You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
714 lines
35 KiB
714 lines
35 KiB
package azureadv2
|
|
|
|
type (
|
|
// ScopeType are the well known scopes which can be requested
|
|
ScopeType string
|
|
)
|
|
|
|
// OpenID Permissions
|
|
//
|
|
// You can use these permissions to specify artifacts that you want returned in Azure AD authorization and token
|
|
// requests. They are supported differently by the Azure AD v1.0 and v2.0 endpoints.
|
|
//
|
|
// With the Azure AD (v1.0) endpoint, only the openid permission is used. You specify it in the scope parameter in an
|
|
// authorization request to return an ID token when you use the OpenID Connect protocol to sign in a user to your app.
|
|
// For more information, see Authorize access to web applications using OpenID Connect and Azure Active Directory. To
|
|
// successfully return an ID token, you must also make sure that the User.Read permission is configured when you
|
|
// register your app.
|
|
//
|
|
// With the Azure AD v2.0 endpoint, you specify the offline_access permission in the scope parameter to explicitly
|
|
// request a refresh token when using the OAuth 2.0 or OpenID Connect protocols. With OpenID Connect, you specify the
|
|
// openid permission to request an ID token. You can also specify the email permission, profile permission, or both to
|
|
// return additional claims in the ID token. You do not need to specify User.Read to return an ID token with the v2.0
|
|
// endpoint. For more information, see OpenID Connect scopes.
|
|
const (
|
|
// OpenIDScope shows on the work account consent page as the "Sign you in" permission, and on the personal Microsoft
|
|
// account consent page as the "View your profile and connect to apps and services using your Microsoft account"
|
|
// permission. With this permission, an app can receive a unique identifier for the user in the form of the sub
|
|
// claim. It also gives the app access to the UserInfo endpoint. The openid scope can be used at the v2.0 token
|
|
// endpoint to acquire ID tokens, which can be used to secure HTTP calls between different components of an app.
|
|
OpenIDScope ScopeType = "openid"
|
|
|
|
// EmailScope can be used with the openid scope and any others. It gives the app access to the user's primary
|
|
// email address in the form of the email claim. The email claim is included in a token only if an email address is
|
|
// associated with the user account, which is not always the case. If it uses the email scope, your app should be
|
|
// prepared to handle a case in which the email claim does not exist in the token.
|
|
EmailScope ScopeType = "email"
|
|
|
|
// ProfileScope can be used with the openid scope and any others. It gives the app access to a substantial
|
|
// amount of information about the user. The information it can access includes, but is not limited to, the user's
|
|
// given name, surname, preferred username, and object ID. For a complete list of the profile claims available in
|
|
// the id_tokens parameter for a specific user, see the v2.0 tokens reference:
|
|
// https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-id-and-access-tokens.
|
|
ProfileScope ScopeType = "profile"
|
|
|
|
// OfflineAccessScope gives your app access to resources on behalf of the user for an extended time. On the work
|
|
// account consent page, this scope appears as the "Access your data anytime" permission. On the personal Microsoft
|
|
// account consent page, it appears as the "Access your info anytime" permission. When a user approves the
|
|
// offline_access scope, your app can receive refresh tokens from the v2.0 token endpoint. Refresh tokens are
|
|
// long-lived. Your app can get new access tokens as older ones expire.
|
|
//
|
|
// If your app does not request the offline_access scope, it won't receive refresh tokens. This means that when you
|
|
// redeem an authorization code in the OAuth 2.0 authorization code flow, you'll receive only an access token from
|
|
// the /token endpoint. The access token is valid for a short time. The access token usually expires in one hour.
|
|
// At that point, your app needs to redirect the user back to the /authorize endpoint to get a new authorization
|
|
// code. During this redirect, depending on the type of app, the user might need to enter their credentials again
|
|
// or consent again to permissions.
|
|
OfflineAccessScope ScopeType = "offline_access"
|
|
)
|
|
|
|
// Calendar Permissions
|
|
//
|
|
// Calendars.Read.Shared and Calendars.ReadWrite.Shared are only valid for work or school accounts. All other
|
|
// permissions are valid for both Microsoft accounts and work or school accounts.
|
|
//
|
|
// See also https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference
|
|
const (
|
|
// CalendarsReadScope allows the app to read events in user calendars.
|
|
CalendarsReadScope ScopeType = "Calendars.Read"
|
|
|
|
// CalendarsReadSharedScope allows the app to read events in all calendars that the user can access, including
|
|
// delegate and shared calendars.
|
|
CalendarsReadSharedScope ScopeType = "Calendars.Read.Shared"
|
|
|
|
// CalendarsReadWriteScope allows the app to create, read, update, and delete events in user calendars.
