Book a demo
Support

Category: Security and resilience

How Xoralia accesses your data

Posted on by Kelly Chan

Template files in Xoralia

What are workflows and how you can use them to update your document directly in Xoralia

Request Re-read and Not Read

How to assign yourself or others as Document Owners

Read report

Reporting suite

Xoralia user dashboard

When to use Xoralia and when to use SharePoint

How Xoralia accesses your data

Invite Guest User to Active Directory

Caching and performance

Application security, load testing and threat protection

Backup, retention and location of Xoralia data

How to configure SharePoint permissions with Xoralia

The Xoralia permissions model

How to block downloading and printing from Xoralia

AD groups and how we use them in Xoralia

Reporting

Attesting to a document

Notifications

Bulk assignments

Assigning documents to users to read

Documents uploads and document templates

Changing core metadata

Setting up a grouping of documents in Xoralia as a “Collection”

How to manage document reviews and version control

Xoralia Power Automate Flow Functionality

Understanding tags

Understanding document version numbers

Installing the Xoralia Teams app

Xoralia SPFX Installation Guide

Xoralia web parts & Viva adaptive card extensions

Can’t see the Viva web parts in your page web part catalogue?

Home

/

Support

/

User guides

/

Security and resilience

Security and resilience

Xoralia uses a Microsoft verified Entra ID Enterprise Application to communicate with your Microsoft 365 tenant. Our Enterprise Application uses a mix of delegated and application permissions, which we describe below.

During installation, you will be presented with a permission request like below. This details each of the permissions that Xoralia requires to carry out it’s operations. These permissions are not individually configurable and are required to be accepted by a Microsoft 365 Global Administrator (or Entra Administrator) for Xoralia to work correctly.

Delegated permissions are a type of permission that requires a signed in user to be accessing the application and the operation will be performed on behalf of that user. For example, a delegated operation might be to view a list of files from a SharePoint site – Xoralia will perform this as a delegated query and will query that information as the logged in user, meaning it will only display information to the user that they have access to from that SharePoint site.

Application permissions are a type of permission that does not require a signed in user and will allow the Xoralia application to perform operational and service level tasks without user interaction. An example of this is a library synchronisation that Xoralia performs every 10 minutes to check for updates in SharePoint document libraries.

Xoralia requests the following Microsoft Graph permissions:

Send a teamwork activity as the user
Type: delegated
Reason: Used by our Microsoft Teams app to send notifications to users
Sign in and read user profile
Type: delegated
Reason: Allows the user to sign in to Xoralia and access information within Xoralia
Have full control of all site collections
Type: delegated
Reason: Allows Xoralia administrators to associate libraries to Xoralia to which they have access. Also allows users to read documents within Xoralia to which they have access.
Send a teamwork activity to any user
Type: application
Reason: Used by our Microsoft Teams app to send notifications to users
Read all users’ full profiles
Type: application
Reason: Xoralia allows document owners to target documents to users. This permission allows Xoralia to view users inside of your Microsoft 365 tenant to know which users are to be targeted.
Send mail as any user
Type: application
Reason: As a Xoralia adminstrator, you can set which email address should send notifications (such as must read and expiry notifications). This permission allows Xoralia to do that.
Read all groups
Type: application
Reason: Xoralia allows document owners to target documents to groups. This permission allows Xoralia to view groups inside of your Microsoft 365 tenant to know which users are to be targeted.
Read all group memberships
Type: application
Reason: Xoralia allows document owners to target documents to groups. This permission allows Xoralia to view groups inside of your Microsoft 365 tenant to know which users are to be targeted.
Create, edit, and delete items and lists in all site collections
Type: application
Reason: Xoralia can create libraries and add meta data columns to associated libraries when an Xoralia administrator triggers that action. This permission allows that control – Xoralia will only ever create libraries when a Xoralia administrator requests so and will never use this permission for any other action. This permission is also used by the Xoralia sync process to update library and document information.
Read installed Teams apps for all users
Type: application
Reason: Allows Xoralia to find the Teams app inside of your tenant to send targeted notifications to users (such as Must Read notifications)
You can limit who can access Xoralia by going to Enterprise Applications within Microsoft Entra ID and opening the Xoralia Policy Management app. Once you have this open, select properties and enable the ‘Assignment required?’ option. Save this property and open the ‘Users and Groups’. With this setting enabled, only users and groups listed here will be able to access Xoralia. Add your users and groups here using the ‘Add user/group’ option.

