SharePoint & OneDrive

Requirements

  • Within Azure, an Entra App was created and configured as described here

  • Within Teleskope, you have a Teleskope Account with the Admin role

Integration

1. Grant the Teleskope App Microsoft Graph API scopes

Navigate to your App Registration, then Manage -> API Permissions, and assign the following Graph API scopes via Application Permissions:

  • Directory.Read.All – read users, groups, and directories to map identities

  • ExternalUserProfile.Read.All – identify guest/external users

  • Files.Read.All – read files for discovery/scanning/classification

  • Group.Read.All – list groups to analyze access

  • GroupMember.Read.All – enumerate membership for permission inheritance

  • RoleManagement.Read.All – understand privileged roles

  • SharePointTenantSettings.Read.All – inspect tenant-wide settings (e.g., sharing rules)

  • Sites.Read.All – enumerate SharePoint sites to index and crawl content

  • User.Read.All – get user properties

Optional Permissions to enable features in 'Policy Maker'

  • InformationProtectionPolicy.Read.All – read Purview labels/policies

  • Files.ReadWrite.All – enable remediation such as applying Purview sensitivity labels, quarantining, or deletion

If you enable Policy Maker actions that apply or remove Purview sensitivity labels, also enable metered APIs and services in Microsoft Graph for the Teleskope app registration. Microsoft treats the SharePoint and OneDrive assignSensitivityLabel API as a metered Graph API, so Graph permissions and admin consent alone are not sufficient for that action.

Lastly, grant admin consent to all of the permissions.

2. Enroll SharePoint in Teleskope

  1. Navigate to Settings > Connector > Microsoft 365

  2. Click Enroll New Tenant

  3. Input your Tenant ID, Tenant Name, ClientID, and corresponding secret value.