|
|
CalendarsReadWriteScope ScopeType = "Calendars.ReadWrite"
|
|
|
|
// CalendarsReadWriteSharedScope allows the app to create, read, update and delete events in all calendars the user
|
|
// has permissions to access. This includes delegate and shared calendars.
|
|
CalendarsReadWriteSharedScope ScopeType = "Calendars.ReadWrite.Shared"
|
|
)
|
|
|
|
// Contacts Permissions
|
|
//
|
|
// Only the Contacts.Read and Contacts.ReadWrite delegated permissions are valid for Microsoft accounts.
|
|
//
|
|
// See also https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference
|
|
const (
|
|
// ContactsReadScope allows the app to read contacts that the user has permissions to access, including the user's
|
|
// own and shared contacts.
|
|
ContactsReadScope ScopeType = "Contacts.Read"
|
|
|
|
// ContactsReadSharedScope allows the app to read contacts that the user has permissions to access, including the
|
|
// user's own and shared contacts.
|
|
ContactsReadSharedScope ScopeType = "Contacts.Read.Shared"
|
|
|
|
// ContactsReadWriteScope allows the app to create, read, update, and delete user contacts.
|
|
ContactsReadWriteScope ScopeType = "Contacts.ReadWrite"
|
|
|
|
// ContactsReadWriteSharedScope allows the app to create, read, update and delete contacts that the user has
|
|
// permissions to, including the user's own and shared contacts.
|
|
ContactsReadWriteSharedScope ScopeType = "Contacts.ReadWrite.Shared"
|
|
)
|
|
|
|
// Device Permissions
|
|
//
|
|
// The Device.Read and Device.Command delegated permissions are valid only for personal Microsoft accounts.
|
|
//
|
|
// See also https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference
|
|
const (
|
|
// DeviceReadScope allows the app to read a user's list of devices on behalf of the signed-in user.
|
|
DeviceReadScope ScopeType = "Device.Read"
|
|
|
|
// DeviceCommandScope allows the app to launch another app or communicate with another app on a user's device on
|
|
// behalf of the signed-in user.
|
|
DeviceCommandScope ScopeType = "Device.Command"
|
|
)
|
|
|
|
// Directory Permissions
|
|
//
|
|
// Directory permissions are not supported on Microsoft accounts.
|
|
//
|
|
// Directory permissions provide the highest level of privilege for accessing directory resources such as User, Group,
|
|
// and Device in an organization.
|
|
//
|
|
// They also exclusively control access to other directory resources like: organizational contacts, schema extension
|
|
// APIs, Privileged Identity Management (PIM) APIs, as well as many of the resources and APIs listed under the Azure
|
|
// Active Directory node in the v1.0 and beta API reference documentation. These include administrative units, directory
|
|
// roles, directory settings, policy, and many more.
|
|
//
|
|
// The Directory.ReadWrite.All permission grants the following privileges:
|
|
// - Full read of all directory resources (both declared properties and navigation properties)
|
|
// - Create and update users
|
|
// - Disable and enable users (but not company administrator)
|
|
// - Set user alternative security id (but not administrators)
|
|
// - Create and update groups
|
|
// - Manage group memberships
|
|
// - Update group owner
|
|
// - Manage license assignments
|
|
// - Define schema extensions on applications
|
|
// - Note: No rights to reset user passwords
|
|
// - Note: No rights to delete resources (including users or groups)
|
|
// - Note: Specifically excludes create or update for resources not listed above. This includes: application,
|
|
// oAauth2Permissiongrant, appRoleAssignment, device, servicePrincipal, organization, domains, and so on.
|
|
//
|
|
// See also https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference
|
|
const (
|
|
// DirectoryReadAllScope allows the app to read data in your organization's directory, such as users, groups and
|
|
// apps.
|
|
//
|
|
// Note: Users may consent to applications that require this permission if the application is registered in their
|
|
// own organization’s tenant.
|
|
//
|
|
// requires admin consent
|
|
DirectoryReadAllScope ScopeType = "Directory.Read.All"
|
|
|
|
// DirectoryReadWriteAllScope allows the app to read and write data in your organization's directory, such as users,
|
|
// and groups. It does not allow the app to delete users or groups, or reset user passwords.
|
|
//
|
|
// requires admin consent
|
|
DirectoryReadWriteAllScope ScopeType = "Directory.ReadWrite.All"
|
|
|
|
// DirectoryAccessAsUserAllScope allows the app to have the same access to information in the directory as the
|
|
// signed-in user.
|
|
//
|
|
// requires admin consent
|
|
DirectoryAccessAsUserAllScope ScopeType = "Directory.AccessAsUser.All"
|
|
)
|
|
|
|
// Education Administration Permissions
|
|
const (
|
|
// EduAdministrationReadScope allows the app to read education app settings on behalf of the user.