Xoralia installation using selected SharePoint sites permission

With the addition of Microsoft Graph’s Sites.Selected permission, Xoralia now has a dedicated Azure Entra Enterprise Application that removes the need for the above ‘Create, edit and delete items and lists in all site collections’ application permission, and replaces it with SharePoint Sites Sites.Selected permission:

Therefore, the new Xoralia Sites.Selected Enterprise App permissions are as follows:

Send a teamwork activity as the user
Type: delegated
Reason: Used by our Microsoft Teams app to send notifications to users
Sign in and read user profile
Type: delegated
Reason: Allows the user to sign in to Xoralia and access information within Xoralia
Have full control of all site collections
Type: delegated
Reason: Allows Xoralia administrators to associate libraries to Xoralia to which they have access. Also allows users to read documents within Xoralia to which they have access.
Send a teamwork activity to any user
Type: application
Reason: Used by our Microsoft Teams app to send notifications to users
Read all users’ full profiles
Type: application
Reason: Xoralia allows document owners to target documents to users. This permission allows Xoralia to view users inside of your Microsoft 365 tenant to know which users are to be targeted.
Send mail as any user
Type: application
Reason: As a Xoralia adminstrator, you can set which email address should send notifications (such as must read and expiry notifications). This permission allows Xoralia to do that.
Read all groups
Type: application
Reason: Xoralia allows document owners to target documents to groups. This permission allows Xoralia to view groups inside of your Microsoft 365 tenant to know which users are to be targeted.
Read all group memberships
Type: application
Reason: Xoralia allows document owners to target documents to groups. This permission allows Xoralia to view groups inside of your Microsoft 365 tenant to know which users are to be targeted.
Create, edit, and delete items and lists in selected site collections
Type: application
Reason: During installation, we will execute a PowerShell script which will allow Xoralia to communicate with your selected SharePoint site collections. Once this has been run, Xoralia can create libraries and add meta data columns to associated libraries when an Xoralia administrator triggers that action. This permission allows that control – Xoralia will only ever create libraries when a Xoralia administrator requests so and will never use this permission for any other action. This permission is also used by the Xoralia sync process to update library and document information. 
Read installed Teams apps for all users
Type: application
Reason: Allows Xoralia to find the Teams app inside of your tenant to send targeted notifications to users (such as Must Read notifications)
More about Xoralia information security
  • Last updated: 30 April 2025

Download user guide:

How Xoralia accesses your data

Invite Guest User to Active Directory

Posted on by Kelly Chan

Template files in Xoralia

What are workflows and how you can use them to update your document directly in Xoralia

Request Re-read and Not Read

How to assign yourself or others as Document Owners

Read report

Reporting suite

Xoralia user dashboard

When to use Xoralia and when to use SharePoint

How Xoralia accesses your data

Invite Guest User to Active Directory

Caching and performance

Application security, load testing and threat protection

Backup, retention and location of Xoralia data

How to configure SharePoint permissions with Xoralia

The Xoralia permissions model

How to block downloading and printing from Xoralia

AD groups and how we use them in Xoralia

Reporting

Attesting to a document

Notifications

Bulk assignments

Assigning documents to users to read

Documents uploads and document templates

Changing core metadata

Setting up a grouping of documents in Xoralia as a “Collection”

How to manage document reviews and version control

Xoralia Power Automate Flow Functionality

Understanding tags

Understanding document version numbers

Installing the Xoralia Teams app

Xoralia SPFX Installation Guide

Xoralia web parts & Viva adaptive card extensions

Can’t see the Viva web parts in your page web part catalogue?

Home

/

Support

/

User guides

/

Security and resilience

Security and resilience

These instructions guide you through the process of inviting external guests to your Azure Active Directory. By following these steps, you can seamlessly add collaborators who aren’t part of your organization, making collaboration in the Azure environment a breeze.

