Applications for integrating with third-party technologies
Microsoft Azure Active Directory is now Microsoft Entra ID
The product provides different apps which allow it to integrate with certain technologies. For example, if you need to integrate your environment with Azure Active Directory (Azure Active Directory), you may need to add one or more apps to your Azure environment to allow the product to integrate with that environment.
You can use the following diagram to understand what apps are installed in certain scenarios in an environment.
Below is a list of the applications that are used to integrate with Azure Active Directory (Azure Active Directory), SharePoint Online, and Exchange Online. You may not need or see many of these apps, but they are listed here for visibility and to understand how integration works.
Below is a list of required and optional applications when provisioning a K2
K2 application details
Microsoft is deprecating Azure Active Directory Graph API and as of June 30th, 2020, stopped adding new features to the API. They strongly recommend upgrading to Microsoft Graph API to access Azure Active Directory APIs as well as APIs from other Microsoft services. Since permissions required for Azure Active Directory Graph API differ from those for Microsoft Graph API, you will be consenting to similar permissions scopes for backward and future compatibility. The tables below list both sets of permissions for the relevant applications.
K2 for Office 365
- Required when integrating with SharePoint Online.If this app is used, then the Azure Active Directory for K2 app is not required.
- Provides integration with Azure Active Directory and SharePoint, such as Azure Active Directory Identity Caching, reading Azure Active Directory user information, and reading and writing to SharePoint Online. If used in the product, consent is granted during the provisioning process.
| Permission | Display string | Description | Tenant Admin consent required |
|---|---|---|---|
| Microsoft Graph permissions | |||
| Directory.Read.All (Application) | Read directory data | Allows the app to read data in your organization's directory, such as users, groups, and apps, without a signed-in user. | Yes |
| Directory.Read.All (Delegated) | Read directory data | Allows the app to read data in your organization's directory, such as users, groups, and apps. Note: Users may consent to applications that require this permission if the application is registered in their own organization’s tenant. | Yes |
| User.Read (Delegated) | Sign-in and read user profile | Allows users to sign-in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | No |
| Azure Active Directory Graph permissions | |||
| Directory.Read.All (Application) | Read directory data | Read directory data* | Yes |
| Directory.Read.All (Delegated) | Read directory data | Read directory data* | Yes |
| User.Read (Delegated) | Sign in and read user profile | Sign in and read user profile | No |
| Permission for SharePoint Online | |||
|
Yes | ||
* Requires Tenant/Global administrator credentials
Azure Active Directory for K2
- Required when integrating with Azure Active Directory but not SharePoint Online. If this app is used, then the K2 for Office 365 app is not required.
- Provides integration with Azure Active Directory, such as reading and caching Azure Active Directory user information.
If used in the product , consent is granted during the provisioning process.
| Permission | Display string | Description | Tenant Admin consent required |
|---|---|---|---|
| Microsoft Graph permissions | |||
| Directory.Read.All (Application) | Read directory data | Allows the app to read data in your organization's directory, such as users, groups, and apps, without a signed-in user. | Yes |
| Directory.Read.All (Delegated) | Read directory data | Allows the app to read data in your organization's directory, such as users, groups, and apps. Note: Users may consent to applications that require this permission if the application is registered in their own organization’s tenant. | Yes |
| User.Read (Delegated) | Sign-in and read user profile | Allows users to sign-in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | No |
| Azure Active Directory Graph permissions | |||
| Directory.Read.All (Application) | Read directory data | Read directory data* | Yes |
| Directory.Read.All (Delegated) | Read directory data | Read directory data* | Yes |
| User.Read (Delegated) | Sign in and read user profile | Sign in and read user profile | No |
* Requires Tenant/Global administrator credentials
K2 for Azure Active Directory Login
- Optional.
- Provides authentication against Azure Active Directory when using the SmartObject OData API for consumption of SmartObject data within third-party clients such as Excel, Power BI, and Tableau.
- Authenticates
| Permission | Display string | Description | Tenant Admin consent required |
|---|---|---|---|
| Microsoft Graph permissions | |||
| Directory.AccessAsUser.All (Delegated) | Access directory as the signed-in user | Allows the app to have the same access to information in the directory as the signed-in user. | Yes |
| Directory.Read.All (Delegated) | Read directory data | Allows the app to read data in your organization's directory, such as users, groups, and apps. Note: Users may consent to applications that require this permission if the application is registered in their own organization’s tenant. | Yes |
| User.Read (Delegated) | Sign-in and read user profile | Allows users to sign-in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | No |
| Azure Active Directory Graph permissions | |||
| Directory.Read.All (Application) | Read directory data | Access the directory as the signed-in user* | Yes |
| Directory.Read.All (Delegated) | Read directory data | Read directory data* | Yes |
| User.Read (Delegated) | Sign in and read user profile |
Sign in and read user profile |
No |
* Requires Tenant/Global administrator credentials
Azure Active Directory Management for K2
- Optional.
- This app allows you to create workflows that can create, update, and delete Azure Active Directory user information. This app is used only by the Azure Active Directory Management (Read/Write to Azure Active Directory) service type.
