Snagit Share Destination Permissions FAQ

To pre-approve the Snagit Teams Share Destination for users in your organization:

1. Access the following link: Microsoft Admin Teams Consent Page

2. Sign-in with an Microsoft Azure Administrator account for your organization.

3. A prompt listing the permissions required will be displayed. Choose Accept to approve the application for your entire organization.
   
   

If you do not want to pre-approve the Teams application for your organization, you can also choose to respond to individual requests for approval from your users, or approve the application manually at a later time. For more information on configuring this workflow, visit:
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/review-admin-consent-requests
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent?pivots=portal#grant-tenant-wide-admin-consent-in-enterprise-apps

Why does the "OneDrive Share Destination" application require such broad permissions (Files.ReadWrite.All)?

Files.ReadWrite.All is used because Snagit supports both importing and exporting files. To import, it needs access to view and download your files, and for exporting, it must view your OneDrive folders to allow you to pick a destination for uploads.

Is it possible to limit these to only what's necessary?

Files.ReadWrite.All is a delegated permission, meaning it applies to each individual user account, so the app has the same permissions as the user account it’s logged in with, just like if they signed into OneDrive directly.

Microsoft provides some ability to create application-based restrictions
https://learn.microsoft.com/en-us/entra/identity-platform/howto-restrict-your-app-to-a-set-of-users

How does Snagit ensure secure handling of user credentials and authentication tokens when accessing OneDrive files?

The integration uses an Software Development Kit (SDK) provided by Microsoft. Authentication, Authorization and other interactions are managed by the SDK. Tokens specifically are encrypted by the SDK and saved to a file on-disk that’s accessible to the local user account.

Where are screenshots and edited images stored when saved to OneDrive via Snagit?

The Snagit end user decides where the files are saved. The default selection is a TechSmith folder which Snagit creates in the root directory of the end user’s OneDrive.

What specific data does Snagit collect and store from OneDrive, and how is it used?

Snagit stores the Unique Identifier (UID) of the user’s root folder, the UID of the folder selected as the upload destination and the user’s email address. Snagit also creates an entry in the Share History that has a link to their shared file on OneDrive.

If you’re not familiar with Snagit’s Share History, it’s similar to the history of a web browser; a log of the last several share actions within the application.

This information does not otherwise leave the end-user’s device.

Are there data retention policies in place for user data?

The data is saved on the end-user’s device. If the user signs out of the One Drive integration, most data is removed. The information retained is the UID for the user’s root directory; this is so that the Application does not create another “TechSmith” folder if that user signs in to the OneDrive extension again.

The Share History feature in Snagit is not unique to OneDrive and information is not automatically removed from that location. When the uninstaller runs, there is an option to remove all of Snagit’s information and that would eliminate everything.

Can users control what data is shared with Snagit, and are there options to limit or revoke access to specific files or folders in OneDrive?

No. The app has the same access as the end user. As stated previously, Snagit will only open and save files when the end user prompts it to.