Difference between revisions of "MSGraphPermissions"

From UmsWiki
(Creating App Registration)
(Permissions overview)
 
(36 intermediate revisions by 7 users not shown)
Line 1: Line 1:
Setting MSGraph Permissions a long with Azure active directory, OneNote and SharePoint permissions is necessary for UMS to obtain access to the functions needed to create OneNote Class Notebooks and upcoming Teams integration.
+
'''MS graph permissions is a UMS backend requirement from version 8.5.203 which was released in June 2021"'''
 +
 
 +
'''MS graph permissions are required by these UMS modules (LiveAtEdu,OneNote, Sharepoint, Office 365 Timeblok and MS Teams)'''
 +
 
 +
<br />
 +
 
 +
==Creating App Registration==
 +
 
 +
 
 +
Go to [http://portal.azure.com Azure Portal] and login with you admin account( '''the same UMS uses''').
 +
 
 +
'''!!! ATTENTION !!!  use service account that UMS uses'''
 +
 
 +
When logged in go to Azure Active Directory:
 +
 
 +
<br />
 +
[[File:Graph1.jpg|left|thumb|832x832px]]
 +
 
 +
 
 +
 
 +
 
 +
 
 +
 
 +
 
 +
 
 +
 
 +
 
 +
 
 +
 
 +
 
 +
 
 +
 
  
== Creating App Registration ==
 
Go to [http://portal.azure.com Azure Portal] and login with you admin account( the same UMS uses).
 
  
When logged in goto Azure Active Directory:
 
[[File:MSGraph1.png|thumb|none]]
 
  
Go to App registrations
 
[[File:MSGraph2.png|thumb|none]]
 
  
Click on New application registration
 
[[File:MSGraph3.png|thumb|none]]
 
  
Give the new App a name ex. "UMSGraph", Choose "Web app / API" in Application type, set "Sign-on URL" to "http://localhost". After setting Application Permission values click "Create"
 
[[File:MSGraph4.png|thumb|none]]
 
  
You will return to previous screen, here click "your new app"
 
[[File:MSGraph5.png|thumb|none]]
 
  
Click "Required permissions"
+
Go to App registrations
[[File:MSGraph6.png|thumb|none]]
+
[[File:Graph2.jpg|none|thumb|831x831px]]
  
Click "Add"
 
[[File:MSGraph7.png|thumb|none]]
 
  
Click "Select an API"
+
Click on New application registration
[[File:MSGraph8.png|thumb|none]]
+
[[File:Graph3.jpg|none|thumb|909x909px]]
  
Click "Microsoft Graph"
 
[[File:MSGraph9.png|thumb|none]]
 
  
Click "Select"
+
Give the new App a name ex. "UMSGraph", Choose "Web app / API" in Application type, set "Sign-on URL" to "http://localhost". After setting Application Permission values click "Create"
[[File:MSGraph10.png|thumb|none]]
+
[[File:Graph43.jpg|none|thumb|913x913px]]
 +
You will return to previous screen, here click "your new app"
 +
[[File:Grahp5.jpg|none|thumb|905x905px]]
  
Click the left topmost checkbox next to "APPLICATION PERMISSIONS", and scroll down to next section.
 
[[File:MSGraph11.png|thumb|none]]
 
  
Click the checkbox next to "DELEGATED PERMISSIONS"
+
Click "Certificates & secrets"
[[File:MSGraph13.png|thumb|none]]
 
  
Click "Select"
+
Click "New Client Secret"
[[File:MSGraph15.png|thumb|none]]
 
  
Click "Done"
+
Enter a "Description" and set "Expires" to the interval that suits your needs.
[[File:MSGraph16.png|thumb|none]]
 
  
Click "Add" again
+
Click "Add"
 +
[[File:Graph6.jpg|none|thumb|908x908px]]
  
Click "Select an API"
 
  
Click "Office 365 SharePoint Online"
+
Copy "Value ID"   We will use this later
[[File:MSGraph17.png|thumb|none]]
 
  
Click "Select", as before - click the checkbox next to "APPLICATION PERMISSIONS" and "DELEGATED PERMISSIONS" and click Select.
+
'''!!! ATTENTION !!! the key value will never be visible again so ensure to copy it.''' [[File:Graph7.png|none|thumb|790x790px]]
  
Click "Done"
 
  
Click "Add" again and "Select an API"
+
Copy the "VALUE Key into "UMS Configurator" field Client Secret
  
Click "OneNote"
+
[[File:Tewxddf.png|frameless|566x566px]]
[[File:MSGraph18.png|thumb|none]]
 
  
Click "Select", as before - click the checkbox next to "APPLICATION PERMISSIONS" and "DELEGATED PERMISSIONS" and click Select.
 
  
Click "Done"
+
Copy the "Directory Tenant ID " into "UMS Configurator" Field Tenant ID
  
Click "Windows Azure Active Directory" Permission.
+
Copy the "Appplication Client ID " into "UMS Configurator" Field Client ID
 +
[[File:Id.jpg|none|thumb|1120x1120px]]
  
Click the checkbox next to "APPLICATION PERMISSIONS" and "DELEGATED PERMISSIONS" and click "Save"
 
  
Now click "Grant Permissions"
+
Click "Api permissions"
[[File:MSGraph19.png|none|thumb]]
 
Click "Yes"
 
[[File:MSGraph20.png|none|thumb]]
 
Permissions are now set.
 
  
Click "Properties"
+
Click "Add a permission"
[[File:MSGraph21.png|none|thumb]]
+
[[File:Graph8.png|none|thumb|780x780px]]
Copy "Application ID" into Configurator (see last Picture) .
 
[[File:MSGraph22.png|none|thumb]]
 
Click "Keys"
 
[[File:MSGraph23.png|none|thumb]]
 
Set "DESCRIPTION" to ex. "UMS1" and choose "Never expires" in the "EXPIRES" Setup dropdown
 
[[File:MSGraph24.png|none|thumb]]
 
Click "Save"
 
[[File:MSGraph25.png|none|thumb]]
 
Copy the Key in the "VALUE" into Configurator (see last Picture) !!! ATTENTION !!! the key value will never be visible again so ensure to copy it.
 
[[File:MSGraph26.png|none|thumb]]
 
  
== Setup UMS to use Application just Created ==
+
==Setup UMS to use Application just Created==
 
In the UMS Configurator go to Modules->Office 365 and click "SharePoint organization settings"
 
In the UMS Configurator go to Modules->Office 365 and click "SharePoint organization settings"
[[File:UMSConfiguratorSharepointOrganizationSettings.png|none|thumb]]
+
[[File:UMSConfiguratorSharepointOrganizationSettings.png|none|thumb|600x600px]]
 
Choose your SharePoint organization setting and click "Edit..."
 
Choose your SharePoint organization setting and click "Edit..."
[[File:UMSConfiguratorSharepointOrganizationSettingsEdit.png|none|thumb]]
+
[[File:UMSConfiguratorSharepointOrganizationSettingsEdit.png|none|thumb|600x600px]]
<nowiki><span id="SharePointOrganizationSettings">Input</span></nowiki> your "Tenant Name" ex. "cortenso.onmicrosoft.com", paste the previously copied Application ID into "Client ID" field and paste previously copied KEY into "Client secret" and click "Ok"
+
<span id="SharePointOrganizationSettings">Input</span> your "Tenant Name" ex. "cortenso'''.onmicrosoft.com'''", paste the previously copied Application ID into "Client ID" field and paste previously copied KEY into "Client secret" and click "Ok"
[[File:UMSConfiguratorSharepointOrganizationSettingsEditWindow.png|none|thumb]]
+
[[File:UMSConfiguratorSharepointOrganizationSettingsEditWindow.png|none|thumb|600x600px]]
 
You are now all set to use the new MS Graph integration.
 
You are now all set to use the new MS Graph integration.
  
__FORCETOC__
+
==Permissions overview==
 +
 
 +
=== Microsoft Graph ===
 +
{| class="wikitable sortable"
 +
|+Default permissions
 +
!Permission name
 +
!Permission type
 +
!API
 +
!Used for
 +
!Used by
 +
|-
 +
|User.ReadWrite.All
 +
|Application
 +
|Microsoft Graph
 +
|Setting attributes on the user in Office 365
 +
|Live_at_edu.exe
 +
|-
 +
|Group.ReadWrite.All
 +
|Application
 +
|Microsoft Graph
 +
|Setting group attributes on Office 365 groups
 +
|Live_at_edu.exe
 +
|-
 +
|GroupMember.ReadWrite.All
 +
|Application
 +
|Microsoft Graph
 +
|Manage GroupMembers in Office 365
 +
|Live_at_edu.exe
 +
|-
 +
|Directory.ReadWrite.All
 +
|Application
 +
|Microsoft Graph
 +
|Setting attributes on the user in Azure Active Directory
 +
|Live_at_edu.exe
 +
|-
 +
|MailboxSettings.ReadWrite
 +
|Application
 +
|Microsoft Graph
 +
|Used to set mailbox settings in Office 365.
 +
Used to get/create categories
 +
|Live_at_edu.exe
 +
Skemabrikker.exe
 +
|-
 +
|Calendars.ReadWrite
 +
|Application
 +
|Microsoft Graph
 +
|Used to allow UMS to sync calendar events to Office 365
 +
|Skemabrikker.exe
 +
|-
 +
|Files.ReadWrite.All
 +
|Application
 +
|Microsoft Graph
 +
|Used to provision OneDrive for users
 +
|Live_at_edu.exe
 +
|}
 +
{| class="wikitable sortable"
 +
|+Teams sync permissions
 +
!Permission name
 +
!Permission type
 +
!API
 +
!Used for
 +
!Used by
 +
|-
 +
|EduRoster.ReadWrite.All
 +
|Application
 +
|Microsoft Graph
 +
|Allows the UMS to handle users on roster
 +
|Live_at_edu.exe
 +
|-
 +
|Member.Read.Hidden
 +
|Application
 +
|Microsoft Graph
 +
|Allows the UMS to handle users on roster
 +
|Live_at_edu.exe
 +
|-
 +
|TeamMember.ReadWrite.All
 +
|Application
 +
|Microsoft Graph
 +
|Used to add or remove users from Team
 +
|Live_at_edu.exe
 +
|-
 +
|TeamsTab.ReadWrite.All
 +
|Application
 +
|Microsoft Graph
 +
|Used to create tabs in teams
 +
|Live_at_edu.exe
 +
|-
 +
|TeamsAppInstallation.ReadForTeam.All
 +
|Application
 +
|Microsoft Graph
 +
|Used to install app in teams
 +
|Live_at_edu.exe
 +
|-
 +
|Team.Create
 +
|Application
 +
|Microsoft Graph
 +
|Used to create Teams
 +
|Live_at_edu.exe
 +
|-
 +
|Team.ReadBasic.All
 +
|Application
 +
|Microsoft Graph
 +
|Used to read teams
 +
|Live_at_edu.exe
 +
|}
 +
 
 +
=== SharePoint ===
 +
{| class="wikitable sortable"
 +
|+SharePoint sync permissions
 +
!Permission name
 +
!Permission type
 +
!API
 +
!Used for
 +
!Used by
 +
|-
 +
|Sites.FullControl.All
 +
|Application
 +
|Microsoft Graph
 +
|Have full control of all site collections
 +
|Office365_SP_OneNote.exe
 +
|-
 +
|Sites.Manage.All
 +
|Application
 +
|Microsoft Graph
 +
|Read and write items and lists in all site collections
 +
|Office365_SP_OneNote.exe
 +
|-
 +
|Sites.ReadWrite.All
 +
|Application
 +
|Microsoft Graph
 +
|Read and write items in all site collections
 +
|Office365_SP_OneNote.exe
 +
|-
 +
|User.ReadWrite.All
 +
|Application
 +
|Microsoft Graph
 +
|Read and write user profiles
 +
|Office365_SP_OneNote.exe
 +
|}
 +
 
 +
=== OneNote ===
 +
{| class="wikitable sortable"
 +
|+OneNote sync permissions
 +
!Permission name
 +
!Permission type
 +
!API
 +
!Used for
 +
!Used by
 +
|-
 +
|Notes.ReadWrite.All
 +
|Application
 +
|Microsoft Graph
 +
|
 +
|Office365_SP_OneNote.exe
 +
|}
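Review bot: the new step list stops at "Click "Add a permission"" without saying which permissions to add or that admin consent must be granted afterwards; the old revision's "Now click "Grant Permissions"" / "Click "Yes"" steps have no counterpart in the new text, so a reader following only the new revision ends with a registration whose requested permissions are never consented. Suggest one line after "Click "Add a permission"" that points at the Permissions overview tables below, followed by a closing step that grants admin consent for them. Two smaller points in the same region: "Copy "Value ID"   We will use this later" names the wrong thing (the following lines correctly call it the "VALUE Key" that goes into the Client Secret field, so use "Value" consistently), and "Appplication Client ID" has a typo. In the OneNote table the "Used for" cell of Notes.ReadWrite.All is empty and should state what the permission is used for.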

Latest revision as of 09:37, 2 September 2021

MS Graph permissions are a UMS backend requirement from version 8.5.203, which was released in June 2021.

MS Graph permissions are required by these UMS modules: LiveAtEdu, OneNote, SharePoint, Office 365 Timeblok and MS Teams.

== Creating App Registration ==

Go to [http://portal.azure.com Azure Portal] and login with your admin account (the same one UMS uses).

!!! ATTENTION !!! Use the service account that UMS uses.

When logged in, go to Azure Active Directory:

Graph1.jpg

Go to App registrations

Graph2.jpg

Click on New application registration

Graph3.jpg

Give the new App a name, ex. "UMSGraph", choose "Web app / API" in Application type and set "Sign-on URL" to "http://localhost". After setting the Application Permission values, click "Create".

Graph43.jpg

You will return to the previous screen; here click your new app.

Grahp5.jpg

Click "Certificates & secrets"

Click "New Client Secret"

Enter a "Description" and set "Expires" to the interval that suits your needs.

Click "Add"

Graph6.jpg

Copy the secret "Value"; we will use this later.

!!! ATTENTION !!! The key value will never be visible again, so ensure to copy it.

Graph7.png

Copy the "Value" key into the "UMS Configurator" field Client Secret.

Tewxddf.png

Copy the "Directory Tenant ID" into the "UMS Configurator" field Tenant ID.

Copy the "Application Client ID" into the "UMS Configurator" field Client ID.

Id.jpg

Click "API permissions"

Click "Add a permission"

Graph8.png

== Setup UMS to use Application just Created ==

In the UMS Configurator go to Modules -> Office 365 and click "SharePoint organization settings"

UMSConfiguratorSharepointOrganizationSettings.png

Choose your SharePoint organization setting and click "Edit..."

UMSConfiguratorSharepointOrganizationSettingsEdit.png

Input your "Tenant Name", ex. "cortenso.onmicrosoft.com", paste the previously copied Application ID into the "Client ID" field, paste the previously copied key into "Client secret" and click "Ok".

UMSConfiguratorSharepointOrganizationSettingsEditWindow.png

You are now all set to use the new MS Graph integration.

== Permissions overview ==

=== Microsoft Graph ===

{| class="wikitable sortable"
|+ Default permissions
! Permission name !! Permission type !! API !! Used for !! Used by
|-
| User.ReadWrite.All || Application || Microsoft Graph || Setting attributes on the user in Office 365 || Live_at_edu.exe
|-
| Group.ReadWrite.All || Application || Microsoft Graph || Setting group attributes on Office 365 groups || Live_at_edu.exe
|-
| GroupMember.ReadWrite.All || Application || Microsoft Graph || Manage GroupMembers in Office 365 || Live_at_edu.exe
|-
| Directory.ReadWrite.All || Application || Microsoft Graph || Setting attributes on the user in Azure Active Directory || Live_at_edu.exe
|-
| MailboxSettings.ReadWrite || Application || Microsoft Graph || Used to set mailbox settings in Office 365 and to get/create categories || Live_at_edu.exe, Skemabrikker.exe
|-
| Calendars.ReadWrite || Application || Microsoft Graph || Used to allow UMS to sync calendar events to Office 365 || Skemabrikker.exe
|-
| Files.ReadWrite.All || Application || Microsoft Graph || Used to provision OneDrive for users || Live_at_edu.exe
|}

{| class="wikitable sortable"
|+ Teams sync permissions
! Permission name !! Permission type !! API !! Used for !! Used by
|-
| EduRoster.ReadWrite.All || Application || Microsoft Graph || Allows the UMS to handle users on roster || Live_at_edu.exe
|-
| Member.Read.Hidden || Application || Microsoft Graph || Allows the UMS to handle users on roster || Live_at_edu.exe
|-
| TeamMember.ReadWrite.All || Application || Microsoft Graph || Used to add or remove users from Team || Live_at_edu.exe
|-
| TeamsTab.ReadWrite.All || Application || Microsoft Graph || Used to create tabs in teams || Live_at_edu.exe
|-
| TeamsAppInstallation.ReadForTeam.All || Application || Microsoft Graph || Used to install app in teams || Live_at_edu.exe
|-
| Team.Create || Application || Microsoft Graph || Used to create Teams || Live_at_edu.exe
|-
| Team.ReadBasic.All || Application || Microsoft Graph || Used to read teams || Live_at_edu.exe
|}

=== SharePoint ===

{| class="wikitable sortable"
|+ SharePoint sync permissions
! Permission name !! Permission type !! API !! Used for !! Used by
|-
| Sites.FullControl.All || Application || Microsoft Graph || Have full control of all site collections || Office365_SP_OneNote.exe
|-
| Sites.Manage.All || Application || Microsoft Graph || Read and write items and lists in all site collections || Office365_SP_OneNote.exe
|-
| Sites.ReadWrite.All || Application || Microsoft Graph || Read and write items in all site collections || Office365_SP_OneNote.exe
|-
| User.ReadWrite.All || Application || Microsoft Graph || Read and write user profiles || Office365_SP_OneNote.exe
|}

=== OneNote ===

{| class="wikitable sortable"
|+ OneNote sync permissions
! Permission name !! Permission type !! API !! Used for !! Used by
|-
| Notes.ReadWrite.All || Application || Microsoft Graph || || Office365_SP_OneNote.exe
|}
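As an added example (not UMS code) of how an administrator can check the registration this page describes against its own tables: the functions below report permissions missing for the enabled features, list grants that no feature on this page needs (the least-privilege finding), and flag client secrets that are expired or about to expire. The feature keys, the `endDateTime` input shape and every sample value are assumptions made for the example.

```python
"""Offline check of a UMS app registration: least privilege and secret expiry.
Added example, not UMS code; permission sets are transcribed from this page's
tables (keyed by table caption) and every input below is constructed."""
from datetime import datetime, timedelta

REQUIRED = {
    "Default": {"User.ReadWrite.All", "Group.ReadWrite.All", "GroupMember.ReadWrite.All",
                "Directory.ReadWrite.All", "MailboxSettings.ReadWrite",
                "Calendars.ReadWrite", "Files.ReadWrite.All"},
    "Teams sync": {"EduRoster.ReadWrite.All", "Member.Read.Hidden", "TeamMember.ReadWrite.All",
                   "TeamsTab.ReadWrite.All", "TeamsAppInstallation.ReadForTeam.All",
                   "Team.Create", "Team.ReadBasic.All"},
    "SharePoint sync": {"Sites.FullControl.All", "Sites.Manage.All", "Sites.ReadWrite.All",
                        "User.ReadWrite.All"},
    "OneNote sync": {"Notes.ReadWrite.All"},
}

def audit_permissions(granted, features):
    """Return (missing, surplus) for the enabled features; surplus is the
    least-privilege finding: grants no enabled feature on this page asks for."""
    needed = set()
    for feature in features:
        needed |= REQUIRED[feature]
    return sorted(needed - set(granted)), sorted(set(granted) - needed)

def _parse(iso):
    # fromisoformat() only accepts a trailing "Z" from Python 3.11 on.
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def secret_status(credentials, now_iso, warn_days=30):
    """Classify client secrets as expired / expiring / ok from their endDateTime
    (ISO 8601, the field in a Graph application's passwordCredentials)."""
    now, status = _parse(now_iso), {}
    for cred in credentials:
        end = _parse(cred["endDateTime"])
        if end <= now:
            status[cred["displayName"]] = "expired"
        elif end - now <= timedelta(days=warn_days):
            status[cred["displayName"]] = "expiring"
        else:
            status[cred["displayName"]] = "ok"
    return status

if __name__ == "__main__":
    # Constructed sample: one grant nothing on this page needs, one lapsing secret.
    print(audit_permissions(sorted(REQUIRED["Default"] | {"Mail.Send"}), ["Default"]))
    creds = [{"displayName": "UMS1", "endDateTime": "2021-09-20T00:00:00Z"},
             {"displayName": "UMS-old", "endDateTime": "2021-06-01T00:00:00Z"}]
    print(secret_status(creds, "2021-09-02T09:37:00Z"))
```

Feed `audit_permissions` the application permission names shown under "API permissions" for the app and `secret_status` the secrets shown under "Certificates & secrets"; anything in the surplus list is a grant the page does not account for.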