MSGraphPermissions: Difference between revisions

From UmsWiki
Jump to navigation Jump to search
← Older editNewer edit →
VisualWikitext
Tod (talk | contribs)
240 edits
Kia (talk | contribs)
engineering, inHouse, Administrators
2,475 edits
Line 84: Line 84:


======API og tilladelser======
======API og tilladelser======
<br />
'''SharePoint'''
======Microsoft Graph (155) Delegated permissions======
[[File:Sdfdhfh.png|none|thumb|1064x1064px]]
 
*Microsoft Graph (Applications Permissions)
 
[[File:Sddsfhn.png|none|thumb|1055x1055px]]
 
 
'''Microsoft Graph (155)'''
{| class="wikitable"
{| class="wikitable"
|Agreement.Read.All
|Delegated
|Read all terms of use agreements
|-
|Agreement.ReadWrite.All
|Delegated
|Read and write all terms of use agreements
|-
|AgreementAcceptance.Read
|Delegated
|Read user terms of use acceptance statuses
|-
|AgreementAcceptance.Read.All
|Delegated
|Read terms of use acceptance statuses that user can access
|-
|Application.ReadWrite.OwnedBy
|Application
|Manage apps that this app creates or owns
|-
|AuditLog.Read.All
|Delegated
|Read audit log data
|-
|AuditLog.Read.All
|Application
|Read all audit log data
|-
|Bookings.Manage.All
|Delegated
|Manage bookings information
|-
|Bookings.Read.All
|Delegated
|Read bookings information
|-
|Bookings.ReadWrite.All
|Delegated
|Read and write bookings information
|-
|BookingsAppointment.ReadWrite.All
|Delegated
|Read and write booking appointments
|-
|Calendars.Read
|Delegated
|Read user calendars
|-
|Calendars.Read
|Application
|Read calendars in all mailboxes
|-
|Calendars.Read.Shared
|Delegated
|Read user and shared calendars
|-
|Calendars.ReadWrite
|Delegated
|Have full access to user calendars
|-
|Calendars.ReadWrite
|Application
|Read and write calendars in all mailboxes
|-
|Calendars.ReadWrite.Shared
|Delegated
|Read and write user and shared calendars
|-
|Calls.AccessMedia.All
|Application
|Access media streams in a call as an app
|-
|Calls.Initiate.All
|Application
|Initiate outgoing 1 to 1 calls from the app
|-
|Calls.InitiateGroupCall.All
|Application
|Initiate outgoing group calls from the app
|-
|Calls.JoinGroupCall.All
|Application
|Join group calls and meetings as an app
|-
|Calls.JoinGroupCallAsGuest.All
|Application
|Join group calls and meetings as a guest
|-
|Contacts.Read
|Delegated
|Read user contacts
|-
|Contacts.Read
|Application
|Read contacts in all mailboxes
|-
|Contacts.Read.Shared
|Delegated
|Read user and shared contacts
|-
|Contacts.ReadWrite
|Delegated
|Have full access to user contacts
|-
|Contacts.ReadWrite
|Application
|Read and write contacts in all mailboxes
|-
|Contacts.ReadWrite.Shared
|Delegated
|Read and write user and shared contacts
|-
|Device.Command
|Delegated
|Communicate with user devices
|-
|Device.Read
|Delegated
|Read user devices
|-
|Device.ReadWrite.All
|Application
|Read and write devices
|-
|DeviceManagementApps.Read.All
|Delegated
|Read Microsoft Intune apps
|-
|DeviceManagementApps.ReadWrite.All
|Delegated
|Read and write Microsoft Intune apps
|-
|DeviceManagementConfiguration.Read.All
|Delegated
|Read Microsoft Intune Device Configuration and Policies
|-
|DeviceManagementConfiguration.ReadWrite.All
|Delegated
|Read and write Microsoft Intune Device Configuration and Policies
|-
|DeviceManagementManagedDevices.PrivilegedOperations.All
|Delegated
|Perform user-impacting remote actions on Microsoft Intune devices
|-
|DeviceManagementManagedDevices.Read.All
|Delegated
|Read Microsoft Intune devices
|-
|DeviceManagementManagedDevices.ReadWrite.All
|Delegated
|Read and write Microsoft Intune devices
|-
|DeviceManagementRBAC.Read.All
|Delegated
