Proof is built to use Microsoft Entra and OIDC for user authentication, and to host routing attachments on Sharepoint. The use of Sharepoint is most critical, enabling users to edit documents throughout the review cycle, while also keeping these documents private (i.e. visible only to folks with visibility on the routing itself).

There are three steps to connecting a Proof tenant to an existing Sharepoint site collection.

  1. Registering the Application Registration for Proof in your Azure tenant
  2. Provisioning a sharepoint site, and permissioning that site for use by Proof.
  3. Whitelisting a user group for login to Proof via Microsoft Entra, and giving the Proof application visibility into that group.

We expand upon each of the steps below.

Step 1 - registering Proof as an Enterprise Application in your Azure Tenant

Proof follows the usual flow of application registration - your account manager at Proof can generate a URL to be used by an administrator of your Azure tenant to consent to the permissions needed by the application.

An Azure administrator will see the following consent screen:

[Screenshot: Microsoft Entra admin consent screen for the Proof application]

*Proof is shown as unverified because its MPN registration is currently pending.

The underlying API scopes requested by the application are the following:

  1. MS Graph
    1. offline_access (delegated)
    2. User.Read (delegated)
    3. User.Read.All (delegated)
  2. Sharepoint
    1. Sites.Selected (application)

User.Read is required for sign-in. User.Read.All is required to support user management. Sites.Selected is required to access the Sharepoint REST API, and it requires additional configuration.

Beyond the organizational consent, the Proof application requires a few other permissioning steps to operate, which are described in the following section.

Currently, this permissioning process is manual: although parts of it can be scripted, doing so requires very high-level permissions (i.e. Sites.FullControl.All and Groups.ReadWrite.All), and not all elements of the configuration can be scripted.
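As an added illustration of the site-scoped grant that Sites.Selected depends on (this is not Proof's own code and not part of the original page): the first function builds the Microsoft Graph request that an administrator holding Sites.FullControl.All would send to grant the Proof app registration write access to a single site, refusing any broader role, and the second audits a site's existing application permissions for unexpected apps or excessive roles. The application id, site id and the sample permission listing are placeholders constructed here.

```python
# Added example: least-privilege site grant for an app using Sites.Selected,
# plus an audit of what a site has already granted. Not Proof's own code.
GRAPH = "https://graph.microsoft.com/v1.0"

# Placeholder values (assumptions): replace with your tenant's app registration.
PROOF_APP_ID = "00000000-0000-0000-0000-000000000000"
PROOF_APP_NAME = "Proof"

# Sites.Selected grants the app nothing on its own; each site needs an explicit
# grant. Only these roles are acceptable for a document-editing integration.
LEAST_PRIVILEGE_ROLES = {"read", "write"}


def build_site_permission_request(site_id: str, app_id: str, app_name: str,
                                  roles=("write",)) -> tuple[str, dict]:
    """Return (url, json_body) for POST /sites/{site-id}/permissions.

    The caller of this endpoint needs Sites.FullControl.All, which is why the
    grant is normally done once by an administrator rather than by the app."""
    excessive = set(roles) - LEAST_PRIVILEGE_ROLES
    if excessive:
        raise ValueError(f"refusing to grant broader-than-needed roles: {sorted(excessive)}")
    url = f"{GRAPH}/sites/{site_id}/permissions"
    body = {
        "roles": list(roles),
        "grantedToIdentities": [{"application": {"id": app_id, "displayName": app_name}}],
    }
    return url, body


def audit_site_permissions(listing: dict, expected_app_ids: set[str]) -> list[str]:
    """Walk a GET /sites/{site-id}/permissions response ("value" array) and
    return one finding per unexpected application or excessive role."""
    findings = []
    for perm in listing.get("value", []):
        roles = set(perm.get("roles", []))
        for grantee in perm.get("grantedToIdentities", []):
            app = grantee.get("application", {})
            app_id = app.get("id", "?")
            if app_id not in expected_app_ids:
                findings.append(f"unexpected application {app_id} ({app.get('displayName')}) "
                                f"holds roles {sorted(roles)}")
            extra = roles - LEAST_PRIVILEGE_ROLES
            if extra:
                findings.append(f"application {app_id} holds excessive roles {sorted(extra)}")
    return findings


# Constructed sample listing (not real tenant data): one correct grant for the
# Proof app and one over-privileged grant to an unexpected application.
SAMPLE_LISTING = {"value": [
    {"id": "perm-1", "roles": ["write"],
     "grantedToIdentities": [{"application": {"id": PROOF_APP_ID, "displayName": PROOF_APP_NAME}}]},
    {"id": "perm-2", "roles": ["fullcontrol"],
     "grantedToIdentities": [{"application": {"id": "11111111-1111-1111-1111-111111111111",
                                              "displayName": "Legacy Integration"}}]},
]}
```

Run the audit periodically against each site the app is granted on; a finding means a grant has drifted from the single write-only entry the Proof connection needs.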

Step 2 - Provisioning and permissioning a Sharepoint site

A Proof tenant can operate with only a dedicated Document Library (i.e. within a pre-existing Sharepoint site). However, we recommend creating a separate Sharepoint site, primarily because the service account that manages the connection between Proof and Sharepoint must have administrator privileges on that site: it performs user and group management for the site, since Proof admins are given visibility over all routings in Sharepoint through their inclusion in an administrator user group alongside the system account.

Configuring Sites.Selected