
Portal Permissions

These are the access permissions needed by the Ironstone Portal application inside the customer's tenant, and why we need them.

  • We enrich and present your own data for you in the portal. Without access to your data we won't be able to present anything.
  • It is not possible to partially accept the permissions.

Each entry gives the API / permission name, the permission type, Microsoft's permission description, whether admin consent is required, and why we need the permission.

ChannelMember.ReadWrite.All
  Type: Application
  Permission description: Add and remove members from all channels, without a signed-in user. Also allows changing a member's role, for example from owner to non-owner.
  Admin consent required: Yes
  Why do we need this permission? Collaboration functionality:
    • Needed in the PnP module when we modify Teams channels that have been created after a new project (team) has been approved.
      Non-interactive access through the Application type is needed because the functionality runs on the backend.
    • A regular user is able to request a new team from within the Teams application, and then have the manager accept the request through an approval email.

Group.ReadWrite.All
  Type: Application
  Permission description: Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write conversations. All of these operations can be performed by the app without a signed-in user.
  Admin consent required: Yes
  Why do we need this permission? Collaboration functionality:
    • Needed in the PnP module when we create groups in Azure AD that are connected to the new SharePoint sites.
      Non-interactive access through the Application type is needed because the functionality runs on the backend.
    • A regular user is able to request a new project from within the Teams application, and then have the manager accept the request through an approval email.

Notes.ReadWrite.All
  Type: Application
  Permission description: Allows the app to read, share, and modify all the OneNote notebooks in your organization, without a signed-in user.
  Admin consent required: Yes
  Why do we need this permission? Collaboration functionality:
    • Needed when customers request new projects using the collaboration functionality: the PnP module creates OneNote notebooks connected to the new projects (teams).
      Non-interactive access through the Application type is needed because the functionality runs on the backend.
    • A regular user is able to request a new project from within the Teams application, and then have the manager accept the request through an approval email.

User.ReadWrite.All
  Type: Application
  Permission description: Allows the app to read and write the full set of profile properties, group membership, reports and managers of other users in your organization, without a signed-in user. Also allows the app to create and delete non-administrative users. Does not allow reset of user passwords.
  Admin consent required: Yes
  Why do we need this permission? Portal functionality:
    • Used when we buy licenses and assign them to your users. To do this we need to reprocess license assignments; without reprocessing you would have to wait a long while before being able to use the license.
    • Used when we create new users in the onboarding functionality of the portal.
    • Used when we update users with new information, like phone numbers, from the portal.

DeviceManagementManagedDevices.Read.All
  Type: Application
  Permission description: Allows the app to read the properties of devices managed by Microsoft Intune.
  Admin consent required: Yes
  Why do we need this permission? Portal functionality:
    • Used to get information about devices when we generate the device report.
    • Used to get information about a device enrollment when we trigger Autopilot during onboarding.

SecurityEvents.Read.All
  Type: Application
  Permission description: Allows the app to read your organization's security events.
  Admin consent required: Yes
  Why do we need this permission? Portal functionality:
    • Used to get information about security events that create data for the security report.

DeviceManagementServiceConfig.Read.All
  Type: Application
  Permission description: Allows the app to read Intune service properties including device enrollment and third party service connection configuration.
  Admin consent required: Yes
  Why do we need this permission? Portal functionality:
    • Used to get information about devices when we generate the device report.

Directory.Read.All
  Type: Application
  Permission description: Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user.
  Admin consent required: Yes
  Why do we need this permission? Portal functionality:
    • Used to get information needed to create data for the security report.

DeviceManagementConfiguration.Read.All
  Type: Application
  Permission description: Allows the app to read properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups.
  Admin consent required: Yes
  Why do we need this permission? Portal functionality:
    • Used to get information about devices when we generate the device report.

IdentityRiskyUser.Read.All
  Type: Application
  Permission description: Allows the app to read identity user risk information for all users in your organization without a signed-in user.
  Admin consent required: Yes
  Why do we need this permission? Portal functionality:
    • Used to get information needed to create data for the security report.

IdentityRiskEvent.Read.All
  Type: Application
  Permission description: Allows the app to read identity risk event information for all users in your organization without a signed-in user.
  Admin consent required: Yes
  Why do we need this permission? Portal functionality:
    • Used to get information needed to create data for the security report.

AuditLog.Read.All
  Type: Application
  Permission description: Allows the app to read and query your audit log activities, without a signed-in user.
  Admin consent required: Yes
  Why do we need this permission? Portal functionality:
    • Used to get information needed to create data for the security report.

DeviceManagementApps.Read.All
  Type: Application
  Permission description: Allows the app to read the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune.
  Admin consent required: Yes
  Why do we need this permission? Portal functionality:
    • Used to get information about devices when we generate the device report.

Reports.Read.All
  Type: Application
  Permission description: Allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Microsoft 365 and Azure Active Directory.
  Admin consent required: Yes
  Why do we need this permission? Portal functionality:
    • Used to get information needed to create data for the security report.

Directory.ReadWrite.All
  Type: Application
  Permission description: Allows the app to read and write data in your organization's directory, such as users, and groups. It does not allow the app to delete users or groups, or reset user passwords.
  Admin consent required: Yes
  Why do we need this permission? Collaboration functionality. We have filed a request to Microsoft on moving these actions to a lower set of permissions, since Directory.ReadWrite.All is a higher permission than this should require.

Application.ReadWrite.All
  Type: Application
  Permission description: Allows the calling app to create, and manage (read, update, update application secrets and delete) applications and service principals without a signed-in user. Does not allow management of consent grants or application assignments to users or groups.
  Admin consent required: Yes
  Why do we need this permission? Used in order to modify the Enterprise Application for the backend application used by our Managed Services.
    • Used when we add or change security settings of our own Enterprise Application. This is only here since it is not possible for you to modify the Enterprise Application from the manifest. If we get this possibility in the future we might be able to remove this.

DeviceManagementManagedDevices.ReadWrite.All
  Type: Application
  Permission description: Allows the app to read and write the properties of devices managed by Microsoft Intune. Does not allow high impact operations such as remote wipe and password reset on the device's owner.
  Admin consent required: Yes
  Why do we need this permission? Used for changing devices that are managed by Intune from our backend. Using this we are able to modify which baselines are used by which devices.

Exchange.ManageAsApp
  Type: Application
  Permission description: Allows the app to manage the organization's Exchange environment without any user interaction. This includes mailboxes, groups, and other configuration objects. To enable management actions, an admin must assign the appropriate roles directly to the app.
  Admin consent required: Yes
  Why do we need this permission? This is used to be able to reach our customers' Exchange environment remotely from the backend to:
    • Set the baseline when enabling the service
    • Update the baseline when we have new security settings or other configuration that needs to be set
    To actually get these rights the application needs to be assigned the Exchange Administrator Azure AD role, which is only done temporarily while the functionality is in use.

Sites.FullControl.All
  Type: Application
  Permission description: Allows the app to have full control to SharePoint sites in all site collections without a signed-in user.
  Admin consent required: Yes
  Why do we need this permission? Request/Approve Project:
    • Needed in the PnP module when we create SharePoint sites after a new project (team) request has been approved.

User.ReadWrite.All
  Type: Application
  Permission description: Allows the app to read and update user profiles and to read basic site info without a signed-in user.
  Admin consent required: Yes
  Why do we need this permission? Request/Approve Project:
    • Needed in the PnP module when we create SharePoint sites after a new project (team) request has been approved.

Policy.Read.All
  Type: Application
  Permission description: Allows the app to read all your organization's policies without a signed-in user.
  Admin consent required: Yes
  Why do we need this permission? Identity Security Report:
    • Needed to get information about conditional access policies and authorization policies that are reported on in the Identity Security Report that is available in the portal.

RoleManagement.ReadWrite.Directory
  Type: Application
  Permission description: Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, on behalf of the signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships.
  Admin consent required: Yes
  Why do we need this permission? Identity Security Report:
    • Needed to get information about PIM roles and assignments that are reported on in the Identity Security Report that is available in the portal.

Requests used by the Portal application

A more in-depth look at the requests the portal makes and their documentation. This is not the full list, only the requests relevant to the table above.

Request type  Request                                                        Graph API documentation             Lowest application permission needed
GET           /v1.0/users/${userID}/ownedDevices                             List ownedDevices                   User.Read.All
GET           /v1.0/groups                                                   List groups                         GroupMember.Read.All
GET           /v1.0/groups/${groupId}/members                                List group members                  GroupMember.Read.All
PATCH         /v1.0/groups/${groupID}                                        Update group                        Group.ReadWrite.All
DELETE        /v1.0/groups/${groupID}/members/${memberID}/$ref               Remove member                       GroupMember.ReadWrite.All
GET           /v1.0/groupLifecyclePolicies                                   List groupLifecyclePolicies         Directory.Read.All
PATCH         /v1.0/groupLifecyclePolicies/${id}                             Update groupLifecyclePolicy         Directory.ReadWrite.All
POST          /v1.0/groupLifecyclePolicies                                   Create groupLifecyclePolicy         Directory.ReadWrite.All
POST          /v1.0/users/${userID}/reprocessLicenseAssignment               user: reprocessLicenseAssignment    User.ReadWrite.All
GET           /v1.0/organization                                             Get organization                    Organization.Read.All
GET           /v1.0/subscribedskus                                           List subscribedSkus                 Organization.Read.All
GET           /v1.0/users?$top=999&${USERS_SELECT}                           List users                          User.Read.All
POST          /v1.0/users                                                    Create User                         User.ReadWrite.All
PATCH         /v1.0/users/${userID}                                          Update user                         User.ReadWrite.All
GET           /v1.0/applications                                             Get Application                     Application.Read.All
GET           /v1.0/servicePrincipals                                        Get servicePrincipal                Application.Read.All
GET           /v1.0/identity/conditionalAccess/policies                      Get conditionalAccessPolicy         Policy.Read.All
GET           /v1.0/policies/authorizationPolicy                             Get authorizationPolicy             Policy.Read.All
GET           /v1.0/roleManagement/directory/roleAssignmentScheduleRequests  Get roleAssignmentScheduleRequests  RoleManagement.ReadWrite.Directory
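As an added example (not the portal's own code), the script below joins the two tables above into a least-privilege review: for each request it reports whether the lowest permission is granted exactly, satisfied only by a broader grant, or unmatched, and it lists grants that no listed request explains and grants already implied by another grant. The covers() rule is an assumption that encodes only two well-known Graph conventions (a ReadWrite permission satisfies its Read counterpart; Group.* satisfies GroupMember.*), so anything reported as unmatched should be checked against the Graph documentation linked in the table, which lists every accepted permission for a request.

```javascript
// Added example, not the portal's own code: least-privilege review of the two tables above.
// covers() is an ASSUMED, deliberately conservative subset of Graph's rules: a ReadWrite
// permission satisfies its Read counterpart, and Group.* satisfies GroupMember.*.
const granted = new Set([ // from the "Portal Permissions" table
  "ChannelMember.ReadWrite.All", "Group.ReadWrite.All", "Notes.ReadWrite.All", "User.ReadWrite.All",
  "DeviceManagementManagedDevices.Read.All", "SecurityEvents.Read.All", "Directory.Read.All",
  "DeviceManagementServiceConfig.Read.All", "DeviceManagementConfiguration.Read.All",
  "IdentityRiskyUser.Read.All", "IdentityRiskEvent.Read.All", "AuditLog.Read.All",
  "DeviceManagementApps.Read.All", "Reports.Read.All", "Directory.ReadWrite.All",
  "Application.ReadWrite.All", "DeviceManagementManagedDevices.ReadWrite.All", "Exchange.ManageAsApp",
  "Sites.FullControl.All", "Policy.Read.All", "RoleManagement.ReadWrite.Directory",
]);
const requests = [ // [request, lowest application permission] from the requests table
  ["GET /users/{id}/ownedDevices", "User.Read.All"], ["GET /groups", "GroupMember.Read.All"],
  ["GET /groups/{id}/members", "GroupMember.Read.All"], ["PATCH /groups/{id}", "Group.ReadWrite.All"],
  ["DELETE /groups/{id}/members/{id}/$ref", "GroupMember.ReadWrite.All"],
  ["GET /groupLifecyclePolicies", "Directory.Read.All"],
  ["PATCH /groupLifecyclePolicies/{id}", "Directory.ReadWrite.All"],
  ["POST /groupLifecyclePolicies", "Directory.ReadWrite.All"],
  ["POST /users/{id}/reprocessLicenseAssignment", "User.ReadWrite.All"],
  ["GET /organization", "Organization.Read.All"], ["GET /subscribedSkus", "Organization.Read.All"],
  ["GET /users", "User.Read.All"], ["POST /users", "User.ReadWrite.All"],
  ["PATCH /users/{id}", "User.ReadWrite.All"], ["GET /applications", "Application.Read.All"],
  ["GET /servicePrincipals", "Application.Read.All"],
  ["GET /identity/conditionalAccess/policies", "Policy.Read.All"],
  ["GET /policies/authorizationPolicy", "Policy.Read.All"],
  ["GET /roleManagement/directory/roleAssignmentScheduleRequests", "RoleManagement.ReadWrite.Directory"],
];
// True when holding `have` is enough for a request whose lowest permission is `need`.
function covers(have, need) {
  const [hRes, hOp, hScope] = have.split(".");
  const [nRes, nOp, nScope] = need.split(".");
  const resOk = hRes === nRes || (hRes === "Group" && nRes === "GroupMember");
  const opOk = hOp === nOp || (hOp === "ReadWrite" && nOp === "Read");
  return resOk && opOk && hScope === nScope;
}
// Per request: exact / broader:<grant> / unmatched; plus unexplained and redundant grants.
function review() {
  const used = new Set();
  const perRequest = requests.map(([req, need]) => {
    const hit = granted.has(need) ? need : [...granted].find((g) => covers(g, need));
    if (hit) used.add(hit);
    return [req, need, !hit ? "unmatched" : hit === need ? "exact" : `broader:${hit}`];
  });
  const unexplained = [...granted].filter((g) => !used.has(g)).sort();
  const redundant = [...granted].filter((g) => [...granted].some((h) => h !== g && covers(h, g))).sort();
  return { perRequest, unexplained, redundant };
}
console.log(JSON.stringify(review(), null, 2));
```

Because the requests table is explicitly not the full list, an "unexplained" grant is a prompt to document the request behind it, not evidence that it is unused.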

Azure platform access

Some functionality needs access to your Azure environment, for example to help you monitor your costs.

Access level  Scope            Justification
Reader        Management root  We need this access to be able to see costs connected to all subscriptions, resource groups, and resources. Using this data we create reports on cost which are presented in the Ironstone Portal.