|
|
//
|
|
// requires admin consent
|
|
EduAdministrationReadScope ScopeType = "EduAdministration.Read"
|
|
|
|
// EduAdministrationReadWriteScope allows the app to manage education app settings on behalf of the user.
|
|
//
|
|
// requires admin consent
|
|
EduAdministrationReadWriteScope ScopeType = "EduAdministration.ReadWrite"
|
|
|
|
// EduAssignmentsReadBasicScope allows the app to read assignments without grades on behalf of the user
|
|
//
|
|
// requires admin consent
|
|
EduAssignmentsReadBasicScope ScopeType = "EduAssignments.ReadBasic"
|
|
|
|
// EduAssignmentsReadWriteBasicScope allows the app to read and write assignments without grades on behalf of the
|
|
// user
|
|
EduAssignmentsReadWriteBasicScope ScopeType = "EduAssignments.ReadWriteBasic"
|
|
|
|
// EduAssignmentsReadScope allows the app to read assignments and their grades on behalf of the user
|
|
//
|
|
// requires admin consent
|
|
EduAssignmentsReadScope ScopeType = "EduAssignments.Read"
|
|
|
|
// EduAssignmentsReadWriteScope allows the app to read and write assignments and their grades on behalf of the user
|
|
//
|
|
// requires admin consent
|
|
EduAssignmentsReadWriteScope ScopeType = "EduAssignments.ReadWrite"
|
|
|
|
// EduRosteringReadBasicScope allows the app to read a limited subset of the data from the structure of schools and
|
|
// classes in an organization's roster and education-specific information about users to be read on behalf of the
|
|
// user.
|
|
//
|
|
// requires admin consent
|
|
EduRosteringReadBasicScope ScopeType = "EduRostering.ReadBasic"
|
|
)
|
|
|
|
// Files Permissions
|
|
//
|
|
// The Files.Read, Files.ReadWrite, Files.Read.All, and Files.ReadWrite.All delegated permissions are valid on both
|
|
// personal Microsoft accounts and work or school accounts. Note that for personal accounts, Files.Read and
|
|
// Files.ReadWrite also grant access to files shared with the signed-in user.
|
|
//
|
|
// The Files.Read.Selected and Files.ReadWrite.Selected delegated permissions are only valid on work or school accounts
|
|
// and are only exposed for working with Office 365 file handlers (v1.0)
|
|
// https://msdn.microsoft.com/office/office365/howto/using-cross-suite-apps. They should not be used for directly
|
|
// calling Microsoft Graph APIs.
|
|
//
|
|
// The Files.ReadWrite.AppFolder delegated permission is only valid for personal accounts and is used for accessing the
|
|
// App Root special folder https://dev.onedrive.com/misc/appfolder.htm with the OneDrive Get special folder
|
|
// https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/drive_get_specialfolder Microsoft Graph API.
|
|
const (
|
|
// FilesReadScope allows the app to read the signed-in user's files.
|
|
FilesReadScope ScopeType = "Files.Read"
|
|
|
|
// FilesReadAllScope allows the app to read all files the signed-in user can access.
|
|
FilesReadAllScope ScopeType = "Files.Read.All"
|
|
|
|
// FilesReadWrite allows the app to read, create, update, and delete the signed-in user's files.
|
|
FilesReadWriteScope ScopeType = "Files.ReadWrite"
|
|
|
|
// FilesReadWriteAllScope allows the app to read, create, update, and delete all files the signed-in user can access.
|
|
FilesReadWriteAllScope ScopeType = "Files.ReadWrite.All"
|
|
|
|
// FilesReadWriteAppFolderScope allows the app to read, create, update, and delete files in the application's folder.
|
|
FilesReadWriteAppFolderScope ScopeType = "Files.ReadWrite.AppFolder"
|
|
|
|
// FilesReadSelectedScope allows the app to read files that the user selects. The app has access for several hours
|
|
// after the user selects a file.
|
|
//
|
|
// preview
|
|
FilesReadSelectedScope ScopeType = "Files.Read.Selected"
|
|
|
|
// FilesReadWriteSelectedScope allows the app to read and write files that the user selects. The app has access for
|
|
// several hours after the user selects a file
|
|
//
|
|
// preview
|
|
FilesReadWriteSelectedScope ScopeType = "Files.ReadWrite.Selected"
|
|
)
|
|
|
|
// Group Permissions
|
|
//
|
|
// Group functionality is not supported on personal Microsoft accounts.
|
|
//
|
|
// For Office 365 groups, Group permissions grant the app access to the contents of the group; for example,
|
|
// conversations, files, notes, and so on.
|
|
//
|
|
// For application permissions, there are some limitations for the APIs that are supported. For more information, see
|
|
// known issues.
