
Permissions for App Authorization

Overview

The LMS365 Azure application requires permissions to the following Microsoft APIs:

  • Office 365 SharePoint Online
  • Microsoft Graph
  • Windows Azure Active Directory

The required permissions are divided into two groups:

  • Application Permissions – what the LMS365 application is allowed to do within the customer’s tenant without a signed-in user
  • Delegated Permissions – what the LMS365 application is allowed to do within the customer’s tenant on behalf of the signed-in user

Office 365 SharePoint Online

Application Permissions

| Permission | The reason it is required |
| --- | --- |
| Have full control of all site collections | Required to create courses and manage permissions within LMS365 courses. An LMS365 course is a SharePoint site, so to keep integrity and consistency we synchronize LMS365 and SharePoint. Only LMS365 sites are affected. |

Note: The LMS365 application only operates in the Site Collection(s) it is installed in.

Delegated Permissions

| Permission | The reason it is required |
| --- | --- |
| Read user files | Allows signed-in users to read the documents used in the Learning Modules. |
| Have full control of all site collections | Required to allow the Administrator(s) to create Course Catalog site(s). (Communication sites cannot be created under an app access token.) |
| Read and write items and lists in all site collections | Required to upload documents in the Learning Module Builder. |

Note: The LMS365 application only operates in the Site Collection(s) it is installed in.

Microsoft Graph

Application Permissions

| Permission | The reason it is required |
| --- | --- |
| Read all users' full profiles | Required for synchronization of users’ profiles, to show actual data in the Learner list. Also required to identify whether the current user is a global administrator. |
| Read directory data | Required to read Azure AD group membership during synchronization of LMS365 permissions. |


Delegated Permissions

| Permission | The reason it is required |
| --- | --- |
| Read all users’ basic profiles | Required to read the profile of the current signed-in user. |
| Read all users’ full profiles | Required to read the profile of the current signed-in user, such as Email, First Name, Last Name, etc. |
| Read directory data | Required to read the group membership and the current user's Azure role (and determine whether the user is a tenant admin). |


Windows Azure Active Directory

Delegated Permissions

| Permission | The reason it is required |
| --- | --- |
| Sign-in and read user profile | Required to successfully sign in to LMS365 using the customer’s Azure AD. |
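One way to check that the consent actually granted in a tenant matches the permission tables above is shown below. This is an added example, not LMS365 or Microsoft code. It assumes the permission identifiers mapped to the display names on this page, simplified record shapes modelled on Graph app role assignments and OAuth2 permission grants, and constructed sample data with placeholder ids.

```python
# Added example (not LMS365 code): audit granted consent against this page's list.
# ASSUMPTION: these identifiers correspond to the display names above; verify in your tenant.
BASELINE = {
    ("Office 365 SharePoint Online", "Application"): {"Sites.FullControl.All"},
    ("Office 365 SharePoint Online", "Delegated"):
        {"MyFiles.Read", "AllSites.FullControl", "AllSites.Manage"},
    ("Microsoft Graph", "Application"): {"User.Read.All", "Directory.Read.All"},
    ("Microsoft Graph", "Delegated"): {"User.ReadBasic.All", "User.Read.All", "Directory.Read.All"},
    ("Windows Azure Active Directory", "Delegated"): {"User.Read"},
}

def granted_permissions(resources, app_role_assignments, oauth2_grants):
    """Normalise Graph-style records to {(resource name, kind): {values}}."""
    granted = {}
    for a in app_role_assignments:  # application permissions reference an appRoleId
        res = resources[a["resourceId"]]
        roles = {r["id"]: r["value"] for r in res["appRoles"]}
        value = roles.get(a["appRoleId"], "unresolved:" + a["appRoleId"])
        granted.setdefault((res["displayName"], "Application"), set()).add(value)
    for g in oauth2_grants:  # delegated grants carry a space-separated scope string
        name = resources[g["resourceId"]]["displayName"]
        granted.setdefault((name, "Delegated"), set()).update(g["scope"].split())
    return granted

def audit(granted, baseline=BASELINE):
    """Return (finding, resource, kind, permission) tuples for any drift."""
    findings = []
    for key in sorted(set(granted) | set(baseline)):
        have, want = granted.get(key, set()), baseline.get(key, set())
        findings += [("EXCESS", *key, p) for p in sorted(have - want)]
        findings += [("MISSING", *key, p) for p in sorted(want - have)]
    return findings

# Constructed sample data (ids are placeholders, not real object ids).
RESOURCES = {
    "sp-graph": {"displayName": "Microsoft Graph", "appRoles": [
        {"id": "r1", "value": "User.Read.All"}, {"id": "r2", "value": "Directory.Read.All"},
        {"id": "r3", "value": "Mail.Read"}]},
    "sp-spo": {"displayName": "Office 365 SharePoint Online", "appRoles": [
        {"id": "r4", "value": "Sites.FullControl.All"}]},
    "sp-aad": {"displayName": "Windows Azure Active Directory", "appRoles": []},
}
ASSIGNMENTS = [{"resourceId": "sp-graph", "appRoleId": r} for r in ("r1", "r2", "r3")]
ASSIGNMENTS.append({"resourceId": "sp-spo", "appRoleId": "r4"})
GRANTS = [
    {"resourceId": "sp-graph", "scope": "User.ReadBasic.All User.Read.All Directory.Read.All"},
    {"resourceId": "sp-spo", "scope": "MyFiles.Read AllSites.FullControl"},
    {"resourceId": "sp-aad", "scope": "User.Read"},
]
```

On the constructed sample, `audit(granted_permissions(RESOURCES, ASSIGNMENTS, GRANTS))` reports one application permission beyond the documented list and one documented delegated permission that was not granted.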