Guide concerning usage of data from clients’ Azure AD


API / Permissions name   Type   Description
email   Delegated   View users' email address
profile   Delegated   View users' basic profile
offline_access   Delegated   Maintain access to data you have given it access to
openid   Delegated   Sign users in
User.Read   Delegated   Sign in and read user profile
Group.Read.All   Application   Read all groups
GroupMember.Read.All   Application   Read all group memberships
User.Read.All   Application   Read all users' full profiles


Delegated permissions are required during sign-in.

Application permissions are required during configuration of access to Azure Active Directory in the Workspace administration.

  1. Groups are retrieved and listed so they can be mapped to an access level in Workspace.
  2. Group members are read from groups that have been mapped to an access level, when a synchronization is run. A group member’s ID, principal name, display name and given name are saved to a user in Workspace. The ID is used upon re-synchronization and to retrieve a Workspace user’s profile photo. The principal name is assumed to be the member’s email and is used after their ID token has been validated to verify that a user exists in Workspace. The display name is shown throughout Workspace. The given name is used to greet the user in Workspace.
  3. All users are read in order for a given Workspace user to view other users' information (such as their profile photo).