For information on how to consent to the Azure Active Directory Management for K2 app and to update your broker to use a different OAuth resource, see Azure Active Directory Management (Read/Write to Azure Active Directory).
| Permission | Display string | Description | Tenant Admin consent required |
|---|---|---|---|
| Microsoft Graph permissions | |||
| Directory.ReadWrite.All (Delegated) | Read and write directory data | Allows the app to read and write data in your organization's directory, such as users, and groups. It does not allow the app to delete users or groups or reset user passwords. | Yes |
| Directory.ReadWrite.All (Application) | Read and write directory data | Allows the app to read and write data in your organization's directory, such as users, and groups, without a signed-in user. Does not allow user or group deletion. | Yes |
| Directory.AccessAsUser.All (Delegated) | Access directory as the signed-in user | Allows the app to have the same access to information in the directory as the signed-in user. | Yes |
| Azure Active Directory Graph permissions | |||
| Directory.ReadWrite.All (Application) | Read directory data | Read and write directory data* | Yes |
| Directory.ReadWrite.All (Delegated) | Read directory data | Read and write directory data* | Yes |
| Directory.AccessAsUser.All (Delegated) | Sign in and read user profile |
Access the directory as the signed-in user* |
Yes |
* Requires Tenant/Global administrator credentials
K2 for Office 365 Mobile
- Optional.
- Provides Azure Active Directory authentication for Nintex K2 Mobile apps.
| Permission | Display string | Description | Tenant Admin consent required |
|---|---|---|---|
| Microsoft Graph permissions | |||
| User.Read (Delegated) | Sign in and read user profile | Allows users to sign-in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | No |
| User.ReadBasic.All (Delegated) |
Read all users' basic profiles |
Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address, open extensions, and photo. Also allows the app to read the full profile of the signed-in user. | No |
| Azure Active Directory Graph permissions | |||
| User.Read (Delegated) | Sign in and read user profile | Allows users to sign-in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | No |
| User.ReadBasic.All (Delegated) |
Read all users' basic profiles |
Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address, open extensions, and photo. Also allows the app to read the full profile of the signed-in user. | No |
K2 for Exchange Online
- Optional.
- Required for Exchange feature to be activated and gives the product the ability to integrate with Exchange Online functionality.
- Full access rights to all mailboxes
- Access mailboxes as the signed-in user via Exchange Web Services
This app is not required for SmartActions or for the server to send email.
| Permission | Display string | Description | Tenant Admin consent required |
|---|---|---|---|
| Microsoft Graph permissions | |||
| User.Read (Delegated) | Sign in and read user profile | Allows users to sign-in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | No |
| Azure Active Directory Graph permissions | |||
| User.Read (Delegated) | Sign in and read user profile | Allows users to sign-in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | No |
K2 Five for SharePoint
| Name of Application | Details | Permissions Requested | Needs Tenant Admin to consent? |
|---|---|---|---|
| K2 Five for SharePoint | Required when integrating with SharePoint. This app is included in the Nintex Automation installer as part of the AppDeployment.exe utility. This app is available from the Office Store, but should be installed from the extracted product installer folder. If you're using Azure Active Directory, then either the Azure Active Directory for K2 or the K2 for Office 365 app is also required. |
Not applicable, this app requires K2 for Office 365 if you use Azure Active Directory identities | N/A |
K2 Five for SharePoint Application and Delegation Scope Requests
Below is a list of application scope requests and delegation scope requests when onboarding with K2
SharePoint scopes only apply within site collections where the K2 Five for SharePoint app has been added.
| App | Scope | Request Type | Notes |
|---|---|---|---|
| K2 for Office 365 | Read directory data (Directory.Read.All) | Application | Required: Allow the application to read data in your organization’s directory, such as users and groups. |
| K2 |
Have full control of all site collections (Sites.FullControl.All) | Application | Required: Allows the application to have full control of all site collections without a signed in user. |
| Read and write user profiles (User.ReadWrite.All) | Application | Required: Allows the application to read and update user profiles and to read basic site info without a signed in user. | |
| Have full control of all site collections (AllSites.FullControl) | Delegation (on behalf of) | Required: Allows the application to have full control of all site collections on behalf of the signed-in user. SharePoint honors security so if a user does not have permissions to create, edit, delete, or access a SharePoint site, they cannot do that through the product. | |
| Read and write user profiles (User.ReadWrite.All) | Delegation (on behalf of) | Required: Allows the application to read and update user profiles and to read basic site info on behalf of the signed-in user. This permission is not used. | |
| Read and write items in all site collections(AllSites.Write) | Delegation (on behalf of) | Required: Allows the application to create, read, update, and delete documents and list items in all site collections without a signed in user. This permission is legacy and not used. | |
| Read and write managed metadata (TermStore.ReadWrite.All) | Delegation (on behalf of) | Required: Allows the application to read, create, update, and delete managed metadata and to read basic site info on behalf of the signed-in user. The write permission is not used. |
K2 Five for Azure Active Directory Application and Delegation Scope Requests
Below is a list of application scope requests and delegation scope requests when onboarding K2
| App | Scope | Request Type | Notes |
|---|---|---|---|
| Azure Active Directory for K2 (non-SharePoint scenarios) | Read directory data (Directory.Read.All) | Application | Required: Allow the application to read data in your organization’s directory, such as users and groups. |
| Azure Active Directory for K2 | Enable sign-on and read users’ profiles (User.Read) | Delegation (on behalf of) | Required: Allow users to sign into the application with their organizational accounts and let the application read the profiles of signed-in users, such as their email address and contact information. |
| Access your organization’s directory (Directory.AccessAsUser.All) | Delegation (on behalf of) | Required: Allow the application to access your organization’s directory on behalf of the signed-in user. This permission is legacy and not used. | |
| Azure Active Directory Management for K2 | Write directory data (Directory.Write.All) | Application | Optional: Allows the application to read and write data in your organization's directory. Necessary if you use the Azure Active Directory user and group management wizards and/or SmartObjects. For more information and configuration information, see Azure Active Directory Management (Read/Write to Azure Active Directory)Account Management |