|Read Microsoft Intune RBAC settings
|-
|DeviceManagementRBAC.ReadWrite.All
|Delegated
|Read and write Microsoft Intune RBAC settings
|-
|DeviceManagementServiceConfig.Read.All
|Delegated
|Read Microsoft Intune configuration
|-
|DeviceManagementServiceConfig.ReadWrite.All
|Delegated
|Read and write Microsoft Intune configuration
|-
|Directory.AccessAsUser.All
|Delegated
|Access directory as the signed in user
|-
|Directory.Read.All
|Delegated
|Read directory data
|-
|Directory.Read.All
|Application
|Read directory data
|-
|Directory.ReadWrite.All
|Delegated
|Read and write directory data
|-
|Directory.ReadWrite.All
|Application
|Read and write directory data
|-
|Domain.ReadWrite.All
|Application
|Read and write domains
|-
|EAS.AccessAsUser.All
|Delegated
|Access mailboxes via Exchange ActiveSync
|-
|EduAdministration.Read
|Delegated
|Read education app settings
|-
|EduAdministration.Read.All
|Application
|Read Education app settings
|-
|EduAdministration.ReadWrite
|Delegated
|Manage education app settings
|-
|EduAdministration.ReadWrite.All
|Application
|Manage education app settings
|-
|EduAssignments.Read
|Delegated
|Read users' class assignments and their grades
|-
|EduAssignments.Read.All
|Application
|Read class assignments with grades
|-
|EduAssignments.ReadBasic
|Delegated
|Read users' class assignments without grades
|-
|EduAssignments.ReadBasic.All
|Application
|Read class assignments without grades
|-
|EduAssignments.ReadWrite
|Delegated
|Read and write users' class assignments and their grades
|-
|EduAssignments.ReadWrite.All
|Application
|Read and write class assignments with grades
|-
|EduAssignments.ReadWriteBasic
|Delegated
|Read and write users' class assignments without grades
|-
|EduAssignments.ReadWriteBasic.All
|Application
|Read and write class assignments without grades
|-
|EduRoster.Read
|Delegated
|Read users' view of the roster
|-
|EduRoster.Read.All
|Application
|Read the organization's roster
|-
|EduRoster.ReadBasic
|Delegated
|Read a limited subset of users' view of the roster
|-
|EduRoster.ReadBasic.All
|Application
|Read a limited subset of the organization's roster
|-
|EduRoster.ReadWrite
|Delegated
|Read and write users' view of the roster
|-
|EduRoster.ReadWrite.All
|Application
|Read and write the organization's roster
|-
|email
|Delegated
|View users' email address
|-
|Files.Read
|Delegated
|Read user files
|-
|Files.Read.All
|Delegated
|Read all files that user can access
|-
|Files.Read.All
|Application
|Read files in all site collections
|-
|Files.Read.Selected
|Delegated
|Read files that the user selects (preview)
|-
|Files.ReadWrite
|Delegated
|Have full access to user files
|-
|Files.ReadWrite.All
|Delegated
|Have full access to all files user can access
|-
|Files.ReadWrite.All
|Application
|Read and write files in all site collections
|-
|Files.ReadWrite.AppFolder
|Delegated
|Have full access to the application's folder (preview)
|-
|Files.ReadWrite.Selected
|Delegated
|Read and write files that the user selects (preview)
|-
|Financials.ReadWrite.All
|Delegated
|Read and write financials data
|-
|Group.Read.All
|Delegated
|Read all groups
|-
|Group.Read.All
|Application
|Read all groups
|-
|Group.ReadWrite.All
|Delegated
|Read and write all groups
|-
|Group.ReadWrite.All
|Application
|Read and write all groups
|-
|IdentityProvider.Read.All
|Delegated
|Read identity providers
|-
|IdentityProvider.ReadWrite.All
|Delegated
|Read and write identity providers
|-
|IdentityRiskEvent.Read.All
|Delegated
|Read identity risk event information
|-
|IdentityRiskEvent.Read.All
|Application
|Read all identity risk event information
|-
|Mail.Read
|Delegated
