Applications for integrating with third-party technologies
The product provides several apps that allow it to integrate with specific third-party technologies. For example, to integrate your environment with Azure Active Directory, you may need to add one or more apps to your Azure environment so that the product can integrate with it.
You can use the following diagram to understand which apps are installed in certain scenarios in an environment.
*Also installs K2 for Office 365
Below is a list of the applications used to integrate with Azure Active Directory, SharePoint Online, and Exchange Online. You may not need or see many of these apps, but they are listed here for visibility and to help you understand how the integration works.
Below is a list of the required and optional applications when provisioning a K2 Five with SharePoint Online environment.
K2 application details
Microsoft is deprecating the Azure Active Directory Graph API and, as of June 30th, 2020, stopped adding new features to it. Microsoft strongly recommends upgrading to the Microsoft Graph API to access Azure Active Directory APIs as well as APIs from other Microsoft services. Because the permissions required for the Azure Active Directory Graph API differ from those for the Microsoft Graph API, you consent to similar permission scopes in both for backward and future compatibility. The tables below list both sets of permissions for the relevant applications.
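Because the product consents to scopes for both APIs, an administrator reviewing diagnostic output may want to confirm which API a given access token targets and whether it was issued with delegated (acting as a signed-in user) or application (no signed-in user) permissions. The following is an added example, not code from Nintex or from this page; it relies on the Microsoft identity platform convention that delegated permissions arrive in the `scp` claim and application permissions in the `roles` claim, and on the well-known audience values of the two Graph APIs. The sample tokens are constructed and unsigned, and the `documented` set passed in is taken from the permission tables below.

```python
import base64
import json

# Audience values that identify the two APIs in an access token's "aud" claim.
# The GUID forms are the well-known resource appIds of Microsoft Graph and Azure AD Graph.
MS_GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}
AAD_GRAPH_AUDIENCES = {"https://graph.windows.net", "00000002-0000-0000-c000-000000000000"}


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def decode_claims(token):
    """Return the payload claims of a JWT WITHOUT verifying the signature.
    Use this only to inspect a token you already hold (for example one copied
    from a diagnostic log); an authorization decision must go through signature
    validation against the tenant's signing keys, which this function skips."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def classify(token, documented=None):
    """Report which API the token targets and whether it carries delegated ("scp")
    or application ("roles") permissions. If `documented` (a set of permission
    names, e.g. from the tables on this page) is given, also list permissions the
    token carries that are not documented for the app."""
    claims = decode_claims(token)
    aud = claims.get("aud")
    if aud in MS_GRAPH_AUDIENCES:
        api = "Microsoft Graph"
    elif aud in AAD_GRAPH_AUDIENCES:
        api = "Azure AD Graph"
    else:
        api = "other"
    if "scp" in claims:        # delegated: space-separated scopes, acts as the signed-in user
        kind, perms = "Delegated", sorted(claims["scp"].split())
    elif "roles" in claims:    # application: list of app roles, no signed-in user
        kind, perms = "Application", sorted(claims["roles"])
    else:
        kind, perms = "none", []
    result = {"api": api, "type": kind, "permissions": perms}
    if documented is not None:
        result["undocumented"] = sorted(set(perms) - set(documented))
    return result


def make_sample_token(claims):
    """Build a constructed, unsigned sample token so this block runs offline.
    The signature segment is a placeholder; real tokens are signed by Azure AD."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".signature-omitted"


# Constructed samples: a delegated Microsoft Graph token such as "Azure Active Directory
# for K2" would receive, and an app-only Azure AD Graph token carrying a wider role than
# the page documents for that app.
SAMPLE_DELEGATED = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "scp": "User.Read Directory.Read.All",
})
SAMPLE_APP_ONLY = make_sample_token({
    "aud": "https://graph.windows.net",
    "roles": ["Directory.ReadWrite.All"],
})

if __name__ == "__main__":
    documented_for_app = {"Directory.Read.All", "User.Read"}   # from the page's table
    print(classify(SAMPLE_DELEGATED, documented_for_app))
    print(classify(SAMPLE_APP_ONLY, documented_for_app))
```

The second sample is flagged because `Directory.ReadWrite.All` is not among the permissions documented for the read-only app; an unexpected write-capable role in a token is the kind of drift between documented and actual privilege that is worth tracing back to the app registration.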
K2 for Office 365

Microsoft Graph permissions

| Permission | Display string | Description | Tenant Admin consent required |
|---|---|---|---|
| Directory.Read.All (Application) | Read directory data | Allows the app to read data in your organization's directory, such as users, groups, and apps, without a signed-in user. | Yes |
| Directory.Read.All (Delegated) | Read directory data | Allows the app to read data in your organization's directory, such as users, groups, and apps. Note: Users may consent to applications that require this permission if the application is registered in their own organization's tenant. | Yes |
| User.Read (Delegated) | Sign-in and read user profile | Allows users to sign in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | No |

Azure Active Directory Graph permissions

| Permission | Display string | Description | Tenant Admin consent required |
|---|---|---|---|
| Directory.Read.All (Application) | Read directory data | Read directory data* | Yes |
| Directory.Read.All (Delegated) | Read directory data | Read directory data* | Yes |
| User.Read (Delegated) | Sign in and read user profile | Sign in and read user profile | No |

Permission for SharePoint Online

| Permission | Tenant Admin consent required |
|---|---|
| Read and write user profiles* | Yes |
| Read and write managed metadata* | Yes |
| Have full control of all site collections* | Yes |

* Requires Tenant/Global administrator credentials
Azure Active Directory for K2

Microsoft Graph permissions

| Permission | Display string | Description | Tenant Admin consent required |
|---|---|---|---|
| Directory.Read.All (Application) | Read directory data | Allows the app to read data in your organization's directory, such as users, groups, and apps, without a signed-in user. | Yes |
| Directory.Read.All (Delegated) | Read directory data | Allows the app to read data in your organization's directory, such as users, groups, and apps. Note: Users may consent to applications that require this permission if the application is registered in their own organization's tenant. | Yes |
| User.Read (Delegated) | Sign-in and read user profile | Allows users to sign in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | No |

Azure Active Directory Graph permissions

| Permission | Display string | Description | Tenant Admin consent required |
|---|---|---|---|
| Directory.Read.All (Application) | Read directory data | Read directory data* | Yes |
| Directory.Read.All (Delegated) | Read directory data | Read directory data* | Yes |
| User.Read (Delegated) | Sign in and read user profile | Sign in and read user profile | No |

* Requires Tenant/Global administrator credentials
K2 for Azure Active Directory Login
- Optional.
- Provides authentication against Azure Active Directory when using the SmartObject OData API for consumption of SmartObject data within third-party clients such as Excel, Power BI, and Tableau.
- Authenticates Nintex Automation users when using Remote Package and Deployment (P&D) to migrate solutions from one environment to another.
Microsoft Graph permissions

| Permission | Display string | Description | Tenant Admin consent required |
|---|---|---|---|
| Directory.AccessAsUser.All (Delegated) | Access directory as the signed-in user | Allows the app to have the same access to information in the directory as the signed-in user. | Yes |
| Directory.Read.All (Delegated) | Read directory data | Allows the app to read data in your organization's directory, such as users, groups, and apps. Note: Users may consent to applications that require this permission if the application is registered in their own organization's tenant. | Yes |
| User.Read (Delegated) | Sign-in and read user profile | Allows users to sign in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | No |

Azure Active Directory Graph permissions

| Permission | Display string | Description | Tenant Admin consent required |
|---|---|---|---|
| Directory.Read.All (Application) | Read directory data | Access the directory as the signed-in user* | Yes |
| Directory.Read.All (Delegated) | Read directory data | Read directory data* | Yes |
| User.Read (Delegated) | Sign in and read user profile | Sign in and read user profile | No |

* Requires Tenant/Global administrator credentials
Azure Active Directory Management for K2

Microsoft Graph permissions

| Permission | Display string | Description | Tenant Admin consent required |
|---|---|---|---|
| Directory.ReadWrite.All (Delegated) | Read and write directory data | Allows the app to read and write data in your organization's directory, such as users and groups. It does not allow the app to delete users or groups or reset user passwords. | Yes |
| Directory.ReadWrite.All (Application) | Read and write directory data | Allows the app to read and write data in your organization's directory, such as users and groups, without a signed-in user. Does not allow user or group deletion. | Yes |
| Directory.AccessAsUser.All (Delegated) | Access directory as the signed-in user | Allows the app to have the same access to information in the directory as the signed-in user. | Yes |

Azure Active Directory Graph permissions

| Permission | Display string | Description | Tenant Admin consent required |
|---|---|---|---|
| Directory.ReadWrite.All (Application) | Read directory data | Read and write directory data* | Yes |
| Directory.ReadWrite.All (Delegated) | Read directory data | Read and write directory data* | Yes |
| Directory.AccessAsUser.All (Delegated) | Sign in and read user profile | Access the directory as the signed-in user* | Yes |

* Requires Tenant/Global administrator credentials
K2 for Office 365 Mobile
- Optional.
- Provides Azure Active Directory authentication for Nintex K2 Mobile apps.
Microsoft Graph permissions

| Permission | Display string | Description | Tenant Admin consent required |
|---|---|---|---|
| User.Read (Delegated) | Sign in and read user profile | Allows users to sign in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | No |
| User.ReadBasic.All (Delegated) | Read all users' basic profiles | Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address, open extensions, and photo. Also allows the app to read the full profile of the signed-in user. | No |

Azure Active Directory Graph permissions

| Permission | Display string | Description | Tenant Admin consent required |
|---|---|---|---|
| User.Read (Delegated) | Sign in and read user profile | Allows users to sign in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | No |
| User.ReadBasic.All (Delegated) | Read all users' basic profiles | Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address, open extensions, and photo. Also allows the app to read the full profile of the signed-in user. | No |
K2 for Exchange Online
- Optional.
- Required to activate the Exchange feature; gives the product the ability to integrate with Exchange Online functionality.
- Full access rights to all mailboxes
- Access mailboxes as the signed-in user via Exchange Web Services
This app is not required for SmartActions or for the server to send email.
Microsoft Graph permissions

| Permission | Display string | Description | Tenant Admin consent required |
|---|---|---|---|
| User.Read (Delegated) | Sign in and read user profile | Allows users to sign in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | No |

Azure Active Directory Graph permissions

| Permission | Display string | Description | Tenant Admin consent required |
|---|---|---|---|
| User.Read (Delegated) | Sign in and read user profile | Allows users to sign in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | No |
K2 Five for SharePoint

| Name of Application | Details | Permissions Requested | Needs Tenant Admin to consent? |
|---|---|---|---|
| K2 Five for SharePoint | Required when integrating with SharePoint. This app is included in the Nintex Automation installer as part of the AppDeployment.exe utility. The app is also available from the Office Store, but it should be installed from the extracted product installer folder. If you're using Azure Active Directory, then either the Azure Active Directory for K2 app or the K2 for Office 365 app is also required. | Not applicable; this app requires K2 for Office 365 if you use Azure Active Directory identities. | N/A |
K2 Five for SharePoint Application and Delegation Scope Requests
Below is a list of application scope requests and delegation scope requests when onboarding with K2 Five for SharePoint against a SharePoint online environment. For more information about the permission scopes in Microsoft Office 365, see Microsoft Graph Permission Reference.
SharePoint scopes only apply within site collections where the K2 Five for SharePoint app has been added.
| App | Scope | Request Type | Notes |
|---|---|---|---|
| K2 for Office 365 | Read directory data (Directory.Read.All) | Application | Required: Allow the application to read data in your organization's directory, such as users and groups. |
| K2 Five for SharePoint | Have full control of all site collections (Sites.FullControl.All) | Application | Required: Allows the application to have full control of all site collections without a signed-in user. |
| K2 Five for SharePoint | Read and write user profiles (User.ReadWrite.All) | Application | Required: Allows the application to read and update user profiles and to read basic site info without a signed-in user. |
| K2 Five for SharePoint | Have full control of all site collections (AllSites.FullControl) | Delegation (on behalf of) | Required: Allows the application to have full control of all site collections on behalf of the signed-in user. SharePoint honors security, so if a user does not have permissions to create, edit, delete, or access a SharePoint site, they cannot do that through the product. |
| K2 Five for SharePoint | Read and write user profiles (User.ReadWrite.All) | Delegation (on behalf of) | Required: Allows the application to read and update user profiles and to read basic site info on behalf of the signed-in user. This permission is not used. |
| K2 Five for SharePoint | Read and write items in all site collections (AllSites.Write) | Delegation (on behalf of) | Required: Allows the application to create, read, update, and delete documents and list items in all site collections without a signed-in user. This permission is legacy and not used. |
| K2 Five for SharePoint | Read and write managed metadata (TermStore.ReadWrite.All) | Delegation (on behalf of) | Required: Allows the application to read, create, update, and delete managed metadata and to read basic site info on behalf of the signed-in user. The write permission is not used. |
K2 Five for Azure Active Directory Application and Delegation Scope Requests
Below is a list of application scope requests and delegation scope requests when onboarding K2 Five with Azure Active Directory.
| App | Scope | Request Type | Notes |
|---|---|---|---|
| Azure Active Directory for K2 (non-SharePoint scenarios) | Read directory data (Directory.Read.All) | Application | Required: Allow the application to read data in your organization's directory, such as users and groups. |
| Azure Active Directory for K2 | Enable sign-on and read users' profiles (User.Read) | Delegation (on behalf of) | Required: Allow users to sign into the application with their organizational accounts and let the application read the profiles of signed-in users, such as their email address and contact information. |
| Azure Active Directory for K2 | Access your organization's directory (Directory.AccessAsUser.All) | Delegation (on behalf of) | Required: Allow the application to access your organization's directory on behalf of the signed-in user. This permission is legacy and not used. |
| Azure Active Directory Management for K2 | Write directory data (Directory.Write.All) | Application | Optional: Allows the application to read and write data in your organization's directory. Necessary if you use the Azure Active Directory user and group management wizards and/or SmartObjects. For more information, including configuration details, see Azure Active Directory Management (Read/Write to Azure Active Directory) and Account Management. |
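The per-app permission tables and the scope-request tables above together define what each K2 app is expected to hold in the tenant. A practical check is to compare that documented baseline with what has actually been consented, since an app that is missing a documented permission fails at runtime, and an app holding a permission the documentation does not list carries privilege nobody asked for. The following is an added example and not Nintex's code. It assumes the shapes Microsoft Graph uses for consent records: application permissions are `appRoleAssignments` whose `appRoleId` resolves against the resource service principal's `appRoles`, and delegated permissions are `oauth2PermissionGrants` with a space-separated `scope` string and a `consentType` of `AllPrincipals` (tenant-wide) or `Principal` (one user). All service-principal ids and the grant records below are constructed sample data; in a real tenant they would be read from `GET /servicePrincipals/{id}/appRoleAssignments` and `GET /oauth2PermissionGrants`.

```python
"""Audit consent actually granted to the K2 apps against the permissions documented above."""

# Well-known resource appId of Microsoft Graph (real value). The audit is limited to
# Microsoft Graph grants, mirroring the "Microsoft Graph permissions" tables on this page.
MS_GRAPH_APPID = "00000003-0000-0000-c000-000000000000"

# Baseline copied from the page's per-app tables: app name -> {(type, permission)}.
DOCUMENTED = {
    "Azure Active Directory for K2": {
        ("Application", "Directory.Read.All"),
        ("Delegated", "Directory.Read.All"),
        ("Delegated", "User.Read"),
    },
    "Azure Active Directory Management for K2": {
        ("Delegated", "Directory.ReadWrite.All"),
        ("Application", "Directory.ReadWrite.All"),
        ("Delegated", "Directory.AccessAsUser.All"),
    },
}


def audit_app(app_name, client_sp_id, resource_sp, app_role_assignments, oauth2_grants):
    """Compare the permissions granted to one client app with its documented set.

    Application permissions are appRoleAssignments on the client service principal;
    their appRoleId is resolved through the resource's appRoles list. Delegated
    permissions are oauth2PermissionGrants with a space-separated scope string."""
    resource_id = resource_sp["id"]
    role_names = {r["id"]: r["value"] for r in resource_sp.get("appRoles", [])}
    granted = set()
    per_user = []  # delegated scopes consented for a single user rather than tenant-wide
    for a in app_role_assignments:
        if a["principalId"] == client_sp_id and a["resourceId"] == resource_id:
            name = role_names.get(a["appRoleId"], "unknown:" + a["appRoleId"])
            granted.add(("Application", name))
    for g in oauth2_grants:
        if g["clientId"] == client_sp_id and g["resourceId"] == resource_id:
            for scope in g["scope"].split():
                granted.add(("Delegated", scope))
                if g["consentType"] == "Principal":
                    per_user.append((g["principalId"], scope))
    documented = DOCUMENTED[app_name]
    return {
        "missing": sorted(documented - granted),   # documented but not granted: app will fail
        "excess": sorted(granted - documented),    # granted but not documented: extra privilege
        "per_user_consent": sorted(per_user),
    }


# Constructed sample data shaped like Microsoft Graph responses; ids are placeholders.
SAMPLE_MS_GRAPH_SP = {
    "id": "sp-msgraph-0000",
    "appId": MS_GRAPH_APPID,
    "appRoles": [
        {"id": "role-0001", "value": "Directory.Read.All"},
        {"id": "role-0002", "value": "Directory.ReadWrite.All"},
    ],
}
SAMPLE_CLIENTS = {
    "Azure Active Directory for K2": "sp-k2-aad-0001",
    "Azure Active Directory Management for K2": "sp-k2-mgmt-0001",
}
SAMPLE_APP_ROLE_ASSIGNMENTS = [
    # Read-only app was granted the write role instead of the documented read role.
    {"principalId": "sp-k2-aad-0001", "resourceId": "sp-msgraph-0000", "appRoleId": "role-0002"},
    {"principalId": "sp-k2-mgmt-0001", "resourceId": "sp-msgraph-0000", "appRoleId": "role-0002"},
]
SAMPLE_OAUTH2_GRANTS = [
    {"clientId": "sp-k2-aad-0001", "resourceId": "sp-msgraph-0000",
     "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Directory.Read.All"},
    # Management app's delegated write scope was consented for one user only.
    {"clientId": "sp-k2-mgmt-0001", "resourceId": "sp-msgraph-0000",
     "consentType": "Principal", "principalId": "user-0042",
     "scope": "Directory.ReadWrite.All"},
]


def run_sample():
    """Audit every sample client app and return the findings keyed by app name."""
    return {
        name: audit_app(name, sp_id, SAMPLE_MS_GRAPH_SP,
                        SAMPLE_APP_ROLE_ASSIGNMENTS, SAMPLE_OAUTH2_GRANTS)
        for name, sp_id in SAMPLE_CLIENTS.items()
    }


if __name__ == "__main__":
    for app, findings in run_sample().items():
        print(app, findings)
```

In the sample, the read-only app shows `Directory.ReadWrite.All` as excess and `Directory.Read.All` as missing, which is exactly the mis-consent to look for when the product's directory reads fail despite an apparently generous grant. The `per_user_consent` entries are worth a second look for permissions the tables mark as requiring tenant admin consent, since a single-user grant on such a scope usually means the consent flow did not go through an administrator as the documentation expects.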