MSGraphPermissions: Difference between revisions

← Older edit Newer edit →

VisualWikitext

Revision as of 07:13, 23 June 2021

MS graph permissions is a UMS backend requirement from version 8.5.203 which was released in June 2021"

MS graph permissions are required by these UMS modules (LiveAtEdu,OneNote, Sharepoint and MS Teams)

Creating App Registration

Go to Azure Portal and login with you admin account( the same UMS uses).

!!! ATTENTION !!! use service account that UMS uses

When logged in go to Azure Active Directory:

Go to App registrations

Click on New application registration

Give the new App a name ex. "UMSGraph", Choose "Web app / API" in Application type, set "Sign-on URL" to "http://localhost". After setting Application Permission values click "Create"

You will return to previous screen, here click "your new app"

Click "Certificates & secrets"

Click "New Client Secret"

Enter a "Description" and set "Expires" to the interval that suits your needs.

Click "Add"

Copy "Value ID" We will use this later

!!! ATTENTION !!! the key value will never be visible again so ensure to copy it.

Copy the "VALUE Key into "UMS Configurator" field Client Secret

Copy the "Directory Tenant ID " into "UMS Configurator" Field Tenant ID

Copy the "Appplication Client ID " into "UMS Configurator" Field Client ID

Click "Api permissions"

Click "Add a permission"

API og tilladelser

Microsoft Graph (155)

Azure Active Directory Graph (Applications Permissions)

Microsoft Graph (155)

