MSGraphPermissions: Difference between revisions
Revision as of 16:34, 13 June 2022
MS Graph permissions are a UMS backend requirement from version 8.5.203, which was released in June 2021.
MS Graph permissions are required by these UMS modules: LiveAtEdu, OneNote, SharePoint, Office 365 Timeblok and MS Teams.
Creating App Registration
Go to the Azure Portal and log in with your admin account (the same one UMS uses).
!!! ATTENTION !!! Use the service account that UMS uses.
When logged in go to Azure Active Directory:
Go to App registrations
Click on New application registration
Give the new app a name, e.g. "UMSGraph", choose "Web app / API" as Application type, and set "Sign-on URL" to "http://localhost". After setting the Application Permission values, click "Create".
You will return to the previous screen; here click your new app.
Click "Certificates & secrets"
Click "New Client Secret"
Enter a "Description" and set "Expires" to the interval that suits your needs.
Click "Add"
Copy the secret "Value"; we will use this later.
!!! ATTENTION !!! The secret value will never be visible again, so make sure to copy it.
Copy the secret "Value" into the "UMS Configurator" field Client Secret.
Copy the "Directory (tenant) ID" into the "UMS Configurator" field Tenant ID.
Copy the "Application (client) ID" into the "UMS Configurator" field Client ID.
Click "Api permissions"
Click "Add a permission"
In the UMS Configurator go to Modules->Office 365 and click "SharePoint organization settings"
Choose your SharePoint organization setting and click "Edit..."
Enter your "Tenant Name", e.g. "cortenso.onmicrosoft.com", insert the Application ID into the "Client ID" field, insert the "Client secret" and "Tenant ID", and click "Ok".
- Go to https://<tenant>.sharepoint.com/_layouts/15/appinv.aspx
- Enter app Id (AKA Client Id) and press lookup.
- Copy paste the below text in Permission Request XML and save
<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>
Open PowerShell 5 on the server running the program and run:
Install-Module -Name Microsoft.Online.SharePoint.PowerShell
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url https://<tenantname>-admin.sharepoint.com -Credential administrator@<tenantname>.onmicrosoft.com
Set-SPOTenant -DisableCustomAppAuthentication $false
Permissions overview
Microsoft Graph
Permission name | Permission type | API | Used for | Used by |
---|---|---|---|---|
User.ReadWrite.All | Application | Microsoft Graph | Setting attributes on the user in Office 365 | Live_at_edu.exe |
Group.ReadWrite.All | Application | Microsoft Graph | Setting group attributes on Office 365 groups | Live_at_edu.exe |
GroupMember.ReadWrite.All | Application | Microsoft Graph | Manage group members in Office 365 | Live_at_edu.exe |
Directory.ReadWrite.All | Application | Microsoft Graph | Setting attributes on the user in Azure Active Directory | Live_at_edu.exe |
MailboxSettings.ReadWrite | Application | Microsoft Graph | Used to set mailbox settings in Office 365; used to get/create categories | Live_at_edu.exe, Skemabrikker.exe |
Calendars.ReadWrite | Application | Microsoft Graph | Used to allow UMS to sync calendar events to Office 365 | Skemabrikker.exe |
Files.ReadWrite.All | Application | Microsoft Graph | Used to provision OneDrive for users | Live_at_edu.exe |
Permission name | Permission type | API | Used for | Used by |
---|---|---|---|---|
EduRoster.ReadWrite.All | Application | Microsoft Graph | Allows the UMS to handle users on roster | Live_at_edu.exe |
Member.Read.Hidden | Application | Microsoft Graph | Allows the UMS to handle users on roster | Live_at_edu.exe |
TeamMember.ReadWrite.All | Application | Microsoft Graph | Used to add or remove users from Team | Live_at_edu.exe |
TeamsTab.ReadWrite.All | Application | Microsoft Graph | Used to create tabs in teams | Live_at_edu.exe |
TeamsAppInstallation.ReadForTeam.All | Application | Microsoft Graph | Used to install app in teams | Live_at_edu.exe |
Team.Create | Application | Microsoft Graph | Used to create Teams | Live_at_edu.exe |
Team.ReadBasic.All | Application | Microsoft Graph | Used to read teams | Live_at_edu.exe |
Change Password when using Azure AD as login
Permission name | Permission type | API | Used for | Used by |
---|---|---|---|---|
Roles and Administrators | Application | Microsoft Graph | Reset password for Users | Password_Sync |
Permission name | Permission type | API | Used for | Used by |
---|---|---|---|---|
Sites.FullControl.All | Application | Microsoft Graph | Have full control of all site collections | Office365_SP_OneNote.exe |
Sites.Manage.All | Application | Microsoft Graph | Read and write items and lists in all site collections | Office365_SP_OneNote.exe |
Sites.ReadWrite.All | Application | Microsoft Graph | Read and write items in all site collections | Office365_SP_OneNote.exe |
User.ReadWrite.All | Application | Microsoft Graph | Read and write user profiles | Office365_SP_OneNote.exe |
OneNote
Permission name | Permission type | API | Used for | Used by |
---|---|---|---|---|
Notes.ReadWrite.All | Application | Microsoft Graph | | Office365_SP_OneNote.exe |
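As an added example (this is not code from the UMS wiki page or from the UMS product), the Python script below ties the App Registration values collected above to the permission tables: it builds the client-credentials token request from the Tenant ID, Client ID and Client Secret, and compares the `roles` claim of the resulting app-only Microsoft Graph token with the application permissions the tables list for the modules in use. Missing roles mean a module will fail; extra roles mean the registration holds more than it needs. The module-to-permission mapping is copied from the tables on this page; the token endpoint and the `.default` scope are the standard Microsoft identity platform v2.0 values; the sample token is constructed and unsigned, for offline demonstration only. The "Roles and Administrators" row is a directory role assignment rather than a Graph application permission, so it does not appear in the `roles` claim and is left out of the mapping.

```python
"""Added example: verify that an app-only Graph token carries exactly the
application permissions the UMS permission tables require."""
import base64
import json
import urllib.parse
import urllib.request

# Application permissions per module, copied from the permission tables on the page.
# "Roles and Administrators" (Password_Sync) is a directory role, not a Graph permission.
REQUIRED_BY_MODULE = {
    "Live_at_edu.exe": {
        "User.ReadWrite.All", "Group.ReadWrite.All", "GroupMember.ReadWrite.All",
        "Directory.ReadWrite.All", "MailboxSettings.ReadWrite", "Files.ReadWrite.All",
        "EduRoster.ReadWrite.All", "Member.Read.Hidden", "TeamMember.ReadWrite.All",
        "TeamsTab.ReadWrite.All", "TeamsAppInstallation.ReadForTeam.All",
        "Team.Create", "Team.ReadBasic.All",
    },
    "Skemabrikker.exe": {"MailboxSettings.ReadWrite", "Calendars.ReadWrite"},
    "Office365_SP_OneNote.exe": {
        "Notes.ReadWrite.All", "Sites.FullControl.All", "Sites.Manage.All",
        "Sites.ReadWrite.All", "User.ReadWrite.All",
    },
}


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the v2.0 client-credentials grant.
    The request is only built here, so the values can be inspected offline."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    })
    return url, body


def request_token(tenant_id, client_id, client_secret):
    """Send the request and return the access token (needs network access)."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def decode_payload(jwt):
    """Decode the JWT payload WITHOUT verifying the signature. This is enough to
    inspect what the tenant granted; it must never be used to authorise a caller."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_roles(jwt, modules):
    """Compare the token's `roles` claim with what the given modules need.
    Returns (missing, extra): missing breaks a module, extra widens the blast radius."""
    granted = set(decode_payload(jwt).get("roles", []))
    required = set().union(*(REQUIRED_BY_MODULE[m] for m in modules))
    return sorted(required - granted), sorted(granted - required)


def make_sample_token(roles):
    """Constructed, unsigned token for offline demonstration only."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc({"alg": "none", "typ": "JWT"})
    payload = enc({"aud": "https://graph.microsoft.com", "roles": sorted(roles)})
    return f"{header}.{payload}."


if __name__ == "__main__":
    # Constructed scenario: the Skemabrikker permissions were granted plus one stray extra.
    token = make_sample_token(REQUIRED_BY_MODULE["Skemabrikker.exe"] | {"Mail.ReadWrite"})
    missing, extra = check_roles(token, ["Skemabrikker.exe"])
    print("missing:", missing)  # []
    print("extra:  ", extra)    # ['Mail.ReadWrite']
```

In production the token would come from `request_token` with the values from the UMS Configurator; run `check_roles` against it after each change to the App Registration's API permissions, and treat any non-empty `extra` list as a prompt to remove the surplus grant.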
Password Administrator
To add the Password Administrator role, click "Roles and administrators".
- Click "Add assignments", search for the App Registration's name and click "Add".
FAQ:
If you get this message when trying to reset a password in Office 365 using the MS Graph API: this is because the user is a Global Admin, and therefore MS Graph cannot reset the password.