
ARK Microsoft 365 Security Model

Secure, Tenant-Controlled Integration with Microsoft Entra ID & Microsoft Graph

1. Overview

ARK integrates with Microsoft 365 using a secure, non-human application identity that is fully controlled by your tenant administrators.

This means:

  • ✅ No shared service accounts

  • ✅ No stored user passwords

  • ✅ No MFA bypass

  • ✅ No interactive logins

  • ✅ No dependency on user accounts

  • ✅ Fully auditable within Microsoft Entra ID

ARK authenticates using a Microsoft Entra ID App Registration and connects through Microsoft Graph API with explicitly approved application permissions.

All access is granted, scoped, and revocable by your IT team.


2. High-Level Architecture

+--------------------+  OAuth 2.0 client credentials (app identity)  +----------------------+
|                    |----------------------------------------------->|                      |
|        ARK         |                                               |  Microsoft Entra ID  |
|  (Customer Tenant) |<-----------------------------------------------|  (Tenant Controlled) |
|                    |      Access token issued to the application   |                      |
+---------+----------+                                               +----------------------+
          |
          | Microsoft Graph API (bearer token, application permissions)
          v
+----------------------+
|    Microsoft 365     |
|  SharePoint / Teams  |
+----------------------+

Key Principle:
ARK operates as an approved enterprise application within your Microsoft tenant.
It can only access data your administrators explicitly authorize.


3. Identity & Authentication Model

ARK uses:

  • Microsoft Entra App Registration (Application ID)

  • Application permissions (not delegated user permissions)

  • Certificate-based authentication (recommended) or a client secret (acceptable only where a certificate is not possible)

  • Administrator consent for permission approval

  • Optional site-level restriction using Sites.Selected

No user credentials are stored, processed, or required.

Authentication uses the OAuth 2.0 client credentials flow: ARK presents its certificate (or client secret) to your tenant's Entra ID token endpoint and receives a short-lived access token that carries only the application permissions your administrators consented to. Application permissions show up in the token's roles claim; a delegated (user) token would carry an scp claim instead, which is one way to verify that no user identity is involved.
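The following check is an added example and not ARK's code. It shows what a tenant's security team can verify about an access token issued to the ARK application: that it is app-only (roles claim, no scp claim), issued by the expected tenant, bound to ARK's application id, and limited to the consented application permissions. The app id, tenant id and the two sample tokens are constructed values; the signature is a placeholder so the check runs offline. A production consumer must validate the signature against the tenant's published signing keys first, which this example deliberately does not do.

```python
"""Check that an access token issued to ARK matches the app-only model.

Added example, not ARK's code. Tokens are constructed samples with a dummy
signature; signature validation against the tenant's JWKS is out of scope.
"""
import base64
import json
import time

APP_ID = "11111111-2222-3333-4444-555555555555"      # constructed, not ARK's real app id
TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # constructed tenant id
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}
APPROVED_ROLES = {"Sites.Selected"}  # application permissions consented for ARK (Option B)


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims):
    """Assemble header.payload.signature with a placeholder signature (sample only)."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "sample-key-id"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     "not-a-real-signature"])


def decode_claims(token):
    """Return the payload claims without verifying the signature."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def check_app_only_token(token, app_id=APP_ID, tenant_id=TENANT_ID, now=None):
    """Return a list of findings; an empty list means the token fits the model."""
    now = int(time.time()) if now is None else now
    c = decode_claims(token)
    findings = []
    if c.get("aud") not in GRAPH_AUDIENCES:
        findings.append(f"audience {c.get('aud')!r} is not Microsoft Graph")
    if c.get("tid") != tenant_id:
        findings.append("tid does not match the expected tenant")
    if c.get("appid", c.get("azp")) != app_id:
        findings.append("appid/azp does not match ARK's application id")
    # App-only tokens carry application permissions in 'roles'; delegated tokens carry 'scp'.
    if "scp" in c:
        findings.append("scp present: this is a delegated (user) token, not an app-only token")
    if c.get("idtyp", "app") != "app":
        findings.append(f"idtyp is {c['idtyp']!r}, expected 'app'")
    roles = set(c.get("roles", []))
    if not roles:
        findings.append("no roles claim: no application permissions were granted")
    extra = roles - APPROVED_ROLES
    if extra:
        findings.append(f"roles beyond the approved set: {sorted(extra)}")
    if c.get("exp", 0) <= now:
        findings.append("token has expired")
    return findings


def seconds_until_expiry(token, now=None):
    """How long an already issued token stays usable after consent or credentials are revoked."""
    now = int(time.time()) if now is None else now
    return max(0, decode_claims(token).get("exp", 0) - now)


ISSUED_AT = int(time.time())
# Constructed token that matches the model: app-only, Sites.Selected only.
GOOD_TOKEN = make_sample_token({
    "aud": "https://graph.microsoft.com", "tid": TENANT_ID, "appid": APP_ID,
    "idtyp": "app", "roles": ["Sites.Selected"], "iat": ISSUED_AT, "exp": ISSUED_AT + 3600,
})
# Constructed token that violates the model: delegated (scp present) and over-broad roles.
BAD_TOKEN = make_sample_token({
    "aud": "https://graph.microsoft.com", "tid": TENANT_ID, "appid": APP_ID,
    "idtyp": "user", "scp": "Sites.Read.All", "roles": ["Sites.Read.All", "Sites.Selected"],
    "iat": ISSUED_AT, "exp": ISSUED_AT + 3600,
})

if __name__ == "__main__":
    print("good token findings:", check_app_only_token(GOOD_TOKEN))
    print("bad token findings:", check_app_only_token(BAD_TOKEN))
    print("seconds GOOD_TOKEN stays valid after revocation:", seconds_until_expiry(GOOD_TOKEN))
```

The seconds_until_expiry value is the practical limit of "immediate" revocation: removing consent or the credential stops new tokens from being issued, but a token already in ARK's hands remains valid until its exp claim.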


4. Data Access Model

Option A – Broad Read Access

Permission: Sites.Read.All

Allows read-only access to every SharePoint site in the tenant, including sites created after consent was granted. Choose this only where site-by-site scoping (Option B) is not practical.


Option B – Restricted Site Access (Recommended)

Permission: Sites.Selected

With Sites.Selected, administrators explicitly grant ARK access to specific SharePoint sites only.

Example logical model:

Tenant
├── SharePoint Site A ✅ (Granted to ARK)
├── SharePoint Site B ❌ (No Access)
└── SharePoint Site C ❌ (No Access)


ARK cannot access any SharePoint site that has not been explicitly approved.

This model supports least privilege and zero trust architecture.
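The Sites.Selected grant itself is made by your administrators, not by ARK, through the Microsoft Graph site permission API. The helpers below are an added example (not ARK's or Microsoft's code) that build the grant, list and revoke requests an admin tool would send, and audit a site's permission listing for any ARK grant that goes beyond read. The application id, site ids and the sample listing are constructed values; sending the requests needs an admin identity with Sites.FullControl.All, which is out of scope here.

```python
"""Sites.Selected grant and audit helpers (added example, not ARK's code).

Builds the Graph requests for granting, listing and revoking a single-site
permission, and audits a permissions listing for grants broader than read.
App id, site ids and the listing below are constructed, not real values.
"""
import json

GRAPH = "https://graph.microsoft.com/v1.0"
ARK_APP_ID = "11111111-2222-3333-4444-555555555555"   # constructed, not ARK's real app id
VALID_ROLES = {"read", "write", "manage", "fullcontrol"}  # roles accepted by the site permission API


def grant_request(site_id, app_id=ARK_APP_ID, display_name="ARK", roles=("read",)):
    """POST /sites/{site-id}/permissions: grant the application a Sites.Selected permission."""
    roles = list(roles)
    unknown = set(roles) - VALID_ROLES
    if unknown:
        raise ValueError(f"unsupported roles: {sorted(unknown)}")
    body = {
        "roles": roles,
        "grantedToIdentities": [{"application": {"id": app_id, "displayName": display_name}}],
    }
    return {"method": "POST", "url": f"{GRAPH}/sites/{site_id}/permissions", "json": body}


def list_request(site_id):
    """GET /sites/{site-id}/permissions: enumerate every application granted on the site."""
    return {"method": "GET", "url": f"{GRAPH}/sites/{site_id}/permissions"}


def revoke_request(site_id, permission_id):
    """DELETE /sites/{site-id}/permissions/{permission-id}: remove one grant."""
    return {"method": "DELETE", "url": f"{GRAPH}/sites/{site_id}/permissions/{permission_id}"}


def audit_site_grants(site_id, listing, app_id=ARK_APP_ID, allowed=frozenset({"read"})):
    """Audit the 'value' array returned by the list request.

    Returns one finding per grant that targets app_id, with its roles and whether
    they stay within `allowed`. Grants to other applications are ignored.
    """
    findings = []
    for perm in listing.get("value", []):
        identities = perm.get("grantedToIdentitiesV2") or perm.get("grantedToIdentities") or []
        for ident in identities:
            app = ident.get("application") or {}
            if app.get("id") != app_id:
                continue
            roles = set(perm.get("roles", []))
            findings.append({
                "site": site_id,
                "permission_id": perm.get("id"),
                "roles": sorted(roles),
                "within_policy": roles <= set(allowed),
            })
    return findings


def remediation_plan(site_id, listing, app_id=ARK_APP_ID):
    """Revoke requests for every ARK grant on the site that exceeds read-only."""
    return [revoke_request(site_id, f["permission_id"])
            for f in audit_site_grants(site_id, listing, app_id) if not f["within_policy"]]


# Constructed listing for one site: ARK holds the intended read grant plus a
# leftover write grant from a pilot; an unrelated app is present and must be ignored.
SAMPLE_LISTING = {
    "value": [
        {"id": "perm-1", "roles": ["read"],
         "grantedToIdentitiesV2": [{"application": {"id": ARK_APP_ID, "displayName": "ARK"}}]},
        {"id": "perm-2", "roles": ["write"],
         "grantedToIdentitiesV2": [{"application": {"id": ARK_APP_ID, "displayName": "ARK"}}]},
        {"id": "perm-3", "roles": ["fullcontrol"],
         "grantedToIdentitiesV2": [{"application": {"id": "99999999-9999-9999-9999-999999999999",
                                                     "displayName": "Other App"}}]},
    ]
}

if __name__ == "__main__":
    print(json.dumps(grant_request("contoso.sharepoint.com,site-a-id,web-a-id"), indent=2))
    for finding in audit_site_grants("site-a", SAMPLE_LISTING):
        print(finding)
    for req in remediation_plan("site-a", SAMPLE_LISTING):
        print(req["method"], req["url"])
```

Run the audit against every site that appears in your ARK grant inventory, not only the ones you remember granting: Sites.Selected consent by itself grants nothing, so the per-site grants are the actual access boundary and the thing to review.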


Option C – Folder-Only or Library-Only Access (Guidance)

You may want “this workspace can read only this folder in a Teams/SharePoint site.”

Important points:

  • Sites.Selected restricts the site boundary, not the folder boundary.

  • Folder/library restriction is achieved in one of two enterprise-acceptable ways:

C.1 (Preferred Operationally): Dedicated Document Library per Workspace

Create a library (e.g., ARK-Workspace-001) inside the target site, grant ARK read access to that site with Sites.Selected, and restrict the library using SharePoint permission inheritance management (SharePoint supports unique permissions at library, folder and file level). Before relying on this boundary, confirm with the application's own token that content outside the library is actually unreachable: a Sites.Selected grant is recorded as a site-level app permission, so test rather than assume that unique library permissions constrain it.

C.2 (More Granular): SelectedOperations.Selected Scopes

Microsoft Graph also offers finer-grained "Selected" application permissions that are assigned per list or per item (folders and files included) rather than per site, such as Lists.SelectedOperations.Selected and ListItems.SelectedOperations.Selected.

These allow tighter resource-level assignment than Sites.Selected, but every list or item must be explicitly granted to the application, which adds assignment steps and a larger set of grants to audit.

Practical Recommendation:

  • Default to C.1 (dedicated library) for simplicity, clarity, and stable operations.

  • Use C.2 (SelectedOperations) when you require strict folder/list/item granularity and are comfortable with the additional governance steps.


5. Security Controls

Control               Description
--------------------  -------------------------------------------------------------------
Identity Type         Application (non-human identity): an Entra ID service principal
MFA                   Not applicable (no user login involved); the credential strength of
                      the application itself is the compensating control
Credentials           Certificate-based authentication (recommended); client secret only
                      where a certificate is not possible
Secret Rotation       Managed by customer IT policy; rotate the certificate or secret
                      before its expiry date
Access Scope          Explicit Microsoft Graph application permissions
Admin Approval        Required for all permissions (tenant admin consent)
Revocation            Immediate in Entra ID (remove consent, the credential, or the service
                      principal); tokens already issued stay valid until they expire,
                      typically within about an hour
Audit Logs            Service principal sign-ins and consent changes in the Entra ID
                      sign-in and audit logs; SharePoint file access by the application
                      in the Microsoft 365 unified audit log
Workspace Isolation   ARK workspaces logically segregate ingested data
Access Mode           Read-only for SharePoint/Teams ingestion


To set up application access and SharePoint permissions for ARK, see ARK APP REGISTRATION & PERMISSION SETUP.