How Xoralia accesses your data

How Xoralia accesses your data

Xoralia uses a Microsoft verified Entra ID Enterprise Application to communicate with your Microsoft 365 tenant. Our Enterprise Application uses a mix of delegated and application permissions, which we describe below.

During installation, you will be presented with a permission request like below. This details each of the permissions that Xoralia requires to carry out it’s operations. These permissions are not individually configurable and are required to be accepted by a Microsoft 365 Global Administrator (or Entra Administrator) for Xoralia to work correctly.

Delegated permissions are a type of permission that requires a signed in user to be accessing the application and the operation will be performed on behalf of that user. For example, a delegated operation might be to view a list of files from a SharePoint site – Xoralia will perform this as a delegated query and will query that information as the logged in user, meaning it will only display information to the user that they have access to from that SharePoint site.

Application permissions are a type of permission that does not require a signed in user and will allow the Xoralia application to perform operational and service level tasks without user interaction. An example of this is a library synchronisation that Xoralia performs every 10 minutes to check for updates in SharePoint document libraries.

Xoralia requests the following Microsoft Graph permissions:

Send a teamwork activity as the user
Type: delegated
Reason: Used by our Microsoft Teams app to send notifications to users
Sign in and read user profile
Type: delegated
Reason: Allows the user to sign in to Xoralia and access information within Xoralia
Have full control of all site collections
Type: delegated
Reason: Allows Xoralia administrators to associate libraries to Xoralia to which they have access. Also allows users to read documents within Xoralia to which they have access.
Send a teamwork activity to any user
Type: application
Reason: Used by our Microsoft Teams app to send notifications to users
Read all users’ full profiles
Type: application
Reason: Xoralia allows document owners to target documents to users. This permission allows Xoralia to view users inside of your Microsoft 365 tenant to know which users are to be targeted.
Send mail as any user
Type: application
Reason: As a Xoralia adminstrator, you can set which email address should send notifications (such as must read and expiry notifications). This permission allows Xoralia to do that.
Read all groups
Type: application
Reason: Xoralia allows document owners to target documents to groups. This permission allows Xoralia to view groups inside of your Microsoft 365 tenant to know which users are to be targeted.
Read all group memberships
Type: application
Reason: Xoralia allows document owners to target documents to groups. This permission allows Xoralia to view groups inside of your Microsoft 365 tenant to know which users are to be targeted.
Create, edit, and delete items and lists in all site collections
Type: application
Reason: Xoralia can create libraries and add meta data columns to associated libraries when an Xoralia administrator triggers that action. This permission allows that control – Xoralia will only ever create libraries when a Xoralia administrator requests so and will never use this permission for any other action. This permission is also used by the Xoralia sync process to update library and document information.
Read installed Teams apps for all users
Type: application
Reason: Allows Xoralia to find the Teams app inside of your tenant to send targeted notifications to users (such as Must Read notifications)
You can limit who can access Xoralia by going to Enterprise Applications within Microsoft Entra ID and opening the Xoralia Policy Management app. Once you have this open, select properties and enable the ‘Assignment required?’ option. Save this property and open the ‘Users and Groups’. With this setting enabled, only users and groups listed here will be able to access Xoralia. Add your users and groups here using the ‘Add user/group’ option.

Xoralia installation using selected SharePoint sites permission

With the addition of Microsoft Graph’s Sites.Selected permission, Xoralia now has a dedicated Azure Entra Enterprise Application that removes the need for the above ‘Create, edit and delete items and lists in all site collections’ application permission, and replaces it with SharePoint Sites Sites.Selected permission:

Therefore, the new Xoralia Sites.Selected Enterprise App permissions are as follows:

Send a teamwork activity as the user
Type: delegated
Reason: Used by our Microsoft Teams app to send notifications to users
Sign in and read user profile
Type: delegated
Reason: Allows the user to sign in to Xoralia and access information within Xoralia
Have full control of all site collections
Type: delegated
Reason: Allows Xoralia administrators to associate libraries to Xoralia to which they have access. Also allows users to read documents within Xoralia to which they have access.
Send a teamwork activity to any user
Type: application
Reason: Used by our Microsoft Teams app to send notifications to users
Read all users’ full profiles
Type: application
Reason: Xoralia allows document owners to target documents to users. This permission allows Xoralia to view users inside of your Microsoft 365 tenant to know which users are to be targeted.
Send mail as any user
Type: application
Reason: As a Xoralia adminstrator, you can set which email address should send notifications (such as must read and expiry notifications). This permission allows Xoralia to do that.
Read all groups
Type: application
Reason: Xoralia allows document owners to target documents to groups. This permission allows Xoralia to view groups inside of your Microsoft 365 tenant to know which users are to be targeted.
Read all group memberships
Type: application
Reason: Xoralia allows document owners to target documents to groups. This permission allows Xoralia to view groups inside of your Microsoft 365 tenant to know which users are to be targeted.
Create, edit, and delete items and lists in selected site collections
Type: application
Reason: During installation, we will execute a PowerShell script which will allow Xoralia to communicate with your selected SharePoint site collections. Once this has been run, Xoralia can create libraries and add meta data columns to associated libraries when an Xoralia administrator triggers that action. This permission allows that control – Xoralia will only ever create libraries when a Xoralia administrator requests so and will never use this permission for any other action. This permission is also used by the Xoralia sync process to update library and document information. 
Read installed Teams apps for all users
Type: application
Reason: Allows Xoralia to find the Teams app inside of your tenant to send targeted notifications to users (such as Must Read notifications)

