Permissions and Consent

MungePoint authenticates through Microsoft’s identity platform using standard OAuth2 with delegated permissions. This page explains which scopes are requested, why each one is needed, and when admin consent may be required.

MungePoint is a desktop application that uses the Microsoft Graph PowerShell first-party client ID for authentication. This means:

  • No custom app registration is required in your Entra ID tenant.
  • No service principal is created.
  • No background agent runs in your tenant.
  • Authentication uses the same OAuth2/MSAL flow as other Microsoft first-party tools.

When you click “Sign in with Microsoft,” a browser window opens for standard Entra ID authentication. MFA, Conditional Access policies, and session lifetime controls are all fully supported. MungePoint never sees or stores your password.

When MungePoint runs in scan-only mode (analyzing content and generating your Copilot Readiness Score), it requests these delegated scopes:

| Scope | Purpose |
| --- | --- |
| Sites.Read.All | Enumerate SharePoint sites and read site metadata (titles, URLs, storage quotas). |
| Files.Read.All | Read file metadata across document libraries: names, sizes, modification dates, content hashes. Used for duplicate detection, staleness analysis, naming quality checks, and index noise identification. |
| User.Read | Read the signed-in user’s basic profile (display name, email). Used to identify the authenticated user in the MungePoint interface. |

These scopes are delegated, not application-level. MungePoint can only access content your account already has permission to see. There is no privilege escalation beyond your existing SharePoint access.

When you use MungePoint’s cleanup features (deleting duplicates, renaming files, filling metadata, removing index noise), additional write scopes are required:

| Scope | Purpose |
| --- | --- |
| Sites.ReadWrite.All | Write site-level metadata and manage list items. Required for metadata bulk fill operations. |
| Sites.Manage.All | Manage site structure, including list and library configuration. Required for certain cleanup operations that modify library settings. |
| Files.ReadWrite.All | Create, update, rename, and delete files across document libraries. Required for duplicate deletion, file renaming, and noise removal. |

These scopes are also delegated. MungePoint can only modify content your account already has write access to. If your SharePoint permissions only allow read access to a particular library, MungePoint cannot write to it regardless of the scopes granted.
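A practical way to confirm that a session holds only the scopes its mode needs is to inspect the `scp` claim of the access token the client received. The following is an added example, not MungePoint’s own code: it decodes a token’s payload locally (without verifying the signature, which is the identity platform’s job, not the client’s) and reports missing or excess scopes against the scan-only and cleanup scope sets listed above. Delegated tokens carry scopes in `scp`, while app-only tokens carry `roles`, so the audit also flags whether the token is actually delegated. The `make_unsigned_token` helper and the sample claims are constructed for local testing only.

```python
import base64
import json

# Delegated scopes MungePoint requests in each mode, as listed on this page.
SCAN_ONLY_SCOPES = {"Sites.Read.All", "Files.Read.All", "User.Read"}
WRITE_SCOPES = {"Sites.ReadWrite.All", "Sites.Manage.All", "Files.ReadWrite.All"}
CLEANUP_SCOPES = SCAN_ONLY_SCOPES | WRITE_SCOPES


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    The signature is NOT verified here: this is for inspecting a token your
    own client already holds, not for accepting tokens presented by others.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three segments")
    return json.loads(_b64url_decode(parts[1]))


def audit_scopes(token: str, mode: str) -> dict:
    """Compare the token's delegated scopes ('scp' claim) with what `mode` needs.

    mode is "scan" (scan-only) or "fix" (scan + cleanup).
    """
    if mode not in ("scan", "fix"):
        raise ValueError("mode must be 'scan' or 'fix'")
    claims = token_claims(token)
    granted = set(claims.get("scp", "").split())
    expected = SCAN_ONLY_SCOPES if mode == "scan" else CLEANUP_SCOPES
    return {
        "granted": sorted(granted),
        "missing": sorted(expected - granted),
        "excess": sorted(granted - expected),
        # Delegated tokens carry 'scp'; application (app-only) tokens carry 'roles'.
        "delegated": "scp" in claims and "roles" not in claims,
    }


def make_unsigned_token(payload: dict) -> str:
    """Build a CONSTRUCTED, unsigned JWT so the audit logic can be exercised offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "none", "typ": "JWT"}
    return f"{enc(header)}.{enc(payload)}.signature-placeholder"


if __name__ == "__main__":
    # Constructed sample: a scan-only session that somehow holds a write scope.
    sample = make_unsigned_token({
        "scp": "Sites.Read.All Files.Read.All User.Read Files.ReadWrite.All",
        "upn": "user@example.invalid",  # constructed value
    })
    print(json.dumps(audit_scopes(sample, "scan"), indent=2))
```

Run against a real token only on the machine that already holds it; an `excess` entry in scan-only mode means the session carries more authority than the mode requires and is worth investigating, while a non-empty `missing` list in fix mode explains why a cleanup operation would fail before it reaches SharePoint.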

Admin consent may be needed in two situations:

  1. Your tenant restricts user consent. Some organizations configure Entra ID to require admin approval for any delegated permission grant, even for first-party client IDs. In this case, an admin must consent to the scopes before any user can sign in.

  2. Write scopes on first use. Even in tenants that allow user consent for read scopes, the write scopes (Sites.ReadWrite.All, Sites.Manage.All, Files.ReadWrite.All) may be classified as requiring admin consent depending on your tenant’s consent policy.

To grant admin consent:

  1. Open the Entra ID admin center at entra.microsoft.com.

  2. Navigate to Identity > Applications > Enterprise applications > Consent and permissions > Admin consent requests to see if a consent request from MungePoint is pending.

  3. Alternatively, an admin can sign in to MungePoint directly. When the consent prompt appears, check “Consent on behalf of your organization” and click Accept. This grants consent for all users in the tenant.

  4. After admin consent is granted, regular users can sign in and use MungePoint without seeing a consent prompt.
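After consent has been granted, an admin can verify what was actually consented, and for whom, by reading the tenant’s OAuth2 permission grants. The following is an added example, not MungePoint’s own code: it takes records in the shape of Microsoft Graph `oauth2PermissionGrant` objects (fields `clientId`, `consentType`, `principalId`, `resourceId`, `scope`) and separates tenant-wide consent (`consentType` of `AllPrincipals`, the result of “Consent on behalf of your organization”) from per-user consent (`Principal`), then checks whether a given user ends up with the scan-only or full cleanup scope set. The sample records and every id in them are constructed placeholders, not real tenant values; in a real tenant, `clientId` is the object id of the consented client’s service principal.

```python
# Delegated scopes from this page.
SCAN_ONLY_SCOPES = {"Sites.Read.All", "Files.Read.All", "User.Read"}
WRITE_SCOPES = {"Sites.ReadWrite.All", "Sites.Manage.All", "Files.ReadWrite.All"}
CLEANUP_SCOPES = SCAN_ONLY_SCOPES | WRITE_SCOPES

# CONSTRUCTED records in the shape of Graph oauth2PermissionGrant objects
# (GET /oauth2PermissionGrants). All ids are placeholders.
SAMPLE_GRANTS = [
    {   # tenant-wide consent covering only the scan-only scopes
        "clientId": "sp-mungepoint-client-placeholder",
        "consentType": "AllPrincipals",
        "principalId": None,
        "resourceId": "sp-graph-placeholder",
        "scope": "Sites.Read.All Files.Read.All User.Read",
    },
    {   # one user who individually consented to the write scopes
        "clientId": "sp-mungepoint-client-placeholder",
        "consentType": "Principal",
        "principalId": "user-b-placeholder",
        "resourceId": "sp-graph-placeholder",
        "scope": "Sites.ReadWrite.All Sites.Manage.All Files.ReadWrite.All",
    },
    {   # an unrelated client; must be ignored by the audit
        "clientId": "sp-other-app-placeholder",
        "consentType": "AllPrincipals",
        "principalId": None,
        "resourceId": "sp-graph-placeholder",
        "scope": "User.Read",
    },
]


def audit_consent_grants(grants, client_id, user_id=None):
    """Summarise which scopes are consented for `client_id`, tenant-wide and per user.

    Returns the effective scope set for `user_id` (tenant-wide grants plus that
    user's own grant) and whether it satisfies the scan-only or cleanup mode.
    """
    tenant_wide = set()
    per_user = {}
    for g in grants:
        if g.get("clientId") != client_id:
            continue
        scopes = set(g.get("scope", "").split())
        if g.get("consentType") == "AllPrincipals":
            tenant_wide |= scopes
        elif g.get("consentType") == "Principal" and g.get("principalId"):
            per_user.setdefault(g["principalId"], set()).update(scopes)
    effective = tenant_wide | per_user.get(user_id, set())
    return {
        "tenant_wide": sorted(tenant_wide),
        # Write scopes granted for every user are the ones worth a second look.
        "tenant_wide_write": sorted(tenant_wide & WRITE_SCOPES),
        "users_with_individual_consent": sorted(per_user),
        "effective_for_user": sorted(effective),
        "scan_ready": SCAN_ONLY_SCOPES <= effective,
        "cleanup_ready": CLEANUP_SCOPES <= effective,
    }


if __name__ == "__main__":
    import json
    report = audit_consent_grants(
        SAMPLE_GRANTS, "sp-mungepoint-client-placeholder", user_id="user-b-placeholder"
    )
    print(json.dumps(report, indent=2))
```

Feeding this the real grant list (for example, the output of a Graph query for `oauth2PermissionGrants` filtered to the client’s service principal) shows at a glance whether write scopes were consented for the whole tenant or only for individual users, which is the distinction that matters when deciding who should be able to run cleanup operations.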

Token storage and revocation:

  • MungePoint stores OAuth tokens using the platform’s secure credential store (Windows Credential Manager or platform equivalent).
  • Tokens are scoped to the specific permissions listed above and follow Microsoft’s standard token lifetime policies.
  • Revoking access is done through Entra ID. Remove user consent or block the enterprise application in the Entra admin center to immediately invalidate tokens.
  • MungePoint does not store tokens in plaintext, in config files, or in the local SQLite database.

Summary of scopes by mode:

| Mode | Scopes | Admin consent typically needed? |
| --- | --- | --- |
| Scan only | Sites.Read.All, Files.Read.All, User.Read | No (unless tenant restricts all user consent) |
| Scan + Fix | All of the above, plus Sites.ReadWrite.All, Sites.Manage.All, Files.ReadWrite.All | Often yes, depending on tenant consent policy |