Vitextra offers applications and services for on-premises SharePoint Server installations and for cloud environments based on Microsoft 365 and Dynamics 365.

Since these applications work with corporate data, it is essential to confirm that they do not send corporate information to third-party servers for processing.

The purpose of this post is to describe how Vitextra applications work with data stored within your tenant and exactly which information, if any, leaves it.

Hosting Environments

Vitextra applications support the following environments:

  • SharePoint Online
  • Microsoft Teams

In both cases the application works the same way: it consists of JavaScript files executed on the client side (in the browser or in the Teams client).

๐Ÿ“ Note
Vitextra applications use the same codebase regardless of the environment in which they work.

Data Sources and Permissions

Vitextra applications have two ways of reading data from your tenant.

The first and simplest is the SharePoint site itself. The application calls the built-in SharePoint API under the identity of the current user, so no additional permissions need to be granted.

The second option is Microsoft Graph, which gives access to data from almost all Microsoft 365 services, such as OneDrive, Teams, SharePoint, Planner, and others. An administrator must approve the permissions the particular application requests in the Microsoft 365 Admin Center (the API access page of the SharePoint admin center).

๐Ÿ“ Note
The application's permissions cannot exceed the permissions of the logged-in user.

SharePoint Framework-based application working within SharePoint Online or Microsoft Teams makes a call to API and other services on behalf of the logged-in user.

Effective application permission is the intersection of the app's and the user's permissions.

[Diagram: Application Effective Permission]

๐Ÿ“ Note
If the current user does not have access to the company's resources, then the application will not be able to access this resource.
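The intersection rule above, as an added example that is not Vitextra's code: a small JavaScript model of delegated access in which a call succeeds only when the app was consented for a scope covering the operation and the user can reach the resource on their own. The operation-to-scope table, the consented scopes, the user's access list and the site URLs are constructed assumptions; the scope names are real Microsoft Graph delegated scopes, but the model does not reproduce how Azure AD or Graph actually evaluate a request.

```javascript
// Added example (not Vitextra's code): a minimal model of how a delegated-permission
// app's effective access is the intersection of the app's consented scopes and the
// signed-in user's own access. All data below is constructed sample data.

// Operations a hypothetical web part performs, mapped to the delegated Graph
// scopes that cover each one (any listed scope is sufficient).
const REQUIRED_SCOPES = {
  "read-site-items": ["Sites.Read.All", "Sites.ReadWrite.All"],
  "read-user-profile": ["User.ReadBasic.All", "User.Read.All"],
  "read-planner-tasks": ["Tasks.Read", "Tasks.ReadWrite"],
};

// Scopes an administrator has approved for the app. Note: no Tasks.* scope.
const appConsentedScopes = new Set(["Sites.Read.All", "User.ReadBasic.All"]);

// What each user can reach on their own, independent of any app.
// Keyed by user object id; values are the resources the user may read.
const userAccess = {
  "2f8ee5b1-30b7-46a0-ae32-feb557730d34": new Set([
    "https://contoso.sharepoint.com/sites/hr",
    "planner:plan-finance",
  ]),
};

// Decide whether a delegated call succeeds. Both conditions must hold:
// 1. the app was consented for a scope covering the operation, and
// 2. the user could access the resource anyway.
function effectiveAccess({ userId, operation, resource }) {
  const needed = REQUIRED_SCOPES[operation];
  if (!needed) {
    return { allowed: false, reason: "unknown operation " + operation };
  }
  const appHasScope = needed.some((s) => appConsentedScopes.has(s));
  if (!appHasScope) {
    return { allowed: false, reason: "app lacks a consented scope" };
  }
  const userCan = (userAccess[userId] || new Set()).has(resource);
  if (!userCan) {
    return { allowed: false, reason: "user has no access to the resource" };
  }
  return { allowed: true, reason: "app scope and user access both satisfied" };
}

// Three calls for the same user: allowed, blocked by the user's own
// permissions, and blocked because the admin never consented the scope.
const USER = "2f8ee5b1-30b7-46a0-ae32-feb557730d34";
const decisions = {
  hrSite: effectiveAccess({
    userId: USER,
    operation: "read-site-items",
    resource: "https://contoso.sharepoint.com/sites/hr",
  }),
  financeSite: effectiveAccess({
    userId: USER,
    operation: "read-site-items",
    resource: "https://contoso.sharepoint.com/sites/finance",
  }),
  plannerTasks: effectiveAccess({
    userId: USER,
    operation: "read-planner-tasks",
    resource: "planner:plan-finance",
  }),
};

console.log(decisions);
```

The two failure reasons are the ones to separate when a web part gets a 403: if the user can open the resource in SharePoint but the app cannot, look at the consented scopes; if the user cannot open it, no amount of consent will help.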

Data Flow

The next point to clarify is the step-by-step flow of requests, both to external services and within your own tenant.

Vitextra applications rely on three external services: a Content Delivery Network, the License Verification Service, and the Telemetry Data Collection Service.

  • The Content Delivery Network (CDN) is a geographically distributed network of servers that provides fast delivery of the application's executable files and localization data.
  • The License Verification Service (Vitextra API) provides information about the license status and the availability of updates.
  • Telemetry Data Collection (Application Insights) lets Vitextra track application usage.

On the other hand, the application interacts with corporate resources only within your Microsoft 365 tenant; your corporate data is never transferred outside of it.

All Vitextra apps process and render data on the client side.

The diagram below shows the services that Vitextra applications use.

[Diagram: Data flow]

(1) Getting the application executables

The application manifest lists the executable files and localization data and where they are stored. On initialization, the application downloads these files from the content delivery network (CDN).

(2) Getting a token from Azure AD

If the application uses the Microsoft Graph API, it requests an access token from Azure AD (now Microsoft Entra ID).

💡 Tip
Some applications, such as Smart Search, use only native SharePoint services and do not call Microsoft Graph. No permissions need to be granted in this case.

(3) Getting the license status

The application sends the following information to the license service to check the license status and whether updates are available:

  • Unique identifier of the tenant
  • Unique identifier of the current user
  • URL of the SharePoint site
  • Identifier and name of the application
  • Version of the application

If the license is inactive for any reason, the application displays a banner saying that the application needs to be purchased or a license needs to be assigned.

Example of data that the application sends to the license verification service:

{
    "TenantId": "a639a97b-71de-44b1-b051-aeded855df34",
    "UserId": "2f8ee5b1-30b7-46a0-ae32-feb557730d34",
    "SiteUrl": "https://vitextra.sharepoint.com",
    "ProductId": "6a2aec78-ea9d-4a31-9b6f-eb80c92f7648",
    "ProductName": "EmployeeDirectoryWebPart",
    "ProductVersion": "4.4.6"
}

(4) Tracking application usage

When the application loads, it sends an event describing the load to the Application Insights service.

Vitextra collects this data to understand which of its applications customers use and which versions are currently installed in their tenants.

Example of data that the application sends to the telemetry service:

{
    "name": "Microsoft.ApplicationInsights.Event",
    "tags": {
        "ai.user.id": "aiRTjhovyl4JRBiSFS653X",
        "ai.session.id": "IOMhPtyIF38gtqAT455rIc",
        "ai.device.id": "browser",
        "ai.device.type": "Browser",
        "ai.operation.id": "c710b0ac880045b79c991f0c79c39deb",
        "ai.internal.sdkVersion": "javascript:2.7.4"
    },
    "data": {
        "baseType": "EventData",
        "baseData": {
            "ver": 2,
            "name": "Load Web Part",
            "properties": {
                "version": "4.4.6",
                "siteId": "{\"_guid\":\"b102ad55-5aa8-4601-b2a4-5a111441f92d\"}",
                "siteUrl": "https://vitextra.sharepoint.com",
                "userId": "2f8ee5b1-30b7-46a0-ae32-feb557730d34",
                "lcid": "1033",
                "cultureName": "en-US",
                "teams": "false",
                "webPart": "Employee Directory"
            },
            "measurements": {}
        }
    }
}
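A check a practitioner can run on the two payloads in steps (3) and (4), as an added example that is not Vitextra's code: capture the request bodies with the browser's network tools (or an intercepting proxy) and compare them with the field lists documented above. The allowlists are the fields from this post; the e-mail heuristic and the second, deliberately leaky license capture are constructed assumptions.

```javascript
// Added example (not Vitextra's code): audit captured outbound request bodies
// against the field lists documented for steps (3) and (4). The samples below
// are constructed: one matches the documented shape, one carries an extra field.

// Fields the post documents for the license verification request.
const LICENSE_FIELDS = new Set([
  "TenantId", "UserId", "SiteUrl", "ProductId", "ProductName", "ProductVersion",
]);

// Custom properties the post documents in the Application Insights event.
const TELEMETRY_PROPERTIES = new Set([
  "version", "siteId", "siteUrl", "userId", "lcid", "cultureName", "teams", "webPart",
]);

// Heuristic only: none of the documented fields should carry an e-mail address,
// so a value that looks like one deserves a closer look.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Compare an object's keys and values with an allowlist. Reports keys that are
// not documented and keys whose value looks like an e-mail address.
function auditFields(obj, allowed) {
  const unexpectedKeys = Object.keys(obj).filter((k) => !allowed.has(k));
  const suspiciousValues = Object.entries(obj)
    .filter(([, v]) => typeof v === "string" && EMAIL_RE.test(v))
    .map(([k]) => k);
  return {
    ok: unexpectedKeys.length === 0 && suspiciousValues.length === 0,
    unexpectedKeys,
    suspiciousValues,
  };
}

function auditLicensePayload(body) {
  return auditFields(body, LICENSE_FIELDS);
}

// The telemetry envelope nests the custom properties under data.baseData;
// audit those and check that the event is the documented "Load Web Part".
function auditTelemetryEnvelope(envelope) {
  const base = (envelope && envelope.data && envelope.data.baseData) || {};
  const result = auditFields(base.properties || {}, TELEMETRY_PROPERTIES);
  if (base.name !== "Load Web Part") {
    result.ok = false;
    result.unexpectedEvent = base.name;
  }
  return result;
}

// Constructed capture matching the documented license request.
const licenseCapture = {
  TenantId: "a639a97b-71de-44b1-b051-aeded855df34",
  UserId: "2f8ee5b1-30b7-46a0-ae32-feb557730d34",
  SiteUrl: "https://vitextra.sharepoint.com",
  ProductId: "6a2aec78-ea9d-4a31-9b6f-eb80c92f7648",
  ProductName: "EmployeeDirectoryWebPart",
  ProductVersion: "4.4.6",
};

// Constructed capture that leaks an undocumented field holding an e-mail address.
const leakyLicenseCapture = { ...licenseCapture, UserEmail: "jdoe@contoso.com" };

// Constructed capture matching the documented telemetry event (tags abbreviated).
const telemetryCapture = {
  name: "Microsoft.ApplicationInsights.Event",
  tags: { "ai.device.type": "Browser", "ai.internal.sdkVersion": "javascript:2.7.4" },
  data: {
    baseType: "EventData",
    baseData: {
      ver: 2,
      name: "Load Web Part",
      properties: {
        version: "4.4.6",
        siteId: '{"_guid":"b102ad55-5aa8-4601-b2a4-5a111441f92d"}',
        siteUrl: "https://vitextra.sharepoint.com",
        userId: "2f8ee5b1-30b7-46a0-ae32-feb557730d34",
        lcid: "1033",
        cultureName: "en-US",
        teams: "false",
        webPart: "Employee Directory",
      },
      measurements: {},
    },
  },
};

console.log(auditLicensePayload(licenseCapture));      // ok: true
console.log(auditLicensePayload(leakyLicenseCapture)); // unexpectedKeys: ["UserEmail"]
console.log(auditTelemetryEnvelope(telemetryCapture)); // ok: true
```

Run the audit against every version update: a new field in either payload is exactly the kind of change this post's claims depend on, and an allowlist diff is a cheaper check than re-reading vendor documentation.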

(5) Interacting with the Microsoft Graph API

The application uses the Microsoft Graph API to reach services such as OneDrive, Azure AD, Planner, and others. In this case, data flows directly between the client application and the Microsoft Graph API.

📝 Note
SPFx-based applications use the token obtained in step (2) to call the Microsoft Graph API.

(6) Interacting with native SharePoint services

Working with SharePoint services requires no additional permissions; the interaction takes place on behalf of the currently logged-in user.

📝 Note
Vitextra applications use the current user's token issued by SharePoint Online to access native SharePoint services.

Some applications, such as My Tasks or Employee Directory, use both native SharePoint services and Microsoft Graph API to retrieve information.

Summary

Vitextra applications send only the minimum data needed to check the license status and the availability of updates: the tenant, user, and site identifiers and the application's identifier, name, and version listed above.

Your data never leaves your tenant.

Apart from the identifiers listed above, Vitextra applications do not track or receive any personal data.