|Read user mail
|-
|Mail.Read
|Application
|Read mail in all mailboxes
|-
|Mail.Read.Shared
|Delegated
|Read user and shared mail
|-
|Mail.ReadWrite
|Delegated
|Read and write access to user mail
|-
|Mail.ReadWrite
|Application
|Read and write mail in all mailboxes
|-
|Mail.ReadWrite.Shared
|Delegated
|Read and write user and shared mail
|-
|Mail.Send
|Delegated
|Send mail as a user
|-
|Mail.Send
|Application
|Send mail as any user
|-
|Mail.Send.Shared
|Delegated
|Send mail on behalf of others
|-
|MailboxSettings.Read
|Delegated
|Read user mailbox settings
|-
|MailboxSettings.Read
|Application
|Read all user mailbox settings
|-
|MailboxSettings.ReadWrite
|Delegated
|Read and write user mailbox settings
|-
|MailboxSettings.ReadWrite
|Application
|Read and write all user mailbox settings
|-
|Member.Read.Hidden
|Delegated
|Read hidden memberships
|-
|Member.Read.Hidden
|Application
|Read all hidden memberships
|-
|Notes.Create
|Delegated
|Create user OneNote notebooks
|-
|Notes.Read
|Delegated
|Read user OneNote notebooks
|-
|Notes.Read.All
|Delegated
|Read all OneNote notebooks that user can access
|-
|Notes.Read.All
|Application
|Read all OneNote notebooks
|-
|Notes.ReadWrite
|Delegated
|Read and write user OneNote notebooks
|-
|Notes.ReadWrite.All
|Delegated
|Read and write all OneNote notebooks that user can access
|-
|Notes.ReadWrite.All
|Application
|Read and write all OneNote notebooks
|-
|Notes.ReadWrite.CreatedByApp
|Delegated
|Limited notebook access (deprecated)
|-
|offline_access
|Delegated
|Maintain access to data you have given it access to
|-
|OnlineMeetings.Read.All
|Application
|Read online meeting details
|-
|OnlineMeetings.ReadWrite.All
|Application
|Read and create online meetings
|-
|openid
|Delegated
|Sign users in
|-
|People.Read
|Delegated
|Read users' relevant people lists
|-
|People.Read.All
|Delegated
|Read all users' relevant people lists
|-
|People.Read.All
|Application
|Read all users' relevant people lists
|-
|PrivilegedAccess.ReadWrite.AzureAD
|Delegated
|Read and write privileged access to Azure AD
|-
|PrivilegedAccess.ReadWrite.AzureResources
|Delegated
|Read and write privileged access to Azure resources
|-
|profile
|Delegated
|View users' basic profile
|-
|Reports.Read.All
|Delegated
|Read all usage reports
|-
|Reports.Read.All
|Application
|Read all usage reports
|-
|SecurityEvents.Read.All
|Delegated
|Read your organization’s security events
|-
|SecurityEvents.Read.All
|Application
|Read your organization’s security events
|-
|SecurityEvents.ReadWrite.All
|Delegated
|Read and update your organization’s security events
|-
|SecurityEvents.ReadWrite.All
|Application
|Read and update your organization’s security events
|-
|Sites.FullControl.All
|Delegated
|Have full control of all site collections
|-
|-
|Sites.FullControl.All
|Sites.FullControl.All
Line 604: Line 92:
|-
|-
|Sites.Manage.All
|Sites.Manage.All
|Delegated
|Create, edit, and delete items and lists in all site collections
|-
|Sites.Manage.All
|Application
|Create, edit, and delete items and lists in all site collections
|-
|Sites.Read.All
|Delegated
|Read items in all site collections
|-
|Sites.Read.All
|Application
|Read items in all site collections
|-
|Sites.ReadWrite.All
|Delegated
|Edit or delete items in all site collections
|-
|Sites.ReadWrite.All
|Application
|Read and write items in all site collections
|-
|Subscription.Read.All
|Delegated
|Read all webhook subscriptions
|-
|Tasks.Read
|Delegated
|Read user's tasks and task lists
|-
|Tasks.Read.Shared
|Delegated
|Read user and shared tasks
|-
|Tasks.ReadWrite
|Delegated
|Create, read, update, and delete user’s tasks and task lists
