Data Access (Application and Delegated permissions)

To work properly, the LMS365 app requires access to users' data. The LMS365 app will request permission to access this data. Consent is granted by admins or by non-admin users, depending on the consent type required.

The LMS365 app uses two consent types: Admin consent and Dynamic user consent.

  • For Admin consent, a Microsoft 365 global administrator is asked to approve the Application permissions and a set of the Delegated permissions on behalf of all users in the organization. This type of consent is given during LMS365 installation. The list of Admin consent permissions can be found below, in the Admin consent permissions section.
  • For Dynamic user consent, a Microsoft 365 global administrator is asked to approve the set of permissions on behalf of a single user. These permissions are requested dynamically during the configuration of the email account for notifications. Therefore, the email of a non-admin user must be specified during the configuration of the email account. For example, we request Calendar.FullControl so that LMS365 has that permission for the calendar of the user once the user consents to it. The list of Dynamic user consent permissions can be found below, in the Dynamic user consent permissions section.

TIP

Dynamic user consent can be performed using Microsoft Graph PowerShell. This can be helpful, for example, when user consent is disabled or restricted by the organization's policies. It also applies where an organization's security policy allows user consent to be granted only by a single, specifically designated user account. For detailed information, please see Microsoft's documentation.

The permissions used by LMS365 are Application and Delegated:

  • The Application permissions are used by the app to run without a signed-in user present, for example, as background services. Only a Microsoft 365 global administrator can consent to Application permissions.
  • The Delegated permissions are used by the app to run with a signed-in user present. The app is delegated the permission to act as the signed-in user when it makes calls to the target resource. In this case, either user or administrator consent is required for the permissions that the app requests.

Data access does not enable an ELEARNINGFORCE employee to access your data.

The LMS365 app uses the same authentication infrastructure used by Microsoft 365. Your data is protected by the Microsoft 365 security framework, including multi-factor authentication. The actual sign-in screen is provided and hosted by Microsoft. The LMS365 sign-in process displays identical sign-in screens, and the flow is the same as if you were to sign in to Microsoft 365.

In other words, users can access data within LMS365 based on their existing access rights in Office 365, and can't access data of another user via LMS365. This means that the scope list in the next section will not allow users to see more data than what they are allowed to see in Microsoft 365. For instance, the SharePoint Sites.Read.All scope will allow users to see only the SharePoint data they have access to in SharePoint. It will not allow users to see all data in all sites in SharePoint because the data remains governed by SharePoint.

Regardless of the user interface (the screens provided by SharePoint or the screens provided by the LMS365 app), users will be able to access only the data they have access to within SharePoint. SharePoint is governed by the Microsoft 365 sign-in infrastructure so the data can't be accessed by users other than those who have access to your Microsoft 365 tenant.

The LMS365 app uses access scopes provided by the data providers. Below, you can find the scopes list LMS365 may use.


Admin consent permissions

Application permissions

The Users page in the LMS365 Admin Center is where the detailed information on each user of the current course catalog is presented and managed. To provide this level of detail, LMS365 regularly checks Microsoft Graph and synchronizes this data with the LMS365 application. 

To read Microsoft Graph, LMS365 uses the following Application scoped permissions:

  • Read all group memberships (claim value=GroupMember.Read.All) — allows the LMS365 app to expand Azure Active Directory group members and Office 365 groups, which is necessary to enroll group(s) of users in trainings. 
  • Read all directory RBAC (Role-Based Access Control) settings (claim value=RoleManagement.Read.Directory) — the LMS365 app needs to be able to read the roles a user has and find out whether they are a Microsoft 365 global administrator and/or a SharePoint administrator. Processes such as installation of LMS365 and assigning LMS365 administrators can be performed only by a Microsoft 365 global administrator. This permission also allows the LMS365 app to get the SharePoint domain during tenant provisioning; the domain is used for URL construction.
  • Read all users' full profile (claim value=User.Read.All) — LMS365 synchronizes Account Name, Display Name, Email, Department, Job Title, Office, Country, City, Manager ID/Email. This permission allows the LMS365 app to read the full user profile, to define users' managers in order to build the hierarchy reports, to search and filter users' data on the Users page.

Delegated permissions

  • Read all users' full profile (claim value=User.Read.All) — allows the LMS365 app to read the full profile of currently logged-in users.
  • Sign in and read user profile (claim value=User.Read) — allows users to sign in to the LMS365 app using the customer’s Azure Active Directory. It also allows the app to read the profile and basic company information of the signed-in user.
  • Have full control of all site collections (claim value=AllSites.FullControl) — allows significantly improved tenant provisioning. The global app catalog is used to automate the upload of SPFX and the LMS365 add-in during the LMS365 tenant provisioning. This permission allows Microsoft 365 global administrators to create LMS365 course catalogs and the underlying SharePoint site collection from the Global Settings area of the LMS365 Admin Center.
  • Invite guest users to the organization (claim value=User.Invite.All) — allows the LMS365 app to invite external users on behalf of the current logged-in user and is needed to allow a course catalog administrator to invite guest users to a course catalog.

    IMPORTANT

    This only works within the LMS365 application when Azure Active Directory external collaboration is enabled by the Microsoft 365 global administrator. Follow these steps to configure external collaboration settings:

    SharePoint tenant external sharing settings and site collection external sharing settings are enabled on the site collection hosting the LMS365 catalog.


Dynamic user consent permissions

Delegated Permissions

  • Send mail as a user using SMTP AUTH (claim value=SMTP.Send) — allows the LMS365 app to send notification emails. Permission for this is requested dynamically during the configuration of the email account for notification. The permission is requested for a single user and should be accepted by a common, non-admin user.
  • Access mailboxes as the signed-in user via Exchange Web Services (claim value=EWS.AccessAsUser.All) — allows the LMS365 app to read room lists and rooms. Permission for this is requested dynamically during the configuration of the email account for notification. The permission is requested for a single user and should be accepted by a common, non-admin user.
  • Send mail as a user (claim value=Mail.Send) — allows the LMS365 app to send notification emails. Permission for this is requested dynamically during the configuration of the email account for notification. The permission is requested for a single user and should be accepted by a common, non-admin user.
  • Read and create users' online meetings (claim value=OnlineMeetings.ReadWrite) — allows the LMS365 app to create, read, update, and delete online meeting events. Permission for this is requested dynamically during the configuration of the email account for notification. The permission is requested for a single user and should be accepted by a common, non-admin user.
  • Have full access to user calendars (claim value=Calendars.ReadWrite) — allows the LMS365 app to create, read, update, and delete training events in the connected user's calendar. Permission for this is requested dynamically during the configuration of the email account for notification. The permission is requested for a single user and should be accepted by a common, non-admin user.
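The TIP above says Dynamic user consent can be performed with Microsoft Graph PowerShell, and the list just given names the delegated scopes involved. The following added script (not LMS365's own tooling, and not from Microsoft's documentation) shows how an administrator would grant exactly those scopes to a single notification account and then verify that nothing broader was granted. The service principal display name "LMS365" and the user address notifications@contoso.example are assumptions; the two resource appIds are the well-known Microsoft Graph and Office 365 Exchange Online identifiers.

```powershell
# Added example: grant the Dynamic user consent delegated scopes to ONE user
# with Microsoft Graph PowerShell and verify the result. Not an LMS365 script.

# Sign in with an account allowed to create delegated permission grants.
Connect-MgGraph -Scopes "Application.Read.All", "DelegatedPermissionGrant.ReadWrite.All", "User.Read.All"

# ASSUMPTION: the LMS365 service principal display name in your tenant; adjust as needed.
$clientApp = Get-MgServicePrincipal -Filter "displayName eq 'LMS365'"
if (-not $clientApp) { throw "LMS365 service principal not found in this tenant" }

# Resource service principals (well-known appIds).
$graphApp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"   # Microsoft Graph
$exoApp   = Get-MgServicePrincipal -Filter "appId eq '00000002-0000-0ff1-ce00-000000000000'"   # Office 365 Exchange Online

# CONSTRUCTED sample value: the non-admin account chosen when configuring
# the email account for notifications.
$user = Get-MgUser -UserId "notifications@contoso.example"

# Mail.Send, Calendars.ReadWrite and OnlineMeetings.ReadWrite are Microsoft Graph scopes.
# ConsentType 'Principal' restricts the grant to this single user ('AllPrincipals'
# would grant on behalf of everyone, which is Admin consent, not Dynamic user consent).
New-MgOauth2PermissionGrant -ClientId $clientApp.Id -ConsentType "Principal" `
    -PrincipalId $user.Id -ResourceId $graphApp.Id `
    -Scope "Mail.Send Calendars.ReadWrite OnlineMeetings.ReadWrite" | Out-Null

# SMTP.Send and EWS.AccessAsUser.All are exposed by the Exchange Online resource,
# not by Microsoft Graph, so they need a separate grant against that resource.
New-MgOauth2PermissionGrant -ClientId $clientApp.Id -ConsentType "Principal" `
    -PrincipalId $user.Id -ResourceId $exoApp.Id `
    -Scope "SMTP.Send EWS.AccessAsUser.All" | Out-Null

# Verify: list every delegated grant this app holds for this user, per resource,
# so an administrator can confirm only the intended scopes were granted.
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($clientApp.Id)' and principalId eq '$($user.Id)'"
foreach ($g in $grants) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId
    "{0}: {1}" -f $resource.DisplayName, $g.Scope
}
```

Re-running the verification query later is a cheap way to detect scope drift on the notification account, since any additional delegated scope granted to the app for that user will appear in the output.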

Microsoft's overview of LMS365 data access using Microsoft Graph can be found in Microsoft's documentation.
