Summary


It is advisable (while not absolutely critical) to first run Cloud Drive Mapper as a Global Administrator.


From Cloud Drive Mapper v2.2.3.18 onwards, IAM Cloud has introduced a new authentication flow in line with Microsoft best practices. This means that during the first run of Cloud Drive Mapper, an application is installed into AAD (Azure Active Directory) Enterprise Applications.


Registering the application with your Azure Active Directory puts the security controls over what applications can access in your hands. IAM Cloud only has basic level permissions and does not have any more access than is absolutely necessary. Registration with Azure AD allows Cloud Drive Mapper to access information using delegated authentication from the user, meaning your application always stays secure, preserving any conditional access and MFA you may have configured within Azure or any other Identity Provider.


Until a Global Administrator runs Cloud Drive Mapper, Admin Delegated rights will not be authorised, and each subsequent user will be prompted once for permissions (see below).


Should Cloud Drive Mapper be first run by a Global Administrator, it will ask the admin to delegate rights (for the Azure app) for the whole organisation. This means each subsequent user will NOT be prompted for application permission rights and will instead follow a simple logon process.


For organisations who have no access to Global Admin settings (perhaps because they are administered by a different team or even a third party IT company), there is no need to worry. The Global settings can be administered at a later date. In the short term, while in the early testing stages, each user will be asked to grant access permissions on a user by user basis.



N.B.:


User permissions within SharePoint


Another new addition (v2.2.3.18 onwards) is that a user should have at least a minimum read permission to the SharePoint root, normally achieved via the Visitors group.


For those organisations with advanced firewall policies in place, it would be advisable to allow the following as exceptions:


cdm.iamcloud.net

fed.federate365.com



Granting Permissions to Cloud Drive Mapper


Step 1 - Signing into Cloud Drive Mapper

Start Cloud Drive Mapper and authenticate where prompted. You should now see a dialogue screen as per the images below:



NON Global Administrator initial logon


                This dialogue is permission related for the individual user.



N.B. If a user is met with the following screen, then application settings have been blocked by the Administration team and their help is required.

This article may help.

https://blogs.msdn.microsoft.com/aaddevsup/2018/05/08/receiving-aadsts90094-the-grant-requires-admin-permission





Global Administrator initial logon


                Note the extra "Consent on behalf of your organisation"

               




As a global administrator you will be asked to Accept Delegation permissions for the whole organisation, meaning subsequent users will receive a cleaner logon flow and will not be further prompted for grant access rights.

To continue this flow, see Step 3.



Step 2 - Azure Admin Consent Screen


Once the initial logon is done, a screen such as the one shown below will appear. This should show success and can be closed.



Step 3 - Azure Enterprise Applications 

As a Global Administrator you should now be able to navigate to the following location:

Azure Active Directory Admin Center > Dashboard > Enterprise Applications


You should now be able to see the installed Cloud Drive Mapper (V2) application




Once here, click on the application and then click Permissions.


You should now see the delegated permissions as per image below.


(However, if a NON Global Administrator was the first person to use CDM, then these permissions will not be populated and each subsequent user will be asked to consent. To avoid this, a Global Admin can use the "Grant admin consent" button to populate the permissions seen below, which will then stop users from seeing a consent prompt.)
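
The Permissions check in Step 3 can also be done against an export of the tenant's delegated grants. The following is an added example, not IAM Cloud's code: it assumes the JSON shape returned by the Microsoft Graph oauth2PermissionGrants list, and the object IDs, scope names and the function name audit_consent are constructed for illustration and are not Cloud Drive Mapper's actual values.

```python
import json

# Constructed sample of a Microsoft Graph /oauth2PermissionGrants response.
# IDs and scope names are placeholders, not Cloud Drive Mapper's real values.
SAMPLE_RESPONSE = json.loads("""
{"value": [
  {"clientId": "sp-cdm-0001", "consentType": "Principal",
   "principalId": "user-aaaa", "resourceId": "sp-graph",
   "scope": "User.Read Files.ReadWrite.All"},
  {"clientId": "sp-cdm-0001", "consentType": "Principal",
   "principalId": "user-bbbb", "resourceId": "sp-graph",
   "scope": " User.Read  Sites.Read.All"},
  {"clientId": "sp-other-9999", "consentType": "AllPrincipals",
   "principalId": null, "resourceId": "sp-graph",
   "scope": "Directory.ReadWrite.All"}
]}
""")


def audit_consent(response, client_sp_id, approved_scopes):
    """Summarise delegated grants held by one enterprise application."""
    tenant_wide, per_user = set(), {}
    for grant in response.get("value", []):
        if grant.get("clientId") != client_sp_id:
            continue  # grant belongs to a different application
        # "scope" is a space-separated string and may carry stray spaces
        scopes = set((grant.get("scope") or "").split())
        if grant.get("consentType") == "AllPrincipals":
            tenant_wide |= scopes  # admin consent for the whole organisation
        else:
            user = grant.get("principalId") or "unknown"
            per_user.setdefault(user, set()).update(scopes)
    granted = tenant_wide.union(*per_user.values())
    return {
        "admin_consented": bool(tenant_wide),
        "tenant_wide_scopes": sorted(tenant_wide),
        "users_with_individual_consent": sorted(per_user),
        "unapproved_scopes": sorted(granted - set(approved_scopes)),
    }


if __name__ == "__main__":
    # The approved set is whatever your organisation agreed to at review time.
    approved = {"User.Read", "Files.ReadWrite.All"}
    print(json.dumps(audit_consent(SAMPLE_RESPONSE, "sp-cdm-0001", approved), indent=2))
```

An "admin_consented" value of false with a non-empty user list corresponds to the case described above where a NON Global Administrator ran CDM first and users are consenting individually.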





If at any time you need any assistance, please contact our support desk, who will be happy to help.


IAM Cloud's Technical Support Team. 

Support Portal: http://support.iamcloud.com

Email us: support@iamcloud.com

Phone (UK): +44 118 324 0000

Phone (US): +1 914 495 1298


For any feedback on this article, please contact customersuccess@iamcloud.com