DataMapper: Enterprise application guide with links to learn more


5. Restricting DataMapper Access with Microsoft 365 Security Controls

DataMapper supports Microsoft 365’s granular access controls so that administrators can strictly limit which sites, OneDrive accounts, and mailboxes the application can read.


This section shows how to configure:

  • 5.1 SharePoint Online – “Sites.Selected” (site-scoped access)
  • 5.2 OneDrive for Business – “Sites.Selected” (user/drive-scoped access)
  • 5.3 Exchange Online – “Application-Based Access Control” (mailbox-scoped access via RBAC or Application Access Policy)

🟢 Principle of least privilege


5.1 SharePoint Online — Restrict Access with Sites.Selected

By default, app permissions like Sites.Read.All give tenant-wide access to all SharePoint sites. To avoid that, Microsoft provides Selected scopes such as Sites.Selected, which require you to explicitly grant access to each site. The app then has no access to any site unless you grant it.


5.1.1 Prerequisites

  • Azure AD / Entra ID application already registered for DataMapper
  • Global Administrator or Application Administrator permissions
  • SharePoint Administrator permissions
  • The Application (client) ID of the DataMapper app (Entra ID → App registrations → your DataMapper app → Application (client) ID)

5.1.2 Step 1 – Grant Sites.Selected in Entra ID

  1. Go to Microsoft Entra admin center → Applications → App registrations.
  2. Select your DataMapper app.
  3. Go to API permissions → Add a permission → Microsoft Graph → Application permissions.

    Search for and select:

    • Sites.Selected
  4. Click Add permissions.
  5. Click Grant admin consent for your tenant.

✅ At this point, DataMapper has no SharePoint site access. You must grant access per site in the next step. 



5.1.3 Step 2 – Get the SharePoint Site ID

You need the Site ID for each SharePoint site you want DataMapper to scan.

Option A – Using Graph Explorer / HTTP

  1. Go to Graph Explorer or your preferred HTTP client.
  2. Call:

     GET https://graph.microsoft.com/v1.0/sites/{your-tenant-name}.sharepoint.com:/sites/{site-name}

     Example:

     GET https://graph.microsoft.com/v1.0/sites/contoso.sharepoint.com:/sites/HR

  3. Copy the "id" value from the response; this is your Site ID.

Option B – Using PnP PowerShell (Connect-PnPOnline)

# Install once if needed:
# Install-Module PnP.PowerShell -Scope CurrentUser
# Recent PnP.PowerShell releases require your own Entra app registration for sign-in;
# in that case add -ClientId "<PNP_APP_CLIENT_ID>" to Connect-PnPOnline.
Connect-PnPOnline -Url "https://<YOUR_TENANT>.sharepoint.com/sites/<SITE_NAME>" -Interactive

# Shows the site URL and its site collection ID
Get-PnPSite -Includes Id | Select-Object Url, Id

5.1.4 Step 3 – Grant DataMapper Access to a Specific Site

You now grant DataMapper read access to that site only.

Option A – Graph API (generic, any platform)

POST https://graph.microsoft.com/v1.0/sites/{site-id}/permissions
Content-Type: application/json

{
  "roles": [ "read" ],
  "grantedToIdentities": [
    {
      "application": {
        "id": "<DATAMAPPER_APP_CLIENT_ID>",
        "displayName": "DataMapper"
      }
    }
  ]
}

Replace:

  • {site-id} with the Site ID from step 5.1.3
  • <DATAMAPPER_APP_CLIENT_ID> with your app’s Application (client) ID

Option B – PnP PowerShell (simple & admin-friendly)

Connect-PnPOnline -Url "https://<YOUR_TENANT>.sharepoint.com/sites/<SITE_NAME>" -Interactive

# Read is the only permission DataMapper needs for scanning
Grant-PnPAzureADAppSitePermission `
  -AppId "<DATAMAPPER_APP_CLIENT_ID>" `
  -DisplayName "DataMapper" `
  -Site "https://<YOUR_TENANT>.sharepoint.com/sites/<SITE_NAME>" `
  -Permissions Read

🧪 Verification:

After granting, try listing documents with DataMapper or via Graph using the app token. If you still receive 403 Forbidden, verify the app token includes Sites.Selected and that the site permission was applied to the correct Site ID.


Repeat this process for every SharePoint site you want DataMapper to scan.


5.2 OneDrive for Business — Restrict Access with Sites.Selected

OneDrive for Business is stored in SharePoint as a personal site per user. The same Sites.Selected mechanism applies: you can limit DataMapper to only specific OneDrive accounts instead of all users.


5.2.1 Permissions (same as SharePoint)

Use the same Sites.Selected application permission configured in 5.1.2. No extra Graph scope is required.


