Applications for integrating with third-party technologies

K2 provides different apps which allow K2 to integrate with certain technologies. For example, if you need to integrate your K2 environment with Azure Active Directory (AAD), you may need to add one or more apps to your Azure environment to allow K2 to integrate with that environment.

You can use the following diagram to understand what apps are installed in certain scenarios in a K2 environment.


*Also installs K2 for Office 365

Below is a list of the applications that are used to integrate with Azure Active Directory (AAD), SharePoint Online, and Exchange Online. You may not need or see many of these apps, but they are listed here for visibility and to understand how K2 integration works.

Below is a list of required and optional applications when provisioning a K2 Five with SharePoint Online environment .

K2 application details

Microsoft is deprecating Azure AD Graph API and as of June 30th, 2020, stopped adding new features to the API. They strongly recommend upgrading to Microsoft Graph API to access Azure AD APIs as well as APIs from other Microsoft services. Since permissions required for Azure AD Graph API differ from those for Microsoft Graph API, you will be consenting to similar permissions scopes for backward and future compatibility. The tables below list both sets of permissions for the relevant K2 applications.

K2 Five for SharePoint Application and Delegation Scope Requests

Below is a list of application scope requests and delegation scope requests when onboarding with K2 Five for SharePoint against a SharePoint online environment. For more information about the permission scopes in Microsoft Office 365, see Microsoft Graph Permission Reference.

SharePoint scopes only apply within site collections where the K2 Five for SharePoint app has been added.
App Scope Request Type Notes
K2 for Office 365 Read directory data (Directory.Read.All) Application Required: Allow the application to read data in your organization’s directory, such as users and groups.
K2 Five for SharePoint Have full control of all site collections (Sites.FullControl.All) Application Required: Allows the application to have full control of all site collections without a signed in user.
Read and write user profiles (User.ReadWrite.All) Application Required: Allows the application to read and update user profiles and to read basic site info without a signed in user.
Have full control of all site collections (AllSites.FullControl) Delegation (on behalf of) Required: Allows the application to have full control of all site collections on behalf of the signed-in user. SharePoint honors security so if a user does not have permissions to create, edit, delete, or access a SharePoint site, they cannot do that through K2.
Read and write user profiles (User.ReadWrite.All) Delegation (on behalf of) Required: Allows the application to read and update user profiles and to read basic site info on behalf of the signed-in user. This permission is not used.
Read and write items in all site collections(AllSites.Write) Delegation (on behalf of) Required: Allows the application to create, read, update, and delete documents and list items in all site collections without a signed in user. This permission is legacy and not used.
Read and write managed metadata (TermStore.ReadWrite.All) Delegation (on behalf of) Required: Allows the application to read, create, update, and delete managed metadata and to read basic site info on behalf of the signed-in user. The write permission is not used.

K2 Five for AAD Application and Delegation Scope Requests

Below is a list of application scope requests and delegation scope requests when onboarding K2 Five with AAD.

App Scope Request Type Notes
Azure Active Directory for K2 (non-SharePoint scenarios) Read directory data (Directory.Read.All) Application Required: Allow the application to read data in your organization’s directory, such as users and groups.
Azure Active Directory for K2 Enable sign-on and read users’ profiles (User.Read) Delegation (on behalf of) Required: Allow users to sign into the application with their organizational accounts and let the application read the profiles of signed-in users, such as their email address and contact information.
Access your organization’s directory (Directory.AccessAsUser.All) Delegation (on behalf of) Required: Allow the application to access your organization’s directory on behalf of the signed-in user. This permission is legacy and not used.
Azure Active Directory Management for K2 Write directory data (Directory.Write.All) Application Optional: Allows the application to read and write data in your organization's directory. Necessary if you use the AAD user and group management wizards and/or SmartObjects. For more information and configuration information, see Azure Active Directory Management (Read/Write to AAD)Account Management