Invite Guest User to Active Directory

Adding external users as a guest

These instructions guide you through the process of inviting external guests to your Azure Active Directory. By following these steps, you can seamlessly add collaborators who aren't part of your organization, making collaboration in the Azure environment a breeze.

Invite Guest User to Active Directory

1. Login to Azure Portal via https://portal.azure.com/.

2. Expand the left menu by clicking the top left button.

3. Click “Microsoft Entra ID”.

4. Click “Users”.

5. Click “+ New user” -> “Invite external user”.

6. Type in the email address of the external guest to be invited in the “Email” textbox. Fill in “Display name” of the external guest.

7. Fill in information under “Properties” tab.

8. Add AD groups which this guest user should be in.

9. Click “Review + invite”.

10. Verify the information is correct and then click “Invite”.

Download user guide: Adding external users as a guest

Caching and performance

Caching and performance

Xoralia has been built to be efficient and under most circumstances will load libraries and reports fast. It has been tested in scenarios with libraries containing over a thousand documents.

In order to achieve fast speeds and performance at all times we have had to put in place some caching functions. This is because querying SharePoint at page load time can be slow, especially with large libraries containing many documents. Whilst standard users are not likely to be affected by this, document owners might notice irregularities caused by caching.

It’s useful to know how caching works so that you do not get any unexpected results when using Xoralia: the system queries SharePoint document libraries at 10 minute intervals and caches the results. When a user loads a library Xoralia is returning the contents of the cache. This means the list of documents is at most 10 minutes old. Any documents uploaded into a document library within this 10 minute window might not show up until the cache is refreshed by the system. Document owners who upload a document into SharePoint and then want to start working on them immediately in Xoralia should wait up to 10 minutes before the documents will appear and actions such as assigning documents can be carried out.

Please note, caching does not affect ‘Documents I must read’. This list is always up to date and loads instantly.

Download user guide: Caching and performance

Application security, load testing and threat protection

Application security, load testing and threat protection

Introduction

This article will cover all application security, data encryption and threat protection elements of Xoralia. Any further information required can be requested from [email protected].

Application Security

The Xoralia application infrastructure has been built with security at the forefront. All Azure services that are utilised are protected by both Azure Application Gateway Web Application Firewalls and Azure Virtual Networks. This ensures that only valid, secure traffic is passed on to Xoralia web apps and APIs.

Within the application itself, we have utilised the following technologies / techniques:

  • Azure SQL Auditing
  • Microsoft Defender for Cloud
  • Azure Transparent Data Encryption
  • Azure Key Vault

All staff working across the Xoralia platform are running Windows 10 or later compliant devices and using company-managed antivirus, malware and firewall systems. Content Formula staff are background checked prior to joining the team.

Data encrypted at rest and in transit

All data stored on Xoralia servers is encrypted at rest using Azure Transparent Data Encryption. All data in transit is sent over HTTPS connections only. HTTPS is enforced on all web apps and APIs.

Under load testing and scalability

Xoralia has been tested under high loads (>5000 active users) and has passed all tests as expected.

The Xoralia application architecture allows us to proactively monitor and instantaneously scale the application on demand should it be needed. In the event of high load on 1 service, the application monitoring will automatically scale that service until normal operations are realised.

Backup, retention and location of Xoralia data

Backup, retention and location of Xoralia data

Introduction

In this article, we will describe how Xoralia handles backups, what data is backed up and retained on Xoralia systems and where that data is stored. Any further information required can be requested from [email protected].

What data is stored on Xoralia

Xoralia uses the following information:

  • Active Directory usernames (UPN)
  • Active Directory first and last names of users
  • Active Directory group names (of groups that are used in Xoralia only)
  • Document filenames and IDs
  • Document meta data that has been set inside of Xoralia (tags, review dates, assignments)
  • SharePoint site names, URLs and IDs
  • SharePoint document library names, URLs and IDs
  • Document reporting information (who has read, who has been assigned, when a document was read, which version was read)
  • System auditing information (system logins, who assigned a document, who updated metadata)

At no point does Xoralia consume or store the contents of any documents stored on SharePoint or any other platform. Xoralia only stores the names of people who are assigned documents or those who have some sort of privileged access such as document owners, Xoralia admins etc.

