EIOBoard calls the Microsoft Graph API to retrieve information about users in your organization. You must grant consent for the following set of permissions.
Note that some permissions appear twice, once as Delegated and once as Application. EIOBoard uses Application-level permissions to get user and group information when syncing users. The Delegated permissions are used to validate a user when they sign in with Microsoft Authentication for Single Sign On.
As an Administrator, you can grant permission on behalf of your organization. If any of these permissions change, you will be notified and required to grant permission again.
You can view these permissions from the Azure AD portal after giving consent. To do so, log into your Azure AD portal as an admin and navigate to Enterprise Applications:
EIOBoard will be listed:
Select it and then select Permissions:
If there are issues, you may need to provide admin consent again. You can do so by clicking “Grant admin consent for <your org>”.
You can revoke these permissions by navigating to the Application’s Properties and Deleting the Application.
Doing so will cause the integration to stop functioning, however, and may cause problems. The integration may need to be re-added in EIOBoard to restore functionality.
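The review of granted permissions described above can also be scripted. The following is an added example, not EIOBoard's own code: it separates Application from Delegated grants and compares them with an expected list. The permission names in `EXPECTED`, the placeholder GUIDs and the sample responses are assumptions constructed for illustration.

```python
# Sample data is constructed. In a tenant it would come from Microsoft Graph:
#   GET /servicePrincipals/{id}/appRoleAssignments          (Application)
#   GET /oauth2PermissionGrants?$filter=clientId eq '{id}'  (Delegated)
#   GET /servicePrincipals/{resourceId}?$select=appRoles    (role id -> name)

# Assumed allow-list: replace with the permissions shown on the consent screen.
EXPECTED = {
    "Application": {"User.Read.All", "Group.Read.All"},
    "Delegated": {"User.Read", "openid"},
}

# Constructed sample responses (GUIDs are placeholders, not real role ids).
RESOURCE_APP_ROLES = [
    {"id": "00000000-0000-0000-0000-0000000000a1", "value": "User.Read.All"},
    {"id": "00000000-0000-0000-0000-0000000000a2", "value": "Group.Read.All"},
    {"id": "00000000-0000-0000-0000-0000000000a3", "value": "Mail.Read"},
]
APP_ROLE_ASSIGNMENTS = [
    {"appRoleId": "00000000-0000-0000-0000-0000000000a1"},
    {"appRoleId": "00000000-0000-0000-0000-0000000000a3"},
]
OAUTH2_GRANTS = [{"consentType": "AllPrincipals", "scope": "User.Read openid"}]


def granted_permissions(app_roles, assignments, grants):
    """Return the permission names granted, split by Application and Delegated."""
    names = {r["id"]: r["value"] for r in app_roles}
    # Application grants carry only a role GUID; resolve it via the resource's appRoles.
    application = {names.get(a["appRoleId"], "unknown:" + a["appRoleId"])
                   for a in assignments}
    delegated = set()
    for g in grants:
        # Delegated grants list scopes as one space-separated string.
        delegated.update((g.get("scope") or "").split())
    return {"Application": application, "Delegated": delegated}


def audit(granted, expected):
    """Report permissions granted beyond, or missing from, the expected list."""
    return {
        kind: {"unexpected": sorted(granted[kind] - expected[kind]),
               "missing": sorted(expected[kind] - granted[kind])}
        for kind in ("Application", "Delegated")
    }


if __name__ == "__main__":
    g = granted_permissions(RESOURCE_APP_ROLES, APP_ROLE_ASSIGNMENTS, OAUTH2_GRANTS)
    for kind, diff in audit(g, EXPECTED).items():
        print(kind, diff)
```

An `unexpected` entry under Application deserves the closest look, because application permissions apply without a signed-in user.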
API Calls That Are Made
You can try these API calls yourself using the Microsoft Graph Explorer:
- This is the Microsoft OAuth 2.0 endpoint.
- It is used to log users and admins into their Microsoft accounts.
- This is used for Single Sign On, after a user has logged in with their Microsoft credentials. It matches the user’s ID in EIOBoard to make sure the user has been synchronized with EIOBoard.
- The result of this API call looks like this:
- This retrieves the list of Groups in your organization.
- This gets the members of a Group.
- These are used to get the user’s profile picture when syncing users, if the Sync User Photos option is turned on.