This article outlines the application permissions required for online services when setting up a DocumentsCorePack or AttachmentExtractor service via the DocumentsCorePack Service Configuration or the AttachmentExtractor Service Configuration.
During service setup, you will be asked to grant the following permissions to our application:
Consent on behalf of your organization
This grants consent for all users to use this connection without having to consent on their own.
Note: Requires the Global Administrator or Application Administrator role in Microsoft Entra ID.
I do not have an administrator account available
If you do not have access to an administrator account, please have an administrator launch the link below and register the application.
https://login.microsoftonline.com/common/oauth2/authorize?resource=https:%2F%2Fdisco.crm.dynamics.com%2F&client_id=cf64f130-739b-4003-9b1f-9d8f3818c4bb&response_type=code&haschrome=1&redirect_uri=http:%2F%2Fwww.mscrm-addons.com&client-request-id=75254dac-02af-4909-b32f-9d76dc98a32e&prompt=login&x-client-SKU=.NET&x-client-Ver=5.0.0.0&x-client-CPU=x64&x-client-OS=Microsoft+Windows+NT+6.2.9200.0
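Before an administrator launches a consent link such as the one above, its parameters can be inspected offline. The following is an added example (not code from this article or from mscrm-addons) that parses the link with Python's standard library and lists the points an administrator would want to confirm with the vendor before registering the application; the expected client ID and redirect host are assumptions taken from the link itself, and the function names are hypothetical.

```python
from urllib.parse import urlsplit, parse_qs

# The consent link quoted in this article, reproduced as-is.
CONSENT_LINK = (
    "https://login.microsoftonline.com/common/oauth2/authorize"
    "?resource=https:%2F%2Fdisco.crm.dynamics.com%2F"
    "&client_id=cf64f130-739b-4003-9b1f-9d8f3818c4bb"
    "&response_type=code&haschrome=1"
    "&redirect_uri=http:%2F%2Fwww.mscrm-addons.com"
    "&client-request-id=75254dac-02af-4909-b32f-9d76dc98a32e"
    "&prompt=login&x-client-SKU=.NET&x-client-Ver=5.0.0.0"
    "&x-client-CPU=x64&x-client-OS=Microsoft+Windows+NT+6.2.9200.0"
)

# Values the reviewing administrator expects (assumed here; taken from the link above).
EXPECTED_CLIENT_ID = "cf64f130-739b-4003-9b1f-9d8f3818c4bb"
EXPECTED_REDIRECT_HOST = "www.mscrm-addons.com"


def parse_consent_link(url):
    """Split an OAuth 2.0 authorize URL into endpoint host, path and decoded query parameters."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"host": parts.netloc, "path": parts.path, "params": params}


def review_consent_link(url, expected_client_id, expected_redirect_host):
    """Return findings an administrator should confirm with the vendor before launching the link."""
    link = parse_consent_link(url)
    p = link["params"]
    findings = []
    if link["host"] != "login.microsoftonline.com":
        findings.append("authorize endpoint is not login.microsoftonline.com: " + link["host"])
    if p.get("client_id") != expected_client_id:
        findings.append("client_id differs from the documented application: " + str(p.get("client_id")))
    redirect = urlsplit(p.get("redirect_uri", ""))
    if redirect.netloc != expected_redirect_host:
        findings.append("redirect_uri host is not the vendor's site: " + repr(redirect.netloc))
    if redirect.scheme != "https":
        findings.append("redirect_uri uses " + repr(redirect.scheme) + " rather than https")
    resource = urlsplit(p.get("resource", ""))
    if not resource.netloc.endswith(".dynamics.com"):
        findings.append("resource is not a Dynamics 365 organization URL: " + repr(resource.netloc))
    return findings


if __name__ == "__main__":
    for key, value in sorted(parse_consent_link(CONSENT_LINK)["params"].items()):
        print(f"{key:20} {value}")
    for finding in review_consent_link(CONSENT_LINK, EXPECTED_CLIENT_ID, EXPECTED_REDIRECT_HOST):
        print("CHECK:", finding)
```

The `resource` parameter names the Dynamics 365 organization the token is issued for, so an administrator would also compare its host against their own organization URL.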
Common Data Service:
- Access to Common Data Service
Required to access your Dynamics 365 data: to read data for document generation and to write data back to Dynamics 365.
SharePoint:
- Read and write your files
- Read and write items in all site collections
- Read and write items and lists in all site collections
Required to fully use the Dynamics SharePoint integration. When DocumentsCorePack is linked with the Dynamics SharePoint Integration, DocumentsCorePack will create lists, folders and files in the corresponding SharePoint locations.
- Sign in and read user profile
This is required to log in as the user in Dynamics 365 and for some of our licensing options.
What is an application registration?
The application registration defines the privileges of the user during login. This application has no components of its own and does not interact with anything outside your Azure Active Directory.
You can find details about your registered applications in the Enterprise Applications section of your Azure Active Directory.
Why do I need to consent?
Consent is required to grant the requested permissions to our application. The "Consent on behalf of your organization" option removes the need for other users of our products to consent individually (i.e. consent only has to be granted once, by one user).
Does this breach my security?
Server2Server authentication does not allow any access without an interactive user login. No access is granted to any party outside your Azure AD.
I'm not using SharePoint at all. Do I still have to consent?
You need to consent during the installation, but you are free to modify the privileges after the application has been registered. As we do not know which SharePoint sites you plan to use, we can only request access to all of them.
Please note: Azure Active Directory already offers template scripts to change those privileges. You must confirm the grant again after modifying the privileges.
In addition, Azure AD has recently added options to manage rights for specific sites via PowerShell.
How can I prevent every user from having to consent to the application individually?
If you did not consent during the installation of the application, you can always do so later from within Azure Active Directory.
Click the "Grant admin consent to [Your tenant name]" button to grant consent for all users and remove the requirement for users to consent to the application individually.
Helpful resources:
App registration documentation from Microsoft:
Server2Server/OAuth/ModernAuthentication documentation from Microsoft:
- OAuth 2.0 and OpenID Connect protocols on the Microsoft identity platform
- Microsoft identity platform and OAuth 2.0 authorization code flow
That’s it! We appreciate your feedback! Please share your thoughts by sending an email to support@mscrm-addons.com.