Back up policies

Xoralia backs up all data listed above every 24 hours in differential backups with point in time backups occurring every 7 days. All backups are stored for 7 days. Recovery of information usually takes less than 3 hours if required. Xoralia does not copy or back up your actual documents at any point since these are stored in your SharePoint instance. If any recovery needs to be made within SharePoint, Microsoft’s standard SharePoint back up policy backs up data every 12 hours and typical recovery times are less than 12 hours. If in doubt please check with Microsoft.

Retention of data

Once a customer has ended their association with Xoralia, all data relating to that installation will be removed from Xoralia systems within 90 days.

Location of data

During installation of Xoralia, you can choose which location your data will be stored in at rest. Currently Xoralia supports two Azure regions: UK South and Central US. Customers can select their favoured data residency location during installation.

How to configure SharePoint permissions with Xoralia

How to configure SharePoint permissions with Xoralia

Introduction

When associating a SharePoint library with Xoralia, Xoralia will respect any permissions that have been set in SharePoint: if a user does not have access to a document, Xoralia will never show that document to the user. Similarly, if you would like to make a document assignment to a user in Xoralia, they must already have access to the SharePoint site before they will be able to view the document. Be sure to check out our article about the Xoralia permissions model in conjunction with this article.

Which SharePoint permissions are required?

For a user to be able to see a document in Xoralia, they must have at least Read access to the SharePoint document library.

Assigning permissions is quite straightforward in SharePoint, however they can get more complex the more rules that you enforce across your different libraries. SharePoint typically works on an inheritance model – if you have access to the top level site, you have access to everything therein. However, you can break this inheritance for certain libraries or files. We would normally recommend that you do not break inheritance and that you apply permissions at a site level as management of this can become somewhat cumbersome, although we do recognise that on occasion you may want to break this inheritance and give one library different permissions to another – Xoralia will respect any individual permissions you set up like this.

To assign permissions to an entire SharePoint site, simply navigate to the site homepage, click the SharePoint cog in the top right corner and then click on Site Permissions. Then clicking on Advanced Site Permissions will display a page that will typically show 3 groups (more may appear here depending upon the changes you’ve already made to site permissions previously): Owners, Members and Visitors

Visitors: anyone you would like to be able to consume your documents in Xoralia should be a Visitor – Visitors have Read access over your SharePoint site and therefore your SharePoint document libraries associated with Xoralia.

Members: usually people who have edit permissions across your site and libraries – anyone you add here will be able to add, edit and delete documents from your SharePoint site and libraries. Anyone in this group will have Read permission as well.

Owners: the users listed here have all of the permissions above but can also manage permissions and perform more site-wide operations. Should be limited to very few users typically.

To add a user, simply click the group you wish to add a user (or Active Directory group) to, and select New. Type your user(s) name in the box that pops up and choose under Show Options if you wish to notify them that you have granted permission. Once you have added the user here, within a few minutes they will have access to your Xoralia libraries that have been associated with this site.

How can I manage multiple users with SharePoint permissions?

SharePoint permissions supports Microsoft Groups and Active Directory security groups by default. We’d recommend that you create groups when assigning permissions in SharePoint. These groups can also be used when making assignments to documents in Xoralia.

The Xoralia permissions model

The Xoralia permissions model

In order to carry out certain tasks in Xoralia a user needs to have the correct permissions. Some of these permissions are set inside Xoralia and others are set inside SharePoint. Please refer to our article ‘How to configure SharePoint permissions with Xoralia‘.

The Xoralia permissions model:

Roles and permissions

Office 365 tenant admin

Where is the permission set?

Required to carry out the one-time installation of Xoralia inside your Office 365 tenant. Office 365 tenant admin centre

Xoralia admin

Associates Xoralia with relevant document libraries inside SharePoint Xoralia admin panel
Manages various Xoralia settings such as branding Xoralia admin panel
Grants reporting-only access (see ‘Reporting’ below) Xoralia admin panel

Document library owner

Has full access to all documents inside a library (see ‘Document owner’ below) SharePoint permissions

Document owner

Has access to edit documents inside a library SharePoint permissions
Has ability to set document expiry dates Document owner column in the document library
Has ability to assign documents as mandatory reads Document owner column in the document library
Has ability to add other document owners Document owner column in the document library
Has access to reporting access Document owner column in the document library

Reporting

Required to access reporting only for a specified document library Xoralia admin panel

Document reader

Can read a document SharePoint permissions
Can attest a mandatory document has been read When doc owner assigns a document as mandatory read

Download user guide: The Xoralia permissions model

We use cookies to give you the best experience on our site. By continuing to use our website, you are agreeing to our use of cookies. To find more about the cookies, please see our cookie notice. You can also read about our privacy policy.

Contact Support

If you have a question about Xoralia software, please fill out the form below and a member of our support team will be in contact with you shortly.