This article relates to our product Cloud Drive Mapper.


Microsoft now recommends that all third-party software integrations use the Azure AD (AAD) Enterprise Application system. This gives Microsoft customers much greater visibility and control over how applications and add-ons interact with their Microsoft 365 tenancy.


However, the permissions themselves are not always well explained in the AAD Admin Portal. They tend to be quite technical and full of jargon, and don't necessarily convey the implications the permissions have for your tenancy data.


Azure user delegated permissions

The most important point we can make about the AAD Enterprise App permissions used by Cloud Drive Mapper is that they are 'user delegated' permissions.

Essentially what this means is that neither our business, our staff, nor our cloud service have any access whatsoever to your tenancy data.


Cloud Drive Mapper is a desktop client that, with its delegated permissions, can act on behalf of the signed in user. 


This means that CDM can only do what the signed-in user would be able to do anyway manually. So CDM is not granting the user any enhanced privileges, and it is not able to act outside of the control or active session of the signed-in user. 


Cloud Drive Mapper provides a connection, secured by the user's MSAL-authenticated session, between the user's Windows desktop/VDI session and the user's Microsoft 365 account (which includes their OneDrive, plus any SPO/Teams Sites the user has permissions to access). This session and all traffic within it is encrypted with Microsoft's own technology - MSAL is also used by the Office apps themselves.

The best way of thinking about Cloud Drive Mapper is that it is essentially a secure web browser, but for files. No data can leave the session between the user's local machine and the user's Microsoft 365 account. 



Advanced mode permissions (recommended)


Permission | What it is and why we need it
offline_access | This is needed to reduce the number of authentications between sessions.
openid | The ability for the user to sign in and for CDM to validate the user session.
profile | The ability to get claims back and the user's OneDrive URL.
Sites.Read.All | This is used to validate that the user has permissions to the drive we are about to map. It does not give access to all sites in the tenancy, only to the sites the user already has access to. This permission allows CDM to confirm that the drive you want to map is actually accessible to the user, to avoid mapping a drive that will not work.
Team.ReadBasic.All | We need this to know which MS Teams a user is a member of, and to retrieve the 'channels' for use in Teams Converge drives. This permission only returns the Teams the user already has access to and does not extend the user's permissions in any way.
Files.ReadWrite | This is the lowest level of permission we can use to write the cache data to the user's OneDrive profile. It lets the pre-enumerated list of Converge drives follow the user, giving much faster drive mappings on a new machine or when the local profile is lost between login sessions. It also allows the user's own managed drives to follow them across different machines.
Group.Read.All | This is used by Converge to enumerate modern SharePoint sites much more quickly and efficiently than single static drive mappings. It only returns groups of which the user is an owner or member, either directly or indirectly.





Standard/basic mode permissions 


Permission | What it is and why we need it
Files.Read | The ability to get the user's OneDrive URL.
offline_access | This is needed to reduce the number of authentications between sessions.
openid | The ability for the user to sign in and for CDM to validate the user session.
profile | The ability to get claims back and the user's OneDrive URL.
Sites.Read.All | This is used to validate that the user has permissions to the drive we are about to map. It does not give access to all sites in the tenancy, only to the sites the user already has access to. This permission allows CDM to confirm that the drive you want to map is actually accessible to the user, to avoid mapping a drive that will not work.
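As an added example (not Cloud Drive Mapper's own code), the check below lets a tenant admin confirm that what the enterprise app has actually been granted matches the Advanced or Standard mode lists above: every consented delegated scope should be on the documented list, and there should be no application permissions at all, since those act without a signed-in user. The input records mimic the Microsoft Graph oauth2PermissionGrant and appRoleAssignment objects (scope names use the Microsoft Graph spelling, e.g. Files.ReadWrite); the sample data is constructed, not taken from a real tenant.

```python
# Audit an enterprise app's consented permissions against the documented delegated scopes.
# Input dicts mimic Microsoft Graph oauth2PermissionGrant ('scope' is a space-separated
# string of delegated scopes) and appRoleAssignment (application permissions) objects.
from dataclasses import dataclass

# Delegated scopes from the two tables above (OAuth scope names are case-sensitive).
ADVANCED_MODE_SCOPES = frozenset({
    "offline_access", "openid", "profile", "Sites.Read.All",
    "Team.ReadBasic.All", "Files.ReadWrite", "Group.Read.All",
})
STANDARD_MODE_SCOPES = frozenset({
    "Files.Read", "offline_access", "openid", "profile", "Sites.Read.All",
})


@dataclass(frozen=True)
class GrantAudit:
    unexpected_scopes: frozenset   # delegated scopes consented to but not documented
    missing_scopes: frozenset      # documented scopes not yet consented to
    app_role_count: int            # application permissions: must be 0 for a delegated-only app

    @property
    def ok(self) -> bool:
        return (not self.unexpected_scopes and not self.missing_scopes
                and self.app_role_count == 0)


def audit_enterprise_app(grants, app_role_assignments, mode="advanced") -> GrantAudit:
    """Compare consented scopes with the documented list for the given CDM mode."""
    expected = ADVANCED_MODE_SCOPES if mode == "advanced" else STANDARD_MODE_SCOPES
    granted = set()
    for grant in grants:                      # one grant per consent (per user or all users)
        granted.update(grant.get("scope", "").split())
    return GrantAudit(
        unexpected_scopes=frozenset(granted - expected),
        missing_scopes=frozenset(expected - granted),
        app_role_count=len(app_role_assignments),
    )


if __name__ == "__main__":
    # Constructed sample: admin consent for all users, with one scope beyond the documented list.
    sample_grants = [{
        "consentType": "AllPrincipals", "principalId": None,
        "scope": "offline_access openid profile Sites.Read.All Team.ReadBasic.All "
                 "Files.ReadWrite Group.Read.All Mail.Read",
    }]
    result = audit_enterprise_app(sample_grants, [], mode="advanced")
    print("unexpected:", sorted(result.unexpected_scopes), "ok:", result.ok)
```

Any scope reported as unexpected, or any application permission at all, is a sign that the consent in your tenant differs from what this page documents and is worth raising with support.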



If you have any further questions about Cloud Drive Mapper's permissions, please feel free to contact support@iamcloud.com.