|
|
//
|
|
// In some cases, an app may need Directory permissions to read some group properties like member and memberOf. For
|
|
// example, if a group has a one or more servicePrincipals as members, the app will need effective permissions to read
|
|
// service principals through being granted one of the Directory.* permissions, otherwise Microsoft Graph will return an
|
|
// error. (In the case of delegated permissions, the signed-in user will also need sufficient privileges in the
|
|
// organization to read service principals.) The same guidance applies for the memberOf property, which can return
|
|
// administrativeUnits.
|
|
//
|
|
// Group permissions are also used to control access to Microsoft Planner resources and APIs. Only delegated permissions
|
|
// are supported for Microsoft Planner APIs; application permissions are not supported. Personal Microsoft accounts are
|
|
// not supported.
|
|
const (
|
|
// GroupReadAllScope allows the app to list groups, and to read their properties and all group memberships on behalf
|
|
// of the signed-in user. Also allows the app to read calendar, conversations, files, and other group content for
|
|
// all groups the signed-in user can access.
|
|
GroupReadAllScope ScopeType = "Group.Read.All"
|
|
|
|
// GroupReadWriteAllScope allows the app to create groups and read all group properties and memberships on behalf of
|
|
// the signed-in user. Additionally allows group owners to manage their groups and allows group members to update
|
|
// group content.
|
|
GroupReadWriteAllScope ScopeType = "Group.ReadWrite.All"
|
|
)
|
|
|
|
// Identity Risk Event Permissions
|
|
//
|
|
// IdentityRiskEvent.Read.All is valid only for work or school accounts. For an app with delegated permissions to read
|
|
// identity risk information, the signed-in user must be a member of one of the following administrator roles: Global
|
|
// Administrator, Security Administrator, or Security Reader. For more information about administrator roles, see
|
|
// Assigning administrator roles in Azure Active Directory.
|
|
const (
|
|
// IdentityRiskEventReadAllScope allows the app to read identity risk event information for all users in your
|
|
// organization on behalf of the signed-in user.
|
|
//
|
|
// requires admin consent
|
|
IdentityRiskEventReadAllScope ScopeType = "IdentityRiskEvent.Read.All"
|
|
)
|
|
|
|
// Identity Provider Permissions
|
|
//
|
|
// IdentityProvider.Read.All and IdentityProvider.ReadWrite.All are valid only for work or school accounts. For an app
|
|
// to read or write identity providers with delegated permissions, the signed-in user must be assigned the Global
|
|
// Administrator role. For more information about administrator roles, see Assigning administrator roles in Azure Active
|
|
// Directory.
|
|
const (
|
|
// IdentityProviderReadAllScope allows the app to read identity providers configured in your Azure AD or Azure AD
|
|
// B2C tenant on behalf of the signed-in user.
|
|
//
|
|
// requires admin consent
|
|
IdentityProviderReadAllScope ScopeType = "IdentityProvider.Read.All"
|
|
|
|
// IdentityProviderReadWriteAllScope allows the app to read or write identity providers configured in your Azure AD
|
|
// or Azure AD B2C tenant on behalf of the signed-in user.
|
|
//
|
|
// requires admin consent
|
|
IdentityProviderReadWriteAllScope ScopeType = "IdentityProvider.ReadWrite.All"
|
|
)
|
|
|
|
// Device Management Permissions
|
|
//
|
|
// Using the Microsoft Graph APIs to configure Intune controls and policies still requires that the Intune service is
|
|
// correctly licensed by the customer.
|
|
//
|
|
// These permissions are only valid for work or school accounts.
|
|
const (
|
|
// DeviceManagementAppsReadAllScope allows the app to read the properties, group assignments and status of apps, app
|
|
// configurations and app protection policies managed by Microsoft Intune.
|
|
//
|
|
// requires admin consent
|
|
DeviceManagementAppsReadAllScope ScopeType = "DeviceManagementApps.Read.All"
|
|
|
|
// DeviceManagementAppsReadWriteAllScope allows the app to read and write the properties, group assignments and
|
|
// status of apps, app configurations and app protection policies managed by Microsoft Intune.
|
|
//
|
|
// requires admin consent
|
|
DeviceManagementAppsReadWriteAllScope ScopeType = "DeviceManagementApps.ReadWrite.All"
|
|
|
|
// DeviceManagementConfigurationReadAllScope allows the app to read properties of Microsoft Intune-managed device
|
|
// configuration and device compliance policies and their assignment to groups.
|
|
//
|
|
// requires admin consent
|
|
DeviceManagementConfigurationReadAllScope ScopeType = "DeviceManagementConfiguration.Read.All"
|
|
|
|
// DeviceManagementConfigurationReadWriteAllScope allows the app to read and write properties of Microsoft
|
|
// Intune-managed device configuration and device compliance policies and their assignment to groups.
