Guide concerning usage of data from clients’ Azure AD
| API / Permissions name | Type | Description |
|---|---|---|
| email | Delegated | View users' email address |
| profile | Delegated | View users' basic profile |
| offline_access | Delegated | Maintain access to data you have given it access to |
| openid | Delegated | Sign users in |
| User.Read | Delegated | Sign in and read user profile |
| Group.Read.All | Application | Read all groups |
| GroupMember.Read.All | Application | Read all group memberships |
| User.Read.All | Application | Read all users' full profiles |
Delegated permissions are required during sign-in.
Application permissions are required during configuration of access to Azure Active Directory in the Workspace administration.
- Groups are retrieved and listed so they can be mapped to an access level in Workspace.
- Group members are read, when a synchronization is run, from the groups that have been mapped to an access level. A group member's ID, principal name, display name and given name are saved to a user in Workspace. The ID is used upon re-synchronization and to retrieve a Workspace user's profile photo. The principal name is assumed to be the member's email and is used, after their ID token has been validated, to verify that the user exists in Workspace. The display name is shown throughout Workspace. The given name is used to greet the user in Workspace.
- All users are read in order for a given Workspace user to view other users' information (such as their profile photo).
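The synchronization and sign-in steps above, as an added example that is not Workspace's own code: it runs over constructed responses shaped like Microsoft Graph `GET /groups` and `GET /groups/{id}/members`, keeps only members from mapped groups, stores the four saved fields, and matches a validated ID token to a user by principal name. The access-level names, the group-to-level mapping and the use of the `preferred_username` claim are assumptions.

```python
# Constructed sample Graph responses (not real tenant data); only the "value" arrays are modelled.
GRAPH_GROUPS = {"value": [
    {"id": "g-admins", "displayName": "Workspace Admins"},
    {"id": "g-staff", "displayName": "All Staff"},
    {"id": "g-finance", "displayName": "Finance"},  # never mapped, so never read
]}
GRAPH_MEMBERS = {
    "g-admins": {"value": [
        {"@odata.type": "#microsoft.graph.user", "id": "u1", "userPrincipalName": "ada@example.com",
         "displayName": "Ada Lovelace", "givenName": "Ada"},
    ]},
    "g-staff": {"value": [
        {"@odata.type": "#microsoft.graph.user", "id": "u1", "userPrincipalName": "ada@example.com",
         "displayName": "Ada Lovelace", "givenName": "Ada"},
        {"@odata.type": "#microsoft.graph.user", "id": "u2", "userPrincipalName": "bob@example.com",
         "displayName": "Bob Builder", "givenName": "Bob"},
        {"@odata.type": "#microsoft.graph.group", "id": "g-nested", "displayName": "Nested group"},
    ]},
    "g-finance": {"value": [
        {"@odata.type": "#microsoft.graph.user", "id": "u3", "userPrincipalName": "cy@example.com",
         "displayName": "Cy Finance", "givenName": "Cy"},
    ]},
}
ACCESS_RANK = {"member": 1, "admin": 2}  # assumed Workspace access levels, low to high

def list_groups(groups_response):
    """Step 1: list groups (Group.Read.All) so an administrator can map them to access levels."""
    return {g["id"]: g["displayName"] for g in groups_response["value"]}

def sync_members(members_by_group, group_access):
    """Step 2: read members only from mapped groups (GroupMember.Read.All) and save the four fields.
    A user in several mapped groups keeps the highest access level; nested groups are not expanded."""
    users = {}
    for group_id, level in group_access.items():
        for m in members_by_group.get(group_id, {}).get("value", []):
            if m.get("@odata.type") != "#microsoft.graph.user":
                continue
            rec = users.setdefault(m["id"], {
                "id": m["id"], "email": m["userPrincipalName"],  # principal name assumed to be the email
                "display_name": m["displayName"], "given_name": m.get("givenName", ""), "access": level})
            if ACCESS_RANK[level] > ACCESS_RANK[rec["access"]]:
                rec["access"] = level
    return users

def resolve_signed_in_user(validated_claims, users):
    """Step 3: after the ID token's signature, issuer, audience and expiry have been validated,
    check that the signer exists in Workspace by comparing the principal name case-insensitively."""
    upn = (validated_claims.get("preferred_username") or "").lower()
    return next((u for u in users.values() if upn and u["email"].lower() == upn), None)
```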