4 Add-ins to MS Word
Add-ins are plugins that integrate with Microsoft Word. Add-ins provided by Wrepit are intended for desktop use on Windows and Mac computers.
4.1 What are add-ins?
Add-ins for MS Word are downloadable from Microsoft AppSource. They are web applications that run inside a sandboxed browser environment directly within the MS Word application, and have access to a JavaScript API (Office.js) to read and modify the Word document. (Microsoft Documentation for Developing Add-ins)
4.2 What is MS Graph?
Microsoft Graph is the Microsoft API through which applications access the data in your organization's Microsoft 365 tenant, and can be used to e.g. obtain user information and interact with your Sharepoint. MS Graph is built on a permission system, where your organization grants applications (including those from external parties such as Wrepit) permissions to specific parts of the API. For instance, to read a user's profile from MS Graph, the permission User.Read must be granted and consented to.
4.3 Which add-ins does Wrepit provide?
Wrepit currently provides Wrepit Highlights and Excel2Word by Wrepit.
Both add-ins require installation (See Required installation).
4.4 Add-in security
Wrepit add-ins operate within the sandboxed browser environment inside Microsoft Word. Thus they have access to read and modify the data in the Word document.
To be transparent, Wrepit has built the add-ins as Single-Page Applications (SPA) running inside that sandboxed browser. The reason for this design is data transparency: every network request the add-in makes is issued from the client, so Wrepit could not send document data to any server without it showing up in the browser's network tab. This supports our pledge that no data should ever leave the Microsoft Word environment.
4.5 Add-in hosting
Add-ins store the metadata they need inside your Word document, using Content Controls or the Office Settings API. No add-in data is sent to Wrepit servers or to any third parties.
4.6 MS Graph permissions
During the approval of Excel2Word by Wrepit you will be presented with a set of Microsoft Graph permissions you must approve. This article explains which permissions the add-in requires and how they are used.
4.6.1 Delegated permissions
Microsoft Graph has 2 different kinds of permissions: application permissions and delegated permissions. Application permissions let an application act on its own, without any signed-in user and typically across the whole tenant, whereas delegated permissions let the application act only on behalf of the signed-in user, and only within what that user is already allowed to access.
All permissions requested by Excel2Word by Wrepit are delegated permissions. The add-in runs in a sandboxed browser environment on the user's computer, so its effective access is limited by both the MS Graph permissions that have been consented to and the signed-in MS 365 user's own permissions.
By using delegated permissions, users of the add-in never gain access to anything they would not otherwise have access to in your organization's Microsoft 365 tenant. Since Excel2Word by Wrepit only accesses Excel files in your organization, a user can only open Excel files through the add-in that the user already has access to, i.e. files they own or that have been shared with them.
Please refer to the Microsoft Graph permissions docs for more details on delegated permissions.
4.6.2 Requested permissions
Excel2Word by Wrepit requires the following permissions, following the principle of least privilege (only the access it needs):
- Sign in and read user profile (User.Read)
  - Used to sign in to the add-in and read the user profile.
- Either Files.Read.All or Sites.Selected
  - Used to resolve Sharepoint sharing links to Excel files, and to retrieve the contents of the Excel file.
  - Read all files that user can access (Files.Read.All): the add-in can read any file the signed-in user can read, anywhere in the tenant.
  - Access selected Sites, on behalf of the signed-in user (Sites.Selected): in addition to the user's own access, an IT administrator must explicitly grant the add-in access to specific Sharepoint sites. In practice this means you can limit the add-in's access to e.g. a specific Teams group or sub-site of your Sharepoint and thereby manage your organization's risk exposure.
Please refer to the Microsoft Graph Permissions reference for full details on what each permission scope grants access to, as well as Microsoft's full explainer on app permissions and admin consent.
4.6.3 How Excel2Word by Wrepit uses these permissions
Once the user has signed in and the MS Graph permissions have been consented to, the add-in calls the following Microsoft Graph API endpoints on the signed-in user's behalf:
- Users → User → Get (GET /me): To display basic user information in the add-in.
- Files → Permissions → Use Sharing Links (GET /shares/{encodedSharingUrl}/driveItem) combined with Files → Drive Items → Get Item: To resolve a Sharepoint Sharing Link to the Excel file and read its contents.
- Workbooks → Range → Get Range (GET /drives/{driveId}/items/{itemId}/workbook/names/{name}/range): To get data from named Excel ranges.
Since the add-in is built as a Single Page Application (SPA), every API interaction occurs client-side and can be inspected in the network tab of the browser developer tools inside MS Word.
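As an added illustration (example code written for this page, not the add-in's own source), the following Python script builds the exact Graph requests behind the three endpoint names above, starting from a Sharepoint sharing link. The sharing link, tenant hostname, drive and item ids and the named range are constructed sample values, and the is_tenant_link guard is an assumed client-side check that the page does not describe; Graph still enforces the user's real permissions server-side regardless of it.

```python
# Added example, not Wrepit's add-in code: the Graph requests behind 4.6.3,
# starting from a Sharepoint sharing link. All inputs below are constructed.
import base64
from urllib.parse import urlparse

GRAPH = "https://graph.microsoft.com/v1.0"


def encode_sharing_url(url: str) -> str:
    """Graph's sharing-URL encoding used by /shares/{shareId}: base64 of the URL,
    '=' padding stripped, '/' -> '_', '+' -> '-', prefixed with 'u!'."""
    b64 = base64.b64encode(url.encode("utf-8")).decode("ascii")
    return "u!" + b64.rstrip("=").replace("/", "_").replace("+", "-")


def decode_share_id(share_id: str) -> str:
    """Inverse of encode_sharing_url; handy when reading the network tab."""
    if not share_id.startswith("u!"):
        raise ValueError("not an encoded sharing URL")
    b64 = share_id[2:].replace("_", "/").replace("-", "+")
    b64 += "=" * (-len(b64) % 4)  # restore the stripped padding
    return base64.b64decode(b64).decode("utf-8")


def is_tenant_link(url: str, tenant_host: str) -> bool:
    """Assumed client-side guard (not on the page): accept only https links on the
    organisation's own Sharepoint host, so foreign links are rejected before any call."""
    p = urlparse(url)
    return p.scheme == "https" and p.hostname is not None and p.hostname == tenant_host.lower()


def add_in_requests(sharing_link: str, tenant_host: str, drive_id: str, item_id: str, named_range: str):
    """The delegated Graph calls 4.6.3 lists, as (method, URL) pairs. drive_id and
    item_id are what the /shares/.../driveItem response returns in practice."""
    if not is_tenant_link(sharing_link, tenant_host):
        raise ValueError(f"refusing link outside {tenant_host}: {sharing_link}")
    share_id = encode_sharing_url(sharing_link)
    return [
        # Users -> User -> Get: the signed-in user's profile (User.Read)
        ("GET", f"{GRAPH}/me"),
        # Files -> Permissions -> Use Sharing Links: resolve the link to a drive item
        ("GET", f"{GRAPH}/shares/{share_id}/driveItem"),
        # Files -> Drive Items -> Get Item, then Workbooks -> Range -> Get Range
        ("GET", f"{GRAPH}/drives/{drive_id}/items/{item_id}"),
        ("GET", f"{GRAPH}/drives/{drive_id}/items/{item_id}/workbook/names/{named_range}/range"),
    ]


if __name__ == "__main__":
    link = "https://company.sharepoint.com/:x:/s/MySite/EaBcDeFg12345?e=abc123"  # constructed
    for method, url in add_in_requests(link, "company.sharepoint.com", "b!drive", "01ITEM", "Budget2024"):
        print(method, url)
```

Paste the share id from the second request into decode_share_id to confirm that what appears in the network tab is exactly the link the user pasted, and nothing more.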
4.6.4 Additional setup for the Sites.Selected permission
The Sites.Selected permission combines aspects of delegated and application permissions: the add-in still acts on behalf of the signed-in user, but it only gets access to the sites an administrator has explicitly granted it, as with an application permission. The following 2 requirements must both be met for the user to be able to find Excel files inside a Sharepoint site (the effective access is the intersection of the two):
- The user must have access to the files in that Sharepoint site.
- The add-in must have been granted explicit access to that Sharepoint site.
To grant the add-in explicit access to a Sharepoint site, read on below.
- Prerequisites:
  - You need administrator access to grant Sharepoint site permissions.
  - You need a way to call your organization's MS Graph API, e.g. the official Microsoft Graph Explorer.
- Follow these steps:
  - Identify the site you want, e.g. https://company.sharepoint.com/sites/MySite
  - Find the Sharepoint {SiteID} for the site and note it down:
    - GET call: https://graph.microsoft.com/v1.0/sites/root:/sites/MySite
    - Note down the "id" attribute's value (of the form hostname,siteCollectionId,siteId).
  - Grant the add-in Read permissions to the site:
    - POST call, with the JSON body below, to https://graph.microsoft.com/v1.0/sites/{SiteID}/permissions (replace {SiteID} with the "id" you noted above).
  - Repeat the above steps for any other Sharepoint site your users need to access via the add-in.
{
  "roles": ["read"],
  "grantedToIdentities": [
    {
      "application": {
        "id": "7756aaed-225f-416e-b79f-4635f99887c6",
        "displayName": "Excel2Word by Wrepit can read this site"
      }
    }
  ]
}
- Microsoft’s reference for the above MS Graph calls can be found here:
- If you make any mistakes and want to edit or remove permissions, check the following reference:
4.6.5 Migration from Files.Read.All to Sites.Selected
To migrate from Files.Read.All to Sites.Selected, follow these steps, preferably in this order:
- (required step) Find (or create) a Sharepoint site where all Excel files used with Excel2Word will be stored. This will be the Sharepoint site the add-in can read files from.
  - You can e.g. create a new Teams team for this.
- (recommended step) Have your organization's add-in users move their existing Excel files to the selected Sharepoint site. They can use the add-in's Replace File functionality to re-link the files inside their Word documents. This can also be done at a later stage, but until then users will see error messages in the add-in, so make sure they are aware of the change.
- (required step) Remove the Files.Read.All permission for the "Excel2Word by Wrepit" Enterprise Application.
  - This can normally be done in the Azure Portal (or the Microsoft Entra admin center): find the Enterprise Application named "Excel2Word by Wrepit", open the "Permissions" menu item, and in the "Admin Consent" tab click "…" and "Revoke Permission".
  - Sometimes the permission was granted through "User Consent" instead, which is listed under the "User Consent" tab. In that case you can use the MS Graph API to delete (or trim the scope of) the service principal's delegated permission grants (oAuth2PermissionGrants) for the Enterprise Application.
- (required step) Add the Sites.Selected permission by following the steps in Additional setup for the Sites.Selected permission.
- (recommended step) Notify your organization's add-in users that the change has happened. On their next sign-in to the add-in they must go to "Sign-in Settings" on the front page and enable the "Selected Sites Only" toggle; otherwise they will no longer be able to sign in to the add-in. This must be done once per device they use the add-in on.
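The administrator steps of 4.6.4 (resolve the site id and POST the read grant) and the permission removal of 4.6.5 (the "User Consent" case) as Microsoft Graph calls, written as an added example for this page and not Wrepit's own code. It assumes an administrator access token in a GRAPH_TOKEN environment variable for the real transport; the site path, site id, service principal object id and the fake_send responses are constructed so the logic runs offline. The scope removal goes through the oAuth2PermissionGrants endpoint, where both user consent and tenant-wide admin consent are stored as oAuth2PermissionGrant objects, so it also covers grants made by admin consent.

```python
# Added example, not Wrepit's code: the administrator side of 4.6.4 (grant the
# add-in read access to one Sharepoint site) and 4.6.5 (remove Files.Read.All
# from delegated consent grants) as Microsoft Graph calls. http_send assumes an
# admin token in GRAPH_TOKEN; fake_send and all ids below are constructed samples.
import json
import os
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
EXCEL2WORD_APP_ID = "7756aaed-225f-416e-b79f-4635f99887c6"  # app id from the JSON body in 4.6.4


def http_send(method, url, body=None):
    """Real transport: one bearer-authenticated Graph call; parsed JSON, or {} on an empty 204."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", "Bearer " + os.environ["GRAPH_TOKEN"])
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


class GraphAdmin:
    def __init__(self, send=http_send):
        self.send = send  # injectable transport, so the logic can be dry-run offline

    def site_id(self, site_path):
        """4.6.4: resolve e.g. '/sites/MySite' to its Graph site id (hostname,collectionId,siteId)."""
        return self.send("GET", f"{GRAPH}/sites/root:{site_path}")["id"]

    def grant_read(self, site_id, app_id=EXCEL2WORD_APP_ID,
                   display_name="Excel2Word by Wrepit can read this site"):
        """4.6.4: the POST with the JSON body shown on the page; returns the new permission id."""
        body = {"roles": ["read"],
                "grantedToIdentities": [{"application": {"id": app_id, "displayName": display_name}}]}
        return self.send("POST", f"{GRAPH}/sites/{site_id}/permissions", body)["id"]

    def app_grants(self, site_id, app_id=EXCEL2WORD_APP_ID):
        """Verify (or find what to DELETE): [(permission id, roles)] the add-in holds on the site."""
        perms = self.send("GET", f"{GRAPH}/sites/{site_id}/permissions").get("value", [])
        return [(p["id"], p.get("roles", [])) for p in perms
                if any(i.get("application", {}).get("id") == app_id
                       for i in p.get("grantedToIdentities", []))]

    def remove_delegated_scope(self, sp_object_id, scope="Files.Read.All"):
        """4.6.5: drop one scope from every delegated consent grant (oAuth2PermissionGrant)
        of the add-in's service principal; 'scope' is a space-separated string.
        Returns [(grant id, remaining scopes)] for the grants that changed."""
        filt = urllib.parse.quote(f"clientId eq '{sp_object_id}'")
        grants = self.send("GET", f"{GRAPH}/oauth2PermissionGrants?$filter={filt}").get("value", [])
        changed = []
        for g in grants:
            scopes = g.get("scope", "").split()  # tolerates stray leading/trailing spaces
            if scope not in scopes:
                continue
            remaining = " ".join(s for s in scopes if s != scope)
            if remaining:  # keep the other scopes (User.Read, Sites.Selected, ...)
                self.send("PATCH", f"{GRAPH}/oauth2PermissionGrants/{g['id']}", {"scope": remaining})
            else:          # nothing left, so delete the grant entirely
                self.send("DELETE", f"{GRAPH}/oauth2PermissionGrants/{g['id']}")
            changed.append((g["id"], remaining))
        return changed


def migrate_to_sites_selected(site_path, sp_object_id, send=http_send):
    """4.6.5 steps 3 and 4 in the page's order: remove Files.Read.All, then grant the site."""
    admin = GraphAdmin(send)
    consent_changes = admin.remove_delegated_scope(sp_object_id)
    site = admin.site_id(site_path)
    perm = admin.grant_read(site)
    return {"site_id": site, "permission_id": perm,
            "add_in_grants": admin.app_grants(site), "consent_changes": consent_changes}


# Constructed offline stand-in for Graph, shaped like the real responses (sample ids).
SAMPLE_SITE_ID = "company.sharepoint.com,11111111-1111-1111-1111-111111111111,22222222-2222-2222-2222-222222222222"
SAMPLE_SP_ID = "33333333-3333-3333-3333-333333333333"  # object id of the Enterprise Application


def fake_send(method, url, body=None):
    if method == "GET" and url.endswith("/sites/root:/sites/MySite"):
        return {"id": SAMPLE_SITE_ID}
    if method == "POST" and url.endswith("/permissions"):
        return {"id": "perm-new", "roles": body["roles"], "grantedToIdentities": body["grantedToIdentities"]}
    if method == "GET" and url.endswith("/permissions"):
        return {"value": [
            {"id": "perm-new", "roles": ["read"], "grantedToIdentities": [{"application": {"id": EXCEL2WORD_APP_ID}}]},
            {"id": "perm-other", "roles": ["write"], "grantedToIdentities": [{"application": {"id": "0000"}}]}]}
    if method == "GET" and "/oauth2PermissionGrants?" in url:
        return {"value": [{"id": "grant-1", "scope": " User.Read Files.Read.All Sites.Selected"},
                          {"id": "grant-2", "scope": "Files.Read.All"}]}
    return {}  # DELETE / PATCH return no body


if __name__ == "__main__":
    print(json.dumps(migrate_to_sites_selected("/sites/MySite", SAMPLE_SP_ID, send=fake_send), indent=2))
```

Run it as-is for the offline dry run; with GRAPH_TOKEN set and the default send=http_send it performs the real calls. Afterwards, app_grants should list exactly one read grant for the add-in's app id on the intended site, and consent_changes should show Files.Read.All gone while User.Read and Sites.Selected remain.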