|
|
//
|
|
// requires admin consent
|
|
DeviceManagementConfigurationReadWriteAllScope ScopeType = "DeviceManagementConfiguration.ReadWrite.All"
|
|
|
|
// DeviceManagementManagedDevicesPrivilegedOperationsAllScope allows the app to perform remote high impact actions
|
|
// such as wiping the device or resetting the passcode on devices managed by Microsoft Intune.
|
|
//
|
|
// requires admin consent
|
|
DeviceManagementManagedDevicesPrivilegedOperationsAllScope ScopeType = "DeviceManagementManagedDevices.PrivilegedOperations.All"
|
|
|
|
// DeviceManagementManagedDevicesReadAllScope allows the app to read the properties of devices managed by Microsoft
|
|
// Intune.
|
|
//
|
|
// requires admin consent
|
|
DeviceManagementManagedDevicesReadAllScope ScopeType = "DeviceManagementManagedDevices.Read.All"
|
|
|
|
// DeviceManagementManagedDevicesReadWriteAllScope allows the app to read and write the properties of devices
|
|
// managed by Microsoft Intune. Does not allow high impact operations such as remote wipe and password reset on the
|
|
// device’s owner.
|
|
//
|
|
// requires admin consent
|
|
DeviceManagementManagedDevicesReadWriteAllScope ScopeType = "DeviceManagementManagedDevices.ReadWrite.All"
|
|
|
|
// DeviceManagementRBACReadAllScope allows the app to read the properties relating to the Microsoft Intune
|
|
// Role-Based Access Control (RBAC) settings.
|
|
//
|
|
// requires admin consent
|
|
DeviceManagementRBACReadAllScope ScopeType = "DeviceManagementRBAC.Read.All"
|
|
|
|
// DeviceManagementRBACReadWriteAllScope allows the app to read and write the properties relating to the Microsoft
|
|
// Intune Role-Based Access Control (RBAC) settings.
|
|
//
|
|
// requires admin consent
|
|
DeviceManagementRBACReadWriteAllScope ScopeType = "DeviceManagementRBAC.ReadWrite.All"
|
|
|
|
// DeviceManagementServiceConfigReadAllScope allows the app to read Intune service properties including device
|
|
// enrollment and third party service connection configuration.
|
|
//
|
|
// requires admin consent
|
|
DeviceManagementServiceConfigReadAllScope ScopeType = "DeviceManagementServiceConfig.Read.All"
|
|
|
|
// DeviceManagementServiceConfigReadWriteAllScope allows the app to read and write Microsoft Intune service
|
|
// properties including device enrollment and third party service connection configuration.
|
|
//
|
|
// requires admin consent
|
|
DeviceManagementServiceConfigReadWriteAllScope ScopeType = "DeviceManagementServiceConfig.ReadWrite.All"
|
|
)
|
|
|
|
// Mail Permissions
|
|
//
|
|
// Mail.Read.Shared, Mail.ReadWrite.Shared, and Mail.Send.Shared are only valid for work or school accounts. All other
|
|
// permissions are valid for both Microsoft accounts and work or school accounts.
|
|
//
|
|
// With the Mail.Send or Mail.Send.Shared permission, an app can send mail and save a copy to the user's Sent Items
|
|
// folder, even if the app does not use a corresponding Mail.ReadWrite or Mail.ReadWrite.Shared permission.
|
|
const (
|
|
// MailReadScope allows the app to read email in user mailboxes.
|
|
MailReadScope ScopeType = "Mail.Read"
|
|
|
|
// MailReadWriteScope allows the app to create, read, update, and delete email in user mailboxes. Does not include
|
|
// permission to send mail.
|
|
MailReadWriteScope ScopeType = "Mail.ReadWrite"
|
|
|
|
// MailReadSharedScope allows the app to read mail that the user can access, including the user's own and shared
|
|
// mail.
|
|
MailReadSharedScope ScopeType = "Mail.Read.Shared"
|
|
|
|
// MailReadWriteSharedScope allows the app to create, read, update, and delete mail that the user has permission to
|
|
// access, including the user's own and shared mail. Does not include permission to send mail.
|
|
MailReadWriteSharedScope ScopeType = "Mail.ReadWrite.Shared"
|
|
|
|
// MailSend allowsScope the app to send mail as users in the organization.
|
|
MailSendScope ScopeType = "Mail.Send"
|
|
|
|
// MailSendSharedScope allows the app to send mail as the signed-in user, including sending on-behalf of others.
|
|
MailSendSharedScope ScopeType = "Mail.Send.Shared"
|
|
|
|
// MailboxSettingsReadScope allows the app to the read user's mailbox settings. Does not include permission to send
|
|
// mail.
|
|
MailboxSettingsReadScope ScopeType = "Mailbox.Settings.Read"
|
|
|
|
// MailboxSettingsReadWriteScope allows the app to create, read, update, and delete user's mailbox settings. Does
|
|
// not include permission to directly send mail, but allows the app to create rules that can forward or redirect
|
|
// messages.
