Why do I need to accept BindTuning permissions request to install products?

These permissions are required so that BindTuning can perform operations on SharePoint resources owned by the signed-in user. Our online application performs these operations against SharePoint through the Microsoft Graph API.

Some of the operations we perform, and for which we require the corresponding permissions, are:

  • validating the user
  • validating if the user can install our products on a selected site
  • listing the existing site collections
  • validating if a site collection exists
  • creating new site collections or sub-sites
  • applying templates, uploading documents and creating lists with content in a site collection

Without these permissions, BindTuning cannot perform any of these operations automatically, which would defeat the purpose for which the BindTuning Online App was conceived: improving your productivity when installing and updating BindTuning products, and ensuring you are always running the latest versions.


Microsoft Graph permissions currently requested by the BindTuning Application


Office 365 Tenants

Permission | Title | Description
openid | Sign users in. | Allows users to sign in to the app with their work or school accounts and allows the app to see basic user profile information.
profile | View users' basic profile. | Allows the app to see your users' basic profile (name, picture, user name).
email | View users' email address. | Allows the app to read your users' primary email address.
offline_access | Maintain access to data you have given it access to. | Allows the app to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions.
Sites.Read.All | Read items in all site collections. | Allows the application to read documents and list items in all site collections on behalf of the signed-in user.
Sites.ReadWrite.All | Edit or delete items in all site collections. | Allows the application to edit or delete documents and list items in all site collections on behalf of the signed-in user.
AppCatalog.ReadWrite.All | Read and write to all app catalogs. | Allows the app to create, read, update, and delete apps in the app catalogs.
Group.ReadWrite.All | Read and write all groups. | Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Additionally, allows group owners to manage their groups and allows group members to update group content.
User.ReadWrite.All | Read and write all users' full profiles. | Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user.
AllSites.FullControl | Have full control of all site collections. | Allows the app to have full control of all site collections on behalf of the signed-in user.

Office 365 for Education Tenants

For Education tenants we also request the following permissions:

Permission | Title | Description
EduAssignments.ReadWrite | Read and write users' class assignments and their grades. | Allows the app to read and write assignments and their grades on behalf of the user.
EduRoster.ReadWrite.All | Read and write the organization's roster. | Allows the app to read and write the structure of schools and classes in the organization's roster, and education-specific information about all users.


What do we store on our side?

To use Microsoft Graph to read and write resources on behalf of a user, the BindTuning Online App must obtain an access token from the Microsoft identity platform and attach that token to the requests it sends to Microsoft Graph.

After a user authenticates with the Microsoft identity platform, a refresh token is stored in Microsoft Azure Key Vault. When the user reinstalls a product, we use that refresh token to request a new access token, so the user is not asked to authenticate and consent to the permissions again.

If you are having issues installing any product, the cause may be the permissions associated with the stored refresh token. In that case you may need to revoke it and request a new token. Here's how:

[Image: blobid1.jpg]


Review BindTuning application permissions in your SharePoint tenant

To review and manage the BindTuning application permissions:

  • Go to the Azure Portal
  • Search for “Enterprise applications” and open it
  • Search for “BindTuning Provisioning” in the application list
  • Select the app
  • Under “Security”, select “Permissions”
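The refresh-token flow described in the previous section and the permissions review above both come down to one question: which delegated permissions does the token or the consent grant actually carry? The following Python is an added example, not BindTuning's code. It decodes the `scp` claim of a Microsoft identity platform access token (payload only, with no signature check, so it is a diagnostic view and not an authorization decision) and the `scope` property of a Microsoft Graph `oauth2PermissionGrant` object, which is what the Permissions blade displays, and reports which of the Graph permissions from the table above are missing. The sample token and grant are constructed inline, the GUIDs are placeholders, and the OpenID Connect sign-in scopes and the SharePoint-resource permission AllSites.FullControl are left out of the comparison because each grant is scoped to a single resource.

```python
"""Added example (not BindTuning code): report which of the delegated Microsoft
Graph permissions listed in the article a token or consent grant carries."""
import base64
import json

# Microsoft Graph delegated permissions from the Office 365 table above.
# The OpenID Connect scopes (openid, profile, email, offline_access) are handled
# by the identity platform itself, and AllSites.FullControl is granted against
# the SharePoint Online resource rather than Graph, so a Graph access token or
# Graph-resource grant is compared against this subset only.
GRAPH_SCOPES = frozenset({
    "Sites.Read.All",
    "Sites.ReadWrite.All",
    "AppCatalog.ReadWrite.All",
    "Group.ReadWrite.All",
    "User.ReadWrite.All",
})


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    """Inverse of _b64url_decode, used only to build the constructed sample."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def scopes_from_access_token(token):
    """Return the delegated permissions in an access token's 'scp' claim.

    Only the payload is decoded; the signature is NOT verified. Use this to
    see what a token claims, never to decide whether to trust it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    return set(claims.get("scp", "").split())


def scopes_from_permission_grant(grant):
    """Return the permissions in a Graph oauth2PermissionGrant 'scope' property,
    which is space-separated like the 'scp' claim."""
    return set(grant.get("scope", "").split())


def missing_scopes(granted, required=GRAPH_SCOPES):
    """Required permissions that the token or grant does not carry."""
    return set(required) - set(granted)


def build_sample_token(scp):
    """Constructed, unsigned sample token for offline demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(
        {"aud": "https://graph.microsoft.com", "scp": scp}).encode())
    return f"{header}.{payload}."  # empty signature segment


# Constructed sample shaped like one item of GET /oauth2PermissionGrants; the
# GUIDs are placeholders, not real object ids.
SAMPLE_GRANT = {
    "clientId": "00000000-0000-0000-0000-000000000000",    # app's service principal
    "consentType": "Principal",  # one user's consent; AllPrincipals = admin consent
    "principalId": "11111111-1111-1111-1111-111111111111",
    "resourceId": "22222222-2222-2222-2222-222222222222",  # Graph service principal
    "scope": "Sites.Read.All Sites.ReadWrite.All Group.ReadWrite.All",
}

if __name__ == "__main__":
    token = build_sample_token(" ".join(sorted(GRAPH_SCOPES)))
    print("token missing:", missing_scopes(scopes_from_access_token(token)) or "nothing")
    print("grant missing:", missing_scopes(scopes_from_permission_grant(SAMPLE_GRANT)))
```

Run it as a script to see the report for both samples: the constructed token carries every Graph permission from the table, while the constructed grant lacks AppCatalog.ReadWrite.All and User.ReadWrite.All, which is the kind of gap that would surface as an installation failure. A consentType of AllPrincipals indicates tenant-wide admin consent and Principal a single user's consent; in either case a delegated permission never lets the app do more than the signed-in user could do themselves.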

