It is advisable (while not absolutely critical) to first run Cloud Drive Mapper as a Global Administrator.
From Cloud Drive Mapper v.126.96.36.199 onwards, IAM Cloud has introduced a new authentication flow in line with Microsoft best practices. This means that during the first run of Cloud Drive Mapper, an application is installed into AAD (Azure Active Directory) Enterprise Applications.
Registering the application with your Azure Active Directory puts the security controls over what applications can access in your hands. IAM Cloud only has basic-level permissions and does not have any more access than is absolutely necessary. Registration with Azure AD allows Cloud Drive Mapper to access the information using delegated authentication from the user, so access stays secure and any Conditional Access and MFA you may have configured within Azure or any other identity provider is preserved.
Until a Global Administrator runs Cloud Drive Mapper, Admin Delegated rights will not be authorised, and each subsequent user will be prompted once for permissions (see below).
Should Cloud Drive Mapper be first run by a Global Administrator, it will ask the admin to delegate rights (for the Azure app) for the whole organisation. This means each subsequent user will NOT be prompted for application permission rights and will instead follow a simple logon process.
For organisations who have no access to Global Admin settings (perhaps because they are administered by a different team or even a third-party IT company), there is no need to worry. The Global settings can be administered at a later date, but in the short term, while in the early testing stages, each user will be asked to grant access permissions on a user-by-user basis.
User permissions within SharePoint
Another new addition (v188.8.131.52 onwards) is that a user should have at least a minimum read permission to the SharePoint root, normally achieved via the Visitors group.
For those organisations with advanced firewall policies in place it would be advisable to allow the following as exceptions:-
Granting Permissions to Cloud Drive Mapper
Step 1 - Signing into Cloud Drive Mapper
Start Cloud Drive Mapper and authenticate where prompted. You should now see a dialogue screen as per the images below:-
NON Global Administrator initial logon
This dialogue is permission related for the individual user.
N.B. If a user is met with the following screen, then application settings have been blocked by the Administration team and their help is required.
This article may help.
Global Administrator initial logon
Note the extra "Consent on behalf of your organisation".
As a Global Administrator you will be asked to accept delegation permissions for the whole organisation, meaning subsequent users will receive a cleaner logon flow and will not be prompted to grant access rights.
To continue this flow, see Step 3.
Step 2 - Azure Admin Consent Screen
Once the initial logon is done, a screen such as the one shown below will appear. This should show success and can be closed.
Step 3 - Azure Enterprise Applications
As a Global Administrator you should now be able to navigate to the following location:-
Azure Active Directory Admin Center > Dashboard > Enterprise Applications
You should now be able to see the installed Cloud Drive Mapper (V2) application.
Once here, click on the application and click:- Permissions
You should now see the delegated permissions as per image below.
(However, if a NON Global Administrator was the first person to use CDM, then these permissions will not be populated and each subsequent user will be asked to consent. To avoid this, a Global Admin can use the "Grant admin consent" button to populate the permissions seen below; this will then stop users from seeing a consent prompt.)
If at any time you need any assistance then please contact our support desk who will be happy to help.
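The two states described above (per-user consent only, versus consent granted for the whole organisation) can also be told apart from the delegated permission grants that Microsoft Graph exposes as oauth2PermissionGrant objects. The following is an added example, not IAM Cloud's code; it assumes the grants have already been exported as JSON, and all object IDs and scope names in the sample are constructed placeholders rather than Cloud Drive Mapper's real values.

```python
import json

# Constructed sample shaped like a Microsoft Graph /oauth2PermissionGrants response.
# IDs and scopes are placeholders, not Cloud Drive Mapper's actual values.
SAMPLE_GRANTS = json.loads("""
{"value": [
  {"clientId": "sp-cdm-placeholder", "consentType": "Principal",
   "principalId": "user-alice", "resourceId": "sp-graph", "scope": "User.Read Files.ReadWrite"},
  {"clientId": "sp-cdm-placeholder", "consentType": "Principal",
   "principalId": "user-bob", "resourceId": "sp-graph", "scope": " User.Read "},
  {"clientId": "sp-other-app", "consentType": "AllPrincipals",
   "principalId": null, "resourceId": "sp-graph", "scope": "Mail.Read"}
]}
""")["value"]


def consent_state(grants, client_id):
    """Summarise delegated-permission grants for one enterprise application.

    consentType "AllPrincipals" is a grant made for the whole organisation;
    "Principal" is a single user's own consent (principalId is that user).
    """
    tenant_wide, per_user = set(), {}
    for g in grants:
        if g.get("clientId") != client_id:
            continue  # grant belongs to a different application
        scopes = set((g.get("scope") or "").split())
        if g.get("consentType") == "AllPrincipals":
            tenant_wide |= scopes
        elif g.get("consentType") == "Principal":
            per_user.setdefault(g.get("principalId"), set()).update(scopes)
    # Per-user scopes that no organisation-wide grant covers
    uncovered = {u: sorted(s - tenant_wide)
                 for u, s in per_user.items() if s - tenant_wide}
    return {
        "admin_consented": bool(tenant_wide),
        "tenant_wide_scopes": sorted(tenant_wide),
        "users_with_own_consent": sorted(per_user),
        "uncovered_user_scopes": uncovered,
    }


if __name__ == "__main__":
    print(json.dumps(consent_state(SAMPLE_GRANTS, "sp-cdm-placeholder"), indent=2))
```

With the sample data the application has only per-user grants, which corresponds to the case where a non-Global Administrator ran the application first.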
IAM Cloud's Technical Support Team.
Support Portal: http://support.iamcloud.com
Email us: firstname.lastname@example.org
Phone (UK): +44 118 324 0000
Phone (US): +1 914 495 1298
Any feedback on this article please contact email@example.com