Azure Active Directory is Microsoft’s cloud-based identity and access management service that helps your employees to sign in and access resources such as LMS365.
It requires the consents, which are accepted by Users and Administrators for getting access to all the resources and data. After the signing in process, it will be determined automatically whether the user needs to be shown a consent page. There are two main types of consents:
- Static user consent, which occurs during the authorization when the users will access the content needed;
- Admin consent, which occurs right after static user consent. This type of consent requires the Office 365 Global Administrator to approve the list of permissions the LMS365 App requires.
Accepting Consent (Pre-Consenting)
An Office 365 Global Administrator has to grant LMS365 consent allowing the LMS365 App to access all defined resources on behalf of each user without LMS365 having to ask the user for consent. Additionally, it will unblock the scenarios where the user can not provide consent, such as for example access to the user's lists and libraries in SharePoint Online. Learn more about the access scopes supported by LMS365 on the dedicated Data Access page.
Why do Users provide consent?
Every time the App wants/needs access to specific data in Office 365 for the first time it needs to ask the user for permission to access that data. So for instance, if the App wants to read data from SharePoint it will have to ask the user if it is allowed to access the user's data in SharePoint. The user can agree to this by providing consent for accessing his or her data in SharePoint. This consent experience is provided by the data source - in this case by Office 365.
Why would administrators want to provide Admin Consent?
By providing an Admin Consent to LMS365 the admin will remove the need for all users within that Office 365 tenant to have to accept consent each time, and as such will be more productive by saving each and every user having to individually consent for each resource separately. It will also reduce the questions users might ask in connection to dealing with the individual consent request they will face during their interaction with LMS365.
What is the risk of doing this?
We can actually not identify any risk by providing Admin Consent. In case you want to recall your Admin Consent, you can always use the Azure AD portal to revoke any consent.
Should all Administrators do this?
If you are a larger organization you might find it annoying that all users have to individually consent to the App accessing the user's data for each data resource in Office 365. Accepting Admin Consent also has an economic aspect as you will save the organization quite some time if you add up the few minutes each user can save by having the resources they need pre-consented. So basically the larger your organization the more value doing an Admin Consent will bring. But we would recommend doing this in all sizes of organizations as it just makes users more productive.
How do Administrators provide Admin Consent?
There are two options to provide consent, when installing the LMS365 (Modern) from the AppSource portal you will be asked to provide consent during the installation as well as when first using the Course Catalog. If you are accepting Admin Consent on an existing Classic Add-in Installation you can visit https://lms.365.systems and you will be asked to accept consent.
As an Administrator, I might not want to consent to all scopes?
Although we understand that in your organization you might not want to accept Admin Consent, and in particular the consent: 'Have full control of all site collections', the current Microsoft Azure AD architecture for providing Admin Consent is restricted to one single consent flow, meaning that we as the developers of the App can only offer one Admin Consent flow for all customers. But please note, the consent is 'Delegated' meaning that the user who is using LMS365 cannot access data or manage SharePoint any more than he or she already can in SharePoint directly. In other words, although the consent states 'Have full control' it is no more than the control the user already has.
We are actively working with Microsoft on being able to improve this scenario and be able to use a finer, more tuned scope and not being forced to consent to all as it stands today.
Managing Consent in Azure
Visit https://portal.azure.com > 'Enterprise Application' to verify what permissions have already been granted for the LMS365 App. This is also where you can revoke the permissions for the LMS365 App.