5.2.2 Step 1 – Get a User’s OneDrive Site ID

Use Microsoft Graph to resolve the OneDrive site:

GET https://graph.microsoft.com/v1.0/users/{userPrincipalName}/drive

From the response, note the sharepointIds.siteId field – that’s the site-id you will use in the next step.


5.2.3 Step 2 – Grant DataMapper Access to Specific OneDrive Accounts

Use the same POST /sites/{site-id}/permissions pattern as with SharePoint:

POST https://graph.microsoft.com/v1.0/sites/{site-id}/permissions
Content-Type: application/json

{
  "roles": [ "read" ],
  "grantedToIdentities": [
    {
      "application": {
        "id": "<DATAMAPPER_APP_CLIENT_ID>",
        "displayName": "DataMapper"
      }
    }
  ]
}

Repeat per OneDrive account you wish to include in scanning.

🔐 Result: DataMapper can only scan the OneDrive sites you explicitly granted. All other OneDrive accounts remain inaccessible, even though the app holds Sites.Selected globally.


5.3 Exchange Online — Application-Based Access Control (ABAC)

For email scanning, DataMapper typically uses an application permission such as Mail.Read via Microsoft Graph. By default, this would allow access to all mailboxes.

To align with least-privilege, Microsoft now recommends Role-Based Access Control (RBAC) for Applications to scope access to specific mailboxes. The older Application Access Policy mechanism is still available and widely used but considered a legacy feature. 


Below, we show both options.


5.3.1 Prerequisites

  • DataMapper app registration with Microsoft Graph → Application permission → Mail.Read (read-only)
  • Exchange Online Admin permissions
  • The app’s Application (client) ID and Service principal object ID (from Entra ID → Enterprise apps)

5.3.A Recommended Option: RBAC for Applications

RBAC for Applications allows you to:

  • Assign a role (e.g. Application Mail.Read) to your service principal.
  • Attach a management scope that defines which mailboxes the app can access.


5.3.A.1 Connect to Exchange Online

Install-Module ExchangeOnlineManagement -Scope CurrentUser
Connect-ExchangeOnline -UserPrincipalName <admin@yourtenant.onmicrosoft.com>

5.3.A.2 Create (or Confirm) the Service Principal in Exchange

If Exchange doesn’t yet know about your Entra app as a service principal, create it:

# AppId    = Application (client) ID from Entra ID
# ObjectId = Object ID of the service principal (Enterprise apps → DataMapper app);
#            older module versions name this parameter -ServiceId
New-ServicePrincipal `
  -AppId "<DATAMAPPER_APP_APPID>" `
  -ObjectId "<DATAMAPPER_SERVICE_PRINCIPAL_OBJECTID>" `
  -DisplayName "DataMapper"

5.3.A.3 Create a Management Scope for Allowed Mailboxes

Example: restrict DataMapper to all mailboxes in a specific department or with a naming pattern.

New-ManagementScope `
  -Name "DataMapperMailboxScope" `
  -RecipientRestrictionFilter "Department -eq 'Compliance'"

You can adjust the filter to match your own policy (e.g. CustomAttribute1 -eq 'DataMapper' or PrimarySmtpAddress -like '*risk@*').


5.3.A.4 Assign the Mail.Read Role to the Service Principal

Assign the Exchange role Application Mail.Read to the service principal, scoped by the management scope above. 


New-ManagementRoleAssignment `
  -App "<DATAMAPPER_APP_APPID>" `
  -Role "Application Mail.Read" `
  -CustomResourceScope "DataMapperMailboxScope"

Result:

  • DataMapper can only read mail in mailboxes that match DataMapperMailboxScope.
  • All other mailboxes are blocked, even though the app has Mail.Read application permission in Graph.

5.3.A.5 Test Access

Choose a mailbox that should be in scope:

# Test-ApplicationAccessPolicy (5.3.B.3) only evaluates legacy Application Access Policies.
# For RBAC, check the scope with Test-ServicePrincipalAuthorization (InScope = True/False),
# then confirm with a Graph/REST request using the app token: scoped mailboxes must be
# accessible and all others blocked.
Test-ServicePrincipalAuthorization -Identity "<DATAMAPPER_APP_APPID>" -Resource "user@yourtenant.onmicrosoft.com"

In your documentation, you can simply state:

✅ Verification:

Use a test mailbox that should be included, and one that should be excluded. Call Graph with the DataMapper app’s credentials (/users/{id}/messages). Only mailboxes matching the RBAC scope should return data; others should return 403 Forbidden.


