Granting PrinterOn permission to access Azure AD data
To permit PrinterOn to access the data it needs from Azure AD, you need to configure a number of permissions in Azure AD. In Microsoft v2 Auth, these permissions are associated with the Microsoft Graph API. The Microsoft Graph API lets PrinterOn synchronize with the Azure AD data.
Note: PrinterOn only needs access to a very limited amount of Azure AD data. To keep your data secure, you should ensure that you only grant the necessary permissions, described in the following task.
📘 Instructions
To configure permissions in Azure AD:
In the App Registrations panel, locate and click the PrinterOn Enterprise app. The PrinterOn Enterprise app overview appears.
In the navigation pane, click API Permissions. The API permissions panel appears.
From the list of permissions, select Microsoft Graph. The Request API permissions panel appears. The Request API Permissions panel contains two tabs which allow you to set different levels of permissions:
Delegated Permissions: These permissions allow the PrinterOn service to access Azure AD on behalf of the user (for example, to submit authentication credentials on behalf of the user).
Application Permissions: These permissions allow the PrinterOn service to access Azure AD without a user being signed in (for example, to retrieve data).
In the Delegated Permissions tab, enable the following permissions:
Permission | Description |
|---|---|
Allows the PrinterOn service to read your users' primary email address. | |
offline_access | Allows the PrinterOn service to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions. |
openid | Allows users to sign in to the PrinterOn service with their work or school accounts and allows the app to see basic user profile information. |
profile | Allows the PrinterOn service to see your users' basic profile (name, picture, user name). |
Directory > Directory Read All | Allows the PrinterOn service to read data in your organization's directory, such as users, groups and apps. |
Users > Users Read All | Allows the PrinterOn service to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. |
Click the Application Permissions tab.
In the Application Permissions tab, enable the following permission:
Permission | Description |
|---|---|
Directory > Directory Read All | Allows the PrinterOn service to read data in your organization's directory, such as users, groups and apps. |
Click Update Permissions. The Request API Permissions Panel closes and returns you to the API Permissions Panel.
In the API Permissions Panel, click Grant Admin Consent to allow the PrinterOn service to access Azure AD without requiring user consent.
You can now retrieve the key Azure endpoints and application information so it can be added to PrinterOn’s Configuration Manager, enabling the PrinterOn service to successfully communicate with Azure AD.