SharePoint Online
Access Analyzer connects to SharePoint Online using certificate-based authentication through a pre-configured Microsoft Entra ID application. It accesses SharePoint Online through Microsoft Graph and the SharePoint REST API to enumerate sites, libraries, permissions, and sharing links.
Before adding SharePoint Online as a data source, you must register a dedicated Microsoft Entra ID application, grant it the required permissions, and upload a certificate generated by Access Analyzer.
Scan types
Access Analyzer supports two scan types for SharePoint Online:
| Scan type | Description |
|---|---|
| Access scan | Enumerates sites, document libraries, folders, and files. Collects permissions, ACLs, sharing links, and Microsoft Information Protection (MIP) sensitivity labels applied to SharePoint items. The first scan runs in full; subsequent scans collect only changes since the last run. |
| Sensitive Data scan | Reads file contents to classify sensitive data. Requires a completed Access scan — it uses the site and file inventory from the Access scan as its input. |
Before you begin
You need the following before adding SharePoint Online as a data source:
- A user account with the Global Administrator, Application Administrator, or Cloud Application Administrator role in Microsoft Entra ID, to register an application and grant admin consent for permissions
- A registered Microsoft Entra ID application with the required API permissions — see App Permissions in Entra
- Access to the Microsoft Entra admin center to upload the certificate generated during source group setup — see Certificate Configuration
When configuring the SharePoint Online source in Access Analyzer, you need the following values from your registered application:
- Application (client) ID
- Directory (tenant) ID
The certificate is generated by Access Analyzer during source group setup. You download it and upload it to your registered Microsoft Entra ID application before the connection can be tested.
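A read-only check that the certificate you downloaded is actually present on the registered application before you test the connection. This is an added example, not part of the Access Analyzer documentation or product. It assumes the Microsoft Graph PowerShell SDK is installed; the parameter names and certificate path are hypothetical.

```powershell
# Added example, not vendor code. Parameter names and the certificate path are hypothetical.
param(
    [Parameter(Mandatory)] [guid]   $TenantId,   # Directory (tenant) ID
    [Parameter(Mandatory)] [guid]   $ClientId,   # Application (client) ID
    [Parameter(Mandatory)] [string] $CertPath    # certificate file downloaded from Access Analyzer
)

# Read-only delegated scope; needs the Microsoft.Graph.Applications module.
Connect-MgGraph -TenantId $TenantId -Scopes 'Application.Read.All' | Out-Null

# Load the public certificate and take its thumbprint (uppercase hex).
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    (Resolve-Path -LiteralPath $CertPath).Path)

$app = Get-MgApplication -Filter "appId eq '$ClientId'"
if (-not $app) { throw "No application with client ID $ClientId found in tenant $TenantId." }

# Assumption: the certificate was uploaded without an explicit customKeyIdentifier,
# in which case Entra ID sets that field to the certificate thumbprint bytes.
$registered = @($app.KeyCredentials | Where-Object {
    $_.CustomKeyIdentifier -and
    ([System.BitConverter]::ToString($_.CustomKeyIdentifier) -replace '-', '') -eq $cert.Thumbprint
})

if ($registered.Count -eq 0) {
    throw "Certificate $($cert.Thumbprint) is not registered on '$($app.DisplayName)'. Upload it before testing the connection."
}

# Report each matching credential and flag one that is close to expiry.
foreach ($cred in $registered) {
    $daysLeft = [int]($cred.EndDateTime - (Get-Date)).TotalDays
    [pscustomobject]@{
        Application = $app.DisplayName
        Thumbprint  = $cert.Thumbprint
        KeyId       = $cred.KeyId
        Expires     = $cred.EndDateTime
        DaysLeft    = $daysLeft
        Status      = if ($daysLeft -lt 30) { 'Renew soon' } else { 'OK' }
    }
}
```

The 30-day renewal threshold is an arbitrary value chosen for the example; set it to match your own certificate rotation schedule.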