Applications for integrating with third-party technologies

Microsoft Azure Active Directory is now Microsoft Entra ID

The product provides different apps which allow it to integrate with certain technologies. For example, if you need to integrate your environment with Azure Active Directory (AAD), you may need to add one or more apps to your Azure environment to allow the product to integrate with that environment.

You can use the following diagram to understand what apps are installed in certain scenarios in an environment.

Below is a list of the applications that are used to integrate with Azure Active Directory (AAD), SharePoint Online, and Exchange Online. You may not need or see many of these apps, but they are listed here for visibility and to understand how integration works.

Below is a list of required and optional applications when provisioning a K2 Cloud with SharePoint Online environment .

K2 application details

Microsoft is deprecating Azure AD Graph API and as of June 30th, 2020, stopped adding new features to the API. They strongly recommend upgrading to Microsoft Graph API to access Azure AD APIs as well as APIs from other Microsoft services. Since permissions required for Azure AD Graph API differ from those for Microsoft Graph API, you will be consenting to similar permissions scopes for backward and future compatibility. The tables below list both sets of permissions for the relevant applications.

K2 Cloud for SharePoint Application and Delegation Scope Requests

Below is a list of application scope requests and delegation scope requests when onboarding with K2 Cloud for SharePoint against a SharePoint online environment. For more information about the permission scopes in Microsoft Office 365, see Microsoft Graph Permission Reference.

SharePoint scopes only apply within site collections where the K2 Cloud for SharePoint app has been added.
App Scope Request Type Notes
K2 for Office 365 Read directory data (Directory.Read.All) Application Required: Allow the application to read data in your organization’s directory, such as users and groups.
K2 Cloud for SharePoint Have full control of all site collections (Sites.FullControl.All) Application Required: Allows the application to have full control of all site collections without a signed in user.
Read and write user profiles (User.ReadWrite.All) Application Required: Allows the application to read and update user profiles and to read basic site info without a signed in user.
Have full control of all site collections (AllSites.FullControl) Delegation (on behalf of) Required: Allows the application to have full control of all site collections on behalf of the signed-in user. SharePoint honors security so if a user does not have permissions to create, edit, delete, or access a SharePoint site, they cannot do that through the product.
Read and write user profiles (User.ReadWrite.All) Delegation (on behalf of) Required: Allows the application to read and update user profiles and to read basic site info on behalf of the signed-in user. This permission is not used.
Read and write items in all site collections(AllSites.Write) Delegation (on behalf of) Required: Allows the application to create, read, update, and delete documents and list items in all site collections without a signed in user. This permission is legacy and not used.
Read and write managed metadata (TermStore.ReadWrite.All) Delegation (on behalf of) Required: Allows the application to read, create, update, and delete managed metadata and to read basic site info on behalf of the signed-in user. The write permission is not used.

K2 Cloud for AAD Application and Delegation Scope Requests

Below is a list of application scope requests and delegation scope requests when onboarding K2 Cloud with AAD.

App Scope Request Type Notes
Azure Active Directory for K2 (non-SharePoint scenarios) Read directory data (Directory.Read.All) Application Required: Allow the application to read data in your organization’s directory, such as users and groups.
Azure Active Directory for K2 Enable sign-on and read users’ profiles (User.Read) Delegation (on behalf of) Required: Allow users to sign into the application with their organizational accounts and let the application read the profiles of signed-in users, such as their email address and contact information.
Access your organization’s directory (Directory.AccessAsUser.All) Delegation (on behalf of) Required: Allow the application to access your organization’s directory on behalf of the signed-in user. This permission is legacy and not used.
Azure Active Directory Management for K2 Write directory data (Directory.Write.All) Application Optional: Allows the application to read and write data in your organization's directory. Necessary if you use the AAD user and group management wizards and/or SmartObjects. For more information and configuration information, see Azure Active Directory Management (Read/Write to AAD)