Applications for integrating with third-party technologies
The product provides different apps which allow it to integrate with certain technologies. For example, if you need to integrate your environment with Azure Active Directory (AAD), you may need to add one or more apps to your Azure environment to allow the product to integrate with that environment.
You can use the following diagram to understand what apps are installed in certain scenarios in an environment.
Below is a list of the applications that are used to integrate with Azure Active Directory (AAD), SharePoint Online, and Exchange Online. You may not need or see many of these apps, but they are listed here for visibility and to understand how integration works.
Below is a list of required and optional applications when provisioning a K2
K2 application details
Microsoft is deprecating Azure AD Graph API and as of June 30th, 2020, stopped adding new features to the API. They strongly recommend upgrading to Microsoft Graph API to access Azure AD APIs as well as APIs from other Microsoft services. Since permissions required for Azure AD Graph API differ from those for Microsoft Graph API, you will be consenting to similar permissions scopes for backward and future compatibility. The tables below list both sets of permissions for the relevant applications.
K2 for Office 365
- Required when integrating with SharePoint Online.If this app is used, then the Azure Active Directory for K2 app is not required.
- Provides integration with AAD and SharePoint, such as AAD Identity Caching, reading AAD user information, and reading and writing to SharePoint Online. If used in the product, consent is granted during the provisioning process.
| Permission | Display string | Description | Tenant Admin consent required |
|---|---|---|---|
| Microsoft Graph permissions | |||
| Directory.Read.All (Application) | Read directory data | Allows the app to read data in your organization's directory, such as users, groups, and apps, without a signed-in user. | Yes |
| Directory.Read.All (Delegated) | Read directory data | Allows the app to read data in your organization's directory, such as users, groups, and apps. Note: Users may consent to applications that require this permission if the application is registered in their own organization’s tenant. | Yes |
| User.Read (Delegated) | Sign-in and read user profile | Allows users to sign-in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | No |
| Azure AD Graph permissions | |||
| Directory.Read.All (Application) | Read directory data | Read directory data* | Yes |
| Directory.Read.All (Delegated) | Read directory data | Read directory data* | Yes |
| User.Read (Delegated) | Sign in and read user profile | Sign in and read user profile | No |
| Permission for SharePoint Online | |||
|
Yes | ||
* Requires Tenant/Global administrator credentials
Azure Active Directory for K2
- Required when integrating with Azure Active Directory but not SharePoint Online. If this app is used, then the K2 for Office 365 app is not required.
- Provides integration with Azure Active Directory, such as reading and caching AAD user information.
If used in the product , consent is granted during the provisioning process.
| Permission | Display string | Description | Tenant Admin consent required |
|---|---|---|---|
| Microsoft Graph permissions | |||
| Directory.Read.All (Application) | Read directory data | Allows the app to read data in your organization's directory, such as users, groups, and apps, without a signed-in user. | Yes |
| Directory.Read.All (Delegated) | Read directory data | Allows the app to read data in your organization's directory, such as users, groups, and apps. Note: Users may consent to applications that require this permission if the application is registered in their own organization’s tenant. | Yes |
| User.Read (Delegated) | Sign-in and read user profile | Allows users to sign-in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | No |
| Azure AD Graph permissions | |||
| Directory.Read.All (Application) | Read directory data | Read directory data* | Yes |
| Directory.Read.All (Delegated) | Read directory data | Read directory data* | Yes |
| User.Read (Delegated) | Sign in and read user profile | Sign in and read user profile | No |
* Requires Tenant/Global administrator credentials
K2 for AAD Login
- Optional.
- Provides authentication against AAD when using the SmartObject OData API for consumption of SmartObject data within third-party clients such as Excel, Power BI, and Tableau.
- Authenticates
- Required for K2 Cloud when Package and Deployment or OData API access is necessary.
| Permission | Display string | Description | Tenant Admin consent required |
|---|---|---|---|
| Microsoft Graph permissions | |||
| Directory.AccessAsUser.All (Delegated) | Access directory as the signed-in user | Allows the app to have the same access to information in the directory as the signed-in user. | Yes |
| Directory.Read.All (Delegated) | Read directory data | Allows the app to read data in your organization's directory, such as users, groups, and apps. Note: Users may consent to applications that require this permission if the application is registered in their own organization’s tenant. | Yes |
| User.Read (Delegated) | Sign-in and read user profile | Allows users to sign-in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | No |
| Azure AD Graph permissions | |||
| Directory.Read.All (Application) | Read directory data | Access the directory as the signed-in user* | Yes |
| Directory.Read.All (Delegated) | Read directory data | Read directory data* | Yes |
| User.Read (Delegated) | Sign in and read user profile |
Sign in and read user profile |
No |
* Requires Tenant/Global administrator credentials
Azure Active Directory Management for K2
- Optional.
- This app allows you to create workflows that can create, update, and delete AAD user information. This app is used only by the Azure Active Directory Management (Read/Write to AAD) service type.