Agreement.Read.All	Delegated	Read all terms of use agreements
Agreement.ReadWrite.All	Delegated	Read and write all terms of use agreements
AgreementAcceptance.Read	Delegated	Read user terms of use acceptance statuses
AgreementAcceptance.Read.All	Delegated	Read terms of use acceptance statuses that user can access
Application.ReadWrite.OwnedBy	Application	Manage apps that this app creates or owns
AuditLog.Read.All	Delegated	Read audit log data
AuditLog.Read.All	Application	Read all audit log data
Bookings.Manage.All	Delegated	Manage bookings information
Bookings.Read.All	Delegated	Read bookings information
Bookings.ReadWrite.All	Delegated	Read and write bookings information
BookingsAppointment.ReadWrite.All	Delegated	Read and write booking appointments
Calendars.Read	Delegated	Read user calendars
Calendars.Read	Application	Read calendars in all mailboxes
Calendars.Read.Shared	Delegated	Read user and shared calendars
Calendars.ReadWrite	Delegated	Have full access to user calendars
Calendars.ReadWrite	Application	Read and write calendars in all mailboxes
Calendars.ReadWrite.Shared	Delegated	Read and write user and shared calendars
Calls.AccessMedia.All	Application	Access media streams in a call as an app
Calls.Initiate.All	Application	Initiate outgoing 1 to 1 calls from the app
Calls.InitiateGroupCall.All	Application	Initiate outgoing group calls from the app
Calls.JoinGroupCall.All	Application	Join group calls and meetings as an app
Calls.JoinGroupCallAsGuest.All	Application	Join group calls and meetings as a guest
Contacts.Read	Delegated	Read user contacts
Contacts.Read	Application	Read contacts in all mailboxes
Contacts.Read.Shared	Delegated	Read user and shared contacts
Contacts.ReadWrite	Delegated	Have full access to user contacts
Contacts.ReadWrite	Application	Read and write contacts in all mailboxes
Contacts.ReadWrite.Shared	Delegated	Read and write user and shared contacts
Device.Command	Delegated	Communicate with user devices
Device.Read	Delegated	Read user devices
Device.ReadWrite.All	Application	Read and write devices
DeviceManagementApps.Read.All	Delegated	Read Microsoft Intune apps
DeviceManagementApps.ReadWrite.All	Delegated	Read and write Microsoft Intune apps
DeviceManagementConfiguration.Read.All	Delegated	Read Microsoft Intune Device Configuration and Policies
DeviceManagementConfiguration.ReadWrite.All	Delegated	Read and write Microsoft Intune Device Configuration and Policies
DeviceManagementManagedDevices.PrivilegedOperations.All	Delegated	Perform user-impacting remote actions on Microsoft Intune devices
DeviceManagementManagedDevices.Read.All	Delegated	Read Microsoft Intune devices
DeviceManagementManagedDevices.ReadWrite.All	Delegated	Read and write Microsoft Intune devices
DeviceManagementRBAC.Read.All	Delegated	Read Microsoft Intune RBAC settings
DeviceManagementRBAC.ReadWrite.All	Delegated	Read and write Microsoft Intune RBAC settings
DeviceManagementServiceConfig.Read.All	Delegated	Read Microsoft Intune configuration
DeviceManagementServiceConfig.ReadWrite.All	Delegated	Read and write Microsoft Intune configuration
Directory.AccessAsUser.All	Delegated	Access directory as the signed in user
Directory.Read.All	Delegated	Read directory data
Directory.Read.All	Application	Read directory data
Directory.ReadWrite.All	Delegated	Read and write directory data
Directory.ReadWrite.All	Application	Read and write directory data
Domain.ReadWrite.All	Application	Read and write domains
EAS.AccessAsUser.All	Delegated	Access mailboxes via Exchange ActiveSync
EduAdministration.Read	Delegated	Read education app settings
EduAdministration.Read.All	Application	Read Education app settings
EduAdministration.ReadWrite	Delegated	Manage education app settings
EduAdministration.ReadWrite.All	Application	Manage education app settings
EduAssignments.Read	Delegated	Read users' class assignments and their grades
EduAssignments.Read.All	Application	Read class assignments with grades
EduAssignments.ReadBasic	Delegated	Read users' class assignments without grades
EduAssignments.ReadBasic.All	Application	Read class assignments without grades
EduAssignments.ReadWrite	Delegated	Read and write users' class assignments and their grades
EduAssignments.ReadWrite.All	Application	Read and write class assignments with grades
EduAssignments.ReadWriteBasic	Delegated	Read and write users' class assignments without grades
EduAssignments.ReadWriteBasic.All	Application	Read and write class assignments without grades
EduRoster.Read	Delegated	Read users' view of the roster
EduRoster.Read.All	Application	Read the organization's roster
EduRoster.ReadBasic	Delegated	Read a limited subset of users' view of the roster
EduRoster.ReadBasic.All	Application	Read a limited subset of the organization's roster
EduRoster.ReadWrite	Delegated	Read and write users' view of the roster
EduRoster.ReadWrite.All	Application	Read and write the organization's roster
email	Delegated	View users' email address
Files.Read	Delegated	Read user files
Files.Read.All	Delegated	Read all files that user can access
Files.Read.All	Application	Read files in all site collections
Files.Read.Selected	Delegated	Read files that the user selects (preview)
Files.ReadWrite	Delegated	Have full access to user files
Files.ReadWrite.All	Delegated	Have full access to all files user can access
Files.ReadWrite.All	Application	Read and write files in all site collections