Invite Guest User to Active Directory

1. Login to Azure Portal via https://portal.azure.com/.

2. Expand the left menu by clicking the top left button.

3. Click “Microsoft Entra ID”.

4. Click “Users”.

5. Click “+ New user” -> “Invite external user”.

6. Type in the email address of the external guest to be invited in the “Email” textbox. Fill in “Display name” of the external guest.

7. Fill in information under “Properties” tab.

8. Add AD groups which this guest user should be in.

9. Click “Review + invite”.

10. Verify the information is correct and then click “Invite”.

More about Xoralia information security
  • Last updated: 30 April 2025

Download user guide:

Invite Guest User to Active Directory

Caching and performance

Posted on by Hannah Barltrop

Template files in Xoralia

What are workflows and how you can use them to update your document directly in Xoralia

Request Re-read and Not Read

How to assign yourself or others as Document Owners

Read report

Reporting suite

Xoralia user dashboard

When to use Xoralia and when to use SharePoint

How Xoralia accesses your data

Invite Guest User to Active Directory

Caching and performance

Application security, load testing and threat protection

Backup, retention and location of Xoralia data

How to configure SharePoint permissions with Xoralia

The Xoralia permissions model

How to block downloading and printing from Xoralia

AD groups and how we use them in Xoralia

Reporting

Attesting to a document

Notifications

Bulk assignments

Assigning documents to users to read

Documents uploads and document templates

Changing core metadata

Setting up a grouping of documents in Xoralia as a “Collection”

How to manage document reviews and version control

Xoralia Power Automate Flow Functionality

Understanding tags

Understanding document version numbers

Installing the Xoralia Teams app

Xoralia SPFX Installation Guide

Xoralia web parts & Viva adaptive card extensions

Can’t see the Viva web parts in your page web part catalogue?

Home

/

Support

/

User guides

/

Security and resilience

Security and resilience

Xoralia has been built to be efficient and under most circumstances will load libraries and reports fast. It has been tested in scenarios with libraries containing over a thousand documents.

In order to achieve fast speeds and performance at all times we have had to put in place some caching functions. This is because querying SharePoint at page load time can be slow, especially with large libraries containing many documents. Whilst standard users are not likely to be affected by this, document owners might notice irregularities caused by caching.

It’s useful to know how caching works so that you do not get any unexpected results when using Xoralia: the system queries SharePoint document libraries at 10 minute intervals and caches the results. When a user loads a library Xoralia is returning the contents of the cache. This means the list of documents is at most 10 minutes old. Any documents uploaded into a document library within this 10 minute window might not show up until the cache is refreshed by the system. Document owners who upload a document into SharePoint and then want to start working on them immediately in Xoralia should wait up to 10 minutes before the documents will appear and actions such as assigning documents can be carried out.

Please note, caching does not affect ‘Documents I must read’. This list is always up to date and loads instantly.

More about Xoralia information security
  • Last updated: 30 April 2025

Download user guide:

Caching and performance

Application security, load testing and threat protection

Posted on by Hannah Barltrop

Template files in Xoralia

What are workflows and how you can use them to update your document directly in Xoralia

Request Re-read and Not Read

How to assign yourself or others as Document Owners

Read report

Reporting suite

Xoralia user dashboard

When to use Xoralia and when to use SharePoint

How Xoralia accesses your data

Invite Guest User to Active Directory

Caching and performance

Application security, load testing and threat protection

Backup, retention and location of Xoralia data

How to configure SharePoint permissions with Xoralia

The Xoralia permissions model

How to block downloading and printing from Xoralia

AD groups and how we use them in Xoralia

Reporting

Attesting to a document

Notifications

Bulk assignments

Assigning documents to users to read

Documents uploads and document templates

Changing core metadata

Setting up a grouping of documents in Xoralia as a “Collection”

How to manage document reviews and version control

Xoralia Power Automate Flow Functionality

Understanding tags

Understanding document version numbers

Installing the Xoralia Teams app

Xoralia SPFX Installation Guide

Xoralia web parts & Viva adaptive card extensions

Can’t see the Viva web parts in your page web part catalogue?

