SProbot is built and run on a foundation of security and privacy.

We employ a range of controls, processes, and technologies to safeguard data, maintain privacy, and ensure compliance.

1. Permissions overview

SProbot accesses data within SharePoint and Teams on your tenant to generate metrics, dashboards, reports and recommended actions.

It then enables SProbot tenant administrators to improve data hygiene and security by performing cleanup and other administrative actions, which are in turn executed on the tenant by the SProbot app.

This page explains how the permissions are granted to enable this functionality.

2. Roles

There are four types of roles in SProbot:

- SProbot account admins who create and manage a collection of tenants.
- SProbot tenant admins who use the cleanup, reporting and provisioning functionality to perform various admin tasks on a tenant.
- Privileged accounts which are used to create a connection to a tenant.
- Tenant users who interact with the Teams app or embedded SharePoint web part to search, review and action to-do items, and request workspaces.

2.1. SProbot account admins

You need a Microsoft account to sign into SProbot. It does not need to be an account on a tenant (commonly referred to as a Work or School account) and can be a personal Microsoft account, but if you're reading this, it's very likely that your account will be an Entra ID account on a tenant.

When you sign in for the first time, we create an SProbot account admin profile for you. At this point you do not yet have the ability to perform any actions on any tenant.

SProbot account admins can have the SharePoint admin role assigned to them within their tenant, but it is not a prerequisite to using the full functionality within the system. They can run reports and perform all of the related configuration and management without being a SharePoint admin on the tenants they create connections to.

The first time you sign into SProbot to use it as an account admin, you need to provide this consent:

- Sign you in and read your profile - Allows you to sign into SProbot and lets the app read your basic profile information listed below.
- Maintain access to data you have given it access to - Allows SProbot to see and update the information it gets from your profile even while you are not using the app.

Your basic profile information is your name, email address and user ID. This is the only personal information SProbot has access to.

2.2. SProbot tenant admins

SProbot account admins can create connections to multiple tenants.

When a connection to a tenant is successfully created, the tenant is associated with the SProbot account admin user who created it. This user automatically gets the SProbot tenant admin role on the tenant.

Additional users on a tenant can be assigned the SProbot tenant admin role. Guest users cannot be assigned this role.

At the point of creation, the SProbot account admin needs to authenticate to the tenant using a privileged account with either of the following roles assigned to it:

- Global Administrator
- Privileged Role Administrator

If the SProbot account admin user has either of these roles assigned to it, that account can be used to grant the permissions. If it does not, you will need to authenticate using a separate account which does have these elevated permissions assigned.

When you authenticate, a once-off permission grant is performed. During this process, an app registration is created for SProbot on the tenant and the privileged account grants the following permissions to the app registration:

- Sign in and read user profile
- Add and remove members from all channels
- Read all channel messages
- Read and write all groups
- Read all published labels and label policies for an organization
- Read all usage reports
- Read and write all admin report settings
- Have full control of all site collections
- Create, edit, and delete items and lists in all site collections
- Read and write items in all site collections
- Get a list of all teams
- Add and remove members from all teams
- Read all available Teams Templates

The prompt looks like this:

When you grant this consent, you give the SProbot app the ability to manage content within the tenant. SProbot needs this access to be able to provision sites and teams and then manage them. Please read our Privacy Notice and Terms of use for more information about your rights and obligations around this.

Important to note:

- SProbot never has access to or stores account credentials.
- Granting consent is a one-off action and only needs to be repeated if there is a change to the permissions required by SProbot due to new or updated functionality. If an update action is required, you'll see a Permission Updated Needed dialog when you open a tenant, with a "Start new permission acceptance" button.

Once you have created a tenant connection, the SProbot account admin and SProbot tenant admin users do not connect to SharePoint directly to run reports or perform admin actions; the SProbot app does this on their behalf.
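A tenant administrator can check after consent that the app registration holds only the permissions listed in this section. The following is an added example, not SProbot's own code: it assumes you have exported the app's `appRoleAssignments` and the resource service principals' `appRoles` from Microsoft Graph, it covers application permissions only, and the sample IDs and the extra mail permission are constructed.

```python
# Baseline: permission display names as listed on this page.
DOCUMENTED = [
    "Sign in and read user profile",
    "Add and remove members from all channels",
    "Read all channel messages",
    "Read and write all groups",
    "Read all published labels and label policies for an organization",
    "Read all usage reports",
    "Read and write all admin report settings",
    "Have full control of all site collections",
    "Create, edit, and delete items and lists in all site collections",
    "Read and write items in all site collections",
    "Get a list of all teams",
    "Add and remove members from all teams",
    "Read all available Teams Templates",
]

def _norm(name):
    # Compare names case-insensitively and ignore spacing differences.
    return " ".join(name.lower().split())

def audit_grants(assignments, resources):
    """Diff granted app roles against the documented baseline."""
    # Index every role definition by (resource service principal, role id).
    roles = {(rid, r["id"]): r["displayName"]
             for rid, sp in resources.items() for r in sp.get("appRoles", [])}
    granted, unresolved = {}, []
    for a in assignments:
        name = roles.get((a["resourceId"], a["appRoleId"]))
        if name is None:
            unresolved.append(a["appRoleId"])  # cannot be judged: review by hand
        else:
            granted[_norm(name)] = name
    baseline = {_norm(n): n for n in DOCUMENTED}
    return {
        "undocumented": sorted(granted[k] for k in granted.keys() - baseline.keys()),
        "not_granted": sorted(baseline[k] for k in baseline.keys() - granted.keys()),
        "unresolved": unresolved,
    }

# Constructed sample data (IDs are placeholders, not real Graph GUIDs).
SAMPLE_RESOURCES = {"res-1": {"appRoles": [
    {"id": "role-1", "displayName": "Have full control of all site collections"},
    {"id": "role-2", "displayName": "Read and write all groups"},
    {"id": "role-3", "displayName": "Read and write mail in all mailboxes"},
]}}
# role-3 is outside the documented list; role-9 has no matching definition.
SAMPLE_ASSIGNMENTS = [{"resourceId": "res-1", "appRoleId": r}
                      for r in ("role-1", "role-2", "role-3", "role-9")]
```

Anything under `undocumented` or `unresolved` warrants review before the connection is trusted. Entries under `not_granted` may be delegated grants, which this check does not read.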

2.3. Tenant users

Normal users on your tenant only interact with the SProbot Teams app, which is deployed to the tenant when creating the tenant connection. The first time a user opens the Teams app, they need to accept the most basic level of app permissions:

- View your profile
- Maintain access to data you have given it access to

This permission is needed only to authenticate the user with OAuth and enable them to access the directory, request workspaces and view any actions assigned to them. SProbot only stores the user's first name, last name, and email address. We do not store or ever have access to any credentials themselves.

SProbot will automatically communicate with tenant users to notify them about builds, cleanup actions and other actions they need to take, but will never communicate with them about anything else.
