MSGraphPermissions

From UmsWiki
Revision as of 16:34, 13 June 2022

MS Graph permissions are a UMS backend requirement from version 8.5.203, which was released in June 2021.

MS Graph permissions are required by these UMS modules: LiveAtEdu, OneNote, SharePoint, Office 365 Timeblok and MS Teams.


Creating App Registration

Go to the Azure Portal and log in with your admin account (the same account UMS uses).

!!! ATTENTION !!! Use the service account that UMS uses.

When logged in go to Azure Active Directory:


Go to App registrations


Click on New application registration


Give the new app a name, e.g. "UMSGraph", choose "Web app / API" as Application type and set "Sign-on URL" to "http://localhost". After filling in these values click "Create".


You will return to the previous screen; click your new app.


Click "Certificates & secrets"

Click "New Client Secret"

Enter a "Description" and set "Expires" to the interval that suits your needs.

Click "Add"


Copy the secret "Value"; we will use this later.

!!! ATTENTION !!! The secret value is only shown once, so copy it now. It is a credential that carries every application permission granted to the app below, so keep it out of tickets, e-mail and chat and store it only where UMS Configurator needs it.


Paste the secret "Value" into the "UMS Configurator" field Client Secret.


Copy the "Directory (tenant) ID" into the "UMS Configurator" field Tenant ID.

Copy the "Application (client) ID" into the "UMS Configurator" field Client ID.


Click "API permissions".

Click "Add a permission" and add the Microsoft Graph application permissions listed under "Permissions overview" below for the modules you use. Then click "Grant admin consent" for the tenant: application permissions have no effect until an administrator has consented to them.

Set up UMS (this part is only needed when using SharePoint or OneNote Class Notebook)

In the UMS Configurator go to Modules->Office 365 and click "SharePoint organization settings"

Choose your SharePoint organization setting and click "Edit..."

Input your "Tenant Name", e.g. "cortenso.onmicrosoft.com", insert the Application ID into the "Client ID" field, insert the "Client secret" and "Tenant ID" and click "Ok".

Setup SharePoint permissions

  • Go to https://<tenant>.sharepoint.com/_layouts/15/appinv.aspx
  • Enter the App Id (AKA Client Id) and press Lookup.
  • Paste the text below into "Permission Request XML", enter anything you like into Title and save:
<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>
Note that this grants the app app-only FullControl over every site collection in the tenant, so anyone holding the client secret has the same access.


Open Windows PowerShell 5 on the server running the program and run:

# Install and load the SharePoint Online management module
Install-Module -Name Microsoft.Online.SharePoint.PowerShell
Import-Module Microsoft.Online.SharePoint.PowerShell
# Connect to the tenant admin site; you are prompted for the administrator password
Connect-SPOService -Url https://<tenantname>-admin.sharepoint.com -Credential administrator@<tenantname>.onmicrosoft.com
# Allow app registrations to authenticate to SharePoint with a client secret (ACS app-only)
Set-SPOTenant -DisableCustomAppAuthentication $false

This last setting is tenant-wide: it re-enables legacy custom app authentication for every app in the tenant, not only for UMS, so it should be a deliberate decision.

Permissions overview

Microsoft Graph

Default permissions
Permission name | Permission type | API | Used for | Used by
User.ReadWrite.All | Application | Microsoft Graph | Setting attributes on the user in Office 365 | Live_at_edu.exe
Group.ReadWrite.All | Application | Microsoft Graph | Setting group attributes on Office 365 groups | Live_at_edu.exe
GroupMember.ReadWrite.All | Application | Microsoft Graph | Manage group members in Office 365 | Live_at_edu.exe
Directory.ReadWrite.All | Application | Microsoft Graph | Setting attributes on the user in Azure Active Directory | Live_at_edu.exe
MailboxSettings.ReadWrite | Application | Microsoft Graph | Set mailbox settings in Office 365; get/create categories | Live_at_edu.exe, Skemabrikker.exe
Calendars.ReadWrite | Application | Microsoft Graph | Allow UMS to sync calendar events to Office 365 | Skemabrikker.exe
Files.ReadWrite.All | Application | Microsoft Graph | Provision OneDrive for users | Live_at_edu.exe

Teams sync permissions
Permission name | Permission type | API | Used for | Used by
EduRoster.ReadWrite.All | Application | Microsoft Graph | Allows UMS to handle users on the roster | Live_at_edu.exe
Member.Read.Hidden | Application | Microsoft Graph | Allows UMS to handle users on the roster | Live_at_edu.exe
TeamMember.ReadWrite.All | Application | Microsoft Graph | Add or remove users from a Team | Live_at_edu.exe
TeamsTab.ReadWrite.All | Application | Microsoft Graph | Create tabs in Teams | Live_at_edu.exe
TeamsAppInstallation.ReadForTeam.All | Application | Microsoft Graph | Install apps in Teams | Live_at_edu.exe
Team.Create | Application | Microsoft Graph | Create Teams | Live_at_edu.exe
Team.ReadBasic.All | Application | Microsoft Graph | Read Teams | Live_at_edu.exe

Change Password when using Azure AD as login


Password Sync
Permission name | Permission type | API | Used for | Used by
Password Administrator (assigned under "Roles and administrators") | Directory role, not a Graph permission | Azure AD | Reset passwords for users | Password_Sync

SharePoint

SharePoint sync permissions
Permission name | Permission type | API | Used for | Used by
Sites.FullControl.All | Application | Microsoft Graph | Full control of all site collections | Office365_SP_OneNote.exe
Sites.Manage.All | Application | Microsoft Graph | Read and write items and lists in all site collections | Office365_SP_OneNote.exe
Sites.ReadWrite.All | Application | Microsoft Graph | Read and write items in all site collections | Office365_SP_OneNote.exe
User.ReadWrite.All | Application | Microsoft Graph | Read and write user profiles | Office365_SP_OneNote.exe

Sites.FullControl.All already includes everything Sites.Manage.All and Sites.ReadWrite.All allow; the three are listed because UMS requests them, but the effective access is full control of every site collection.

OneNote

OneNote sync permissions
Permission name | Permission type | API | Used for | Used by
Notes.ReadWrite.All | Application | Microsoft Graph | | Office365_SP_OneNote.exe

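A way to check that the app registration actually carries the application permissions listed in the tables above, and nothing beyond them, is to request an app-only token with the same Tenant ID, Client ID and Client Secret that go into UMS Configurator and inspect the roles claim of that token. The following PowerShell is an added example written for this page, not UMS code or Microsoft's; the required list is taken from the tables above, and the tenant, client ID and secret values are placeholders to replace.

```powershell
# Added example, not part of UMS. Requests an app-only token with the values
# entered in UMS Configurator and compares the token's "roles" claim with the
# permissions the tables above require. Placeholders: replace before running.
$TenantId     = '<tenant-id>'
$ClientId     = '<application-client-id>'
$ClientSecret = '<client-secret>'   # assumption: read from a secure store in practice

# Application permissions from the tables above (default, Teams, SharePoint, OneNote).
$Required = @(
    'User.ReadWrite.All', 'Group.ReadWrite.All', 'GroupMember.ReadWrite.All',
    'Directory.ReadWrite.All', 'MailboxSettings.ReadWrite', 'Calendars.ReadWrite',
    'Files.ReadWrite.All', 'EduRoster.ReadWrite.All', 'Member.Read.Hidden',
    'TeamMember.ReadWrite.All', 'TeamsTab.ReadWrite.All',
    'TeamsAppInstallation.ReadForTeam.All', 'Team.Create', 'Team.ReadBasic.All',
    'Sites.FullControl.All', 'Sites.Manage.All', 'Sites.ReadWrite.All',
    'Notes.ReadWrite.All'
)

function Get-GraphAppToken {
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret)
    # OAuth 2.0 client credentials grant against the v2.0 token endpoint.
    $body = @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
    $resp = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
        -ContentType 'application/x-www-form-urlencoded' -Body $body
    return $resp.access_token
}

function Get-JwtRoles {
    param([string]$Jwt)
    # Decode the JWT payload (second base64url segment). The signature is not
    # validated here: we only read the roles claim of a token we just obtained.
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $json   = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    $claims = $json | ConvertFrom-Json
    # No roles claim at all means no application permission has been consented.
    if ($null -eq $claims.roles) { return @() }
    return @($claims.roles)
}

function Compare-GraphRoles {
    param([string[]]$Granted, [string[]]$Required)
    # Missing = a UMS module will fail; Extra = over-privilege that should be removed.
    [pscustomobject]@{
        Missing = @($Required | Where-Object { $_ -notin $Granted })
        Extra   = @($Granted  | Where-Object { $_ -notin $Required })
    }
}

$token  = Get-GraphAppToken -TenantId $TenantId -ClientId $ClientId -ClientSecret $ClientSecret
$result = Compare-GraphRoles -Granted (Get-JwtRoles -Jwt $token) -Required $Required
if ($result.Missing) { Write-Warning "Missing (admin consent not granted?): $($result.Missing -join ', ')" }
if ($result.Extra)   { Write-Warning "Granted but not needed by UMS: $($result.Extra -join ', ')" }
if (-not $result.Missing -and -not $result.Extra) { 'App permissions match the UMS requirement tables.' }
```

Trim the $Required list to the modules you actually run; the roles claim only reflects consented application permissions, so the Password Administrator role used by Password Sync does not appear here and has to be checked under "Roles and administrators" instead.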


Password Administrator

To assign the Password Administrator role to the app, click "Roles and administrators" in Azure Active Directory and open "Password Administrator".

  • Click "Add assignments", search for the app registration's name and click "Add".


FAQ:

If you get an error when trying to reset a password in Office 365 using the MS Graph API, check the user's directory roles. When the user is a Global Administrator, MS Graph cannot reset the password, because the Password Administrator role assigned to the app above only allows resetting the passwords of non-administrator users.
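Checking the target user's directory roles before calling the reset avoids the failure described in the FAQ. The following PowerShell is an added example written for this page, not UMS code; it assumes an app-only access token for the UMS app registration (the app holds Directory.ReadWrite.All and User.ReadWrite.All from the tables above plus the Password Administrator role), and the token, user and new password values are placeholders.

```powershell
# Added example, not part of UMS. Looks up the user's directory roles through
# Graph and refuses the reset when the user is an administrator, instead of
# letting the PATCH fail. $AccessToken is assumed to be an app-only token for
# the UMS app registration; all values below are placeholders.
$AccessToken       = '<app-only-access-token>'
$UserPrincipalName = 'student@<tenantname>.onmicrosoft.com'
$NewPassword       = '<new-password>'

function Get-UserDirectoryRoles {
    param([string]$AccessToken, [string]$UserPrincipalName)
    $headers = @{ Authorization = "Bearer $AccessToken" }
    # The OData cast to directoryRole returns only role memberships, not groups.
    $uri = "https://graph.microsoft.com/v1.0/users/$UserPrincipalName/memberOf/microsoft.graph.directoryRole?`$select=displayName"
    return @((Invoke-RestMethod -Headers $headers -Uri $uri).value | ForEach-Object { $_.displayName })
}

function Test-PasswordAdminCanReset {
    param([string[]]$Roles)
    # Password Administrator may reset non-administrators only. Global Administrator
    # is the case the FAQ names; any other directory role is treated as blocked too,
    # which is conservative but avoids guessing which admin roles are exempt.
    return (@($Roles).Count -eq 0)
}

function Reset-UserPassword {
    param([string]$AccessToken, [string]$UserPrincipalName, [string]$NewPassword)
    $roles = Get-UserDirectoryRoles -AccessToken $AccessToken -UserPrincipalName $UserPrincipalName
    if (-not (Test-PasswordAdminCanReset -Roles $roles)) {
        throw "Refusing to reset $UserPrincipalName: user holds directory role(s) $($roles -join ', '); Password Administrator cannot reset administrators."
    }
    # Same operation UMS performs: PATCH the user's passwordProfile.
    $body = @{ passwordProfile = @{ password = $NewPassword; forceChangePasswordNextSignIn = $true } } | ConvertTo-Json -Depth 3
    Invoke-RestMethod -Method Patch -Uri "https://graph.microsoft.com/v1.0/users/$UserPrincipalName" `
        -Headers @{ Authorization = "Bearer $AccessToken" } -ContentType 'application/json' -Body $body
    "Password reset for $UserPrincipalName"
}

Reset-UserPassword -AccessToken $AccessToken -UserPrincipalName $UserPrincipalName -NewPassword $NewPassword
```

The role lookup lists only roles that have been activated in the tenant, which is what a Global Administrator assignment is; if you want to allow the handful of low-privilege roles Password Administrator can in fact reset, replace the empty-list test with an explicit allow-list.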