SharePoint sites the application can scan, rather than granting tenant-wide access.
5.2 OneDrive for Business — “Sites Selected”
Each user’s OneDrive is a personal SharePoint site, so the same Sites.Selected grant applies: add the personal site of each approved user (or the site of an approved document library) to limit scanning to those OneDrive accounts only.
5.3 Exchange Online — “Application-Based Access Control (ABAC)”
Exchange Online implements this control as Application Access Policies: an administrator binds the application ID to a mail-enabled security group with the RestrictAccess access right, after which the application can read only the mailboxes of that group’s members even though it holds the tenant-wide Mail.Read permission. Tenants that have it available can use the newer RBAC for Applications model, which scopes the application’s role assignment to an administrative unit, with the same effect.
Either way, this provides mailbox-level control over which users’ data can be accessed by DataMapper.
💡 Tip: Application Access Policies apply only to application (app-only) permissions, and Sites.Selected is mainly used for them as well; delegated access is already bounded by what the signed-in user can see. The per-site and per-mailbox scope is configured through Microsoft Graph or PowerShell (Microsoft Graph PowerShell or PnP PowerShell for SharePoint and OneDrive, Exchange Online PowerShell for Exchange); the Microsoft Entra Admin Center shows only the consented permission, not this narrower scope. Together these controls give precise control over which data locations DataMapper can interact with, in line with organizational security and compliance policies.
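As an added example (not Safe Online’s or DataMapper’s own scripts), the following PowerShell applies the three restrictions described above: per-site read grants for an application consented with Sites.Selected (SharePoint team site and one user’s OneDrive) using the Microsoft Graph PowerShell SDK, and an Exchange Online Application Access Policy using the ExchangeOnlineManagement module. The application (client) ID, the contoso tenant name, the site paths, the user addresses and the DataMapper-Scan-Scope group are placeholders to replace with your own values; the Exchange part assumes that mail-enabled security group already exists.

```powershell
# Added example, not DataMapper's own tooling.
# Placeholders (assumptions): $appId, the contoso tenant, site paths, mailbox addresses, group name.
# Requires the Microsoft.Graph (Sites) and ExchangeOnlineManagement modules.

$appId   = '00000000-0000-0000-0000-000000000000'   # DataMapper application (client) ID from Entra
$appName = 'DataMapper'

# --- SharePoint Online / OneDrive: per-site grants for an app consented with Sites.Selected ---
# Sites.Selected alone grants access to nothing; each site the app may read must be granted explicitly.
# Granting site permissions requires the delegated Sites.FullControl.All scope for the admin doing it.
Connect-MgGraph -Scopes 'Sites.FullControl.All' -NoWelcome

$sitesToScan = @(
    'contoso.sharepoint.com:/sites/Finance',                  # a team site
    'contoso-my.sharepoint.com:/personal/alice_contoso_com'   # one user's OneDrive (also a SharePoint site)
)

foreach ($sitePath in $sitesToScan) {
    $site = Get-MgSite -SiteId $sitePath
    # Roles: 'read' only. A scanner never needs 'write' or 'owner'.
    $grant = New-MgSitePermission -SiteId $site.Id -Roles @('read') -GrantedToIdentities @(
        @{ application = @{ id = $appId; displayName = $appName } }
    )
    '{0}: granted {1} to {2}' -f $site.WebUrl, ($grant.Roles -join ','), $appName
}

# Verify what the app holds on the first site: only the permission entries granted to this app ID.
$firstSite = Get-MgSite -SiteId $sitesToScan[0]
Get-MgSitePermission -SiteId $firstSite.Id |
    Where-Object { $_.GrantedToIdentities.Application.Id -eq $appId } |
    Select-Object Id, Roles

# --- Exchange Online: limit app-only mail access to the mailboxes of one security group ---
Connect-ExchangeOnline -ShowBanner:$false

New-ApplicationAccessPolicy -AppId $appId `
    -PolicyScopeGroupId 'DataMapper-Scan-Scope@contoso.com' `
    -AccessRight RestrictAccess `
    -Description 'DataMapper may read only mailboxes that are members of the scan-scope group'

# Check one mailbox inside the group and one outside it. The policy can take up to 30 minutes to apply.
Test-ApplicationAccessPolicy -Identity 'alice@contoso.com' -AppId $appId
Test-ApplicationAccessPolicy -Identity 'bob@contoso.com'   -AppId $appId

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

Test-ApplicationAccessPolicy reports an AccessCheckResult of Granted or Denied per mailbox, which is the evidence to keep with the documented justification from 4.3. If the tenant has RBAC for Applications, the equivalent is a management role assignment for the app scoped to an administrative unit instead of the group-based policy; the site grants are unchanged.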
6. Verification
After all required consents have been granted:
- Open Microsoft Entra Admin Center → Enterprise Applications → All Applications.
- Search for “DataMapper” and any connector applications you authorized.
- Confirm that all appear and are enabled for users to sign in.
- Open each application’s Permissions page and confirm that only the expected read permissions are listed (see 4.2) and that admin consent is shown as granted for each.
Once verified, your DataMapper environment will complete provisioning and begin scanning the approved resources.
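The same verification, and the periodic permission review recommended in section 7, can be scripted. The following is an added example (not DataMapper’s or Safe Online’s own code) using the Microsoft Graph PowerShell SDK: it finds every enterprise application whose display name starts with “DataMapper”, lists the delegated grants and app-only role assignments each one holds, and flags anything that is not on a read-only allow-list. The display-name prefix and the allow-list are assumptions; extend the list to the scopes your organization actually approved.

```powershell
# Added example, not DataMapper's own tooling. Assumes the Microsoft.Graph PowerShell SDK and an
# account allowed to read applications and consent grants. The 'DataMapper' name prefix and the
# read-only allow-list below are assumptions; adjust them to what you approved during consent.

function Get-DataMapperPermissionReport {
    param(
        [string]$DisplayNamePrefix = 'DataMapper',
        [string[]]$ReadOnlyAllowList = @('Mail.Read', 'Mail.ReadBasic', 'Files.Read.All',
                                         'Sites.Selected', 'User.Read', 'openid', 'profile', 'offline_access')
    )

    $apps = Get-MgServicePrincipal -Filter "startswith(displayName,'$DisplayNamePrefix')" -All
    if (-not $apps) {
        Write-Warning "No enterprise application starts with '$DisplayNamePrefix'; consent may not have completed."
        return
    }

    foreach ($sp in $apps) {
        # Delegated permissions live in oauth2PermissionGrants; Scope is a space-separated list.
        Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All | ForEach-Object {
            $grant    = $_
            $resource = Get-MgServicePrincipal -ServicePrincipalId $grant.ResourceId
            foreach ($scope in ($grant.Scope -split '\s+' | Where-Object { $_ })) {
                [pscustomobject]@{
                    Application = $sp.DisplayName
                    Enabled     = $sp.AccountEnabled
                    Type        = 'Delegated'
                    Resource    = $resource.DisplayName
                    Permission  = $scope
                    Consent     = $grant.ConsentType      # AllPrincipals = admin consent, Principal = one user
                    ReadOnly    = ($scope -in $ReadOnlyAllowList)
                }
            }
        }

        # Application (app-only) permissions are appRoleAssignments; resolve the role id to its name.
        Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All | ForEach-Object {
            $assignment = $_
            $resource   = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
            $role       = $resource.AppRoles | Where-Object Id -eq $assignment.AppRoleId
            [pscustomobject]@{
                Application = $sp.DisplayName
                Enabled     = $sp.AccountEnabled
                Type        = 'Application'
                Resource    = $resource.DisplayName
                Permission  = $role.Value
                Consent     = 'AllPrincipals'             # app roles are always tenant-wide
                ReadOnly    = ($role.Value -in $ReadOnlyAllowList)
            }
        }
    }
}

Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.Read.All' -NoWelcome

$report = Get-DataMapperPermissionReport
$report | Format-Table Application, Enabled, Type, Resource, Permission, Consent, ReadOnly -AutoSize

# Anything off the read-only allow-list needs the documented justification from 4.3, or removal.
$report | Where-Object { -not $_.ReadOnly } | Format-Table Application, Type, Permission -AutoSize

Disconnect-MgGraph | Out-Null
```

Run this after onboarding and again on the review schedule from section 7. To revoke, remove the individual grant (Remove-MgOauth2PermissionGrant or Remove-MgServicePrincipalAppRoleAssignment) or delete the enterprise application with Remove-MgServicePrincipal; either way, access tokens already issued remain valid until they expire, so revocation is not instantaneous.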
7. Security and Privacy Notes
- DataMapper never stores or transmits user credentials.
- The integration uses Microsoft’s secure OAuth 2.0 consent framework.
- All permissions can be revoked at any time in Enterprise Applications within your tenant.
- Safe Online recommends reviewing granted permissions periodically and removing any unused connectors.
8. Summary
| Step | Description | Security Focus |
|---|---|---|
| 1 | Receive only the consent links for required integrations | Reduces unnecessary exposure |
| 2 | Global Admin grants consent | Review each permission carefully |
| 3 | Configure delegated, read-only access | Prevents write or modification rights |
| 4 | Apply Sites Selected / ABAC controls | Limits scope to approved users and sites |
| 5 | Verify applications in Entra ID | Ensure correct setup and auditing |
9. Key Takeaways
- Only necessary applications are created, based on selected integrations.
- Use delegated, read-only access wherever possible.
- Limit access scope using Sites Selected (SharePoint & OneDrive) and ABAC (Exchange).
- Follow least-privilege principles for all configurations.
- Review and audit Enterprise Applications regularly to maintain security and compliance.
Questions? Please reach out to our Customer Success team if you have any questions about the article above on adding DataMapper as an Enterprise Application in Microsoft Entra ID (Azure).
Write us at support@safeonline.dk