Workspace 365 OAuth2 Single Sign-On with Azure AD Explained
In this article we explain how the OAuth2 single sign-on method between Workspace 365 and Azure AD (Office 365) works.
Below are some questions and answers:
- How will Workspace 365 connect with Azure AD?
Workspace 365 connects with Azure AD via a registered Azure AD application, which grants Workspace 365 permission to use the required APIs.
Workspace 365 can create the Azure AD application automatically, so the only user interaction needed is consenting to the API permissions when the application is created. See this article for additional information.
- Which changes will Workspace 365 make to our Office 365 tenant when the OAuth2 application is created?
None; Workspace 365 only creates an application in Azure AD that is used specifically for authentication.
- Which permissions does the Workspace 365 OAuth2 application need?
The following permissions are needed for a minimally functional Workspace 365 environment, which excludes SharePoint, Exchange and Power BI:
The following permissions are needed for a functional Workspace 365 environment (Office 365 related), which includes SharePoint, Exchange and Power BI:
These permissions are also shown on the consent prompt for the application, which always appears when you automatically create the OAuth2 single sign-on application:
- Why does Workspace 365 need these permissions?
These permissions are used to communicate with Office 365 on behalf of the user signed in to Workspace 365, so that the user is able to open documents, connect to SharePoint, connect to Outlook, etc.
- Will those permissions and changes affect my users?
No, these changes will not affect the users.
- Are there security risks involved?
No. Only the Workspace 365 environment with which you created the Azure AD application can access this application, and only when a user is signed in; the OAuth2 implementation is fully Microsoft compliant.
- Does Workspace 365 use impersonation to retrieve data in the Workspace 365 environment?
No, Workspace 365 uses the signed-in user's own token to retrieve that user's data and show it in the Workspace 365 environment.
- How can I limit the Workspace 365 Azure AD application so only specific people can use it?
This is not needed, because Workspace 365 handles this with its own user management, so the user has to be added to the Workspace 365 environment before they can sign in.
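The distinction in the answer above, between a token issued for the signed-in user (delegated, carrying an `scp` claim and the user's identity) and app-only access (a `roles` claim and no user), can be checked on any Azure AD access token from its claims; the Python below is an added example, not code from Workspace 365 or this article, and the client id, tenant id, permission names and sample tokens in it are constructed. It only decodes the payload for inspection and does not verify the signature.

```python
import base64
import json
import time

def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWT base64url segments drop.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def make_demo_token(claims: dict) -> str:
    """Build a JWT-shaped string from constructed claims; the signature is a placeholder."""
    return f"{_b64url_encode({'alg': 'none'})}.{_b64url_encode(claims)}.placeholder-signature"

def inspect_token(token: str, expected_client_id: str, now=None) -> dict:
    """Describe how an Azure AD access token was issued, from its claims alone."""
    # The signature is NOT verified: use this for inspection, never to accept a token.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    scopes = claims.get("scp", "").split()   # delegated permissions, space separated
    app_roles = claims.get("roles", [])      # application (app-only) permissions
    if scopes:
        flow = "delegated"     # issued for a signed-in user; user claims are present
    elif app_roles:
        flow = "application"   # app-only token; no user is involved
    else:
        flow = "unknown"
    client_id = claims.get("azp") or claims.get("appid")   # v2 tokens use azp, v1 use appid
    now = int(time.time()) if now is None else now
    return {
        "flow": flow,
        "user": claims.get("preferred_username") or claims.get("upn"),
        "tenant": claims.get("tid"),
        "scopes": scopes,
        "app_roles": app_roles,
        "issued_to_expected_app": client_id == expected_client_id,
        "expired": claims.get("exp", 0) <= now,
    }

# Constructed sample values: not a real tenant, application or user.
CLIENT_ID = "00000000-0000-4000-8000-0000000000aa"
TENANT_ID = "11111111-1111-4111-8111-111111111111"
USER_TOKEN = make_demo_token({"tid": TENANT_ID, "azp": CLIENT_ID, "scp": "User.Read Files.Read.All",
                              "preferred_username": "alice@example.test", "exp": 4102444800})
APP_ONLY_TOKEN = make_demo_token({"tid": TENANT_ID, "appid": CLIENT_ID,
                                  "roles": ["Files.Read.All"], "exp": 4102444800})
```

Running `inspect_token(USER_TOKEN, CLIENT_ID)` reports `flow == "delegated"` with the user and scopes filled in, while the app-only token reports `flow == "application"` and no user, which is the case the answer above says Workspace 365 does not rely on.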