Our Microsoft Entra ID Enterprise application can be installed by a Microsoft Entra ID administrator via the following link. During the installation, permissions have to be granted for all users.
The required permissions are:
- User.ReadBasic.All: Allows users to sign in to deskbird and allows deskbird to read the profiles of signed-in users. Note that deskbird has no access to profile data of the users who have never signed in.
- Group.Read.All: Allows deskbird to read all user groups. This is used, for instance, to import user groups in the admin portal or to sync groups when users sign in.
There are four additional standard permissions that are automatically added and don't require admin consent.
- offline_access: Allows deskbird to use refresh tokens to retrieve data via the Microsoft Graph API.
- email, openid, and profile: Automatically added permissions that grant deskbird permissions similar to user.read but with less profile information.
- The permission type is delegated, meaning that deskbird accesses the Graph API as the signed-in user, with access limited to the selected permissions.
Restriction of permission scope via Application Assignment
Companies can limit the permissions of our Microsoft Entra ID Enterprise Application to only specified users and user groups. This can be done by assigning specific users and user groups to a Microsoft Entra ID Enterprise Application.
- Assignment to our application can be made mandatory in the "Properties" settings by changing "Assignment required" to "Yes".
- Afterward, only users added to the "Users and groups" section will have permission to sign in to deskbird with their Microsoft accounts.
- Note: this will not assign selected users and user groups to deskbird. To provision users and user groups, you will need a separate Microsoft Entra ID Application for a "SCIM" synchronization.
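To verify the resulting configuration, the following added example (not deskbird's or Microsoft's code) audits objects exported from Microsoft Graph: the app's `servicePrincipal` record and the tenant's `oauth2PermissionGrants`. It assumes the exports are already loaded as Python dicts; the sample IDs and grants are constructed, and the expected scope set contains only the scopes named on this page.

```python
# Scopes named on this page; extend the set if your consent screen lists more.
EXPECTED_SCOPES = {"User.ReadBasic.All", "Group.Read.All",
                   "offline_access", "email", "openid", "profile"}

def audit(service_principal, grants, expected=EXPECTED_SCOPES):
    """Return findings for one service principal and its delegated grants."""
    findings = []
    # "Assignment required" = Yes in the portal is appRoleAssignmentRequired = true in Graph.
    if not service_principal.get("appRoleAssignmentRequired", False):
        findings.append("assignment-not-required: sign-in is not limited to assigned users and groups")
    expected_lc = {s.lower() for s in expected}
    granted_lc = set()
    for g in grants:
        if g.get("clientId") != service_principal["id"]:
            continue  # grant belongs to a different application
        scopes = (g.get("scope") or "").split()  # Graph stores scopes space-separated
        granted_lc |= {s.lower() for s in scopes}
        # AllPrincipals = admin consent for the whole tenant; Principal = one user.
        if g.get("consentType") == "AllPrincipals":
            who = "all users"
        else:
            who = f"user {g.get('principalId')}"
        for s in scopes:
            if s.lower() not in expected_lc:
                findings.append(f"unexpected-scope: {s} granted for {who}")
    for s in sorted(expected):
        if s.lower() not in granted_lc:
            findings.append(f"missing-scope: {s}")
    return findings

# Constructed sample data in the shape of Graph responses (IDs are placeholders).
SP_ID = "00000000-0000-0000-0000-0000000000aa"
SAMPLE_SP = {"id": SP_ID, "displayName": "deskbird", "appRoleAssignmentRequired": False}
SAMPLE_GRANTS = [
    {"clientId": SP_ID, "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.ReadBasic.All Group.Read.All offline_access email openid profile"},
    {"clientId": SP_ID, "consentType": "Principal",
     "principalId": "00000000-0000-0000-0000-0000000000bb", "scope": "Mail.Read"},
    {"clientId": "00000000-0000-0000-0000-0000000000cc", "consentType": "AllPrincipals",
     "principalId": None, "scope": "Directory.ReadWrite.All"},
]

if __name__ == "__main__":
    for line in audit(SAMPLE_SP, SAMPLE_GRANTS):
        print(line)
```

An empty result means assignment is required and the delegated grants match the expected set exactly.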