Security & Data Privacy Overview
SP Toolkit runs entirely in your browser, within your Microsoft 365 boundary. Your SharePoint content never leaves your tenant; the only outbound call is a licence check that carries a tenant ID and aggregate usage counts (see section 5).
Delegated Only
No Application Permissions — ever
In-Tenant
Data stays in your M365 boundary
Full Audit Trail
Every action logged under user identity
Zero Infrastructure
No agents, services, or VMs
For IT Security Teams
This document covers SP Toolkit's architecture, data flow, permission model, and compliance posture. It is designed for IT Security Managers, SharePoint Administrators, and compliance teams evaluating the tool for deployment.
1. Architecture: In-Tenant & Browser-Based
SP Toolkit is an SPFx (SharePoint Framework) web part — not an external SaaS agent, not a desktop installer, and not a service principal with tenant-wide access.
The migration engine runs entirely inside your browser, within your Microsoft 365 boundary. When you migrate a list, the data flows directly from SharePoint → browser → SharePoint. There is no intermediary server, no staging area, and no external data store.
| Component | Where it runs |
|---|---|
| Migration engine | User's browser (JavaScript) |
| Data reads | SharePoint REST API / Microsoft Graph API |
| Data writes | SharePoint REST API (PnPjs) |
| Authentication | SPFx context (target) / MSAL popup (source) |
| Licence validation | Azure-hosted API (tenant ID + aggregate usage counts) |
SP Toolkit is deployed from the SharePoint App Catalog — the same mechanism Microsoft uses for all first-party and third-party SPFx solutions. Your SharePoint admin retains full control over deployment scope and can limit it to specific site collections.
2. Data Residency & Sovereignty
Zero Data Transit
No file content, list item data, metadata, attachments, or user information leaves the Microsoft 365 boundary during migration. In a cross-tenant migration the content does move from the source tenant to the target tenant you select, but it still passes only through the signed-in user's browser.
- Source reads go directly to SharePoint/Graph endpoints within your Microsoft 365 boundary
- Target writes go directly to SharePoint REST endpoints within your Microsoft 365 boundary
- Cross-tenant migrations flow from source tenant → browser → target tenant. The browser is the only intermediary, running on the user's own device
Australian Compliance
- No data is routed through third-party servers or offshore infrastructure
- Data residency is determined entirely by your existing Microsoft 365 tenant configuration
- SP Toolkit introduces no additional data sovereignty risk for SharePoint content: content moves only between the tenants you choose, via the browser
- Designed to support compliance with the Australian Privacy Act 1988 (APP 8, cross-border disclosure): no SharePoint content crosses borders during migration, and licence validation calls to Azure transmit only a tenant ID, aggregate numeric counts and the client version. The one item of personal information sent outside the tenant is the admin email supplied at trial signup (section 5); the hosting region of the licence API is not stated in this document, so include that call in your APP 8 assessment if the signup email is in scope.
3. Permission Model: Delegated (User Impersonation)
SP Toolkit uses the Delegated Permissions model exclusively. It never uses Application Permissions.
The tool acts on behalf of the signed-in user. Under the delegated model the effective access is the intersection of what the app is scoped to and what the user holds, so it cannot access any site, list, document, or item that the user does not already have permission to access.
| Risk factor | SP Toolkit | Typical migration tools |
|---|---|---|
| Global Admin required? | No | Often yes |
| App-Only permissions? | No | Often yes (tenant-wide) |
| Service account required? | No | Often yes |
| Can access sites the user can't? | No — impossible by design | Often yes (app-only) |
No API Permission Approval Required
SP Toolkit requires no API permission approvals in the SharePoint Admin Centre. The licence validation service is called over standard HTTPS with no Azure AD token involved, so there is no consent step for it.
For cross-tenant migrations, Graph permissions (e.g., Sites.Read.All) are obtained at runtime through an interactive MSAL login: the user authenticates in a popup and is asked to consent to the scopes, subject to the consent policy of the source tenant (several of the scopes listed in section 6 require admin consent by default).
4. Auditing & Logging
Because every action is performed under the signed-in user's identity, all operations are recorded in the Microsoft 365 Unified Audit Log under that user's name, provided unified auditing is enabled for the tenant (it is on by default). The records sit alongside the same user's manual SharePoint activity, so scope audit searches by the migration's time window and target site to isolate migration activity:
- File uploads → logged as the user
- List item creation → logged as the user
- Folder creation → logged as the user
- Permission changes → not performed (SP Toolkit does not modify permissions)
There are no service accounts, no background processes, and no daemon applications. When the browser tab closes, the tool stops.
5. Licence Validation — Full Transparency
SP Toolkit validates your subscription status by calling an Azure-hosted API. This is a standard SaaS licence heartbeat — it confirms your tenant has an active licence and tracks aggregate usage against plan limits.
What is sent
| Data sent | Example | Purpose |
|---|---|---|
| Tenant ID | a1b2c3d4-... (GUID) | Identify which licence to check |
| Admin email | admin@contoso.com | Trial signup / checkout only |
| Aggregate metrics | items: 1200, lists: 3 (plus operation type and duration metrics) | Usage tracking against plan limits |
| Client version | 1.4.0 | Compatibility checks |
What is NOT sent — ever
- ❌ List names, item content, or metadata
- ❌ Document content or file names
- ❌ User names, email addresses, or directory data (except admin email during signup)
- ❌ Site URLs or tenant domain names
- ❌ Passwords, tokens, or credentials
- ❌ Field values, column definitions, or schema details
Response Integrity
Licence responses include a digitally signed ticket that is verified client-side using an RSA public key embedded in the SPFx manifest. TLS already protects the response in transit; the signature additionally ensures that a forged or modified licence response (for example from an intercepting proxy or a substituted endpoint) is rejected. Note that this is an integrity control on the licence, not a control over customer data: anyone who can run the web part's JavaScript can also read and alter it in their own browser.
6. Cross-Tenant Migration — Additional Security Context
For migrations between two separate Microsoft 365 tenants:
- Source tenant app registration — The customer creates an Azure AD app registration in the source tenant with specific Graph API delegated permissions
- Interactive user login — The user authenticates via an MSAL popup. SP Toolkit never sees or stores the password
- Delegated access only — The app uses delegated permissions requiring the signed-in user to have corresponding access
- Session-scoped tokens — Access tokens are held in sessionStorage (cleared when the tab closes) and refreshed automatically. sessionStorage is readable by any script running on the same origin, which on a SharePoint page includes other web parts and scripts loaded there, so the token is only as protected as the page it lives on
Graph API Scopes (Cross-Tenant Source Reads)
| Scope | Purpose |
|---|---|
| Sites.Read.All | Read site and list structure |
| Sites.ReadWrite.All | Read list items and fields |
| User.Read.All | Resolve user/person fields |
| TermStore.ReadWrite.All | Managed metadata term pre-registration |
| Directory.Read.All | Extended user property resolution |
| Group.Read.All | Group-based permission resolution (optional) |
These scopes are requested at runtime via interactive consent; they are not pre-granted at deployment time. Two points for reviewers: first, User.Read.All, Directory.Read.All and Group.Read.All require admin consent for delegated access in Entra ID by default, so an administrator of the source tenant will normally have to consent on the app registration before the popup succeeds for an ordinary user. Second, although the table describes source reads, Sites.ReadWrite.All and TermStore.ReadWrite.All are write-capable scopes; confirm why they are needed on the source tenant and whether the read-only equivalents would do before granting them.
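To check the "delegated only" claim of sections 3 and 6 against a token the popup actually returned, the following added example (not SP Toolkit's code) decodes an access token's claims and reports whether it is a delegated token for the expected source tenant and which granted scopes go beyond a read-only set. Delegated tokens carry their scopes in `scp`; app-only tokens carry application roles in `roles`. The sample tokens are constructed and unsigned (the signature segment is a placeholder), and the read-only scope set is an assumption for illustration; access tokens are validated by Graph, not by the client, so this is a diagnostic check rather than signature verification.

```javascript
// Added example, not SP Toolkit's code. Sample tokens are constructed and
// unsigned; the "read-only set" of scopes is an assumption for illustration.

function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Decode the payload segment of a compact JWT without checking its signature.
function decodeClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Report whether the token is delegated, for the right tenant and audience,
// unexpired, and which granted scopes exceed the allowed read-only set.
function assessSourceToken(token, expectedTenantId, nowSeconds, allowedScopes) {
  const c = decodeClaims(token);
  const issues = [];
  // Delegated tokens carry `scp`; app-only tokens carry `roles` and no user claims.
  const delegated = typeof c.scp === 'string' && !Array.isArray(c.roles);
  if (!delegated) issues.push('not a delegated token (no scp, or roles present)');
  if (c.tid !== expectedTenantId) issues.push(`issued for tenant ${c.tid}, expected ${expectedTenantId}`);
  // Microsoft Graph's audience is either its URL or its well-known app ID.
  if (c.aud !== 'https://graph.microsoft.com' && c.aud !== '00000003-0000-0000-c000-000000000000') {
    issues.push(`unexpected audience ${c.aud}`);
  }
  if (typeof c.exp !== 'number' || c.exp <= nowSeconds) issues.push('expired');
  const scopes = delegated ? c.scp.split(' ') : [];
  const excess = scopes.filter((s) => !allowedScopes.has(s));
  if (excess.length) issues.push(`scopes beyond the read-only set: ${excess.join(', ')}`);
  return { delegated, user: c.upn || c.preferred_username || null, scopes, excess, issues };
}

// Constructed sample tokens (header and payload only; signature is a placeholder).
const SOURCE_TENANT = '11111111-2222-3333-4444-555555555555';
const NOW = 1_700_000_000;
const header = b64url({ typ: 'JWT', alg: 'RS256' });
const delegatedToken = [
  header,
  b64url({
    aud: 'https://graph.microsoft.com', tid: SOURCE_TENANT, exp: NOW + 3600,
    upn: 'migrator@source.example',
    scp: 'Sites.Read.All Sites.ReadWrite.All User.Read.All',
  }),
  'sig',
].join('.');
const appOnlyToken = [
  header,
  b64url({ aud: 'https://graph.microsoft.com', tid: SOURCE_TENANT, exp: NOW + 3600, roles: ['Sites.Read.All'], idtyp: 'app' }),
  'sig',
].join('.');

// Assumed read-only set for a source migration; Sites.ReadWrite.All is flagged as excess.
const READ_ONLY_SCOPES = new Set(['Sites.Read.All', 'User.Read.All']);

console.log(assessSourceToken(delegatedToken, SOURCE_TENANT, NOW, READ_ONLY_SCOPES));
console.log(assessSourceToken(appOnlyToken, SOURCE_TENANT, NOW, READ_ONLY_SCOPES));
```

In a real review you would paste the token obtained from the MSAL popup (visible in the browser's developer tools) in place of the constructed one; the `excess` list is what to take back to the vendor.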
7. Network Footprint
Every external network destination the SP Toolkit web part contacts:
| Destination | Purpose | Data exposed |
|---|---|---|
| *.sharepoint.com | SharePoint REST operations | Standard SP API calls |
| graph.microsoft.com | Graph API (cross-tenant) | Standard Graph API calls |
| login.microsoftonline.com | Authentication | Standard OAuth flows |
| SP Toolkit API (Azure) | Licence validation | Tenant ID + usage counts |
The first three are standard Microsoft 365 endpoints. The fourth is our licence check. Optional user-configured endpoints (AI providers, webhooks) are not active by default; if you enable one, whatever is sent to it falls outside the guarantees in section 2 and should be assessed as a separate integration.
8. What SP Toolkit Does NOT Do
- ❌ Install agents, services, or background processes
- ❌ Require Global Admin or tenant-wide Application Permissions
- ❌ Store SharePoint content outside your Microsoft 365 tenant
- ❌ Create or modify SharePoint permissions or sharing settings
- ❌ Access Exchange, Teams chat, OneDrive personal, or any non-SharePoint workload
- ❌ Run when the browser tab is closed
- ❌ Require opening firewall ports or VPN tunnels
- ❌ Store credentials — authentication is handled entirely by Microsoft's identity platform
9. Deployment & Scoping
| Control | Detail |
|---|---|
| App Catalog deployment | Admin uploads .sppkg to tenant or site-collection App Catalog |
| Tenant-wide vs site-scoped | Admin chooses deployment scope |
| API permission approval | None required — no admin consent step |
| Removal | Delete from App Catalog: immediate and complete, with no residual components in the tenant. For cross-tenant use, the app registration the customer created in the source tenant (section 6) is customer-owned and should be deleted separately |
10. Summary
| Concern | SP Toolkit answer |
|---|---|
| Where does my data go? | Nowhere outside M365: browser-to-SharePoint only. The licence check carries a tenant ID and usage counts, not content |
| What permissions does it need? | No API permissions to approve. Licence checks use standard HTTPS. |
| Can it access more than I can? | No — delegated model, limited to user's own permissions |
| Is there a service account? | No — user identity only, logged in the standard audit trail |
| What does the licence check send? | Tenant ID, aggregate usage counts, operation type, duration metrics, and client version. No SharePoint content or list names. |
| Can my admin control deployment? | Yes — App Catalog scoping, site-collection or tenant-wide |
| What happens if I remove it? | Delete from App Catalog. No residual services, no cleanup, other than removing any source-tenant app registration you created for cross-tenant migration. |
Ready to Deploy?
Download SP Toolkit and share our Admin Approval Guide with your IT team to get started.