To work properly, the Learn365 app requires access to users' data. The Learn365 app will request permission to access this data. Consent is granted by admins or non-admin users, depending on the consent type required.
The Learn365 app uses the Admin consent and Dynamic user consent consent types.
- For Admin consent, a Microsoft 365 global admin is asked to approve the Application permissions and a set of the Delegated permissions on behalf of all users in the organization. This type of consent is available during Learn365 installation. The list of Admin consent permissions can be found here.
- For Dynamic user consent, a Microsoft 365 global admin is asked to approve the set of permissions on behalf of a single user. These permissions will be requested dynamically during the configuration of the email account for notifications. Therefore, the email address of a non-admin user must be specified during the configuration of the email account. For example, we request Calendar.FullControl so Learn365 will have that permission for the calendar of the user when the user consents to it. The list of Dynamic user consent permissions can be found here.
TIP
Dynamic user consent can be performed using Microsoft Graph PowerShell. This can be helpful, for example, when user consent is disabled or restricted by the organization's policies, or when the organization's security policy allows only a specifically designated user account to grant user consent. For detailed information, see Microsoft’s documentation.
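The following is an added example (not a script from Learn365 or Microsoft) of granting the Dynamic user consent permissions listed on this page to a single user with Microsoft Graph PowerShell, as the tip above describes. It assumes the Microsoft.Graph module is installed, the caller is a Microsoft 365 global admin, and the placeholder values for the Learn365 application ID and the notification mailbox user are replaced with your tenant's own.

```powershell
# Added example: user-scoped consent for the Learn365 notification account.
# Placeholders (assumptions): replace with the Learn365 app's (client) ID as shown
# in Entra ID and with the non-admin user who owns the notification mailbox.
$learn365AppId    = "<LEARN365-APPLICATION-ID>"
$notificationUser = "notifications@contoso.example"

# Well-known first-party resource app IDs; they are the same in every tenant.
$graphAppId    = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph
$exchangeAppId = "00000002-0000-0ff1-ce00-000000000000"  # Office 365 Exchange Online

# The Dynamic user consent scopes from this page, grouped by the resource that defines them.
$graphScopes    = "Mail.Send OnlineMeetings.ReadWrite Calendars.ReadWrite"
$exchangeScopes = "SMTP.Send EWS.AccessAsUser.All"

Connect-MgGraph -Scopes "Application.Read.All","DelegatedPermissionGrant.ReadWrite.All","User.Read.All"

$client = Get-MgServicePrincipal -Filter "appId eq '$learn365AppId'"
$user   = Get-MgUser -UserId $notificationUser

# Check first: review the grants the app already holds so nothing broader is added by mistake.
Get-MgOauth2PermissionGrant -Filter "clientId eq '$($client.Id)'" |
    Select-Object ConsentType, PrincipalId, ResourceId, Scope

function Grant-UserScopedConsent {
    param([string]$ResourceAppId, [string]$Scope)
    $resource = Get-MgServicePrincipal -Filter "appId eq '$ResourceAppId'"
    # ConsentType 'Principal' limits the grant to the one user in PrincipalId.
    # 'AllPrincipals' would turn this into tenant-wide admin consent instead.
    New-MgOauth2PermissionGrant -ClientId $client.Id -ResourceId $resource.Id `
        -ConsentType "Principal" -PrincipalId $user.Id -Scope $Scope
}

Grant-UserScopedConsent -ResourceAppId $graphAppId    -Scope $graphScopes
Grant-UserScopedConsent -ResourceAppId $exchangeAppId -Scope $exchangeScopes

# Verify: only the scopes above, and only for this principal.
Get-MgOauth2PermissionGrant -Filter "clientId eq '$($client.Id)' and principalId eq '$($user.Id)'" |
    Select-Object ResourceId, Scope
```

If a grant for the same client, resource and user already exists, the creation call fails and the existing grant's Scope must be updated instead; the Office 365 Exchange Online service principal must also already exist in the tenant for the second call to succeed.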
The permissions used by Learn365 are Application and Delegated:
- The Application permissions are used by the app to run without a present, signed-in user, for example, to run as background services. Only a Microsoft 365 global admin can consent to Application permissions.
- The Delegated permissions are used by the app to run with a present, signed-in user. The app is delegated the permission to act as the signed-in user when it makes calls to the target resource. In this case, either user or admin consent is required for the permissions that the app requests.
Data access doesn't enable a Zensai/EFI employee to access your data.
The Learn365 app uses the same authentication infrastructure used by Microsoft 365. Your data is protected by the Microsoft 365 security framework, including multi-factor authentication. The actual sign-in screen is provided and hosted by Microsoft. The Learn365 sign-in process displays identical sign-in screens, and the flow is the same as if you were to sign in to Microsoft 365.
In other words, users can access data within Learn365 based on their existing access rights in Office 365, and can't access data of another user via Learn365. This means that the scope list in the next section won't allow users to see more data than what they're allowed to see in Microsoft 365. For instance, the SharePoint Sites.Read.All scope will allow users to see only the SharePoint data they have access to in SharePoint. It won't allow users to see all data in all sites in SharePoint because the data remains governed by SharePoint.
Regardless of the user interface (the screens provided by SharePoint or the screens provided by the Learn365 app), users will be able to access only the data they have access to within SharePoint. SharePoint is governed by the Microsoft 365 sign-in infrastructure so the data can't be accessed by users other than those who have access to your Microsoft 365 tenant.
The Learn365 app uses access scopes provided by the data providers. In the following sections, you'll find the scope list that Learn365 may use.
Admin consent permissions
Application permissions
The Users page in the Learn365 Admin Center is where the detailed information on each user of the current course catalog is presented and managed. To provide this level of detail, Learn365 regularly checks Microsoft Graph and synchronizes this data with the Learn365 application.
To read Microsoft Graph, Learn365 uses the following Application scoped permissions:
- Read all group memberships (claim value=GroupMember.Read.All) — allows the Learn365 app to expand Azure Active Directory group members and Office 365 groups, which is necessary to enroll groups of users in training.
- Read all users' full profile (claim value=User.Read.All) — Learn365 synchronizes Account Name, Display Name, Email, Department, Job Title, Office, Country, City, and Manager ID/Email. This permission allows the Learn365 app to read the full user profile, to identify users' managers so that the hierarchy reports can be built, and to search and filter users' data on the Users page.
Delegated permissions
- Read all users' full profile (claim value=User.Read.All) — allows the Learn365 app to read the full profile of currently logged-in users.
- Sign in and read user profile (claim value=User.Read) — allows users to sign in to the Learn365 app using the customer’s Azure Active Directory. It also allows the app to read the profile and basic company information of the signed-in user.
- Have full control of all site collections (claim value=AllSites.FullControl) — allows significantly improved tenant provisioning. The global app catalog is used to automate the upload of the SPFx package and the Learn365 add-in during Learn365 tenant provisioning. This permission enables a Microsoft 365 global admin to create Learn365 course catalogs and the underlying SharePoint site collection from the Global Settings area of the Learn365 Admin Center. For important information about why this permission is required, see this section.
- Invite guest users to the organization (claim value=User.Invite.All) — allows the Learn365 app to invite external users on behalf of the currently logged-in user and is needed to allow a course catalog admin to invite guest users to a course catalog.
IMPORTANT
This only works within the Learn365 application when Azure Active Directory external collaboration is enabled by the Microsoft 365 global admin. Follow these steps to configure external collaboration settings:
- Enable B2B external collaboration settings — Azure AD | Microsoft Docs
- How to configure external sharing in SharePoint Online
Both the SharePoint tenant external sharing settings and the site collection external sharing settings must be enabled on the site collection hosting the Learn365 catalog.
Create course catalogs and site collections with the Have full control of all site collections permission (AllSites.FullControl)
The Have full control of all site collections delegated permission enables Microsoft 365 global admins to create Learn365 course catalogs and the underlying SharePoint site collection from the Global Settings area of the Learn365 Admin Center.
An application that wants to create site collections in SharePoint needs to have the “full control” permission level for all site collections because this permission level allows the application to perform any action on any object in the site collection, including creating new sites. The “full control” permission level is also required to activate or deactivate features, manage permissions, and access the site collection settings.
Without this permission level, the application might encounter errors or limitations when trying to create site collections. For example, the application might not be able to specify the template, quota, or owner of the new site collection. Therefore, having the “full control” permission level for all site collections ensures that the application can create site collections without any issues.
Currently, the “full control” permission level is the only one that has the capability of creating site collections in SharePoint. Having any lower permission level, such as “contribute”, “read”, or “view only”, won’t enable you to create site collections. To enable Learn365 to create site collections, you’ll need to assign it the “full control” permission level for all site collections.
In this article about delegated access, Microsoft states the following:
"The most important thing to remember about delegated access is that both your client app and the signed-in user need to be properly authorized. Granting a scope isn't enough. If either the client app doesn’t have the right scope, or the user doesn’t have sufficient rights to read or modify the resource, then the call will fail."
Dynamic user consent permissions
Delegated permissions
- Send mail as a user using SMTP AUTH (claim value=SMTP.Send) — allows the Learn365 app to send notification emails. Permission for this is requested dynamically during the configuration of the email account for notification. The permission is requested for a single user and should be accepted by a common, non-admin user.
- Access mailboxes as the signed-in user via Exchange Web Services (claim value=EWS.AccessAsUser.All) — allows the Learn365 app to read room lists and rooms. Permission for this is requested dynamically during the configuration of the email account for notification. The permission is requested for a single user and should be accepted by a common, non-admin user.
- Send mail as a user (claim value=Mail.Send) — allows the Learn365 app to send notification emails. Permission for this is requested dynamically during the configuration of the email account for notification. The permission is requested for a single user and should be accepted by a common, non-admin user.
- Read and create users' online meetings (claim value=OnlineMeetings.ReadWrite) — allows the Learn365 app to create, read, update, and delete online meeting events. Permission for this is requested dynamically during the configuration of the email account for notification. The permission is requested for a single user and should be accepted by a common, non-admin user.
- Have full access to user calendars (claim value=Calendars.ReadWrite) — allows the Learn365 app to create, read, update, and delete training events in the connected user's calendar. Permission for this is requested dynamically during the configuration of the email account for notification. The permission is requested for a single user and should be accepted by a common, non-admin user.