WorkPoint 365 Permission Requirements

Article published on the 2nd of December 2020.

1. Introduction

During installation of WorkPoint and for certain functionalities of WorkPoint to function, a series of consents to various permissions for WorkPoint's APIs are required.

This article aims to provide information about the various consents that WorkPoint requires, as well as information on what you consent to, and what WorkPoint's Apps and APIs can do with the permissions granted.

Note that WorkPoint offers a version of the WorkPoint App with tenant rights. You can read more about this app in this article.

2. Permissions

The following sections describe the different permissions related to WorkPoint 365.

2.1. WorkPoint App Permissions

Where can I manage the WorkPoint App permissions?

When the WorkPoint App is added to the tenant app catalog in SharePoint, an administrator needs to trust a set of permissions for the app. These are listed in the window that appears.

By clicking the "Trust it" button, the administrator consents to grant the WorkPoint app the permissions mentioned.

Why do I need to grant the WorkPoint App Permissions?

Granting the WorkPoint App the requested permissions is required for WorkPoint to perform requests against SharePoint. The permissions are explained in the next section. Adding the app to the tenant app catalog is required to be able to either deploy the app to all site collections automatically or to add it to individual site collections. If you choose not to deploy automatically, the app can be deployed manually to only the site collections you choose. Thereby, the permissions only apply to the site collections where the WorkPoint app is located.

2.2. WorkPoint Enterprise Application Permissions

Where can I consent to the WorkPoint Enterprise Application permissions?

You can consent to the WorkPoint Enterprise Application permissions (Tenant administrator app) from the WorkPoint 365 Administration:

  1. In the left side menu of the WorkPoint 365 Administration, click "App Management".
  2. In the App Management page, click the "Tenant administrator app consent" button. Then follow the instructions.

Why do I need to grant the WorkPoint Enterprise Application permissions?

The WorkPoint Enterprise Application permissions are required for WorkPoint to be able to provision new site collections, and thereby automatically scale the solution. Not granting these permissions also means that some WorkPoint functionality will be limited.

If an organization does not want to grant this consent, it is still possible to create site collections and use e.g. the One site collection per entity architecture in WorkPoint. However, the site collections for these purposes would need to be created manually.

What will I consent to?

You will consent to allow the Enterprise Application to access the following resources in your organization.

Read and write all groups

This permission allows WorkPoint to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. It also allows WorkPoint to read and write group calendar and conversations. All of these operations can be performed by WorkPoint without a signed-in user.

This permission is of type "Application". This means that the app itself may act for this particular permission.

Read and write managed metadata

This permission allows WorkPoint to write enterprise managed metadata and to read basic site info without a signed-in user.

This permission is of type "Application". This means that the app itself may act for this particular permission.

Have full control of all site collections

This permission allows WorkPoint to have full control of all site collections without a signed-in user.

This permission is of type "Application". This means that the app itself may act for this particular permission.

Sign in and read user profile

This permission allows users to sign in to the app and allows WorkPoint to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.

This permission is of type "Delegated". This means that the app may act on behalf of a user as the user him or herself for this particular permission.

Read directory data

Allows WorkPoint to read data in your company directory, such as users, groups, and apps.

This permission is of type "Application". This means that the app itself may act for this particular permission.

Review and remove permission

Once signed up, you can review the permissions of the API, or remove its permissions to the organization’s directory, at any time here:

https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps
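
The review described above can be checked against this article's own list. The following is an added example, not WorkPoint's or Microsoft's code: it compares grant records shaped like Microsoft Graph's appRoleAssignment and oAuth2PermissionGrant objects with the five permissions documented in this section, and reports anything extra or granted under a different type. The sample records, ids and scope values are constructed, and resolving names against a single resource service principal is a simplifying assumption.

```python
# Baseline from section 2.2 of this page: display name -> documented type.
DOCUMENTED = {
    "Read and write all groups": "Application",
    "Read and write managed metadata": "Application",
    "Have full control of all site collections": "Application",
    "Sign in and read user profile": "Delegated",
    "Read directory data": "Application",
}

def granted_permissions(assignments, grants, resource):
    """Flatten Graph-style grant records into (display name, type) pairs."""
    roles = {r["id"]: r["displayName"] for r in resource["appRoles"]}
    scopes = {s["value"]: s["adminConsentDisplayName"]
              for s in resource["oauth2PermissionScopes"]}
    granted = set()
    for a in assignments:                 # application permissions
        granted.add((roles.get(a["appRoleId"], a["appRoleId"]), "Application"))
    for g in grants:                      # delegated permissions
        for value in g["scope"].split():  # scope is a space-separated string
            granted.add((scopes.get(value, value), "Delegated"))
    return granted

def audit(granted, documented=DOCUMENTED):
    """Return (unexpected, type_mismatch, not_granted) as sorted lists."""
    unexpected = sorted(p for p in granted if p[0] not in documented)
    mismatch = sorted(p for p in granted
                      if p[0] in documented and documented[p[0]] != p[1])
    seen = {name for name, _ in granted}
    return unexpected, mismatch, sorted(n for n in documented if n not in seen)

# Constructed sample (not from a real tenant); ids and scope values are placeholders.
RESOURCE = {
    "appRoles": [
        {"id": "role-1", "displayName": "Read and write all groups"},
        {"id": "role-2", "displayName": "Have full control of all site collections"},
        {"id": "role-3", "displayName": "Constructed extra permission"},
    ],
    "oauth2PermissionScopes": [
        {"value": "scope.profile", "adminConsentDisplayName": "Sign in and read user profile"},
        {"value": "scope.directory", "adminConsentDisplayName": "Read directory data"},
    ],
}
ASSIGNMENTS = [{"appRoleId": "role-1"}, {"appRoleId": "role-2"}, {"appRoleId": "role-3"}]
GRANTS = [{"consentType": "AllPrincipals", "scope": "scope.profile scope.directory"}]

if __name__ == "__main__":
    for label, items in zip(("unexpected", "type mismatch", "not granted"),
                            audit(granted_permissions(ASSIGNMENTS, GRANTS, RESOURCE))):
        print(label, items)
```

An entry under "unexpected" or "type mismatch" is a grant this article does not describe and is the one to question before leaving consent in place.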

2.3. WorkPoint APIs

2.3.1. WorkPoint 365 Web API Permissions

Where can I give consent to the WorkPoint 365 Web API?

You can give consent to the API by navigating to this link:

https://wp365webapi.azurewebsites.net/

Office 365 Global Administrator privileges are required in order to complete the consent process.

Why do I need to grant the WorkPoint 365 Web API Permissions?

You only need the WorkPoint 365 Web API if you also have WorkPoint 365, and the API is required if using WorkPoint 365 Express or the new Modern UI for WorkPoint. The API can also be used for integration purposes, such as inserting and/or updating entities in WorkPoint 365.

What will I consent to?

You consent that the API can access the following resources in your organization.

Sign in and read user profiles

This permission allows users to sign in to the app, and allows WorkPoint to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.

This is a permission of type "Delegated". This means that the application may act on behalf of a user as the user him or herself for this particular permission.

Read directory data

This permission allows WorkPoint to read data in your company directory, such as users, groups, and apps. This permission is only used if specific WorkPoint features are used by the organization. Currently it is limited to these features:

  • WorkPoint 365 limited users
  • WorkPoint 365 audit log

This is a permission of type "Application". This means that the application itself may act for this particular permission.

Read and write items in all site collections

This permission allows WorkPoint to create, read, update, and delete documents and list items in all site collections on behalf of the signed-in user.

This is a permission of type "Delegated". This means that the application may act on behalf of a user as the user him or herself for this particular permission.

Review and remove permission

Once signed up, you can review the permissions of the API, or remove its permissions to the organization’s directory, at any time here:

https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps

2.3.2. EMM365 Web API Permissions

Where can I give consent to the EMM365 Web API?

You can give consent to the API by navigating to this link:

https://emm365webapi.azurewebsites.net/

Office 365 Global Administrator privileges are required in order to complete the consent process.

Why do I need to grant the EMM365 Web API Permissions?

The EMM365 Web API permissions are required for Email Manager 365 to function.

Note that if you do not have Email Manager 365, you do not need to grant these permissions.

Review and remove permission

Once signed up, you can review the permissions of the API, or remove its permissions to the organization’s directory, at any time here:

https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps

2.4. Azure AD-secured APIs

WorkPoint has a set of Azure AD-secured APIs which need to be approved for Modern UI solutions to function. As such, these permissions are relevant only if your solution uses Modern UI, and they do not appear at all if this is not the case. You can read more about Azure AD-secured APIs in this article (external link).

In general, these permissions are used by the WorkPoint system to perform certain actions in SharePoint on behalf of a logged-in user when using Modern UI components, such as web parts or the command bar in WorkPoint 365.

Note that these permissions appear in the SharePoint Admin Center only once the Modern UI app has been installed on a site collection.
