ARK App Registration & Permission Setup

Step 1 – Create App Registration

Location:
Microsoft Entra Admin Center → Identity → Applications → App registrations → New registration

Configuration:

Name: ARK SharePoint Data Connector
Supported account types: Accounts in this organizational directory only

Record the following values for ARK configuration:

Application (Client) ID
Directory (Tenant) ID

[SCREENSHOT – Entra Admin Center → App Registrations → New Registration Screen]

Step 2 – Configure API Permissions

Location:
App Registration → API permissions → Add a permission

Select:

Microsoft Graph
Application permissions

Add:

Sites.Read.All
or
Sites.Selected (recommended)

If folder/list/item-level granularity is required, add one of the SelectedOperations scopes (per customer requirement/governance), for example:

Lists.SelectedOperations.Selected
ListItems.SelectedOperations.Selected

Click:

Grant admin consent for <Tenant Name>

[SCREENSHOT – API Permissions Screen Showing Microsoft Graph Application Permissions with “Admin Consent Granted” Status]

Step 3 – Configure Authentication Credential

Preferred Method: Certificate-Based Authentication

Location:
App Registration → Certificates & Secrets → Certificates → Upload certificate

Process:

Upload public certificate (.cer)
Private key stored securely per IT policy
Provide certificate thumbprint or secure key exchange to ARK

[PLACE SCREENSHOT HERE – Certificates & Secrets Screen Showing Uploaded Certificate]

Alternative Method: Client Secret

Location:
App Registration → Certificates & Secrets → Client secrets → New client secret

Set defined expiration period
Store securely
Rotate according to internal security policy

[SCREENSHOT – Client Secret Creation Screen Showing Expiry Selection]

Step 4 – Grant Access Scope (Site / Library / Folder)

If using Sites.Selected: explicitly grant the app access to the specific SharePoint site(s).

If using folder/library-only (granular):

Create a dedicated library for the ARK workspace to ingest from (simple / preferred), or a dedicated folder.
Configure SharePoint permissions (unique permissions if needed) so the app can read only the intended library/folder (SharePoint inheritance model).

If using SelectedOperations scopes:

Assign the app permissions to the specific list/item/folder as required (Selected scopes require explicit assignment).

[SCREENSHOT – SharePoint Admin Center (or Permissions Pane) showing restricted access to the dedicated library/folder]

Step 5 – Configure ARK Workspace

Within ARK:

Enter Tenant ID
Enter Application ID
Upload certificate or client secret
Select approved SharePoint site
Enable ingestion and monitoring

Each ARK workspace maintains logical data segregation and RBAC boundaries.

[SCREENSHOT– ARK Workspace Connector Configuration Screen]

7. What ARK Does NOT Do

ARK does not:

❌ Store user passwords
❌ Require service accounts
❌ Require MFA exclusions
❌ Use interactive login flows
❌ Access mailboxes unless explicitly configured
❌ Access SharePoint sites without approval
❌ Modify or delete source files

ARK operates in read-only mode for SharePoint and Teams ingestion.

8. Revocation & Application Offboarding

At any time IT administrators can:

Disable or delete the App Registration
Remove API permissions
Remove site-level access grants
Remove library/folder access grants
Delete certificate or client secret

Revocation is immediate and centrally controlled within Microsoft Entra.

9. Compliance Alignment

This integration model aligns with:

Microsoft Zero Trust Architecture principles
Least Privilege Access
Application-based authentication best practices
Enterprise audit and logging requirements
SOC 2, ISO 27001, and regulated industry review standards

ARK integrates with Microsoft 365 using a secure, tenant-controlled application identity.

All permissions are:

Explicit
Admin-approved
Least-privilege scoped
Auditable
Immediately revocable

No user credentials are required.
No service accounts are used.
No MFA bypass mechanisms are involved.