Files.ReadWrite.AppFolder	Delegated	Have full access to the application's folder (preview)
Files.ReadWrite.Selected	Delegated	Read and write files that the user selects (preview)
Financials.ReadWrite.All	Delegated	Read and write financials data
Group.Read.All	Delegated	Read all groups
Group.Read.All	Application	Read all groups
Group.ReadWrite.All	Delegated	Read and write all groups
Group.ReadWrite.All	Application	Read and write all groups
IdentityProvider.Read.All	Delegated	Read identity providers
IdentityProvider.ReadWrite.All	Delegated	Read and write identity providers
IdentityRiskEvent.Read.All	Delegated	Read identity risk event information
IdentityRiskEvent.Read.All	Application	Read all identity risk event information
Mail.Read	Delegated	Read user mail
Mail.Read	Application	Read mail in all mailboxes
Mail.Read.Shared	Delegated	Read user and shared mail
Mail.ReadWrite	Delegated	Read and write access to user mail
Mail.ReadWrite	Application	Read and write mail in all mailboxes
Mail.ReadWrite.Shared	Delegated	Read and write user and shared mail
Mail.Send	Delegated	Send mail as a user
Mail.Send	Application	Send mail as any user
Mail.Send.Shared	Delegated	Send mail on behalf of others
MailboxSettings.Read	Delegated	Read user mailbox settings
MailboxSettings.Read	Application	Read all user mailbox settings
MailboxSettings.ReadWrite	Delegated	Read and write user mailbox settings
MailboxSettings.ReadWrite	Application	Read and write all user mailbox settings
Member.Read.Hidden	Delegated	Read hidden memberships
Member.Read.Hidden	Application	Read all hidden memberships
Notes.Create	Delegated	Create user OneNote notebooks
Notes.Read	Delegated	Read user OneNote notebooks
Notes.Read.All	Delegated	Read all OneNote notebooks that user can access
Notes.Read.All	Application	Read all OneNote notebooks
Notes.ReadWrite	Delegated	Read and write user OneNote notebooks
Notes.ReadWrite.All	Delegated	Read and write all OneNote notebooks that user can access
Notes.ReadWrite.All	Application	Read and write all OneNote notebooks
Notes.ReadWrite.CreatedByApp	Delegated	Limited notebook access (deprecated)
offline_access	Delegated	Maintain access to data you have given it access to
OnlineMeetings.Read.All	Application	Read online meeting details
OnlineMeetings.ReadWrite.All	Application	Read and create online meetings
openid	Delegated	Sign users in
People.Read	Delegated	Read users' relevant people lists
People.Read.All	Delegated	Read all users' relevant people lists
People.Read.All	Application	Read all users' relevant people lists
PrivilegedAccess.ReadWrite.AzureAD	Delegated	Read and write privileged access to Azure AD
PrivilegedAccess.ReadWrite.AzureResources	Delegated	Read and write privileged access to Azure resources
profile	Delegated	View users' basic profile
Reports.Read.All	Delegated	Read all usage reports
Reports.Read.All	Application	Read all usage reports
SecurityEvents.Read.All	Delegated	Read your organization’s security events
SecurityEvents.Read.All	Application	Read your organization’s security events
SecurityEvents.ReadWrite.All	Delegated	Read and update your organization’s security events
SecurityEvents.ReadWrite.All	Application	Read and update your organization’s security events
Sites.FullControl.All	Delegated	Have full control of all site collections
Sites.FullControl.All	Application	Have full control of all site collections
Sites.Manage.All	Delegated	Create, edit, and delete items and lists in all site collections
Sites.Manage.All	Application	Create, edit, and delete items and lists in all site collections
Sites.Read.All	Delegated	Read items in all site collections
Sites.Read.All	Application	Read items in all site collections
Sites.ReadWrite.All	Delegated	Edit or delete items in all site collections
Sites.ReadWrite.All	Application	Read and write items in all site collections
Subscription.Read.All	Delegated	Read all webhook subscriptions
Tasks.Read	Delegated	Read user's tasks and task lists
Tasks.Read.Shared	Delegated	Read user and shared tasks
Tasks.ReadWrite	Delegated	Create, read, update, and delete user’s tasks and task lists
Tasks.ReadWrite.Shared	Delegated	Read and write user and shared tasks
TeamsApp.ReadWrite.All	Application	Manage all users' Teams apps
TeamsAppInstallation.ReadWriteForTeam.All	Application	Manage Teams apps for all teams
TeamsAppInstallation.ReadWriteForUser.All	Application	Manage Teams apps for all users
TeamsAppInstallation.ReadWriteSelfForTeam.All	Application	Allow the Teams app to manage itself for all teams
TeamSettings.ReadWrite.All	Application	Read and change all teams' settings
TeamsTab.ReadWrite.All	Application	Read and write tabs in Microsoft Teams.
User.Invite.All	Delegated	Invite guest users to the organization
User.Invite.All	Application	Invite guest users to the organization
User.Read	Delegated	Sign in and read user profile
User.Read.All	Delegated	Read all users' full profiles
User.Read.All	Application	Read all users' full profiles
User.ReadBasic.All	Delegated	Read all users' basic profiles
User.ReadWrite	Delegated	Read and write access to user profile
User.ReadWrite.All	Delegated	Read and write all users' full profiles
User.ReadWrite.All	Application	Read and write all users' full profiles
UserActivity.ReadWrite.CreatedByApp	Delegated	Read and write app activity to users' activity feed
UserTimelineActivity.Write.CreatedByApp	Delegated	Write app activity to users' timeline

