MSGraphPermissions: Difference between revisions

Revision as of 16:34, 13 June 2022

MS graph permissions is a UMS backend requirement from version 8.5.203 which was released in June 2021"

MS graph permissions are required by these UMS modules (LiveAtEdu,OneNote, Sharepoint, Office 365 Timeblok and MS Teams)

Creating App Registration

Go to Azure Portal and login with you admin account( the same UMS uses).

!!! ATTENTION !!! use service account that UMS uses

When logged in go to Azure Active Directory:

Go to App registrations

Click on New application registration

Give the new App a name ex. "UMSGraph", Choose "Web app / API" in Application type, set "Sign-on URL" to "http://localhost". After setting Application Permission values click "Create"

You will return to previous screen, here click "your new app"

Click "Certificates & secrets"

Click "New Client Secret"

Enter a "Description" and set "Expires" to the interval that suits your needs.

Click "Add"

Copy "Value ID" We will use this later

!!! ATTENTION !!! the key value will never be visible again so ensure to copy it.

Copy the "VALUE Key into "UMS Configurator" field Client Secret

Copy the "Directory Tenant ID " into "UMS Configurator" Field Tenant ID

Copy the "Appplication Client ID " into "UMS Configurator" Field Client ID

Click "Api permissions"

Click "Add a permission"

Setup UMS (This part is only when using SharePoint or OneNote Class Notebook)

In the UMS Configurator go to Modules->Office 365 and click "SharePoint organization settings"

Choose your SharePoint organization setting and click "Edit..."

Input your "Tenant Name" ex. "cortenso.onmicrosoft.com", insert Application ID into "Client ID" field, insert "Client secret" and "Tenant ID" and click "Ok"

Setup SharePoint permissions

Go to https://<tenant>.sharepoint.com/_layouts/15/appinv.aspx
Enter app Id (AKA Client Id) and press lookup.
Copy paste the below text in Permission Request XML and save

<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>

Open Powershell 5 on the server running the program

Install-Module -Name Microsoft.Online.SharePoint.PowerShell
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url https://<tenantname>-admin.sharepoint.com -Credential administrator@<tenantname>.onmicrosoft.com
Set-SPOTenant -DisableCustomAppAuthentication $false

Permissions overview

Microsoft Graph

Default permissions
Permission name	Permission type	API	Used for	Used by
User.ReadWrite.All	Application	Microsoft Graph	Setting attributes on the user in Office 365	Live_at_edu.exe
Group.ReadWrite.All	Application	Microsoft Graph	Setting group attributes on Office 365 groups	Live_at_edu.exe
GroupMember.ReadWrite.All	Application	Microsoft Graph	Manage GroupMembers in Office 365	Live_at_edu.exe
Directory.ReadWrite.All	Application	Microsoft Graph	Setting attributes on the user in Azure Active Directory	Live_at_edu.exe
MailboxSettings.ReadWrite	Application	Microsoft Graph	Used to set mailbox settings in Office 365. Used to get/create categories	Live_at_edu.exe Skemabrikker.exe
Calendars.ReadWrite	Application	Microsoft Graph	Used to allow UMS to sync calendar events to Office 365	Skemabrikker.exe
Files.ReadWrite.All	Application	Microsoft Graph	Used to provision OneDrive for users	Live_at_edu.exe

Teams sync permissions
Permission name	Permission type	API	Used for	Used by
EduRoster.ReadWrite.All	Application	Microsoft Graph	Allows the UMS to handle users on roster	Live_at_edu.exe
Member.Read.Hidden	Application	Microsoft Graph	Allows the UMS to handle users on roster	Live_at_edu.exe
TeamMember.ReadWrite.All	Application	Microsoft Graph	Used to add or remove users from Team	Live_at_edu.exe
TeamsTab.ReadWrite.All	Application	Microsoft Graph	Used to create tabs in teams	Live_at_edu.exe
TeamsAppInstallation.ReadForTeam.All	Application	Microsoft Graph	Used to install app in teams	Live_at_edu.exe
Team.Create	Application	Microsoft Graph	Used to create Teams	Live_at_edu.exe
Team.ReadBasic.All	Application	Microsoft Graph	Used to read teams	Live_at_edu.exe

Change Password when using Azure AD as login


Permission name	Permission type	API	Used for	Used by
Notes.ReadWrite.All	Application	Microsoft Graph		Office365_SP_OneNote.exe

Password Sync
Permission name	Permission type	API	Used for	Used by
Roles and Administrators	Application	Microsoft Graph	Reset password for Users	Password_Sync

SharePoint

SharePoint sync permissions
Permission name	Permission type	API	Used for	Used by
Sites.FullControl.All	Application	Microsoft Graph	Have full control of all site collections	Office365_SP_OneNote.exe
Sites.Manage.All	Application	Microsoft Graph	Read and write items and lists in all site collections	Office365_SP_OneNote.exe
Sites.ReadWrite.All	Application	Microsoft Graph	Read and write items in all site collections	Office365_SP_OneNote.exe
User.ReadWrite.All	Application	Microsoft Graph	Read and write user profiles	Office365_SP_OneNote.exe

OneNote

OneNote sync permissions
Permission name	Permission type	API	Used for	Used by
Notes.ReadWrite.All	Application	Microsoft Graph		Office365_SP_OneNote.exe

Password Sync
Permission name	Permission type	API	Used for	Used by
Roles and Administrators	Application	Microsoft Graph	Reset password for Users	Password_Sync

Password Administrator

To Add Password administrator roles. Click Roles and administrator

Click Add Assignments and Search for App Registrations name and Click Add.

FAQ :

If you get this message when trying to reset password in Office365 using MS Graph Api. This is because user is global Admin and therefore MS graph can not Reset password

@@ Line 194: / Line 194: @@
 ===Change Password when using Azure AD as login===
 {| class="wikitable sortable"
 |+

MSGraphPermissions: Difference between revisions

Revision as of 16:34, 13 June 2022

Contents

Creating App Registration