Overview

Certain permissions must be granted in Microsoft Entra for the Cosmos platform to work. This article lists the permissions requested during Cosmos onboarding and the reason each one is granted.

Details

Cosmos Data Management

| API Name | Claim Value | Permission | Type | Reason |
|---|---|---|---|---|
| Dynamics 365 Business Central | API.ReadWrite.All | Full access to web services API | Application | Required to read data from the Dynamics 365 Business Central API. We do not write data to BC, but the only available permission is API.ReadWrite.All. |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated | Required to read user profile information. |

Cosmos Excel Add-In

| API Name | Claim Value | Permission | Type | Reason |
|---|---|---|---|---|
| Microsoft Graph | profile | View users' basic profile | Delegated | Required to authenticate on behalf of a user from Excel. |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated | Required to authenticate on behalf of a user from Excel. |
| Microsoft Graph | openid | Sign users in | Delegated | Required to authenticate on behalf of a user from Excel. |

Cosmos Portal

| API Name | Claim Value | Permission | Type | Reason |
|---|---|---|---|---|
| Cosmos Users and File Management | ManageUsersAndFiles | Manage Users and Reports | Delegated | Gives the Cosmos Portal permissions to interface with Users and File Management (see below). |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated | Required to read user account information. |
| Microsoft Graph | openid | Sign users in | Delegated | Required to sign in to the Cosmos Portal with Entra. |
| Microsoft Graph | profile | View users' basic profile | Delegated | Required to get user profile information. |
| Microsoft Graph | offline_access | Maintain access to data you have given it access to | Delegated | Required to retrieve refresh tokens from Entra. |
| Power BI Service | Report.Read.All | View all reports | Delegated | Required to read Power BI reports. |
| Power BI Service | Workspace.Read.All | View all workspaces | Delegated | Required to read Power BI workspaces. |

Cosmos API Permissions

| API Name | Claim Value | Permission | Type | Reason |
|---|---|---|---|---|
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated | Required to authenticate against the Cosmos OData API. |

Cosmos Users and File Management

| API Name | Claim Value | Permission | Type | Reason |
|---|---|---|---|---|
| Microsoft Graph | Sites.FullControl.All | Have full control of all site collections | Delegated | Required to manage a selected SharePoint site that stores reports. Only used once on behalf of the onboarding admin when configuring the SharePoint site or when new environments are created in Cosmos to create the associated SharePoint site. |
| Microsoft Graph | Sites.Selected | Access selected site collections | Application | Ensures that Cosmos only has access to selected sites in SharePoint as determined by the admin during onboarding. |
| Microsoft Graph | User.Read.All | Read all users' full profiles | Application | Required to read user account information from Entra in order to manage Cosmos users. |
| Microsoft Graph | Group.ReadWrite.All | Read and write all groups | Delegated | Required to provision the SharePoint site used to store reports. Only used once on behalf of the admin when configuring File Storage during onboarding. |
| Microsoft Graph | Sites.Selected | Access selected site collections | Delegated | Same as the application permission, except performed on behalf of the Cosmos user. |
| Power BI Service | Report.Read.All | View all reports | Delegated | Required to read Power BI reports. |
| Power BI Service | Workspace.Read.All | View all workspaces | Delegated | Required to read Power BI workspaces. |