Microsoft Permissions
Rockhopper integrates with Microsoft 365 via Microsoft Entra ID (Azure AD) and the Microsoft Graph API. This page documents the exact permissions requested and explains why each is needed.
Permissions requested
Files.Read.All (Delegated): Read files the user can access — used to detect changes to enrolled spreadsheets and download version snapshots
Files.ReadWrite.All (Delegated): Read and write files the user can access — used to update files when reverting to a previous version or creating a copy
User.Read (Delegated): Read the signed-in user's profile — used to identify the user and display their name and email in Rockhopper
User.ReadBasic.All (Delegated): Read basic profile info for all users in the organization — used to show team member names and enable @mentions in comments
All permissions are delegated, meaning they operate within the context of the signed-in user. Rockhopper can only access files and profiles that the user themselves already has access to in Microsoft 365.
What Rockhopper does NOT access
Email and calendar: No access to mailboxes, calendars, or contacts
Teams and chat: No access to Microsoft Teams messages, channels, or meetings
SharePoint lists and sites: No access beyond OneDrive/SharePoint file storage
Admin functions: No admin-level permissions — Rockhopper cannot modify tenant settings, user accounts, or security policies
How permissions are granted
During initial onboarding, a Microsoft 365 administrator grants consent for these permissions on behalf of the organization. This is a one-time process — see the Microsoft 365 Onboarding guide for step-by-step instructions.
Individual users do not need to grant additional permissions. Once admin consent is provided, all users in the tenant can sign into Rockhopper and begin using the platform.
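To confirm after admin consent that the tenant holds exactly the permissions documented on this page, an administrator can compare the grants recorded on Rockhopper's service principal with the list above. The following is an added example, not Rockhopper's code: it assumes the two input arrays were exported from Microsoft Graph (the oauth2PermissionGrants for the service principal, and its appRoleAssignments), and the sample records are constructed.

```python
# Delegated scopes documented on this page.
DOCUMENTED_SCOPES = {"Files.Read.All", "Files.ReadWrite.All",
                     "User.Read", "User.ReadBasic.All"}

def audit_consent(grants, app_role_assignments):
    """Compare recorded consent with the documented scopes.

    grants: "value" array of oauth2PermissionGrant objects for the client.
    app_role_assignments: "value" array of the service principal's
    appRoleAssignments (application permissions).
    Returns a list of findings; an empty list means no drift.
    """
    findings, granted = [], set()
    for g in grants:
        scopes = set(g.get("scope", "").split())  # space-separated string
        granted |= scopes
        for extra in sorted(scopes - DOCUMENTED_SCOPES):
            findings.append(f"undocumented delegated scope: {extra}")
        # Tenant-wide admin consent is recorded as consentType AllPrincipals.
        if g.get("consentType") != "AllPrincipals":
            findings.append(f"per-user grant for principal {g.get('principalId')}")
    for missing in sorted(DOCUMENTED_SCOPES - granted):
        findings.append(f"documented scope not granted: {missing}")
    # The page lists delegated permissions only, so any app role is drift.
    for a in app_role_assignments:
        findings.append(f"application permission: appRoleId {a.get('appRoleId')}")
    return findings

# Constructed sample records (not real tenant data).
CLEAN_GRANTS = [{"id": "grant-1", "consentType": "AllPrincipals", "principalId": None,
                 "scope": "Files.Read.All Files.ReadWrite.All User.Read User.ReadBasic.All"}]
DRIFTED_GRANTS = [{"id": "grant-2", "consentType": "AllPrincipals", "principalId": None,
                   "scope": CLEAN_GRANTS[0]["scope"] + " Mail.Read"}]
DRIFTED_ROLES = [{"appRoleId": "00000000-0000-0000-0000-000000000001"}]

if __name__ == "__main__":
    for name, g, r in [("clean", CLEAN_GRANTS, []), ("drifted", DRIFTED_GRANTS, DRIFTED_ROLES)]:
        print(name, audit_consent(g, r) or "matches documented permissions")
```

Running the same comparison on a schedule surfaces scopes added to the grant after onboarding, such as the mail scope in the drifted sample.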