|-
|Tasks.ReadWrite.Shared
|Delegated
|Read and write user and shared tasks
|-
|TeamsApp.ReadWrite.All
|Application
|Manage all users' Teams apps
|-
|TeamsAppInstallation.ReadWriteForTeam.All
|Application
|Manage Teams apps for all teams
|-
|TeamsAppInstallation.ReadWriteForUser.All
|Application
|Application
|Manage Teams apps for all users
|-
|TeamsAppInstallation.ReadWriteSelfForTeam.All
|Application
|Allow the Teams app to manage itself for all teams
|-
|TeamSettings.ReadWrite.All
|Application
|Read and change all teams' settings
|-
|TeamsTab.ReadWrite.All
|Application
|Read and write tabs in Microsoft Teams.
|-
|User.Invite.All
|Delegated
|Invite guest users to the organization
|-
|User.Invite.All
|Application
|Invite guest users to the organization
|-
|User.Read
|Delegated
|Sign in and read user profile
|-
|User.Read.All
|Delegated
|Read all users' full profiles
|-
|User.Read.All
|Application
|Read all users' full profiles
|-
|User.ReadBasic.All
|Delegated
|Read all users' basic profiles
|-
|User.ReadWrite
|Delegated
|Read and write access to user profile
|-
|User.ReadWrite.All
|Delegated
|Read and write all users' full profiles
|-
|User.ReadWrite.All
|Application
|Read and write all users' full profiles
|-
|UserActivity.ReadWrite.CreatedByApp
|Delegated
|Read and write app activity to users' activity feed
|-
|UserTimelineActivity.Write.CreatedByApp
|Delegated
|Write app activity to users' timeline
|}
'''OneNote 8'''
{| class="wikitable"
|-
|Notes.Create
|Delegated
|Create pages in OneNote notebooks
|-
|Notes.Read
|Delegated
|View OneNote notebooks
|-
|Notes.Read.All
|Application
|View notes for all users
|-
|Notes.Read.All
|Delegated
|View OneNote notebooks in your organization
|-
|Notes.ReadWrite
|Delegated
|View and modify OneNote notebooks
|-
|Notes.ReadWrite.All
|Application
|View and modify notes for all users
|-
|Notes.ReadWrite.All
|Delegated
|View and modify OneNote notebooks in your organization
|-
|Notes.ReadWrite.CreatedByApp
|Delegated
|Application-only OneNote notebook access
|}
'''SharePoint''' 19
{| class="wikitable"
|AllSites.FullControl
|Delegated
|Have full control of all site collections
|-
|AllSites.Manage
|Delegated
|Read and write items and lists in all site collections
|Read and write items and lists in all site collections
|-
|AllSites.Read
|Delegated
|Read items in all site collections
|-
|AllSites.Write
|Delegated
|Read and write items in all site collections
|-
|MyFiles.Read
|Delegated
|Read user files
|-
|MyFiles.Write
|Delegated
|Read and write user files
|-
|Sites.FullControl.All
|Application
|Have full control of all site collections
|-
|Sites.Manage.All
|Application
|Read and write items and lists in all site collections
|-
|Sites.Read.All
|Application
|Read items in all site collections
|-
|-
|Sites.ReadWrite.All
|Sites.ReadWrite.All
|Application
|Application
|Read and write items in all site collections
|Read and write items in all site collections
|-
|Sites.Search.All
|Delegated
|Run search queries as a user
|-
|-
|TermStore.Read.All
|TermStore.Read.All
|Application
|Application
|Read managed metadata
|Read managed metadata
|-
|TermStore.Read.All
|Delegated
|Read managed metadata
|-
|TermStore.ReadWrite.All
|Application
|Read and write managed metadata
|-
|TermStore.ReadWrite.All
|Delegated
|Read and write managed metadata
|-
|User.Read.All
|Application
|Read user profiles
|-
|User.Read.All
|Delegated
|Read user profiles
|-
|-
|User.ReadWrite.All
|User.ReadWrite.All
|Application
|Application
|Read and write user profiles
|-
|User.ReadWrite.All
|Delegated
|Read and write user profiles
|Read and write user profiles
|}
|}

