Ensure secure access with access control list

  • 3 minutes

In this unit, you learn how to ensure that the external content that you import to Microsoft 365 is only accessible for privileged individuals.

Import external content with correct permissions

Information that you store outside of Microsoft 365 is either accessible by everyone in your organization or only by a select group of people. The permissions for accessing external content are stored in the external system.

When importing content using Microsoft Graph connectors, you retrieve content and its permissions from your external system. Using this information, for each piece of content that you import, you build an access control list (ACL) and include it with the item when you import it to Microsoft 365.

Diagram that illustrates how a custom Microsoft Graph connector works.

Configuring permission on the imported content lets you ensure that only individuals specified in the external system can access it. When importing external content using Graph connectors, you have several options to ensure that it's accessible by the same group of people who can access it in the external system.

Anatomy of an access control list

An access control list is an array of access control entries. Each entry consists of three elements:

  1. Access type, which specifies if the entry is for granting or denying access to the piece of content.
  2. Type, which specifies the type of entity described by the entry. It can be:
    1. a Microsoft Entra user,
    2. a Microsoft Entra group,
    3. everyone in your tenant,
    4. everyone except guest users,
    5. an external group (that is, a group defined in your external system)
  3. Value, which identifies the entity described by the entry.

Diagram of a schematic view of an access control list.

Important

Each imported item must include at least one access control entry. You can also include multiple entries to make the item accessible by multiple groups of people.

Let's have a look at some common scenarios of how you'd ensure correct access to your imported content.

Scenario 1: Import content available to everyone in the organization

One of the most common scenarios is importing external content that's available to everyone in the organization. If you're importing such content, you can use the following access control entry on all content items:

  • Access type: grant
  • Type: Everyone
  • Value: Everyone

Scenario 2: Import content available only to specific group of people from an external system with single sign-on with Microsoft 365

If your external system has single sign-on with Microsoft 365, your external content is secured with users and groups from Microsoft Entra ID (previously Azure Active Directory). In such cases, you can define access control entries, of type User (if you're referring to single Entra users) or Group (when you're referring to Entra groups). You configure the value to refer to the object ID of the Microsoft Entra user or group, for example:

  • Access type: grant
  • Type: Group
  • Value: 12345678-1234-1234-1234-123456789012

Scenario 3: Import content available only to specific group of people from an external system without single sign-on with Microsoft 365

If you're importing content from a system that secures content using its own users and groups, you can still properly secure the imported content and make it available only to the correct individuals. In such case, you define external groups, which you use to secure the imported content. These groups reflect memberships defined in the external system but refer to Microsoft Entra users and groups or other external groups.

Keep your external permissions and access control lists synchronized

The external system from which you import content to Microsoft 365 contains the primary reference of permissions and who has access to what content. When building Microsoft Graph connectors, you must synchronize these permissions to your content imported to Microsoft 365 to ensure its security.

If your external system raises an event when permissions change, you can immediately update them on the external content imported to Microsoft 365. If the external system doesn't support events, then you build a frequently running process that scans for changed permissions and updates them accordingly. You should include the ability to refresh permissions on demand, which allows you to instantaneously refresh permissions if such a need arises.