Question:
When configuring an App Registration for use with DocuWare, certain API permissions must be set.
Where can we find more information on these permissions and what they do?
Answer:
For more on what the required API permissions do, please refer to the guide below:
Delegated permissions: These permissions allow the application to act on behalf of a signed-in user. The application can only access resources that the signed-in user has permission to access.
Application permissions: These permissions are used in scenarios where the application accesses data without a signed-in user present. The application can access any data associated with the granted permission. For example, an application granted the Files.Read.All permission can read any file in the organization.
When making App Registrations for use with SSO:
Permissions:
Directory.Read.All
Category | Application | Delegated |
DisplayText | Read directory data | Read directory data |
Description | Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user | Allows the app to read data in your organization's directory, such as users, groups and apps |
AdminConsentRequired | Yes | Yes |
Group.Read.All
Category | Application | Delegated |
DisplayText | Read all groups | Read all groups |
Description | Allows the app to read group properties and memberships, and read conversations for all groups, without a signed-in user. | Allows the app to list groups, and to read their properties and all group memberships on behalf of the signed-in user. Also allows the app to read calendar, conversations, files, and other group content for all groups the signed-in user can access. |
AdminConsentRequired | Yes | Yes |
GroupMember.Read.All
Category | Application | Delegated |
DisplayText | Read all group memberships | Read group memberships |
Description | Allows the app to read memberships and basic group properties for all groups without a signed-in user. | Allows the app to list groups, read basic group properties and read membership of all groups the signed-in user has access to. |
AdminConsentRequired | Yes | Yes |
openid
Category | Application | Delegated |
DisplayText | - | Sign users in |
Description | - | Allows users to sign in to the app with their work or school accounts and allows the app to see basic user profile information. |
AdminConsentRequired | - | No |
profile
Category | Application | Delegated |
DisplayText | - | View users' basic profile |
Description | - | Allows the app to see your users' basic profile (e.g., name, picture, user name, email address) |
AdminConsentRequired | - | No |
User.Read
Category | Application | Delegated |
DisplayText | - | Sign in and read user profile |
Description | - | Allows users to sign-in to the app, and allows the app to read basic company information of signed-in users. |
AdminConsentRequired | - | No |
User.Read.All
Category | Application | Delegated |
DisplayText | Read all users' full profiles | Read all users' full profiles |
Description | Allows the app to read user profiles without a signed in user. | Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. |
AdminConsentRequired | Yes | Yes |
When making App Registrations to use with Connect to Mail:
Permissions:
EWS.AccessAsUser.All
Category | Application | Delegated |
DisplayText | - | Access mailboxes as the signed-in user via Exchange Web Services |
Description | - | Allows the app to have the same access to mailboxes as the signed-in user via Exchange Web Services |
AdminConsentRequired | - | No |
offline_access
Category | Application | Delegated |
DisplayText | - | Maintain access to data you have given it access to |
Description | - | Allows the app to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions. |
AdminConsentRequired | - | No |
openid
Category | Application | Delegated |
DisplayText | - | Sign users in |
Description | - | Allows users to sign in to the app with their work or school accounts and allows the app to see basic user profile information. |
AdminConsentRequired | - | No |
User.Read
Category | Application | Delegated |
DisplayText | - | Sign in and read user profile |
Description | - | Allows users to sign-in to the app, and allows the app to read basic company information of signed-in users. |
AdminConsentRequired | - | No |
KBA applicable for both Cloud and On-premise Organizations
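To check a tenant's configuration against the tables above, the following added example (not part of the DocuWare article or of Microsoft's tooling) decodes an access token's payload and separates delegated permissions, which Microsoft Entra ID issues in the `scp` claim, from application permissions, which it issues in the `roles` claim, then flags anything outside the permission lists on this page. The sample tokens are constructed and unsigned, and the function names and use-case keys are assumptions made for illustration.

```python
import base64
import json

# Permission names copied from the tables on this page, keyed by use case.
DOCUMENTED = {
    "sso": {"Directory.Read.All", "Group.Read.All", "GroupMember.Read.All",
            "openid", "profile", "User.Read", "User.Read.All"},
    "connect_to_mail": {"EWS.AccessAsUser.All", "offline_access",
                        "openid", "User.Read"},
}

def decode_claims(jwt: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_token(jwt: str, use_case: str) -> dict:
    """Split granted permissions by type and flag any not listed for use_case."""
    claims = decode_claims(jwt)
    delegated = set(claims.get("scp", "").split())   # space-separated string
    application = set(claims.get("roles", []))       # JSON array
    return {
        "delegated": sorted(delegated),
        "application": sorted(application),
        "undocumented": sorted((delegated | application) - DOCUMENTED[use_case]),
        # True when the token was issued without a signed-in user.
        "app_only": bool(application) and not delegated,
    }

def _make_sample(claims: dict) -> str:
    """Build a constructed, unsigned token so the example runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(
        json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

# Constructed samples: a user token carrying one extra scope, and an app-only token.
SAMPLE_USER = _make_sample({"scp": "openid profile User.Read Mail.ReadWrite"})
SAMPLE_APP = _make_sample({"roles": ["Directory.Read.All", "Group.Read.All"]})

if __name__ == "__main__":
    print(audit_token(SAMPLE_USER, "sso"))
    print(audit_token(SAMPLE_APP, "sso"))
```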