Required accounts and permissions for a SharePoint scan
For a SharePoint scan, two accounts are to be configured:
The "Process account" is used to execute the scan process on the selected collector. This account must have local administrative rights and interactive logon privileges on the collector.
The "scan account" is used for the actual scan.
MFA (multi-factor authentication) is not supported for scanning or modifying SharePoint.
This account must always be the same as the owner account registered for the site collection (= primary site collection administrator). The corresponding user account is defined when a site collection is created and can only be viewed or changed via the SharePoint central administration.
Navigate in the Central Administration to:
application management -> site collections -> Change site collection administrators -> Selection of the site collection -> Primary site collection administrator
The scan account requires Site admin permissions.
Screenshots property of © 2020 Microsoft.
You can set the permissions in the SharePoint Online admin center.
You can also use app authentication to access SharePoint Online. To do this, you must register the app in Azure, as described in the following Microsoft instructions: Granting access using SharePoint App-Only (© 2022 Microsoft, https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs, obtained April 5, 2022).
You then use the Application ID created in this way as the username and the Client Secret as the password for the scan account.
It is also possible to use these credentials in the SharePoint change configuration.