Home

/

Support

/

User guides

/

Security and resilience

Security and resilience

This article will cover all application security, data encryption and threat protection elements of Xoralia. Any further information required can be requested from [email protected].

Application Security

The Xoralia application infrastructure has been built with security at the forefront. All Azure services that are utilised are protected by both Azure Application Gateway Web Application Firewalls and Azure Virtual Networks. This ensures that only valid, secure traffic is passed on to Xoralia web apps and APIs.

Within the application itself, we have utilised the following technologies / techniques:

  • Azure SQL Auditing
  • Microsoft Defender for Cloud
  • Azure Transparent Data Encryption
  • Azure Key Vault

All staff working across the Xoralia platform are running Windows 10 or later compliant devices and using company-managed antivirus, malware and firewall systems. Content Formula staff are background checked prior to joining the team.

Data encrypted at rest and in transit

All data stored on Xoralia servers is encrypted at rest using Azure Transparent Data Encryption. All data in transit is sent over HTTPS connections only. HTTPS is enforced on all web apps and APIs.

Under load testing and scalability

Xoralia has been tested under high loads (>5000 active users) and has passed all tests as expected.

The Xoralia application architecture allows us to proactively monitor and instantaneously scale the application on demand should it be needed. In the event of high load on 1 service, the application monitoring will automatically scale that service until normal operations are realised.

More about Xoralia information security
  • Last updated: 30 April 2025

Download user guide:

Application security, load testing and threat protection

Backup, retention and location of Xoralia data

Posted on by Hannah Barltrop

Template files in Xoralia

What are workflows and how you can use them to update your document directly in Xoralia

Request Re-read and Not Read

How to assign yourself or others as Document Owners

Read report

Reporting suite

Xoralia user dashboard

When to use Xoralia and when to use SharePoint

How Xoralia accesses your data

Invite Guest User to Active Directory

Caching and performance

Application security, load testing and threat protection

Backup, retention and location of Xoralia data

How to configure SharePoint permissions with Xoralia

The Xoralia permissions model

How to block downloading and printing from Xoralia

AD groups and how we use them in Xoralia

Reporting

Attesting to a document

Notifications

Bulk assignments

Assigning documents to users to read

Documents uploads and document templates

Changing core metadata

Setting up a grouping of documents in Xoralia as a “Collection”

How to manage document reviews and version control

Xoralia Power Automate Flow Functionality

Understanding tags

Understanding document version numbers

Installing the Xoralia Teams app

Xoralia SPFX Installation Guide

Xoralia web parts & Viva adaptive card extensions

Can’t see the Viva web parts in your page web part catalogue?

Home

/

Support

/

User guides

/

Security and resilience

Security and resilience

In this article, we will describe how Xoralia handles backups, what data is backed up and retained on Xoralia systems and where that data is stored. Any further information required can be requested from [email protected].

What data is stored on Xoralia

Xoralia uses the following information:

  • Active Directory usernames (UPN)
  • Active Directory first and last names of users
  • Active Directory group names (of groups that are used in Xoralia only)
  • Document filenames and IDs
  • Document meta data that has been set inside of Xoralia (tags, review dates, assignments)
  • SharePoint site names, URLs and IDs
  • SharePoint document library names, URLs and IDs
  • Document reporting information (who has read, who has been assigned, when a document was read, which version was read)
  • System auditing information (system logins, who assigned a document, who updated metadata)

At no point does Xoralia consume or store the contents of any documents stored on SharePoint or any other platform. Xoralia only stores the names of people who are assigned documents or those who have some sort of privileged access such as document owners, Xoralia admins etc.

Back up policies

Xoralia backs up all data listed above every 24 hours in differential backups with point in time backups occurring every 7 days. All backups are stored for 7 days. Recovery of information usually takes less than 3 hours if required. Xoralia does not copy or back up your actual documents at any point since these are stored in your SharePoint instance. If any recovery needs to be made within SharePoint, Microsoft’s standard SharePoint back up policy backs up data every 12 hours and typical recovery times are less than 12 hours. If in doubt please check with Microsoft.

