Workspace 365 oAuth2 Single sign-on with Azure AD Explained

Table of Contents



In this article we will explain the working of the oAuth2 single sign-on method between Workspace 365 and Azure AD (Office 365).


Frequently asked questions & answers

How will Workspace 365 connect with Azure AD?

Workspace 365 will connect with Azure AD via an registered Azure AD application, which grants Workspace 365 permissions to use the desired API's.

Workspace 365 has the option to automatically create the Azure AD Application, so no user interaction is needed, only for the consent on the API permissions when the application is created. See this article for additional information.

Which changes will Workspace 365 make to our Office365 tenant when oAuth2 app is created?

None, Workspace 365 will only create a Authentication specific application in the Azure AD.

Which permissions does the Workspace 365 oAuth2 application need?

The following permissions are needed for a minimal functional Workspace 365 environment, which exclude SharePoint, Exchange, PowerBI:

The following permissions are needed for a functional Workspace 365 environment (Office 365 related), which include SharePoint, Exchange and Power BI:

These permission are all set on user level. These permission are not granted to the Workspace 365 environment itself, but to the user who signs in.

These permissions are also shown when you need to consent the application to grant permissions, which always needs to happen when you automatically create the oAuth2 Single sign-on application:

Why does Workspace 365 need these permissions?

These permissions are used to communicate with Office 365 based on the signed in user in Workspace 365, so that the user is able to open the documents, connect to SharePoint, connect to Outlook etc.

Will those permissions and changes affect my users?

No, these changes will not affect the users. 

Are there security risks involved?

No only the Workspace 365 environment which you created the Azure AD application with can access this application only when a user is signed in, and the oAuth2 implementation is fully Microsoft compliant.

Does Workspace 365 use impersonation to retrieve data in the Workspace 365 environment?

No, Workspace 365 uses the user token for that specific user to retrieve the data for that user to show in the Workspace 365 environment.

How can I limit the Workspace 365 Azure AD application so only specific people can use it?

This is not needed, because Workspace 365 handles this with its own user management, so the user has to be added to the Workspace 365 environment before it can sign in.

Back to top