Is it possible to grant access to a jira-user with the ability to read the whole administration area (users, groups, permission schemes), but disable write permissions?
No, but you can have JIRA Administrators (which have less permission than a JIRA System Administrator). More details here.
I'm setting up permissions for a new app I registered and saw this blurb:
These are the permissions that this application requests statically. You may also request user consent-able permissions dynamically through code.
Can an app dynamically request more permissions than what is given statically?
The concern is that this app is developed by a third-party service provider and we don't wish the app to request more permissions that what is listed. Yes, we understand the user has to consent. We know a good portion of users will just accept without reading and/or understanding what is being requested. We wish to restrict the permissions the app can request.
With Azure AD V2, you are not able to restrict the permissions. But users will be asked to consent if new permissions are required, and if the permission requires admin consent, then only the admin can consent. So, basically that will not be a big problem.
At the same time, you can always check the granted permissions in Azure Portal. Click: Azure Active Directory -> Enterprise applications -> Search with app name, and you will find the application. You will be able to check the granted permission and the operators.
My organization has an institutional e-mail account in Outlook 365.
There is a small number of users who are responsible for managing that mailbox, reading, answering, forwarding and sending messages from that account.
I am writing a web application (PHP) to automate some messaging operations, so I implemented access to that account using Microsoft Graph. But this requires logging in using that account's credentials, and I wouldn't like to share the account's password (which I have) with those users.
Is it possible to grant permission to those users' accounts so MS Graph will allow them to read/write/send messages from that account once they have logged in? If so, how would it be done?
If this post lacks some relevant information I'm not remembering now, please comment and I'll edit to add it.
Thank you very much.
You could use admin consent for that purpose. An administrator can grant access for the entire tenant, and users will not be prompted for consent afterwards.
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#requesting-consent-for-an-entire-tenant
I want to add Device.Read and Device.Command permissions to Graph Explorer. When I open the permissions and add them I'm told I need admin approval, although these specific permissions do not require approval. I want to add these permissions without taking away existing admin approvals. How do I do this?
I have created an app in https://apps.dev.microsoft.com portal with name GroupsApp and I have given couple of permissions as below:
I have created client id and secret to use in my application. I am using asp.net MVC (with 4.5.1 .net framework) web application.
I am getting some groups info and displaying on the screen. If I am logged with my account it is working fine. But if I logged in as another user then it is giving me issue as below:
I have formatted the URL as below: https://login.microsoftonline.com/948894dc-c0e2-43e5-a7e6-1d21dd183c9d/oauth2/authorize?client_id=75acb700-e675-4dc4-9deb-d3f68f6911a1&response_type=code&redirect_uri=http://localhost:34280&prompt=admin_consent and am trying to grant the permission. Here I have logged in as admin and given permissions.
Now if I check with normal user same issue is happening.
How should I give the permissions to this application.
I am not able to find any option to approve the permissions from the Azure portal.
I could encounter the same issue according to your settings. I assumed that you may hit the Admin-restricted scopes of AAD v2.0 as follows:
Some high-privilege permissions in the Microsoft ecosystem can be set to admin-restricted. Examples of these kinds of scopes include the following permissions:
Read an organization's directory data by using Directory.Read
Write data to an organization's directory by using Directory.ReadWrite
Read security groups in an organization's directory by using Groups.Read.All
Although a consumer user might grant an application access to this kind of data, organizational users are restricted from granting access to the same set of sensitive company data. If your application requests access to one of these permissions from an organizational user, the user receives an error message that says they are not authorized to consent to your app's permissions.
You could use the admin consent endpoint and follow the "Build an app with admin restricted scopes using the v2.0 endpoint" GitHub code sample to ensure your app can gather permissions for all users in a tenant, including admin-restricted scopes.
What is the minimum set of permissions required in an AAD app to access the Graph API checkMemberGroups?
Here is the list of permissions I tried with. Can this set be reduced any further? And am I missing any mandatory permissions?
Delegated Permissions -
Microsoft Graph API
Read all users' full profiles
Read all groups
Access directory as the signed in user
Sign in and read user profile
Windows Azure Active Directory
Read all users' full profiles
Read all groups
Access directory as the signed in user
Sign in and read user profile
If you were developing checkMemberGroups with Microsoft Graph, there is no need to configure the corresponding permissions for Windows Azure Active Directory.
And to call this API, if you have granted User.Read.All, there is no need to grant the other three permissions. As the document mentions, only one of the scopes is required.
It depends on the type of data you want to get from Graph. If you just want to sign in the end user and get their basic profile info, you can simply set Sign in and read user profile.
Each scope relates to some data or endpoint you want to access. Figure out that list of data your scenario requires, then compare that with the scopes.
After some experimentation, it seems that the minimum permissions are the following:
/me/checkMemberGroups
User.Read
GroupMember.Read.All
/users/{userId}/checkMemberGroups
User.ReadBasic.All
GroupMember.Read.All
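A small way to verify that finding in practice, added here as an example and not part of any answer above: decode the payload of a delegated Graph access token locally and compare its `scp` claim against the minimal scopes listed for each checkMemberGroups endpoint, reporting both missing scopes (the call would fail) and excess scopes (more privilege than the call needs). The REQUIRED_SCOPES table is taken from the answer above; `make_unsigned_token` only builds a constructed, unsigned sample token for offline demonstration, and the decoder deliberately does not verify signatures, so it is for inspection only and never a substitute for token validation.

```python
import base64
import json
import re

# Minimal delegated Graph scopes per endpoint, as listed in the answer above.
REQUIRED_SCOPES = {
    "/me/checkMemberGroups": {"User.Read", "GroupMember.Read.All"},
    "/users/{userId}/checkMemberGroups": {"User.ReadBasic.All", "GroupMember.Read.All"},
}


def normalize_endpoint(path: str) -> str:
    """Map a concrete request path to the template used in REQUIRED_SCOPES."""
    if path == "/me/checkMemberGroups":
        return path
    if re.fullmatch(r"/users/[^/]+/checkMemberGroups", path):
        return "/users/{userId}/checkMemberGroups"
    raise ValueError(f"no scope requirements known for {path}")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWS WITHOUT verifying its signature.
    Fine for local inspection of what was granted; never use this to authorize."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def granted_scopes(token: str) -> set:
    """Delegated scopes live in the space-separated 'scp' claim."""
    return set(decode_jwt_payload(token).get("scp", "").split())


def missing_scopes(token: str, path: str) -> set:
    """Scopes the endpoint needs that the token does not carry."""
    return REQUIRED_SCOPES[normalize_endpoint(path)] - granted_scopes(token)


def excess_scopes(token: str, path: str) -> set:
    """Scopes carried beyond the minimum for this endpoint (least-privilege check)."""
    return granted_scopes(token) - REQUIRED_SCOPES[normalize_endpoint(path)]


def make_unsigned_token(claims: dict) -> str:
    """Build a CONSTRUCTED sample token (alg 'none', empty signature) for offline tests.
    Real Graph tokens are signed; this exists only so the checks above can run here."""
    header = {"alg": "none", "typ": "JWT"}
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed sample: the minimal set from the answer, plus one broad scope.
    sample = make_unsigned_token({"scp": "User.Read GroupMember.Read.All Directory.AccessAsUser.All"})
    for path in ("/me/checkMemberGroups", "/users/00000000-0000-0000-0000-000000000000/checkMemberGroups"):
        print(path, "missing:", missing_scopes(sample, path), "excess:", excess_scopes(sample, path))
```

Run it against a real delegated token copied from your own app's sign-in flow to see which of the consented scopes actually matter for the call you make; anything reported as excess is a candidate for removal from the app registration.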