Retention of data

Once a customer has ended their association with Xoralia, all data relating to that installation will be removed from Xoralia systems within 90 days.

Location of data

During installation of Xoralia, you can choose which location your data will be stored in at rest. Currently Xoralia supports four Azure regions: UK South, Central US, UAE North and AUS West. Customers can select their favoured data residency location during installation.

More about Xoralia information security
  • Last updated: 1 May 2025

Download user guide:

Backup, retention and location of Xoralia data

How to configure SharePoint permissions with Xoralia

Posted on by Hannah Barltrop

Template files in Xoralia

What are workflows and how you can use them to update your document directly in Xoralia

Request Re-read and Not Read

How to assign yourself or others as Document Owners

Read report

Reporting suite

Xoralia user dashboard

When to use Xoralia and when to use SharePoint

How Xoralia accesses your data

Invite Guest User to Active Directory

Caching and performance

Application security, load testing and threat protection

Backup, retention and location of Xoralia data

How to configure SharePoint permissions with Xoralia

The Xoralia permissions model

How to block downloading and printing from Xoralia

AD groups and how we use them in Xoralia

Reporting

Attesting to a document

Notifications

Bulk assignments

Assigning documents to users to read

Documents uploads and document templates

Changing core metadata

Setting up a grouping of documents in Xoralia as a “Collection”

How to manage document reviews and version control

Xoralia Power Automate Flow Functionality

Understanding tags

Understanding document version numbers

Installing the Xoralia Teams app

Xoralia SPFX Installation Guide

Xoralia web parts & Viva adaptive card extensions

Can’t see the Viva web parts in your page web part catalogue?

Home

/

Support

/

User guides

/

Security and resilience

Security and resilience

When associating a SharePoint library with Xoralia, Xoralia will respect any permissions that have been set in SharePoint: if a user does not have access to a document, Xoralia will never show that document to the user. Similarly, if you would like to make a document assignment to a user in Xoralia, they must already have access to the SharePoint site before they will be able to view the document. Be sure to check out our article about the Xoralia permissions model in conjunction with this article.

SharePoint permissions are a set of rules that controls what actions users can perform within a SharePoint site. These permissions define the level of access users have to: document libraries, folders, and individual items or files.

SharePoint permissions operate on a system of inheritance, the top-level sites allot their permissions to the objects and content within the site by default. For instance, lists and libraries inherit their permissions from the parent site, while folders inherit permissions from the library in which they reside. Files inherit permissions from their parent library, or from folders if they are nested within one.

When managing permissions at the folder level, subfolders will inherit those permissions, unless inheritance is broken for the subfolders as well. If unique permissions are needed for subfolders, inheritance must be manually broken at each level.

You can break the inheritance model to apply unique permissions to specific objects in SharePoint [libraries, folders, or subfolders] however, it increases the complexity of management. Our recommendation is to set permissions at the highest level possible to simplify management and have less room for error.

For a user to be able to see a document in Xoralia, they must have at least Read access to the SharePoint document library.

We suggest for Xoralia/policy management projects that unless you are a SharePoint expert that you seek advice from a professional, such as ourselves. Broken permissions, though powerful, can cause all sorts of problems that are not necessarily simple to fix.

SharePoint permission levels

  • Owners …………………. Full control
  • Members ………………. Editors
  • Visitor …………………… Read
  • Restricted view ……….. Read-only, no download, no printing

Site Owners

Site Owners have complete access to the SharePoint site. That’s the highest permission level.

→  Manage site content

→  Manage site settings

→  Manage site content

→  Delete a site

Site Visitors

It’s read-only access to the site, allowing users to view content and download. This applies to documents, pages, events, news, links – virtually any content you have. Visitors can also make comments to a SharePoint pages.

→  Read-only

→  Download

Restricted View

The Restricted View permission in SharePoint is more restrictive than the standard visitor’s permission. It’s a specific permission level designed to provide read-only access to content and restrict users from downloading or printing policies reducing the risk of unauthorized distribution. If the permission level is not visible, we need to activate that permission.

