Are requested Azure AD permissions required for use for SSO on a third-party service?

Marcus Tägtström 41 Reputation points
2020-10-19T06:50:33.08+00:00

Hello,

My customer has signed up for a new service, and the new service provider wants my customer to use their current Microsoft accounts to log in (SSO) to their service.

All my customer needs to do to activate SSO from M365 for the new service is to log in to the service provider's web page and accept the requested Microsoft Azure permissions with a Microsoft 365 admin account, and that should be it.

When I log in on behalf of my customer to the service provider's web page, I receive quite a long list of requested permissions.
I wonder if everything requested is actually needed for the simple task of using Azure AD for SSO for the new service?

These are the requested permissions:

Access the directory as you
Allows the app to have the same access to information in your work or school directory as you do.

Read directory data
Allows the app to read data in your organization's directory.

Read all groups
Allows the app to list groups, and to read their properties and all group memberships on your behalf. Also allows the app to read calendar, conversations, files, and other group content for all groups you can access.

Read directory RBAC settings
Allows the app to read the role-based access control (RBAC) settings for your company's directory, on your behalf. This includes reading directory role templates, directory roles and memberships.

Sign you in and read your profile
Allows you to sign in to the app with your organizational account and let the app read your profile. It also allows the app to read basic company information.

Sincerely
Marcus


Accepted answer
    AmanpreetSingh-MSFT 56,506 Reputation points
    2020-10-19T08:11:34.293+00:00

    Hello @Marcus Tägtström · Welcome to Q&A Platform and thanks for your query.

    If you just want to sign in to the application, only the "Sign you in and read your profile" permission is required. However, to perform subsequent tasks the application may need additional permissions based on what the application is designed to do.

    For example, if the application is designed to display the free/busy schedules of users, it must have at least the Calendar.Read permission. Now, this can be achieved with the Directory.Read (Read directory data) permission as well, but that is not a good practice, as it will allow the application to read a lot more information on behalf of the signed-in user than what is required. You should always grant the minimum required permissions to the application.

    I would suggest you check with the service provider why the permissions below are required, as these are very broad permissions and must be carefully reviewed.

    • Access the directory as you
    • Read directory data
    • Read all groups

    If the same task/tasks can be performed with more specific permissions, the service provider must configure the application to request those permissions.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

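As an added example (not part of the question or the answer above), the following script shows how a tenant admin can apply the least-privilege review the answer describes to a consent grant. It assumes the Microsoft Graph delegated scope names behind the consent-dialog headings the question lists (Directory.AccessAsUser.All, Directory.Read.All, Group.Read.All, RoleManagement.Read.Directory, User.Read), a constructed oauth2PermissionGrant record in the shape Graph returns from GET /oauth2PermissionGrants, and placeholder GUIDs.

```python
import json

# Delegated Microsoft Graph scopes behind the consent-dialog headings in the
# question (mapping taken from the Graph permission reference, not from the page).
CONSENT_TEXT_TO_SCOPE = {
    "Access the directory as you": "Directory.AccessAsUser.All",
    "Read directory data": "Directory.Read.All",
    "Read all groups": "Group.Read.All",
    "Read directory RBAC settings": "RoleManagement.Read.Directory",
    "Sign you in and read your profile": "User.Read",
}

# Everything a plain sign-in needs; anything else must be justified by a feature.
SIGN_IN_SCOPES = {"openid", "profile", "email", "offline_access", "User.Read"}

# Scopes broad enough that the provider should explain why the app needs them.
BROAD_SCOPES = {
    "Directory.AccessAsUser.All", "Directory.Read.All", "Directory.ReadWrite.All",
    "Group.Read.All", "Group.ReadWrite.All", "RoleManagement.Read.Directory",
}

# Constructed grant record (GUIDs are placeholders, not real tenant values).
SAMPLE_GRANT = json.loads("""{
  "clientId": "00000000-0000-0000-0000-00000000c11e",
  "consentType": "AllPrincipals",
  "principalId": null,
  "resourceId": "00000000-0000-0000-0000-0000000000ad",
  "scope": "Directory.AccessAsUser.All Directory.Read.All Group.Read.All RoleManagement.Read.Directory User.Read"
}""")


def review_grant(grant):
    """Split the space-separated scope string and sort each scope into a bucket.
    consentType AllPrincipals means an admin consented for the whole tenant."""
    report = {"sign_in": [], "broad": [], "other": [],
              "tenant_wide": grant.get("consentType") == "AllPrincipals"}
    for scope in grant.get("scope", "").split():
        bucket = ("sign_in" if scope in SIGN_IN_SCOPES
                  else "broad" if scope in BROAD_SCOPES else "other")
        report[bucket].append(scope)
    return report


def scopes_from_consent_dialog(headings):
    """Translate pasted consent-dialog headings into the scope names behind them."""
    return [CONSENT_TEXT_TO_SCOPE[h] for h in headings if h in CONSENT_TEXT_TO_SCOPE]


if __name__ == "__main__":
    r = review_grant(SAMPLE_GRANT)
    print("tenant-wide admin consent:", r["tenant_wide"])
    print("needed for sign-in only  :", r["sign_in"])
    print("broad, ask the provider  :", r["broad"])
```

Run against a real tenant, the same function can be fed each record from GET /oauth2PermissionGrants to list which consented apps hold scopes beyond sign-in.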
