These permissions are required to allow BindTuning to perform crucial operations on SharePoint/MS Teams resources owned by the signed-in user. To perform these operations from our online application against SharePoint/MS Teams, we use the Microsoft Graph gateway.
Some of the crucial operations we do, and for which we require the appropriate permissions are:
- validating the user
- validating if the user can install our products on a selected site
- listing the existing site collections
- validating if a site collection exists
- creating new site collections or sub-sites
- applying templates, uploading documents, and creating lists with content in a site collection
- creating new teams, channels, and tabs
Without these permissions, BindTuning can't perform any of these operations automatically, which would compromise the goal for which the BindTuning Online App was ultimately conceived: improving your productivity when installing and updating BindTuning products, and ensuring you are always running the latest versions.
Microsoft Graph permissions currently requested by the BindTuning Application
Office 365 Tenants
| Permission | Title | Description |
| --- | --- | --- |
| openid | Sign users in. | Allows users to sign in to the app with their work or school accounts and allows the app to see basic user profile information. |
| profile | View users' basic profile. | Allows the app to see your users' basic profile (name, picture, user name). |
| | View users' email address. | Allows the app to read your users' primary email address. |
| offline_access | Maintain access to data you have given it access to. | Allows the app to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions. |
| Sites.Read.All | Read items in all site collections. | Allows the application to read documents and list items in all site collections on behalf of the signed-in user. |
| Sites.ReadWrite.All | Edit or delete items in all site collections. | Allows the application to edit or delete documents and list items in all site collections on behalf of the signed-in user. |
| AppCatalog.ReadWrite.All | Read and write to all app catalogs. | Allows the app to create, read, update, and delete apps in the app catalogs. |
| Group.ReadWrite.All | Read and write all groups. | Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Additionally, allows group owners to manage their groups and allows group members to update group content. |
| User.ReadWrite.All | Read and write all users' full profiles. | Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. |
| AllSites.FullControl | Have full control of all site collections. | Allows the app to have full control of all site collections on behalf of the signed-in user. |
Office 365 for Education Tenants
For Education tenants we also request the following permissions:
| Permission | Title | Description |
| --- | --- | --- |
| EduAssignments.ReadWrite | Read and write users' class assignments and their grades. | Allows the app to read and write assignments and their grades on behalf of the user. |
| EduRoster.ReadWrite.All | Read and write the organization's roster. | Allows the app to read and write the structure of schools and classes in the organization's roster, and education-specific information about all users. |
What do we store on our side?
To use Microsoft Graph to read and write resources on behalf of a user, BindTuning Online App must get an access token from the Microsoft identity platform and attach the token to the requests that are sent to Microsoft Graph.
After a user authenticates using the Microsoft identity platform, a refresh token is stored in Microsoft Azure Key Vault. When the user reinstalls a product, we use that refresh token to request a new access token instead of asking the user to authenticate and consent to the permissions again.
If you're having issues installing any product, the issue may be related to the permissions associated with the refresh token. In that case, you may need to revoke it and request a new token. Here's how:
- Sign in at BindTuning Application
- Go to My Settings > Office 365 credentials
- Click on "Revoke" for the specific Office 365 account
- Then try to install a new product, so that a new refresh token is requested and associated with the account.
Review BindTuning application permissions in your SharePoint/MS Teams tenant
To review and manage the BindTuning application permissions:
- Go to Azure Portal
- Search for “Enterprise applications” and click on it
- Search for “BindTuning Provisioning”, on the application list
- Select the app
- Under “Security”, select “Permissions”
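The two troubleshooting paths above (checking what a refresh-token-derived access token actually carries, and reviewing the consent grants recorded in the tenant) can both be automated with a small scope comparison. The following is an added example written for this page, not BindTuning's code: it decodes a constructed, unsigned JWT to read its `scp` claim, reports which of the documented Graph scopes are missing, and audits a constructed list of `oauth2PermissionGrant`-shaped records for scopes that go beyond the documented table. The `REQUIRED_GRAPH_SCOPES` set is an assumption about which table entries an installation needs; the `email` scope name and all ids in the sample data are placeholders.

```python
import base64
import json
import time

# Every scope the page's Office 365 table lists. "email" is assumed here because
# the table's permission cell for "View users' email address" is blank.
DOCUMENTED_SCOPES = {
    "openid", "profile", "email", "offline_access",
    "Sites.Read.All", "Sites.ReadWrite.All", "AppCatalog.ReadWrite.All",
    "Group.ReadWrite.All", "User.ReadWrite.All", "AllSites.FullControl",
}

# Assumption for this example: the Graph resource scopes an installation needs.
# OpenID scopes never appear in a Graph access token's 'scp' claim, and
# AllSites.FullControl is issued for the SharePoint resource, so neither is checked here.
REQUIRED_GRAPH_SCOPES = {
    "Sites.Read.All", "Sites.ReadWrite.All", "AppCatalog.ReadWrite.All",
    "Group.ReadWrite.All", "User.ReadWrite.All",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(jwt: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.

    Only for inspecting a token while troubleshooting. Microsoft Graph validates
    the signature on every request; never base an authorization decision on
    claims read this way.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def granted_scopes(jwt: str) -> set:
    """Delegated scopes are space-separated in the 'scp' claim."""
    return set(decode_claims(jwt).get("scp", "").split())


def missing_scopes(jwt: str, required=REQUIRED_GRAPH_SCOPES) -> set:
    """Required scopes this access token does not carry (empty set = all present)."""
    return set(required) - granted_scopes(jwt)


def is_expired(jwt: str, now=None) -> bool:
    """'exp' is seconds since the Unix epoch."""
    current = time.time() if now is None else now
    return current >= decode_claims(jwt).get("exp", 0)


def audit_grants(grants, documented=DOCUMENTED_SCOPES):
    """Flag grants whose scopes exceed the documented set.

    `grants` is a list of dicts shaped like Graph's oauth2PermissionGrant resource
    ('clientId', 'consentType', 'principalId', 'resourceId', 'scope'); 'scope' is
    a space-separated string. consentType 'AllPrincipals' means admin consent
    for every user, so findings there deserve the most attention.
    """
    findings = []
    for grant in grants:
        unexpected = sorted(set(grant.get("scope", "").split()) - set(documented))
        if unexpected:
            findings.append({
                "clientId": grant.get("clientId"),
                "consentType": grant.get("consentType"),
                "principalId": grant.get("principalId"),
                "unexpected": unexpected,
            })
    return findings


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned (alg=none) JWT so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample data: a token missing three documented scopes, and two
# grants of which the tenant-wide one carries a scope the page never lists.
SAMPLE_TOKEN = make_unsigned_jwt({
    "aud": "https://graph.microsoft.com",
    "scp": "Sites.Read.All Sites.ReadWrite.All User.Read",
    "exp": 1700000000,
})
SAMPLE_GRANTS = [
    {"clientId": "app-sp-id-placeholder", "consentType": "Principal",
     "principalId": "user-id-placeholder", "resourceId": "graph-sp-id-placeholder",
     "scope": "openid profile offline_access Sites.ReadWrite.All Group.ReadWrite.All"},
    {"clientId": "app-sp-id-placeholder", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "graph-sp-id-placeholder",
     "scope": "Sites.ReadWrite.All Directory.ReadWrite.All"},
]

if __name__ == "__main__":
    print("missing from token:", sorted(missing_scopes(SAMPLE_TOKEN)))
    print("token expired:", is_expired(SAMPLE_TOKEN))
    for finding in audit_grants(SAMPLE_GRANTS):
        print("grant exceeds documented scopes:", finding)
```

A non-empty `missing_scopes` result is the symptom the revoke-and-reinstall steps above address, since the stored refresh token can only mint access tokens for scopes the user originally consented to. Real grant records come from the Azure portal page described above or from the Graph `oauth2PermissionGrants` resource; the audit deliberately treats anything outside the documented table as a finding so that scope creep is visible at review time.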
References
- Overview of Microsoft Graph: https://docs.microsoft.com/en-us/graph/overview
- Microsoft Graph permissions reference: https://docs.microsoft.com/en-us/graph/permissions-reference
- Microsoft Azure Key Vault: https://docs.microsoft.com/en-us/azure/key-vault/general/overview