How are SharePoint Online user permissions applied in Confluence Cloud?
As a rule of thumb, only users who have direct access to information in SharePoint Online will also have access to that information when it is embedded in Confluence Cloud.
Technical Details
For authorization within the app, the user directories of SharePoint Online and Confluence Cloud (e.g., Azure AD and Atlassian Accounts) are not used directly. That means user names, user SIDs and similar identifiers are never compared between the two systems. Instead, authorization takes place via access tokens, which are stored in the browser session.
For authentication against SharePoint Online, the SharePoint user directory is used. The (simplified) authentication and authorization process is described below:
When the user logs in to SharePoint Online, a user token is created for this user.
The user token (together with some additional required information) is then used to request an access token from the Microsoft Graph API. The access token is therefore issued for this specific user and carries delegated permissions for SharePoint Online.
The access token is then sent with every request from the Confluence macro to the Microsoft Graph API (i.e., for SharePoint Online data). Because the token is bound to the user, the response contains only SharePoint data that the logged-in user is allowed to access.
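The following is an added example (not code from the app or from this page) that shows why the last step works: a Microsoft Graph access token is a JWT whose claims name the user ("upn", "oid") and the delegated permissions ("scp"), whereas an app-only token carries "roles" and no user, so Graph would not filter results per user. The tokens below are constructed and signed with an HS256 stand-in key so the example runs offline; real Graph tokens are RS256-signed by Microsoft Entra ID and must be validated against its published keys. All claim values, the key, and the helper names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed HMAC key used only to sign the sample tokens in this example.
# Real Microsoft Graph access tokens are RS256-signed by Microsoft Entra ID and
# must be validated against the published signing keys, not a shared secret.
SAMPLE_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_token(claims: dict, key: bytes = SAMPLE_KEY) -> str:
    """Build a constructed HS256 JWT (header.payload.signature) from a claim set."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def verify_signature(token: str, key: bytes = SAMPLE_KEY) -> bool:
    """Return True only if the token is well-formed and its signature matches the key."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, _b64url_decode(sig_b64))
    except ValueError:  # wrong number of segments or undecodable base64url
        return False


def decode_claims(token: str, key: bytes = SAMPLE_KEY) -> dict:
    """Verify the signature first, then return the payload claims."""
    if not verify_signature(token, key):
        raise ValueError("token signature does not verify; claims must not be trusted")
    return json.loads(_b64url_decode(token.split(".")[1]))


def classify_token(claims: dict, now: int) -> dict:
    """
    Summarise what a Graph access token grants.
    Delegated tokens carry a space-separated 'scp' claim plus the user's identity
    ('oid', 'upn'); Graph then returns only the SharePoint items that user can read.
    App-only tokens carry a 'roles' claim and no user, so results are NOT filtered
    per user. The macros described above rely on the delegated kind.
    """
    delegated = "scp" in claims
    app_only = "roles" in claims and not delegated
    permissions = claims["scp"].split() if delegated else list(claims.get("roles", []))
    return {
        "audience": claims.get("aud"),
        "tenant": claims.get("tid"),
        "user": claims.get("upn"),
        "delegated": delegated,
        "app_only": app_only,
        "permissions": sorted(permissions),
        "expired": claims.get("exp", 0) <= now,
    }


# Constructed claim sets: illustrative values, not captured tokens.
NOW = 1_700_000_000
DELEGATED_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "tid": "00000000-0000-0000-0000-000000000001",
    "oid": "11111111-1111-1111-1111-111111111111",
    "upn": "alice@example.com",
    "scp": "Sites.Read.All Files.Read.All User.Read",
    "exp": NOW + 3600,
}
APP_ONLY_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "tid": "00000000-0000-0000-0000-000000000001",
    "roles": ["Sites.Read.All"],
    "exp": NOW + 3600,
}


def describe(token: str, now: int = NOW) -> dict:
    """Verify, decode and classify a token in one step (raises on a bad signature)."""
    return classify_token(decode_claims(token), now)


if __name__ == "__main__":
    for name, claims in (("delegated", DELEGATED_CLAIMS), ("app-only", APP_ONLY_CLAIMS)):
        print(name, json.dumps(describe(make_sample_token(claims)), indent=2))
    # A payload re-signed under a different key must be rejected before any claim is read.
    resigned = make_sample_token(dict(DELEGATED_CLAIMS, scp="Sites.FullControl.All"), key=b"other-key")
    print("re-signed token verifies:", verify_signature(resigned))
```

The point for a reviewer of such an integration is the "delegated" flag: as long as the macro calls Graph with a token that has "scp" and a user identity, Graph enforces the SharePoint permissions of that user; an integration that switched to an app-only ("roles") token would bypass that filtering and would have to re-implement it itself.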
How the user permissions affect the Confluence Macros
The user must be logged in to SharePoint Online when using the app.
The user is not logged in to SharePoint
If a user is logged in to Confluence but not to SharePoint, they won’t see any SharePoint content. Instead, the following message will be displayed:
Image 1: User not logged in to SharePoint cannot see any SharePoint content
The user is logged in to Confluence and SharePoint
If a user is logged in to both Confluence and SharePoint, then the SharePoint List macro or SharePoint Document macro in Confluence will only display lists and documents that the logged-in SharePoint user is permitted to see in SharePoint itself.
The same applies to a document library in which the logged-in SharePoint user has access to only some of the folders: the SharePoint List macro will display only those folders.
The user is logged in without permission
If a SharePoint List or Document macro is configured to show a list that the logged-in SharePoint user isn’t allowed to see, the following hint will be displayed:
Image 2: Logged-in SharePoint user can only see SharePoint lists or documents they are authorized for
Guest access
If your organization's SharePoint is configured to allow external sharing, your registered guests will be able to see the content of the configured lists or documents. Adding or editing a document or a list through the Confluence macros requires at least read permission on the site where the list or document is stored; include this in your overall permissions planning for SharePoint in Microsoft 365.