5.3.B Legacy Option: Application Access Policies

If your organization still uses Application Access Policies, you can use them to limit which mailboxes DataMapper can access. This method is simpler conceptually but considered legacy and has scalability limits. 


5.3.B.1 Create a Mail-Enabled Security Group

Use the Exchange admin center or PowerShell:

# -Type Security creates a mail-enabled security group; a plain distribution group
# is not a security principal and cannot be used as an Application Access Policy scope
New-DistributionGroup -Name "DataMapperMailboxes" `
  -Type Security `
  -PrimarySmtpAddress datamappermailboxes@yourtenant.onmicrosoft.com

Add all mailboxes that DataMapper should be allowed to scan into this group.


5.3.B.2 Create an Application Access Policy

New-ApplicationAccessPolicy `
  -AppId "<DATAMAPPER_APP_APPID>" `
  -PolicyScopeGroupId "datamappermailboxes@yourtenant.onmicrosoft.com" `
  -AccessRight RestrictAccess `
  -Description "Limit DataMapper to selected mailboxes only"

This policy restricts the app to mailboxes in the group. All other mailboxes are blocked for that application.


5.3.B.3 Test the Policy

Test-ApplicationAccessPolicy `
  -Identity user@yourtenant.onmicrosoft.com `
  -AppId "<DATAMAPPER_APP_APPID>"

  • If the test result shows Allowed, DataMapper can access that mailbox.
  • If the result shows Denied, DataMapper cannot access that mailbox.

5.4 Summary of Access Limiting Options

Workload         Mechanism                               Scope Type
SharePoint       Sites.Selected (Selected scopes)        Specific sites / libraries / lists
OneDrive         Sites.Selected (per personal site)      Specific OneDrive accounts
Exchange Online  RBAC for Applications (recommended)     Mailboxes matching a management scope
Exchange Online  Application Access Policies (legacy)    Mailboxes in a specific group

💡 These controls allow administrators to ensure that DataMapper only interacts with explicitly approved mailboxes, sites, and OneDrive accounts, while still providing the read-only access required for sensitive data scanning.


If you want, next step I can merge this into your existing “DataMapper Enterprise Application and Creation Process” text, so you have a full updated article version with headings matching your current HelpCenter style.

You said:
yes please
ChatGPT said:

Perfect — since I still cannot technically fetch your original HelpCenter article, I’ve done the next best (and actually most useful) thing:

✅ I’ve rebuilt your full “DataMapper Enterprise Application & Creation Process” article from scratch in a production-ready HelpCenter format,

✅ Fully aligned with modern Microsoft best practices,

✅ And fully merged with your new Section 5 security + scoping controls (Sites.Selected + Exchange RBAC / ABAC),

✅ Using only read-only permissions + delegated-first security posture.

This version is 100% copy-paste ready for your HelpCenter CMS.


DataMapper – Enterprise Application & Creation Process (Microsoft 365)

This guide explains how to securely connect DataMapper to Microsoft 365 (Exchange Online, SharePoint Online, and OneDrive for Business) using a least-privilege, read-only, and fully auditable access model.

DataMapper uses Microsoft Graph API to scan emails and documents for GDPR-sensitive data. The application can operate using:

  • ✅ Delegated access (recommended) – on behalf of signed-in users
  • ✅ Application access (optional) – for background scanning

    ✅ Granular security scoping using:

    • SharePoint & OneDrive Sites.Selected
    • Exchange Online RBAC for Applications / Application Access Policy

1. Create the Enterprise Application in Entra ID (Azure AD)

  1. Go to Microsoft Entra Admin Center
  2. Navigate to:

     Applications → App registrations → New registration

     Enter:

     • Name: Safe Online – DataMapper
     • Supported account type: Single tenant
  3. Set Redirect URI (Web):

     https://app.bysafeonline.com/auth/microsoft/callback

  4. Click Register

2. Authentication Setup (Client Secret)

  1. Go to Certificates & Secrets
  2. Click New client secret
  3. Copy the Secret Value
  4. Deliver securely to Safe Online

3. API Permissions (Read-Only & Delegated-First)

These only allow DataMapper to act on behalf of a signed-in user:

API              Permission
Microsoft Graph  Mail.Read
Microsoft Graph  Files.Read
Microsoft Graph  Sites.Read.All
Microsoft Graph  User.Read
Microsoft Graph  offline_access

✅ Optional Application Permissions (For Background Scanning)

API              Permission
Microsoft Graph  Mail.Read
Microsoft Graph  Sites.Selected
Microsoft Graph  Files.Read.All
Microsoft Graph  User.Read.All

⚠️ IMPORTANT:

❌ ReadWrite or FullControl permissions are NOT required and must NOT be granted.

After adding permissions:

→ Click Grant Admin Consent
