MSGraphPermissions

From UmsWiki
Latest revision as of 08:32, 5 November 2024

Microsoft Graph permissions are required by these UMS modules:

  • LiveAtEdu
  • OneNote
  • SharePoint
  • Office 365 Time blocks
  • MS Teams

Creating App Registration

Go to the Azure Portal and log in with your admin account.

When logged in, go to Azure Active Directory (called Microsoft Entra ID in the current portal).

Go to App registrations.

Click on New application registration.

Give the new app a name, e.g. "UMSGraph", choose "Web app / API" as Application type and set "Sign-on URL" to "http://localhost" (in the current portal this is the "Web" platform redirect URI). After setting the Application Permission values, click "Create".

You will return to the previous screen; here click your new app.

Click "Certificates & secrets".

Click "New Client Secret".

Enter a "Description" and set "Expires" to the interval that suits your needs. Choose the shortest interval you can operate: this secret is the only credential behind the application permissions granted below, no user sign-in or MFA is involved, and UMS stops authenticating the moment it expires, so note the expiry date and rotate the secret before then.

Click "Add".

Copy the secret "Value"; it is used later.

!!! ATTENTION !!! The secret value is never shown again once you leave this page, so make sure to copy it. Keep it out of mail, tickets and scripts; it belongs only in the UMS Configurator.

Copy the secret "Value" into the "UMS Configurator" field Client Secret.

Copy the "Directory (tenant) ID" into the "UMS Configurator" field Tenant ID.

Copy the "Application (client) ID" into the "UMS Configurator" field Client ID.

Click "API permissions".

Click "Add a permission", add the Microsoft Graph application permissions listed under "Permissions overview" below for the modules you use, and then click "Grant admin consent" for your tenant: application permissions are inactive until an administrator has consented to them.

Setup SharePoint, OneNote Class Notebook or OneDrive provisioning

If you only use OneDrive provisioning, you do not need to fill in the settings below in UMS (they were entered above); only the "Add SharePoint App permissions" section applies.

In the UMS Configurator go to Modules -> Office 365 and click "SharePoint organization settings".

Choose your SharePoint organization setting and click "Edit...".

Input your "Tenant Name", e.g. "cortenso.onmicrosoft.com", insert the Application (client) ID into the "Client ID" field, insert the "Client secret" and "Tenant ID", and click "Ok".

Add SharePoint App permissions

  • Go to https://<tenantname>-admin.sharepoint.com/_layouts/15/appinv.aspx
  • Enter the App Id (the Application (client) ID) and press Lookup.
  • Paste the text below into "Permission Request XML", enter anything you like into Title, and save.
<AppPermissionRequests AllowAppOnlyPolicy="true">
 <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
 <AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="FullControl" />
</AppPermissionRequests>

This grant uses the legacy SharePoint app-only (ACS) model: AllowAppOnlyPolicy="true" lets the app act without any signed-in user, and the tenant-scoped FullControl rights cover every site collection in the tenant. The client secret from the app registration is therefore sufficient to read, change or delete all SharePoint content; protect it accordingly, and remove the app principal (see "Remove SharePoint App permissions") when the module is no longer used.

Open Windows PowerShell on the server running the program

Windows PowerShell 5 must be used; the commands below target that runtime.

# Enable TLS 1.2 for PowerShell commands; the PowerShell Gallery requires it
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Install-Module needs the NuGet package provider; install it machine-wide once if it is missing
$NugetPackageProvider = Get-PackageProvider -ListAvailable -Name NuGet -ErrorAction SilentlyContinue
if (!$NugetPackageProvider) {Install-PackageProvider -Name NuGet -Scope AllUsers -Force}

# SharePoint Online Management Shell; Connect-SPOService prompts for a SharePoint administrator sign-in
Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Force
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url https://<tenantname>-admin.sharepoint.com
# Allow legacy app-only (ACS) authentication, which the appinv.aspx grant above relies on
Set-SPOTenant -DisableCustomAppAuthentication $false

Set-SPOTenant -DisableCustomAppAuthentication $false is a tenant-wide switch, not a setting for the UMS app alone: it re-enables legacy app-only (ACS) authentication for every app principal in the tenant, and new tenants ship with it disabled. Check the current value with Get-SPOTenant | Select-Object DisableCustomAppAuthentication before changing it, and consider setting it back to $true if the SharePoint module is retired.

Remove SharePoint App permissions

If you want to remove an existing app permission, for example because you no longer use the module, use this link:

https://<tenantname>-admin.sharepoint.com/_layouts/15/TA_AllAppPrincipals.aspx

Permissions overview

Microsoft Graph

Default permissions

Permission name | Permission type | API | Used for | Used by
Mail.Send | Application | Microsoft Graph | Send mail from UMS programs; only needed if selected under service accounts and mail accounts | All UMS programs
User.ReadWrite.All | Application | Microsoft Graph | Setting attributes on the user in Office 365 | Live_at_edu.exe
Group.ReadWrite.All | Application | Microsoft Graph | Setting group attributes on Office 365 groups | Live_at_edu.exe
GroupMember.ReadWrite.All | Application | Microsoft Graph | Manage group members in Office 365 | Live_at_edu.exe
Directory.ReadWrite.All | Application | Microsoft Graph | Setting attributes on the user in Azure Active Directory | Live_at_edu.exe
MailboxSettings.ReadWrite | Application | Microsoft Graph | Used to set mailbox settings in Office 365; used to get/create categories | Live_at_edu.exe, Skemabrikker.exe
Calendars.ReadWrite | Application | Microsoft Graph | Used to allow UMS to sync calendar events to Office 365 | Skemabrikker.exe
Files.ReadWrite.All | Application | Microsoft Graph | Used to provision OneDrive for users | Live_at_edu.exe
User.EnableDisableAccount.All | Application | Microsoft Graph | Used for enabling and disabling users; only applicable if not using Azure/Entra AD Sync | Live_at_edu.exe

Teams sync permissions

Permission name | Permission type | API | Used for | Used by
EduRoster.ReadWrite.All | Application | Microsoft Graph | Allows UMS to handle users on the roster | Live_at_edu.exe
Member.Read.Hidden | Application | Microsoft Graph | Allows UMS to handle users on the roster | Live_at_edu.exe
TeamMember.ReadWrite.All | Application | Microsoft Graph | Used to add or remove users from a Team | Live_at_edu.exe
TeamsTab.ReadWrite.All | Application | Microsoft Graph | Used to create tabs in Teams | Live_at_edu.exe
TeamsAppInstallation.ReadForTeam.All | Application | Microsoft Graph | Used to install apps in Teams | Live_at_edu.exe
Team.Create | Application | Microsoft Graph | Used to create Teams | Live_at_edu.exe
Team.ReadBasic.All | Application | Microsoft Graph | Used to read Teams | Live_at_edu.exe

Change Password when using Azure AD as login

Permission name | Permission type | API | Used for | Used by
Directory.AccessAsUser.All | Delegated | Microsoft Graph | | UMS Web
User.Read | Delegated | Microsoft Graph | | UMS Web

See also Password Change Azure AD

Password Sync

Go to "Microsoft Entra ID" -> "Roles and administrators".

Note that this is a directory role assigned to the app's service principal, not a Graph permission.

Role name | Permission type | API | Used for | Used by
Password Administrator | ServicePrincipal | Microsoft Graph | Reset password for users | Password_Sync

SharePoint

Permission name | Permission type | API | Used for | Used by
Sites.FullControl.All | Application | Microsoft Graph | Have full control of all site collections | Office365_SP_OneNote.exe
User.ReadWrite.All | Application | Microsoft Graph | Read and write user profiles | Office365_SP_OneNote.exe

OneNote

Permission name | Permission type | API | Used for | Used by
Notes.ReadWrite.All | Application | Microsoft Graph | | Office365_SP_OneNote.exe

All Graph permissions above except the two delegated UMS Web rows are application permissions: they work without a signed-in user and apply tenant-wide, so the client secret alone is enough to exercise them. Directory.ReadWrite.All and Sites.FullControl.All are among the broadest permissions Graph offers; grant only the rows for the modules you actually run, and remove the rest when a module is retired.
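The following PowerShell script is an added example, not UMS code and not from this page. It checks the two things that silently break or over-privilege this integration: the client secret's expiry from "Creating App Registration", and the Microsoft Graph application permissions actually consented on the app's service principal, compared with the rows in the tables above. It assumes the Microsoft.Graph PowerShell SDK is installed, an interactive admin sign-in (the app's own client secret is never needed), the app name "UMSGraph" from the walkthrough, and that you trim $Expected to the modules you run.

```powershell
# Added example, not UMS code: audit the UMSGraph app registration's secrets and
# granted Microsoft Graph application permissions. Assumes the Microsoft.Graph PowerShell
# SDK and an interactive admin sign-in; the app's own client secret is not needed.
param(
    [string]$AppDisplayName = 'UMSGraph',   # assumed name from the walkthrough
    [int]$WarnDays = 30                     # flag secrets expiring within this many days
)

# Application permissions from the "Permissions overview" tables (Default, Teams sync,
# SharePoint, OneNote). Trim this to the modules you actually run.
$Expected = @(
    'Mail.Send', 'User.ReadWrite.All', 'Group.ReadWrite.All', 'GroupMember.ReadWrite.All',
    'Directory.ReadWrite.All', 'MailboxSettings.ReadWrite', 'Calendars.ReadWrite',
    'Files.ReadWrite.All', 'User.EnableDisableAccount.All',
    'EduRoster.ReadWrite.All', 'Member.Read.Hidden', 'TeamMember.ReadWrite.All',
    'TeamsTab.ReadWrite.All', 'TeamsAppInstallation.ReadForTeam.All', 'Team.Create',
    'Team.ReadBasic.All', 'Sites.FullControl.All', 'Notes.ReadWrite.All'
)

# Application.Read.All is enough to read app registrations, service principals and
# their app role assignments.
Connect-MgGraph -Scopes 'Application.Read.All'

$app = Get-MgApplication -Filter "displayName eq '$AppDisplayName'" | Select-Object -First 1
if (-not $app) { throw "No app registration named '$AppDisplayName' found" }

# 1. Client secrets: an expired secret stops every UMS module that uses this app.
$now = (Get-Date).ToUniversalTime()
foreach ($cred in $app.PasswordCredentials) {
    $daysLeft = [int]($cred.EndDateTime - $now).TotalDays
    $state = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -le $WarnDays) { 'EXPIRING' } else { 'ok' }
    '{0,-8} secret "{1}" (KeyId {2}) ends {3:u}, {4} days left' -f $state, $cred.DisplayName, $cred.KeyId, $cred.EndDateTime, $daysLeft
}

# 2. Consented application permissions live on the service principal as app role
#    assignments; resolve the role ids through Microsoft Graph's own app-role catalogue.
$sp      = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"  # Microsoft Graph
$roleName = @{}
foreach ($role in $graphSp.AppRoles) { $roleName[$role.Id] = $role.Value }

$granted = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { $roleName[$_.AppRoleId] })

$missing = @($Expected | Where-Object { $_ -notin $granted })
$extra   = @($granted  | Where-Object { $_ -notin $Expected })

"Granted Microsoft Graph application permissions: $($granted -join ', ')"
if ($missing) { "MISSING (the module that needs it will fail): $($missing -join ', ')" }
if ($extra)   { "EXTRA (not in the UMS tables; remove for least privilege): $($extra -join ', ')" }
```

Save it as a .ps1 and run it from an admin workstation, for example on a schedule so that an EXPIRING secret is noticed before UMS stops working. Permissions that were added in the portal but never admin-consented do not appear as app role assignments and therefore show up as MISSING, which is exactly the state the "Grant admin consent" step fixes.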


Password Administrator

To add the Password Administrator role, click Roles and administrators in Microsoft Entra ID and open Password Administrator.

  • Click Add assignments, search for the app registration's name and click Add.


FAQ:

If you get this message when trying to reset a password in Office 365 through the Microsoft Graph API, the user is a Global Administrator: the Password Administrator role held by the UMS app can only reset non-administrators (and other Password Administrators), so Graph refuses the reset.

The error message below can indicate that the user has roles in Azure/Entra which prevent Graph from disabling them. If the error persists after removing all roles, the app may lack permissions; make sure it has been granted User.EnableDisableAccount.All.

(DisableUsers) Error. Could not disable user - User - The user could have roles that does not allow this action. Insufficient privileges to complete the operation.
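The script below is an added diagnostic, not UMS code and not from this page. It lists the active Entra directory roles a user holds, which is the usual cause of both FAQ failures, so you can tell a role problem from a missing-permission problem before touching the app registration. It assumes the Microsoft.Graph PowerShell SDK, an interactive admin sign-in with delegated Directory.Read.All (this runs as you, not as the UMS service principal), and a $Upn parameter for the affected user.

```powershell
# Added example, not UMS code: show which Entra directory roles a user holds, the usual
# cause of the reset/disable failures in the FAQ. Assumes the Microsoft.Graph PowerShell
# SDK and an interactive admin sign-in (delegated Directory.Read.All); $Upn is assumed.
param([Parameter(Mandatory)][string]$Upn)

Connect-MgGraph -Scopes 'Directory.Read.All'

$user = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName, AccountEnabled

# transitiveMemberOf also returns roles obtained through role-assignable groups.
# Eligible PIM assignments that are not currently activated do not show up here.
$roles = @(Get-MgUserTransitiveMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { $_.AdditionalProperties['displayName'] } |
    Sort-Object -Unique)

if ($roles.Count -eq 0) {
    "$($user.UserPrincipalName) (enabled: $($user.AccountEnabled)) holds no active directory role."
    "A reset/disable failure for this user points at missing app permissions, not at roles."
} else {
    "$($user.UserPrincipalName) holds active directory roles: $($roles -join ', ')"
    "Password Administrator cannot reset this user and the app cannot disable it; remove the roles or manage the account outside UMS."
}
```

Run it as .\Check-UmsUserRoles.ps1 -Upn someone@cortenso.onmicrosoft.com. If it reports no roles and the disable error still occurs, the cause is on the app side, and the permission audit in the previous section shows whether User.EnableDisableAccount.All was actually consented.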