From dad5f42f9645abefcbcc83fe7c861f29be449611 Mon Sep 17 00:00:00 2001
From: "c1-dev-bot[bot]" <2740113+c1-dev-bot[bot]@users.noreply.github.com>
Date: Thu, 11 Jun 2026 14:49:26 +0000
Subject: [PATCH] Document --skip-membership-restricted-groups flag and
permission options for SharePoint connector
Clarify the two supported SharePoint permission setups (Sites.Read.All
vs Sites.FullControl.All) and document the new
--skip-membership-restricted-groups flag that is required when using
minimal permissions to avoid 403 errors on groups with restricted
membership visibility.
---
baton/sharepoint.mdx | 34 +++++++++++++++++++++++++++++++---
1 file changed, 31 insertions(+), 3 deletions(-)
diff --git a/baton/sharepoint.mdx b/baton/sharepoint.mdx
index fc5ed226..49d961d6 100644
--- a/baton/sharepoint.mdx
+++ b/baton/sharepoint.mdx
@@ -71,13 +71,21 @@ Click **API permissions**.
Click **+ Add permissions** > **Microsoft Graph**.
-Click **Application permissions** and select `Sites.Read.All`.
+Click **Application permissions** and select `User.Read.All`.
-Click **+ Add permissions** > **Microsoft SharePoint**.
+Click **+ Add permissions** > **SharePoint**.
-Click **Application permissions** and select `Sites.FullControl.All`. (You can use `Sites.Read.All` here if you do not need to sync special SharePoint groups such as "SharePointHome Org Links".)
+Click **Application permissions** and choose one of the following permission levels:
+
+ **Option A — Minimal permissions (recommended for most deployments)**
+
+ Select `Sites.Read.All`. With this option, you must also enable the `--skip-membership-restricted-groups` flag (see [Groups with restricted membership visibility](#groups-with-restricted-membership-visibility) below). SharePoint groups that restrict membership visibility (`OnlyAllowMembersViewMembership`) are excluded from the sync.
+
+ **Option B — Full permissions**
+
+ Select `Sites.FullControl.All`. This allows the connector to sync all SharePoint groups, including groups that restrict membership visibility. Choose this option if you need visibility into those groups in C1.
Save your changes.
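Review bot: the Microsoft Graph permission on the second changed line moves from `Sites.Read.All` to `User.Read.All`, but neither the commit subject nor the body mentions this; if the connector now needs `User.Read.All` on Graph to resolve user identities, state that in the commit message and on the page, otherwise this reads as an accidental edit that silently drops the Graph-level `Sites.Read.All` grant. The removed line also carried a concrete example of an affected group ("SharePointHome Org Links"); carrying that example into the Option A paragraph would help readers recognise which groups will be excluded when they choose the minimal permission set.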
@@ -113,6 +121,22 @@ Upload the certificate to your application by navigating to **Certificates & sec
**Done.** Next, move on to the connector configuration instructions.
+## Groups with restricted membership visibility
+
+Some SharePoint groups have `OnlyAllowMembersViewMembership` enabled, which prevents applications from listing group members unless the application has the `Sites.FullControl.All` permission. If the connector encounters one of these groups during sync with only `Sites.Read.All`, the sync fails with a 403 error.
+
+To handle this, the connector provides the `--skip-membership-restricted-groups` flag:
+
+| Flag | Environment variable | Default |
+| :--- | :--- | :--- |
+| `--skip-membership-restricted-groups` | `BATON_SKIP_MEMBERSHIP_RESTRICTED_GROUPS` | `false` |
+
+When enabled, groups with restricted membership visibility are excluded from the sync entirely — both the group and its memberships are skipped.
+
+
+If you granted the application `Sites.Read.All` (Option A) instead of `Sites.FullControl.All`, you **must** enable this flag. Otherwise, the sync fails when it encounters a group with restricted membership visibility.
+
+
## Configure the SharePoint connector
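Review bot: the new section leaves open how the flag interacts with Option B: it says the flag is required with `Sites.Read.All`, but not whether enabling `--skip-membership-restricted-groups` while holding `Sites.FullControl.All` also excludes the restricted groups (which the sentence "groups with restricted membership visibility are excluded from the sync entirely" implies); one sentence stating that behaviour explicitly would remove the ambiguity. Style: the two runs of double blank lines (after the "When enabled" paragraph and before the `## Configure` heading) should be collapsed to single blank lines to match the rest of the file.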
@@ -269,6 +293,10 @@ stringData:
BATON_EXTERNAL_SYNC_MODE: true
BATON_EXTERNAL_RESOURCE_C1Z:
BATON_EXTERNAL_RESOURCE_ENTITLEMENT_ID_FILTER:
+
+ # Optional: Skip groups with restricted membership visibility.
+ # Required when using Sites.Read.All instead of Sites.FullControl.All.
+ # BATON_SKIP_MEMBERSHIP_RESTRICTED_GROUPS: true
```
See the connector's README or run `--help` to see all available configuration flags and environment variables.
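Review bot: the commented-out `BATON_SKIP_MEMBERSHIP_RESTRICTED_GROUPS: true` sits under `stringData:`, whose values must be strings; an unquoted `true` is parsed as a YAML boolean and will be rejected when the Secret manifest is applied, so quote it as `"true"`. The existing `BATON_EXTERNAL_SYNC_MODE: true` context line has the same problem and is worth fixing in the same change so the example manifest applies cleanly.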