Revision as of 08:12, 24 June 2021

MS graph permissions is a UMS backend requirement from version 8.5.203 which was released in June 2021"

MS graph permissions are required by these UMS modules (LiveAtEdu,OneNote, Sharepoint and MS Teams)


Creating App Registration

Go to Azure Portal and login with you admin account( the same UMS uses).

!!! ATTENTION !!! use service account that UMS uses

When logged in go to Azure Active Directory:













Go to App registrations


Click on New application registration


Give the new App a name ex. "UMSGraph", Choose "Web app / API" in Application type, set "Sign-on URL" to "http://localhost". After setting Application Permission values click "Create"

You will return to previous screen, here click "your new app"


Click "Certificates & secrets"

Click "New Client Secret"

Enter a "Description" and set "Expires" to the interval that suits your needs.

Click "Add"


Copy "Value ID" We will use this later

!!! ATTENTION !!! the key value will never be visible again so ensure to copy it.


Copy the "VALUE Key into "UMS Configurator" field Client Secret


Copy the "Directory Tenant ID " into "UMS Configurator" Field Tenant ID

Copy the "Appplication Client ID " into "UMS Configurator" Field Client ID


Click "Api permissions"

Click "Add a permission"

API og tilladelser

SharePoint

Sites.FullControl.All Application Have full control of all site collections
Sites.Manage.All Application Read and write items and lists in all site collections
Sites.ReadWrite.All Application Read and write items in all site collections
TermStore.Read.All Application Read managed metadata
User.ReadWrite.All Application Read and write user profiles

Setup UMS to use Application just Created

In the UMS Configurator go to Modules->Office 365 and click "SharePoint organization settings"

Choose your SharePoint organization setting and click "Edit..."

Input your "Tenant Name" ex. "cortenso.onmicrosoft.com", paste the previously copied Application ID into "Client ID" field and paste previously copied KEY into "Client secret" and click "Ok"

File:UMSConfiguratorSharepointOrganizationSettingsEditWindow.png

You are now all set to use the new MS Graph integration.

Permissions overview


Default permissions
Permission name Permission type API Used for Used by
User.ReadWrite.All Application Microsoft Graph Setting attributes on the user in Office 365 Live_at_edu.exe
Group.ReadWrite.All Application Microsoft Graph Setting group attributes on Office 365 groups Live_at_edu.exe
GroupMember.ReadWrite.All Application Microsoft Graph Manage GroupMembers in Office 365 Live_at_edu.exe
Directory.ReadWrite.All Application Microsoft Graph Setting attributes on the user in Azure Active Directory Live_at_edu.exe
MailboxSettings.ReadWrite Application Microsoft Graph Used to set mailbox settings in Office 365.

Used to get/create categories

Live_at_edu.exe

Skemabrikker.exe

Calendars.ReadWrite Application Microsoft Graph Used to allow UMS to sync calendar events to Office 365 Skemabrikker.exe
Files.ReadWrite.All Application Microsoft Graph Used to provision OneDrive for users Live_at_edu.exe
Teams sync permissions
Permission name Permission type API Used for Used by
EduRoster.ReadWrite.All Application Microsoft Graph Allows the UMS to handle users on roster Live_at_edu.exe
Member.Read.Hidden Application Microsoft Graph Allows the UMS to handle users on roster Live_at_edu.exe
TeamMember.ReadWrite.All Application Microsoft Graph Used to add or remove users from Team Live_at_edu.exe
TeamsTab.ReadWrite.All Application Microsoft Graph Used to create tabs in teams Live_at_edu.exe
TeamsAppInstallation.ReadForTeam.All Application Microsoft Graph Used to install app in teams Live_at_edu.exe
Team.Create Application Microsoft Graph Used to create Teams Live_at_edu.exe
Team.ReadBasic.All Application Microsoft Graph Used to read teams Live_at_edu.exe
Retrieved from "http://wiki.inlogic.dk/index.php?title=MSGraphPermissions&oldid=3976"