Online Services: Required Application Permissions

This article outlines the permissions required when setting up a DocumentsCorePack or AttachmentExtractor service via DocumentsCorePack Service Configuration or AttachmentExtractor Service configuration

During the service setup you will be asked to grant the following permissions to our application:

Figure 1: Permission requested during service setup

“Consent on behalf of your organization”

This grants the consent for all users and further connections are enabled to use this connection without having to consent on their own.

I do not have an administrator account available

If you are not having access to an administrator account, please have an administrator launch this link and register the application.

https://login.microsoftonline.com/common/oauth2/authorize?resource=https:%2F%2Fdisco.crm.dynamics.com%2F&client_id=cf64f130-739b-4003-9b1f-9d8f3818c4bb&response_type=code&haschrome=1&redirect_uri=http:%2F%2Fwww.mscrm-addons.com&client-request-id=75254dac-02af-4909-b32f-9d76dc98a32e&prompt=login&x-client-SKU=.NET&x-client-Ver=5.0.0.0&x-client-CPU=x64&x-client-OS=Microsoft+Windows+NT+6.2.9200.0

Common Data Service:

• Access to common data service

Required to access your Dynamics 365 data read data for document generation as well as write data back to Dynamics 365.

SharePoint:

• Read and Write your files &
  
• Read and write items in all site collections &
• Read and write items and lists in all site collections

Required to fully use the Dynamics SharePoint integration.
When DocumentsCorePack is linked with Dynamics SharePoint Integration, DocumentsCorePack will create lists, folders & files in the
corresponding SharePoint locations.

• Sign in and read user profile

This is required to log in as the user in Dynamics 365 and also for some of our licensing options.

Why is this needed and what`s the impact?

What is an Application registration?

Why do I need to consent?

consent is required to grant the requested permissions to our application.
The “consent in the name of the organization” option bypasses the need for other further users using our products to individually consent again (i.e. Consent only has to be granted by one user)

Does this breach my security?

Server2Server authentication is not allowing any access without an interactive user login. There is no access granted to any party outside your AzureAD.

Im not using Sharepoint at all. Do i still have to consent?

You need to consent during the installation, but you are free to modify the privileges after the application has been registered.
As we do not know, which sites on Sharepoint are planned to be used, we can only request access to all of them.

Note: Azure active directory already offers template scripts to change those privileges. Please not, that you must confirm the grant again after modifiying the privileges.

In addition, AzureAD has recently added options to manage rights for specific sites via PowerShell.

How can I prevent, that all users have to consent to the application individually?

If you didnt consent during the installation of the application, you can always do so from within AzureActiveDirectory.

Click on the “Grant admin consent to [Your tenant name]” button to grant consent for all users and prevent the requirement for users to individually have to consent to the application.

Helpful ressources:

App-Registration documentation from Microsoft:

• https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals#application-object
• https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added

Server2Server/OAuth/ModernAuthentication documentation from Microsoft:

• https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols
• https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

That’s it! We appreciate your feedback! Please share your thoughts by sending an email to support@mscrm-addons.com