|
|
MailboxSettingsReadWriteScope ScopeType = "MailboxSettings.ReadWrite"
|
|
)
|
|
|
|
// Member Permissions
|
|
//
|
|
// Member.Read.Hidden is valid only on work or school accounts.
|
|
//
|
|
// Membership in some Office 365 groups can be hidden. This means that only the members of the group can view its
|
|
// members. This feature can be used to help comply with regulations that require an organization to hide group
|
|
// membership from outsiders (for example, an Office 365 group that represents students enrolled in a class).
|
|
const (
|
|
// MemberReadHiddenScope allows the app to read the memberships of hidden groups and administrative units on behalf
|
|
// of the signed-in user, for those hidden groups and administrative units that the signed-in user has access to.
|
|
//
|
|
// requires admin consent
|
|
MemberReadHiddenScope ScopeType = "Member.Read.Hidden"
|
|
)
|
|
|
|
// Notes Permissions
|
|
//
|
|
// Notes.Read.All and Notes.ReadWrite.All are only valid for work or school accounts. All other permissions are valid
|
|
// for both Microsoft accounts and work or school accounts.
|
|
//
|
|
// With the Notes.Create permission, an app can view the OneNote notebook hierarchy of the signed-in user and create
|
|
// OneNote content (notebooks, section groups, sections, pages, etc.).
|
|
//
|
|
// Notes.ReadWrite and Notes.ReadWrite.All also allow the app to modify the permissions on the OneNote content that can
|
|
// be accessed by the signed-in user.
|
|
//
|
|
// For work or school accounts, Notes.Read.All and Notes.ReadWrite.All allow the app to access other users' OneNote
|
|
// content that the signed-in user has permission to within the organization.
|
|
const (
|
|
// NotesReadScope allows the app to read OneNote notebooks on behalf of the signed-in user.
|
|
NotesReadScope ScopeType = "Notes.Read"
|
|
|
|
// NotesCreateScope allows the app to read the titles of OneNote notebooks and sections and to create new pages,
|
|
// notebooks, and sections on behalf of the signed-in user.
|
|
NotesCreateScope ScopeType = "Notes.Create"
|
|
|
|
// NotesReadWriteScope allows the app to read, share, and modify OneNote notebooks on behalf of the signed-in user.
|
|
NotesReadWriteScope ScopeType = "Notes.ReadWrite"
|
|
|
|
// NotesReadAllScope allows the app to read OneNote notebooks that the signed-in user has access to in the
|
|
// organization.
|
|
NotesReadAllScope ScopeType = "Notes.Read.All"
|
|
|
|
// NotesReadWriteAllScope allows the app to read, share, and modify OneNote notebooks that the signed-in user has
|
|
// access to in the organization.
|
|
NotesReadWriteAllScope ScopeType = "Notes.ReadWrite.All"
|
|
)
|
|
|
|
// People Permissions
|
|
//
|
|
// The People.Read.All permission is only valid for work and school accounts.
|
|
const (
|
|
// PeopleReadScope allows the app to read a scored list of people relevant to the signed-in user. The list can
|
|
// include local contacts, contacts from social networking or your organization's directory, and people from recent
|
|
// communications (such as email and Skype).
|
|
PeopleReadScope ScopeType = "People.Read"
|
|
|
|
// PeopleReadAllScope allows the app to read a scored list of people relevant to the signed-in user or other users
|
|
// in the signed-in user's organization. The list can include local contacts, contacts from social networking or
|
|
// your organization's directory, and people from recent communications (such as email and Skype). Also allows the
|
|
// app to search the entire directory of the signed-in user's organization.
|
|
//
|
|
// requires admin consent
|
|
PeopleReadAllScope ScopeType = "People.Read.All"
|
|
)
|
|
|
|
// Report Permissions
|
|
//
|
|
// Reports permissions are only valid for work or school accounts.
|
|
const (
|
|
// ReportsReadAllScope allows an app to read all service usage reports without a signed-in user. Services that
|
|
// provide usage reports include Office 365 and Azure Active Directory.
|
|
//
|
|
// requires admin consent
|
|
ReportsReadAllScope ScopeType = "Reports.Read.All"
|
|
)
|
|
|
|
// Security Permissions
|
|
//
|
|
// Security permissions are valid only on work or school accounts.
|
|
const (
|
|
// SecurityEventsReadAllScope allows the app to read your organization’s security events on behalf of the signed-in
|
|
// user.
|
|
// requires admin consent
|
|
SecurityEventsReadAllScope ScopeType = "SecurityEvents.Read.All"
|
|
|
|
// SecurityEventsReadWriteAllScope allows the app to read your organization’s security events on behalf of the
|
|
// signed-in user. Also allows the app to update editable properties in security events on behalf of the signed-in
|
|
// user.