OneNote 8

Notes.Create	Delegated	Create pages in OneNote notebooks
Notes.Read	Delegated	View OneNote notebooks
Notes.Read.All	Application	View notes for all users
Notes.Read.All	Delegated	View OneNote notebooks in your organization
Notes.ReadWrite	Delegated	View and modify OneNote notebooks
Notes.ReadWrite.All	Application	View and modify notes for all users
Notes.ReadWrite.All	Delegated	View and modify OneNote notebooks in your organization
Notes.ReadWrite.CreatedByApp	Delegated	Application-only OneNote notebook access

SharePoint 19

AllSites.FullControl	Delegated	Have full control of all site collections
AllSites.Manage	Delegated	Read and write items and lists in all site collections
AllSites.Read	Delegated	Read items in all site collections
AllSites.Write	Delegated	Read and write items in all site collections
MyFiles.Read	Delegated	Read user files
MyFiles.Write	Delegated	Read and write user files
Sites.FullControl.All	Application	Have full control of all site collections
Sites.Manage.All	Application	Read and write items and lists in all site collections
Sites.Read.All	Application	Read items in all site collections
Sites.ReadWrite.All	Application	Read and write items in all site collections
Sites.Search.All	Delegated	Run search queries as a user
TermStore.Read.All	Application	Read managed metadata
TermStore.Read.All	Delegated	Read managed metadata
TermStore.ReadWrite.All	Application	Read and write managed metadata
TermStore.ReadWrite.All	Delegated	Read and write managed metadata
User.Read.All	Application	Read user profiles
User.Read.All	Delegated	Read user profiles
User.ReadWrite.All	Application	Read and write user profiles
User.ReadWrite.All	Delegated	Read and write user profiles

Setup UMS to use Application just Created

In the UMS Configurator go to Modules->Office 365 and click "SharePoint organization settings"

Choose your SharePoint organization setting and click "Edit..."

Input your "Tenant Name" ex. "cortenso.onmicrosoft.com", paste the previously copied Application ID into "Client ID" field and paste previously copied KEY into "Client secret" and click "Ok"

File:UMSConfiguratorSharepointOrganizationSettingsEditWindow.png

You are now all set to use the new MS Graph integration.

Permissions overview

Default permissions
Permission name	Permission type	API	Used for	Used by
User.ReadWrite.All	Application	Microsoft Graph	Setting attributes on the user in Office 365	Live_at_edu.exe
Group.ReadWrite.All	Application	Microsoft Graph	Setting group attributes on Office 365 groups	Live_at_edu.exe
GroupMember.ReadWrite.All	Application	Microsoft Graph	Manage GroupMembers in Office 365	Live_at_edu.exe
Directory.ReadWrite.All	Application	Microsoft Graph	Setting attributes on the user in Azure Active Directory	Live_at_edu.exe
MailboxSettings.ReadWrite	Application	Microsoft Graph	Used to set mailbox settings in Office 365. Used to get/create categories	Live_at_edu.exe Skemabrikker.exe
Calendars.ReadWrite	Application	Microsoft Graph	Used to allow UMS to sync calendar events to Office 365	Skemabrikker.exe
Files.ReadWrite.All	Application	Microsoft Graph	Used to provision OneDrive for users	Live_at_edu.exe

Teams sync permissions
Permission name	Permission type	API	Used for	Used by
EduRoster.ReadWrite.All	Application	Microsoft Graph	Allows the UMS to handle users on roster	Live_at_edu.exe
Member.Read.Hidden	Application	Microsoft Graph	Allows the UMS to handle users on roster	Live_at_edu.exe
TeamMember.ReadWrite.All	Application	Microsoft Graph	Used to add or remove users from Team	Live_at_edu.exe
TeamsTab.ReadWrite.All	Application	Microsoft Graph	Used to create tabs in teams	Live_at_edu.exe
TeamsAppInstallation.ReadForTeam.All	Application	Microsoft Graph	Used to install app in teams	Live_at_edu.exe
Team.Create	Application	Microsoft Graph	Used to create Teams	Live_at_edu.exe
Team.ReadBasic.All	Application	Microsoft Graph	Used to read teams	Live_at_edu.exe