For information on how to consent to the Azure Active Directory Management for K2 app and to update your broker to use a different OAuth resource, see Azure Active Directory Management (Read/Write to AAD).
| Permission | Display string | Description | Tenant Admin consent required |
|---|---|---|---|
| Microsoft Graph permissions | |||
| Directory.ReadWrite.All (Delegated) | Read and write directory data | Allows the app to read and write data in your organization's directory, such as users, and groups. It does not allow the app to delete users or groups or reset user passwords. | Yes |
| Directory.ReadWrite.All (Application) | Read and write directory data | Allows the app to read and write data in your organization's directory, such as users, and groups, without a signed-in user. Does not allow user or group deletion. | Yes |
| Directory.AccessAsUser.All (Delegated) | Access directory as the signed-in user | Allows the app to have the same access to information in the directory as the signed-in user. | Yes |
| Azure AD Graph permissions | |||
| Directory.ReadWrite.All (Application) | Read directory data | Read and write directory data* | Yes |
| Directory.ReadWrite.All (Delegated) | Read directory data | Read and write directory data* | Yes |
| Directory.AccessAsUser.All (Delegated) | Sign in and read user profile |
Access the directory as the signed-in user* |
Yes |
* Requires Tenant/Global administrator credentials
K2 for Office 365 Mobile
- Optional.
- Provides AAD authentication for Nintex K2 Mobile apps.
| Permission | Display string | Description | Tenant Admin consent required |
|---|---|---|---|
| Microsoft Graph permissions | |||
| User.Read (Delegated) | Sign in and read user profile | Allows users to sign-in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | No |
| User.ReadBasic.All (Delegated) |
Read all users' basic profiles |
Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address, open extensions, and photo. Also allows the app to read the full profile of the signed-in user. | No |
| Azure AD Graph permissions | |||
| User.Read (Delegated) | Sign in and read user profile | Allows users to sign-in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | No |
| User.ReadBasic.All (Delegated) |
Read all users' basic profiles |
Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address, open extensions, and photo. Also allows the app to read the full profile of the signed-in user. | No |
K2 for Exchange Online
- Optional.
- Required for Exchange feature to be activated and gives the product the ability to integrate with Exchange Online functionality.
- Full access rights to all mailboxes
- Access mailboxes as the signed-in user via Exchange Web Services
This app is not required for SmartActions or for the server to send email.
| Permission | Display string | Description | Tenant Admin consent required |
|---|---|---|---|
| Microsoft Graph permissions | |||
| User.Read (Delegated) | Sign in and read user profile | Allows users to sign-in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | No |
| Azure AD Graph permissions | |||
| User.Read (Delegated) | Sign in and read user profile | Allows users to sign-in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | No |
K2 Cloud for SharePoint (Provider-hosted SharePoint Add-In)
| Name of Application | Details | Permissions Requested | Needs Tenant Admin to consent? |
|---|---|---|---|
| K2 Cloud for SharePoint (Provider-hosted SharePoint Add-In) | Required when integrating with SharePoint Online. Provides integration with SharePoint Online. This app is provided for download and installed into your SharePoint Online tenant during the K2 Cloud provisioning process. |
Not applicable, requires either K2 for Office 365 or K2 for Azure Active Directory | N/A |
K2 Cloud for SharePoint Application and Delegation Scope Requests
Below is a list of application scope requests and delegation scope requests when onboarding with K2
SharePoint scopes only apply within site collections where the K2 Cloud for SharePoint app has been added.
| App | Scope | Request Type | Notes |
|---|---|---|---|
| K2 for Office 365 | Read directory data (Directory.Read.All) | Application | Required: Allow the application to read data in your organization’s directory, such as users and groups. |
| K2 |
Have full control of all site collections (Sites.FullControl.All) | Application | Required: Allows the application to have full control of all site collections without a signed in user. |
| Read and write user profiles (User.ReadWrite.All) | Application | Required: Allows the application to read and update user profiles and to read basic site info without a signed in user. | |
| Have full control of all site collections (AllSites.FullControl) | Delegation (on behalf of) | Required: Allows the application to have full control of all site collections on behalf of the signed-in user. SharePoint honors security so if a user does not have permissions to create, edit, delete, or access a SharePoint site, they cannot do that through the product. | |
| Read and write user profiles (User.ReadWrite.All) | Delegation (on behalf of) | Required: Allows the application to read and update user profiles and to read basic site info on behalf of the signed-in user. This permission is not used. | |
| Read and write items in all site collections(AllSites.Write) | Delegation (on behalf of) | Required: Allows the application to create, read, update, and delete documents and list items in all site collections without a signed in user. This permission is legacy and not used. | |
| Read and write managed metadata (TermStore.ReadWrite.All) | Delegation (on behalf of) | Required: Allows the application to read, create, update, and delete managed metadata and to read basic site info on behalf of the signed-in user. The write permission is not used. |
K2 Cloud for AAD Application and Delegation Scope Requests
Below is a list of application scope requests and delegation scope requests when onboarding K2
| App | Scope | Request Type | Notes |
|---|---|---|---|
| Azure Active Directory for K2 (non-SharePoint scenarios) | Read directory data (Directory.Read.All) | Application | Required: Allow the application to read data in your organization’s directory, such as users and groups. |
| Azure Active Directory for K2 | Enable sign-on and read users’ profiles (User.Read) | Delegation (on behalf of) | Required: Allow users to sign into the application with their organizational accounts and let the application read the profiles of signed-in users, such as their email address and contact information. |
| Access your organization’s directory (Directory.AccessAsUser.All) | Delegation (on behalf of) | Required: Allow the application to access your organization’s directory on behalf of the signed-in user. This permission is legacy and not used. | |
| Azure Active Directory Management for K2 | Write directory data (Directory.Write.All) | Application | Optional: Allows the application to read and write data in your organization's directory. Necessary if you use the AAD user and group management wizards and/or SmartObjects. For more information and configuration information, see Azure Active Directory Management (Read/Write to AAD) |