|
|
//
|
|
// requires admin consent
|
|
SecurityEventsReadWriteAllScope ScopeType = "SecurityEvents.ReadWrite.All"
|
|
)
|
|
|
|
// Sites Permissions
|
|
//
|
|
// Sites permissions are valid only on work or school accounts.
|
|
const (
|
|
// SitesReadAllScope allows the app to read documents and list items in all site collections on behalf of the
|
|
// signed-in user.
|
|
SitesReadAllScope ScopeType = "Sites.Read.All"
|
|
|
|
// SitesReadWriteAllScope allows the app to edit or delete documents and list items in all site collections on
|
|
// behalf of the signed-in user.
|
|
SitesReadWriteAllScope ScopeType = "Sites.ReadWrite.All"
|
|
|
|
// SitesManageAllScope allows the app to manage and create lists, documents, and list items in all site collections
|
|
// on behalf of the signed-in user.
|
|
SitesManageAllScope ScopeType = "Sites.Manage.All"
|
|
|
|
// SitesFullControlAllScope allows the app to have full control to SharePoint sites in all site collections on
|
|
// behalf of the signed-in user.
|
|
//
|
|
// requires admin consent
|
|
SitesFullControlAllScope ScopeType = "Sites.FullControl.All"
|
|
)
|
|
|
|
// Tasks Permissions
|
|
//
|
|
// Tasks permissions are used to control access for Outlook tasks. Access for Microsoft Planner tasks is controlled by
|
|
// Group permissions.
|
|
//
|
|
// Shared permissions are currently only supported for work or school accounts. Even with Shared permissions, reads and
|
|
// writes may fail if the user who owns the shared content has not granted the accessing user permissions to modify
|
|
// content within the folder.
|
|
const (
|
|
// TasksReadScope allows the app to read user tasks.
|
|
TasksReadScope ScopeType = "Tasks.Read"
|
|
|
|
// TasksReadSharedScope allows the app to read tasks a user has permissions to access, including their own and
|
|
// shared tasks.
|
|
TasksReadSharedScope ScopeType = "Tasks.Read.Shared"
|
|
|
|
// TasksReadWriteScope allows the app to create, read, update and delete tasks and containers (and tasks in them)
|
|
// that are assigned to or shared with the signed-in user.
|
|
TasksReadWriteScope ScopeType = "Tasks.ReadWrite"
|
|
|
|
// TasksReadWriteSharedScope allows the app to create, read, update, and delete tasks a user has permissions to,
|
|
// including their own and shared tasks.
|
|
TasksReadWriteSharedScope ScopeType = "Tasks.ReadWrite.Shared"
|
|
)
|
|
|
|
// Terms of Use Permissions
|
|
//
|
|
// All the permissions above are valid only for work or school accounts.
|
|
//
|
|
// For an app to read or write all agreements or agreement acceptances with delegated permissions, the signed-in user
|
|
// must be assigned the Global Administrator, Conditional Access Administrator or Security Administrator role. For more
|
|
// information about administrator roles, see Assigning administrator roles in Azure Active Directory
|
|
// https://docs.microsoft.com/azure/active-directory/active-directory-assign-admin-roles.
|
|
const (
|
|
// AgreementReadAllScope allows the app to read terms of use agreements on behalf of the signed-in user.
|
|
//
|
|
// requires admin consent
|
|
AgreementReadAllScope ScopeType = "Agreement.Read.All"
|
|
|
|
// AgreementReadWriteAllScope allows the app to read and write terms of use agreements on behalf of the signed-in
|
|
// user.
|
|
//
|
|
// requires admin consent
|
|
AgreementReadWriteAllScope ScopeType = "Agreement.ReadWrite.All"
|
|
|
|
// AgreementAcceptanceReadScope allows the app to read terms of use acceptance statuses on behalf of the signed-in
|
|
// user.
|
|
//
|
|
// requires admin consent
|
|
AgreementAcceptanceReadScope ScopeType = "AgreementAcceptance.Read"
|
|
|
|
// AgreementAcceptanceReadAllScope allows the app to read terms of use acceptance statuses on behalf of the
|
|
// signed-in user.
|
|
//
|
|
// requires admin consent
|
|
AgreementAcceptanceReadAllScope ScopeType = "AgreementAcceptance.Read.All"
|
|
)
|
|
|
|
// User Permissions
|
|
//
|
|
// The only permissions valid for Microsoft accounts are User.Read and User.ReadWrite. For work or school accounts, all
|
|
// permissions are valid.
|
|
//
|
|
// With the User.Read permission, an app can also read the basic company information of the signed-in user for a work or
|
|
// school account through the organization resource. The following properties are available: id, displayName, and
|
|
// verifiedDomains.
