MSGraphPermissions
Latest revision as of 08:32, 5 November 2024
Microsoft Graph permissions are required by these UMS modules:
- LiveAtEdu
- OneNote
- SharePoint
- Office 365 Time blocks
- MS Teams
Creating App Registration
Go to the Azure Portal and log in with your admin account.
When logged in, go to Azure Active Directory (now Microsoft Entra ID):
Go to App registrations
Click on New application registration
Give the new app a name, e.g. "UMSGraph", choose "Web app / API" as Application type and set "Sign-on URL" to "http://localhost". After setting the Application Permission values click "Create".
You will return to the previous screen; click your new app.
Click "Certificates & secrets"
Click "New client secret"
Enter a "Description" and set "Expires" to the interval that suits your needs. The secret is the only credential protecting every permission granted below, so choose the shortest interval you can operate and plan the rotation: when the secret expires, every UMS module using it stops working until a new value is entered in UMS Configurator.
Click "Add"
Copy the secret "Value"; we will use it later.
!!! ATTENTION !!! The secret value is shown only once and will never be visible again, so make sure to copy it. Keep it in a password manager or vault, not in a ticket or e-mail.
Copy the secret "Value" into the UMS Configurator field Client Secret
Copy the "Directory (tenant) ID" into the UMS Configurator field Tenant ID
Copy the "Application (client) ID" into the UMS Configurator field Client ID
Click "API permissions"
Click "Add a permission", pick Microsoft Graph and Application permissions, and add the permissions listed under "Permissions overview" below for the modules you use. Finally click "Grant admin consent" for your tenant: application permissions have no effect until an administrator has consented to them.
Setup SharePoint, OneNote Class Notebook or OneDrive provisioning
When using OneDrive provisioning you do not need to fill in the settings in UMS (that was done above); only the "Add SharePoint App permissions" chapter below applies.
In the UMS Configurator go to Modules -> Office 365 and click "SharePoint organization settings"
Choose your SharePoint organization setting and click "Edit..."
Input your "Tenant Name", e.g. "cortenso.onmicrosoft.com", insert the Application ID into the "Client ID" field, insert the "Client secret" and "Tenant ID", and click "Ok"
Add SharePoint App permissions
- Go to https://<tenantname>-admin.sharepoint.com/_layouts/15/appinv.aspx
- Enter the App Id (AKA Client Id) and press Lookup.
- Copy and paste the text below into "Permission Request XML" and save (enter anything you like in Title).
<AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
    <AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="FullControl" />
</AppPermissionRequests>
This grants the app principal FullControl over every site collection in the tenant (content scope) and over user profiles and social data (social scope), and AllowAppOnlyPolicy="true" means it can be exercised with the client secret alone, without any user context. Protect the secret accordingly.
Open newest installed PowerShell on the server running the program
Must use PowerShell 5
# Enable TLS 1.2 for PowerShell commands (the gallery and the SharePoint endpoints refuse older protocols)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Make sure the NuGet package provider is present so Install-Module can fetch from the PowerShell Gallery
$NugetPackageProvider = Get-PackageProvider -ListAvailable -Name NuGet -ErrorAction SilentlyContinue
if (!$NugetPackageProvider) { Install-PackageProvider -Name NuGet -Scope AllUsers -Force }
# Install and load the SharePoint Online Management Shell
Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Force
Import-Module Microsoft.Online.SharePoint.PowerShell
# Sign in as a SharePoint administrator (interactive prompt)
Connect-SPOService -Url https://<tenantname>-admin.sharepoint.com
# Allow Azure ACS app-only authentication, which the appinv.aspx registration above relies on
Set-SPOTenant -DisableCustomAppAuthentication $false
The last command changes a tenant-wide setting. DisableCustomAppAuthentication is $true by default in newer tenants precisely to block legacy ACS app-only principals, and setting it to $false re-enables every such principal in the tenant, not only the one registered for UMS. After enabling it, review the principal list at the TA_AllAppPrincipals.aspx link below and remove anything you do not recognise.
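The two steps above (the permission XML on appinv.aspx and the DisableCustomAppAuthentication change) only pay off together, and UMS reports a failure of either one as a generic error. The script below is an added example, not part of the UMS documentation or product: it performs the Azure ACS client-credentials exchange that SharePoint app-only principals use and then calls the admin site's REST API with the resulting token, so a success proves both steps took effect. Placeholders are assumptions you replace; 00000003-0000-0ff1-ce00-000000000000 is the well-known principal ID of SharePoint Online.

```powershell
# Added example (not UMS code): confirm that the SharePoint app-only registration
# works end to end. Assumptions: the placeholder values below; the ACS realm is
# the Directory (tenant) ID; the SharePoint Online principal ID is the well-known
# 00000003-0000-0ff1-ce00-000000000000.

param(
    [string]$TenantName   = '<tenantname>',      # e.g. cortenso
    [string]$TenantId     = '<tenant-id>',       # Directory (tenant) ID, used as ACS realm
    [string]$ClientId     = '<application-id>',
    [string]$ClientSecret = '<client-secret>'
)

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$SharePointPrincipal = '00000003-0000-0ff1-ce00-000000000000'
$AdminHost = "$TenantName-admin.sharepoint.com"

function Get-SPOAppOnlyToken {
    # ACS client-credentials exchange: client_id and resource are qualified with the realm.
    param([string]$Realm, [string]$ClientId, [string]$ClientSecret, [string]$HostName)
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = "${ClientId}@${Realm}"
        client_secret = $ClientSecret
        resource      = "${SharePointPrincipal}/${HostName}@${Realm}"
    }
    $resp = Invoke-RestMethod -Method Post -Uri "https://accounts.accesscontrol.windows.net/$Realm/tokens/OAuth/2" -Body $body
    return $resp.access_token
}

try {
    $token = Get-SPOAppOnlyToken -Realm $TenantId -ClientId $ClientId -ClientSecret $ClientSecret -HostName $AdminHost
} catch {
    throw "ACS rejected the client credentials: $($_.Exception.Message). Check the client secret and the Tenant ID."
}

try {
    # odata=verbose wraps the result in a "d" property
    $web = Invoke-RestMethod -Uri "https://$AdminHost/_api/web?`$select=Title" -Headers @{
        Authorization = "Bearer $token"
        Accept        = 'application/json;odata=verbose'
    }
    "App-only access OK, admin site title: $($web.d.Title)"
} catch {
    # A 401/403 here usually means the permission XML was not granted on appinv.aspx
    # or DisableCustomAppAuthentication is still $true. Check the latter with:
    #   Connect-SPOService -Url "https://$AdminHost"; (Get-SPOTenant).DisableCustomAppAuthentication
    throw "SharePoint rejected the ACS token: $($_.Exception.Message)"
}
```

Run it from the server that hosts UMS so that any outbound proxy or TLS inspection in the path is exercised as well; a token that ACS issues but SharePoint rejects points at the tenant setting or the permission XML, not at the credentials.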
Remove SharePoint App permissions
If you want to remove an existing app permission, for example because you no longer use the module, open this link and delete the app principal:
https://<tenantname>-admin.sharepoint.com/_layouts/15/TA_AllAppPrincipals.aspx
Permissions overview
Microsoft Graph
Permission name | Permission type | API | Used for | Used by |
---|---|---|---|---|
Mail.Send | Application | Microsoft Graph | Sending mail from UMS programs, if selected under service accounts and mail accounts | All UMS programs |
User.ReadWrite.All | Application | Microsoft Graph | Setting attributes on the user in Office 365 | Live_at_edu.exe |
Group.ReadWrite.All | Application | Microsoft Graph | Setting group attributes on Office 365 groups | Live_at_edu.exe |
GroupMember.ReadWrite.All | Application | Microsoft Graph | Managing group members in Office 365 | Live_at_edu.exe |
Directory.ReadWrite.All | Application | Microsoft Graph | Setting attributes on the user in Azure Active Directory | Live_at_edu.exe |
MailboxSettings.ReadWrite | Application | Microsoft Graph | Setting mailbox settings in Office 365; getting and creating categories | Live_at_edu.exe, Skemabrikker.exe |
Calendars.ReadWrite | Application | Microsoft Graph | Allowing UMS to sync calendar events to Office 365 | Skemabrikker.exe |
Files.ReadWrite.All | Application | Microsoft Graph | Provisioning OneDrive for users | Live_at_edu.exe |
User.EnableDisableAccount.All | Application | Microsoft Graph | Enabling and disabling users. Only applicable if not using Azure/Entra AD Sync | Live_at_edu.exe |
All of these are application permissions: they are exercised with the client secret alone, without a signed-in user, and several of them (User.ReadWrite.All, Directory.ReadWrite.All, Mail.Send) apply to every user in the tenant. Grant only the rows for the modules you actually run, and treat the client secret as the tenant-wide credential it is.
Teams sync permissions
Permission name | Permission type | API | Used for | Used by |
---|---|---|---|---|
EduRoster.ReadWrite.All | Application | Microsoft Graph | Allows the UMS to handle users on roster | Live_at_edu.exe |
Member.Read.Hidden | Application | Microsoft Graph | Allows the UMS to handle users on roster | Live_at_edu.exe |
TeamMember.ReadWrite.All | Application | Microsoft Graph | Used to add or remove users from Team | Live_at_edu.exe |
TeamsTab.ReadWrite.All | Application | Microsoft Graph | Used to create tabs in teams | Live_at_edu.exe |
TeamsAppInstallation.ReadForTeam.All | Application | Microsoft Graph | Used to install app in teams | Live_at_edu.exe |
Team.Create | Application | Microsoft Graph | Used to create Teams | Live_at_edu.exe |
Team.ReadBasic.All | Application | Microsoft Graph | Used to read teams | Live_at_edu.exe |
Change Password when using Azure AD as login
Permission name | Permission type | API | Used for | Used by |
---|---|---|---|---|
Directory.AccessAsUser.All | Delegated | Microsoft Graph | | UMS Web |
User.Read | Delegated | Microsoft Graph | | UMS Web |
These are delegated permissions: UMS Web acts as the signed-in user and can do no more than that user is allowed to, unlike the application permissions above.
See also Password Change Azure AD
Password Sync
Go to "Microsoft Entra ID" -> "Roles and Administrators"
Note that this is not a graph permission.
Rolename | Permission type | API | Used for | Used by |
---|---|---|---|---|
Password Administrator | ServicePrincipal | Microsoft Graph | Reset password for Users | Password_Sync |
SharePoint
Permission name | Permission type | API | Used for | Used by |
---|---|---|---|---|
Sites.FullControl.All | Application | Microsoft Graph | Full control of all site collections | Office365_SP_OneNote.exe |
User.ReadWrite.All | Application | Microsoft Graph | Read and write user profiles | Office365_SP_OneNote.exe |
OneNote
Permission name | Permission type | API | Used for | Used by |
---|---|---|---|---|
Notes.ReadWrite.All | Application | Microsoft Graph | | Office365_SP_OneNote.exe |
Password Administrator
To add the Password Administrator role to the app registration, click Roles and administrators and open Password Administrator.
- Click Add assignments, search for the app registration's name and click Add.
Password Administrator lets the principal reset passwords only for users who hold no administrator role. That is the narrowest built-in role for the job, and it is also why a reset fails for a Global Administrator (see FAQ).
FAQ
If you get the message shown below when trying to reset a password in Office 365 via the Microsoft Graph API, it is because the user is a Global Administrator: a principal holding only the Password Administrator role can reset passwords of non-administrators, not of users with administrator roles, so Graph refuses.
The error message below can indicate that the user holds roles in Azure/Entra, which prevents Graph from disabling them. If the error persists after removing all roles, the app may lack sufficient permissions; make sure it has the User.EnableDisableAccount.All application permission with admin consent granted.
(DisableUsers) Error. Could not disable user - User - The user could have roles that does not allow this action. Insufficient privileges to complete the operation.
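Both FAQ entries come down to the same question: does the user UMS failed on hold a directory role? The script below is an added example, not part of the UMS documentation or product, that answers it with the same app registration, by listing the activated directory roles the user is a transitive member of through Microsoft Graph. Tenant, client and secret values are placeholders; the UPN is a constructed sample; it assumes the app has Directory.ReadWrite.All (listed above for Live_at_edu.exe), which covers reading role memberships.

```powershell
# Added example (not UMS code): check whether a user holds directory roles, which
# explains "Insufficient privileges" on disable/reset from a Graph app. Assumptions:
# placeholder credentials; sample UPN; the app has Directory.ReadWrite.All.

param(
    [string]$TenantId          = '<tenant-id>',
    [string]$ClientId          = '<application-id>',
    [string]$ClientSecret      = '<client-secret>',
    [string]$UserPrincipalName = 'someone@cortenso.onmicrosoft.com'   # constructed sample
)

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# App-only token for Microsoft Graph (client-credentials flow)
$tokenResponse = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body @{
    grant_type    = 'client_credentials'
    client_id     = $ClientId
    client_secret = $ClientSecret
    scope         = 'https://graph.microsoft.com/.default'
}
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

function Get-UserDirectoryRoles {
    # Returns the display names of activated directory roles the user belongs to,
    # directly or through role-assignable groups (transitiveMemberOf with an OData cast).
    param([string]$Upn, [hashtable]$Headers)
    $uri = "https://graph.microsoft.com/v1.0/users/$Upn/transitiveMemberOf/microsoft.graph.directoryRole?`$select=displayName,roleTemplateId"
    $result = Invoke-RestMethod -Uri $uri -Headers $Headers
    return @($result.value | ForEach-Object { $_.displayName })
}

$roles = Get-UserDirectoryRoles -Upn $UserPrincipalName -Headers $headers
if ($roles.Count -gt 0) {
    Write-Warning "$UserPrincipalName holds directory role(s): $($roles -join ', '). Graph will refuse to disable or reset this account unless the roles are removed or the app itself holds a role privileged enough to act on administrators."
} else {
    "$UserPrincipalName holds no directory roles. If the UMS error persists, verify that User.EnableDisableAccount.All is consented (disable) and that the app is assigned Password Administrator (reset)."
}
```

Run this before opening a ticket: the Graph error text UMS logs is the same whether the cause is a role on the target user or a missing permission on the app, and this check separates the two.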