microsoft
/
Microsoft365DSC
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Страница: Permissions
Страницы
AADApplication AADConditionalAccessPolicy AADGroup AADGroupLifecyclePolicy AADGroupsNamingPolicy AADGroupsSettings AADMSGroup AADMSGroupLifecyclePolicy AADNamedLocationPolicy AADPolicy AADRoleDefinition AADServicePrincipal AADTenantDetails AADTokenLifetimePolicy Assessing Automating Breaking Changes Policy Contribute to Microsoft365dsc.com Develop a New Resource EXOAcceptedDomain EXOActiveSyncDeviceAccessRule EXOAddressBookPolicy EXOAddressList EXOAntiPhishPolicy EXOAntiPhishRule EXOApplicationAccessPolicy EXOAtpPolicyForO365 EXOAvailabilityAddressSpace EXOAvailabilityConfig EXOCASMailboxPlan EXOClientAccessRule EXODkimSigningConfig EXOEmailAddressPolicy EXOGlobalAddressList EXOHostedConnectionFilterPolicy EXOHostedContentFilterPolicy EXOHostedContentFilterRule EXOHostedOutboundSpamFilterPolicy EXOHostedOutboundSpamFilterRule EXOInboundConnector EXOIntraOrganizationConnector EXOJournalRule EXOMailTips EXOMailboxSettings EXOMalwareFilterPolicy EXOMalwareFilterRule EXOManagementRole EXOMobileDeviceMailboxPolicy EXOOfflineAddressBook EXOOnPremisesOrganization EXOOrganizationConfig EXOOrganizationRelationship EXOOutboundConnector EXOOwaMailboxPolicy EXOPartnerApplication EXOPolicyTipConfig EXORemoteDomain EXORoleAssignmentPolicy EXOSafeAttachmentPolicy EXOSafeAttachmentRule EXOSafeLinksPolicy EXOSafeLinksRule EXOSharedMailbox EXOSharingPolicy EXOTransportRule Exporting Getting Started Home How to Create a M365DSC Blueprint IntuneAppConfigurationPolicy IntuneAppProtectionPolicyiOS IntuneDeviceCategory IntuneDeviceCompliancePolicyAndroid IntuneDeviceCompliancePolicyAndroidWorkProfile IntuneDeviceCompliancePolicyMacOS IntuneDeviceCompliancePolicyWindows10 IntuneDeviceCompliancePolicyiOs IntuneDeviceConfigurationPolicyAndroidWorkProfile IntuneDeviceConfigurationPolicyWindows IntuneDeviceConfigurationPolicyWindows10 IntuneDeviceConfigurationPolicyiOS IntuneDeviceEnrollmentLimitRestriction IntuneDeviceEnrollmentPlatformRestriction Known Issues Monitoring O365AdminAuditLogConfig O365Group O365OrgCustomizationSetting O365User ODSP Permissions ODSettings PPPowerAppsEnvironment PPTenantSettings Permissions PlannerBucket PlannerPlan PlannerTask Reporting Resources List SCAuditConfigurationPolicy SCCaseHoldPolicy SCCaseHoldRule SCComplianceCase SCComplianceSearch SCComplianceSearchAction SCComplianceTag SCDLPCompliancePolicy SCDLPComplianceRule SCDeviceConditionalAccessPolicy SCDeviceConfigurationPolicy SCFilePlanPropertyAuthority SCFilePlanPropertyCategory SCFilePlanPropertyCitation SCFilePlanPropertyDepartment SCFilePlanPropertyReferenceId SCFilePlanPropertySubCategory SCLabelPolicy SCRetentionCompliancePolicy SCRetentionComplianceRule SCRetentionEventType SCSensitivityLabel SCSupervisoryReviewPolicy SCSupervisoryReviewRule SPOAccessControlSettings SPOApp SPOBrowserIdleSignout SPOHomeSite SPOHubSite SPOOrgAssetsLibrary SPOPropertyBag SPOSearchManagedProperty SPOSearchResultSource SPOSharingSettings SPOSite SPOSiteAuditSettings SPOSiteDesign SPOSiteDesignRights SPOSiteGroup SPOSiteScript SPOStorageEntity SPOTenantCDNPolicy SPOTenantCdnEnabled SPOTenantSettings SPOTheme SPOUserProfileProperty Setting up your Environment to Contribute to the Project TeamsCallingPolicy TeamsChannel TeamsChannelTab TeamsChannelsPolicy TeamsClientConfiguration TeamsEmergencyCallRoutingPolicy TeamsEmergencyCallingPolicy TeamsGuestCallingConfiguration TeamsGuestMeetingConfiguration TeamsGuestMessagingConfiguration TeamsMeetingBroadcastConfiguration TeamsMeetingBroadcastPolicy TeamsMeetingConfiguration TeamsMeetingPolicy TeamsMessagingPolicy TeamsPstnUsage TeamsTeam TeamsTenantDialPlan TeamsUpgradeConfiguration TeamsUpgradePolicy TeamsUser TeamsVoiceRoute TeamsVoiceRoutingPolicy Troubleshooting What is Microsoft365DSC
3 Permissions
Yorick Kuijs редактировал(а) эту страницу 2021-12-15 08:51:07 +01:00
Содержание

Using Graph permissions

Microsoft365DSC is using several other modules to connect to Microsoft 365, for example the MicrosoftTeams or PnP Powershell modules. Some of the resources are using Microsoft Graph API modules, like the Intune and the (recently converted) Azure Active Directory resources. The idea for Microsoft365DSC is that all modules will be converted to use the Graph API modules as soon as they are available for that workload. This means authentication will be consistent across all workload and at the same time has to follow the authentication possibilities of the Graph API.

Authentication and permissions

The Graph API has two different authentication implementations:

  1. Delegated permissions: Here a username/password is used to authenticate.

    This option is using an AzureAD app in the background to call the Graph API. However the effective permissions will be the intersection of the delegated permissions and the user privileges. By default, the Graph app has no permissions meaning it can't access anything and therefore won't work. You have to grant these permissions to the app before using them. Consent for these permissions can be given by the user himself or by an admin for all users in the tenant.

    For example: If your account only has permissions on three SharePoint sites, only these sites can be retrieved. Even when the AzureAD app has Sites.FullControll.All permissions granted.

    Microsoft Graph Delegated App

    To update the delegated permissions on the Graph app, you can use the "Update-M365DSCAllowedGraphScopes" cmdlet and specify the resources you are using. This will read the required permissions for those resources and update those on the Graph app.

    NOTE: It is possible to specify your own App registration when using Delegated permissions, but if you don't the generic Graph app is created and used.

  2. Application permissions: Here authentication is done using app credentials (either a secret or certificate).

    This option requires your own app to be registered in Azure AD. You can specify what permissions you want your app to have or even create an app for each workloads if necessary. Effective permissions will always be the granted permissions (an user context does not exist). Only admins can grant these permissions.

    NOTE: This is the easiest option to use.

Microsoft365DSC App

IMPORTANT: Applications with high privileges should be monitored closely. In practice there are advantages to use conditional access policies for these applications to limit access to specific sources or user accounts.

For more information, check these articles:

Home
What is Microsoft365DSC?
Getting Started
Resources List and Examples

Microsoft365DSC Be the Master of your Tenant