|
|
//
|
|
// For work or school accounts, the full profile includes all of the declared properties of the User resource. On reads,
|
|
// only a limited number of properties are returned by default. To read properties that are not in the default set, use
|
|
// $select. The default properties are:
|
|
// displayName
|
|
// givenName
|
|
// jobTitle
|
|
// mail
|
|
// mobilePhone
|
|
// officeLocation
|
|
// preferredLanguage
|
|
// surname
|
|
// userPrincipalName
|
|
//
|
|
// User.ReadWrite and User.Readwrite.All delegated permissions allow the app to update the following profile properties
|
|
// for work or school accounts:
|
|
// aboutMe
|
|
// birthday
|
|
// hireDate
|
|
// interests
|
|
// mobilePhone
|
|
// mySite
|
|
// pastProjects
|
|
// photo
|
|
// preferredName
|
|
// responsibilities
|
|
// schools
|
|
// skills
|
|
//
|
|
// With the User.ReadWrite.All application permission, the app can update all of the declared properties of work or
|
|
// school accounts except for password.
|
|
//
|
|
// To read or write direct reports (directReports) or the manager (manager) of a work or school account, the app must
|
|
// have either User.Read.All (read only) or User.ReadWrite.All.
|
|
//
|
|
// The User.ReadBasic.All permission constrains app access to a limited set of properties known as the basic profile.
|
|
// This is because the full profile might contain sensitive directory information. The basic profile includes only the
|
|
// following properties:
|
|
// displayName
|
|
// givenName
|
|
// mail
|
|
// photo
|
|
// surname
|
|
// userPrincipalName
|
|
//
|
|
// To read the group memberships of a user (memberOf), the app must have either Group.Read.All or Group.ReadWrite.All.
|
|
// However, if the user also has membership in a directoryRole or an administrativeUnit, the app will need effective
|
|
// permissions to read those resources too, or Microsoft Graph will return an error. This means the app will also need
|
|
// Directory permissions, and, for delegated permissions, the signed-in user will also need sufficient privileges in the
|
|
// organization to access directory roles and administrative units.
|
|
const (
|
|
// UserReadScope allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It
|
|
// also allows the app to read basic company information of signed-in users.
|
|
UserReadScope ScopeType = "User.Read"
|
|
|
|
// UserReadWriteScope allows the app to read the signed-in user's full profile. It also allows the app to update the
|
|
// signed-in user's profile information on their behalf.
|
|
UserReadWriteScope ScopeType = "User.ReadWrite"
|
|
|
|
// UserReadBasicAllScope allows the app to read a basic set of profile properties of other users in your
|
|
// organization on behalf of the signed-in user. This includes display name, first and last name, email address,
|
|
// open extensions and photo. Also allows the app to read the full profile of the signed-in user.
|
|
UserReadBasicAllScope ScopeType = "User.ReadBasic.All"
|
|
|
|
// UserReadAllScope allows the app to read the full set of profile properties, reports, and managers of other users
|
|
// in your organization, on behalf of the signed-in user.
|
|
//
|
|
// requires admin consent
|
|
UserReadAllScope ScopeType = "User.Read.All"
|
|
|
|
// UserReadWriteAllScope allows the app to read and write the full set of profile properties, reports, and managers
|
|
// of other users in your organization, on behalf of the signed-in user. Also allows the app to create and delete
|
|
// users as well as reset user passwords on behalf of the signed-in user.
|
|
//
|
|
// requires admin consent
|
|
UserReadWriteAllScope ScopeType = "User.ReadWrite.All"
|
|
|
|
// UserInviteAllScope allows the app to invite guest users to your organization, on behalf of the signed-in user.
|
|
//
|
|
// requires admin consent
|
|
UserInviteAllScope ScopeType = "User.Invite.All"
|
|
|
|
// UserExportAllScope allows the app to export an organizational user's data, when performed by a Company
|
|
// Administrator.
|
|
//
|
|
// requires admin consent
|
|
UserExportAllScope ScopeType = "User.Export.All"
|
|
)
|
|
|
|
// User Activity Permissions
|
|
//
|
|
// UserActivity.ReadWrite.CreatedByApp is valid for both Microsoft accounts and work or school accounts.
|
|
//
|
|
// The CreatedByApp constraint associated with this permission indicates the service will apply implicit filtering to
|
|
// results based on the identity of the calling app, either the MSA app id or a set of app ids configured for a
|
|
// cross-platform application identity.
|
|
const (
|
|
// UserActivityReadWriteCreatedByAppScope allows the app to read and report the signed-in user's activity in the
|
|
// app.
|
|
UserActivityReadWriteCreatedByAppScope ScopeType = "UserActivity.ReadWrite.CreatedByApp"
|
|
)
|
|
|