
What Security Permissions Does the EIOBoard Azure Active Directory Integration Require?

EIOBoard calls the Microsoft Graph API to retrieve information about users in your organization. You must grant consent for the following set of permissions.

Security Permissions Required By EIOBoard Azure AD Integration

 

Note that some permissions appear twice, once as Delegated and once as Application. EIOBoard uses the Application-level permissions to get user and group information when syncing users. The Delegated permissions are used to validate a user when they sign in with Microsoft Authentication for Single Sign On.

As an Administrator, you can grant permission on behalf of your organization. If any of these permissions change, you will be notified and required to grant permission again.

Where to Find the EIOBoard App Permissions within Azure

You can view these permissions from the Azure AD portal after giving consent. To do so, log in to your Azure AD portal as an admin and navigate to Enterprise Applications.

EIOBoard will be listed:

EIOBoard's Azure Integration Listing

Select it and then select Permissions:

Permissions Granted to EIOBoard by Azure

If there are issues, you may need to provide admin consent again. You can do so by clicking “Grant admin consent for <your org>”.

You can revoke these permissions by navigating to the application’s Properties and deleting the application.

Azure's EIOBoard Integration Properties Page

Doing so will cause the integration to stop functioning, however, and may cause problems. The integration may need to be re-added in EIOBoard to restore functionality.
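The permissions shown on that page can also be read through Microsoft Graph and compared with the list you consented to. The following is an added example, not EIOBoard's or Microsoft's code: it takes JSON in the shape Graph returns for a service principal's app role assignments (Application) and OAuth2 permission grants (Delegated) and reports any difference from a baseline. The GUIDs, the baseline and the sample grants are constructed for illustration and are not EIOBoard's actual permission list.

```python
"""Audit the permissions granted to an enterprise application (added example).

Inputs are JSON bodies in the shape Microsoft Graph v1.0 returns for:
  GET /servicePrincipals/{id}/appRoleAssignments         -> Application permissions
  GET /oauth2PermissionGrants?$filter=clientId eq '{id}' -> Delegated permissions
  GET /servicePrincipals/{resourceId}?$select=appRoles   -> appRoleId-to-name lookup
"""

def granted_permissions(app_role_assignments, oauth2_grants, resource_sp):
    """Return the granted permission names, split by permission type."""
    names = {r["id"]: r["value"] for r in resource_sp["appRoles"]}
    # An appRoleId with no match in the lookup is reported as the raw id.
    application = {names.get(a["appRoleId"], a["appRoleId"])
                   for a in app_role_assignments["value"]}
    delegated = set()
    for grant in oauth2_grants["value"]:
        # "scope" is one space-separated string per grant.
        delegated.update((grant.get("scope") or "").split())
    return {"Application": application, "Delegated": delegated}

def drift(granted, baseline):
    """List permissions granted beyond the baseline, and baseline ones not granted."""
    return {kind: {"unexpected": sorted(granted[kind] - baseline[kind]),
                   "missing": sorted(baseline[kind] - granted[kind])}
            for kind in ("Application", "Delegated")}

# Constructed sample data: the GUIDs are dummies and the baseline is illustrative.
# Replace BASELINE with the list shown on your own consent prompt.
BASELINE = {"Application": {"User.Read.All", "Group.Read.All"},
            "Delegated": {"User.Read"}}
RESOURCE_SP = {"appRoles": [
    {"id": "00000000-0000-0000-0000-000000000001", "value": "User.Read.All"},
    {"id": "00000000-0000-0000-0000-000000000002", "value": "Group.Read.All"},
    {"id": "00000000-0000-0000-0000-000000000003", "value": "Mail.Read"},
]}
APP_ROLE_ASSIGNMENTS = {"value": [
    {"appRoleId": "00000000-0000-0000-0000-000000000001"},
    {"appRoleId": "00000000-0000-0000-0000-000000000003"},
]}
OAUTH2_GRANTS = {"value": [{"consentType": "AllPrincipals", "scope": " User.Read"}]}

if __name__ == "__main__":
    granted = granted_permissions(APP_ROLE_ASSIGNMENTS, OAUTH2_GRANTS, RESOURCE_SP)
    for kind, result in drift(granted, BASELINE).items():
        print(kind, result)
```

Any entry under "unexpected" is a grant that goes beyond the list you approved and is worth reviewing before consenting again.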

API Calls That Are Made

You can try these API calls yourself using the Microsoft Graph Explorer:

https://developer.microsoft.com/en-us/graph/graph-explorer

  • https://login.microsoftonline.com/organizations/v2.0
  • https://graph.microsoft.com/v1.0/me
    • This is used for Single Sign On, after a user has logged in with their Microsoft credentials. The result is matched against the user’s ID in EIOBoard to make sure the user has been synchronized with EIOBoard.
    • The result of this API call looks like this:
      Graph API Call Made for SSO
  • https://graph.microsoft.com/v1.0/groups?$select=id,displayName
    • This retrieves the list of Groups in your organization.
  • https://graph.microsoft.com/v1.0/groups/{groupId}/members{filter}
    • This gets the members of a Group.
  • https://graph.microsoft.com/v1.0/users/{userId}/photo/$value
  • https://graph.microsoft.com/v1.0/users/{userId}/photos/{size}x{size}/$value
    • These are used to get the user’s profile picture when syncing users, if the Sync User Photos option is turned on.