→  Read-only

Enabling “Restricted View” permissions in SharePoint

If the permission level is not visible, we need to activate that permission by following these steps:

  1. Navigate to Site Contents.
  2. Select any document library.
  3. Choose any file and click on the ellipsis (three dots) next to the document name.
  4. Click on Share.

Note: Simply clicking the “Share” button and closing the pop-up modal is enough to enable the Restricted View permission.

Next, update permissions as needed:

  1. Go to Site Permissions > Advanced Permission Settings. You have few options to assign the permissions:
    • Update the Visitors group permission from Read to Restricted View.
    • Create a new group and set the permission to Restricted View.
    • You can also grant permissions to individuals / AAD groups and set the permission level to “Restricted View”.

IMPORTANT: Ensure that users are assigned to the correct group to apply the appropriate permissions.

More about Xoralia information security
  • Last updated: 30 April 2025

Download user guide:

How to configure SharePoint permissions with Xoralia

The Xoralia permissions model

Posted on by Hannah Barltrop

Template files in Xoralia

What are workflows and how you can use them to update your document directly in Xoralia

Request Re-read and Not Read

How to assign yourself or others as Document Owners

Read report

Reporting suite

Xoralia user dashboard

When to use Xoralia and when to use SharePoint

How Xoralia accesses your data

Invite Guest User to Active Directory

Caching and performance

Application security, load testing and threat protection

Backup, retention and location of Xoralia data

How to configure SharePoint permissions with Xoralia

The Xoralia permissions model

How to block downloading and printing from Xoralia

AD groups and how we use them in Xoralia

Reporting

Attesting to a document

Notifications

Bulk assignments

Assigning documents to users to read

Documents uploads and document templates

Changing core metadata

Setting up a grouping of documents in Xoralia as a “Collection”

How to manage document reviews and version control

Xoralia Power Automate Flow Functionality

Understanding tags

Understanding document version numbers

Installing the Xoralia Teams app

Xoralia SPFX Installation Guide

Xoralia web parts & Viva adaptive card extensions

Can’t see the Viva web parts in your page web part catalogue?

Home

/

Support

/

User guides

/

Security and resilience

Security and resilience

In order to carry out certain tasks in Xoralia a user needs to have the correct permissions. Some of these permissions are set inside Xoralia and others are set inside SharePoint. Please refer to our article ‘How to configure SharePoint permissions with Xoralia‘.

The Xoralia permissions model:

Roles and permissions Where is the permission set?
Office 365 tenant admin
Required to carry out the one-time installation of Xoralia inside your Office 365 tenant. Office 365 tenant admin centre
Xoralia admin
Associates Xoralia with relevant document libraries inside SharePoint Xoralia admin panel
Manages various Xoralia settings such as branding Xoralia admin panel
Grants reporting-only access (see ‘Reporting’ below) Xoralia admin panel
Document library owner
Has full access to all documents inside a library (see ‘Document owner’ below) SharePoint permissions
Document owner
Has access to edit documents inside a library SharePoint permissions
Has ability to set document expiry dates Document owner column in the document library
Has ability to assign documents as mandatory reads Document owner column in the document library
Has ability to add other document owners Document owner column in the document library
Has access to reporting access Document owner column in the document library
Reporting
Required to access reporting only for a specified document library Xoralia admin panel
Document reader
Can read a document SharePoint permissions
Can attest a mandatory document has been read When doc owner assigns a document as mandatory read
More about Xoralia information security
  • Last updated: 30 April 2025

Download user guide:

The Xoralia permissions model

Contact us

Phone
US

+1 929 777 2931

+44(0)20 4534 3460

or
Email

[email protected]

Linkedin Pinterest Youtube
Sign up to our newsletter

About

Explore

Industries

Technologies

SharePoint

Microsoft 365

Teams

© Copyright 2021-2025 Content Formula Limited. All rights reserved.

We use cookies to give you the best experience on our site. By continuing to use our website, you are agreeing to our use of cookies. To find more about the cookies, please see our cookie notice. You can also read about our privacy policy.

Got it