fswest
Engaged Sweeper

Good afternoon,

My team is but a small department within our much wider organization, and has been using Lansweeper's Help Desk feature successfully for years. With the move away from legacy auth, we have begun the process that Lansweeper outlined here:

 https://www.lansweeper.com/knowledgebase/microsoft-graph-email-configuration/

The problem we are running into is at the larger permissions level and for step 2 "admin consent". Given that we are a smaller department, and we have an overarching IT department, I reached out to them for support. They mentioned that the "admin consent" portion was extremely risky, and are thereby not terribly willing to process it. They mentioned that for 3rd party software that 'hasn't fully implemented' OAuth, we would either have to wait on the 3rd party, or find a new vendor.

Question:

Is there a way to set up modern auth that doesn't require admin consent at that high of a level? If not, is there another path forward with Lansweeper *in house* that would allow for this? If not, I'm open to other suggestions. Someone mentioned the idea of using OAuth from a non-company email, but that seems like a less-than-ideal 'solution'.


Open to thoughts, please and thank you 🙂

1 ACCEPTED SOLUTION
ErikT
Lansweeper Tech Support

@fswest By default, when granting admin consent, as explained in the article, your application will have access to all mailboxes in your O365 tenant. However, you can restrict this further by configuring the "ApplicationAccessPolicy", to limit application permissions to a specific Exchange Online mailbox.

Added note:

The restrictions must be set for the e-mail address/mailbox you use for the Lansweeper Helpdesk. The app will then only have access to that mailbox.

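The restriction described in the accepted solution, as an added example that is not part of the thread or of Lansweeper's own documentation: an Exchange Online ApplicationAccessPolicy that scopes the app registration to the helpdesk mailbox, followed by positive and negative checks. The app ID, mailbox addresses and group name are placeholders; the policy is scoped to a mail-enabled security group whose only member is the helpdesk mailbox.

```powershell
# Added example, not from the thread or from Lansweeper. Requires the
# ExchangeOnlineManagement module and an Exchange administrator role.
# Every identifier below is a placeholder you must replace.
$AppId        = '00000000-0000-0000-0000-000000000000'   # Application (client) ID of the Lansweeper app registration
$HelpdeskMbx  = 'helpdesk@contoso.example'                # the mailbox Lansweeper polls and sends from
$ScopeGroup   = 'LansweeperHelpdeskScope'                 # mail-enabled security group used as the policy scope
$OtherMailbox = 'someone.else@contoso.example'            # any unrelated mailbox, for the negative check

Connect-ExchangeOnline

# 1. A mail-enabled security group whose only member is the helpdesk mailbox.
if (-not (Get-DistributionGroup -Identity $ScopeGroup -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $ScopeGroup -Type Security -Members $HelpdeskMbx | Out-Null
}

# 2. RestrictAccess: the app may only reach mailboxes in the scope group.
#    Without any policy, the tenant-wide Mail.* application permissions
#    granted at admin consent apply to every mailbox in the tenant.
New-ApplicationAccessPolicy -AppId $AppId `
    -PolicyScopeGroupId $ScopeGroup `
    -AccessRight RestrictAccess `
    -Description 'Lansweeper helpdesk: restricted to the helpdesk mailbox'

# 3. Verify from the app's point of view before trusting the change.
#    Expect Granted for the helpdesk mailbox and Denied for everything else.
#    Policy changes can take up to 30 minutes to propagate, so re-run if needed.
$expected = @{ $HelpdeskMbx = 'Granted'; $OtherMailbox = 'Denied' }
foreach ($mbx in $expected.Keys) {
    $result = Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId
    $ok = $result.AccessCheckResult -eq $expected[$mbx]
    '{0,-40} {1,-8} {2}' -f $mbx, $result.AccessCheckResult, $(if ($ok) { 'OK' } else { 'UNEXPECTED' })
}

# 4. Record what is enforced for this app, for the change ticket.
Get-ApplicationAccessPolicy | Where-Object AppId -eq $AppId |
    Format-Table AppId, ScopeName, AccessRight, Description -AutoSize
```

Note that an ApplicationAccessPolicy only constrains Exchange Online mailbox access (the Mail.* permissions); it does nothing for directory permissions such as User.Read.All, which are scoped only by which permissions are granted on the app registration itself.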

4 REPLIES
ErikT
Lansweeper Tech Support

@ksnow hey there, yes, the restrictions need to be set for the e-mail address/mailbox you use for the helpdesk. The app will only have access to that mailbox instead of all mailboxes.

ksnow
Engaged Sweeper

Thank you, that helped clarify that setting for me. The User.Read.All permission is still a concern, though, since it would still allow the app to read every user profile in the org including group memberships. Is there a way to reduce or drop that app permission and still be able to send/receive e-mail with LS? Even if it would mean losing some functionality that still might be preferable to losing the entire thing once basic authentication is blocked.

ksnow
Engaged Sweeper

Would that mailbox restriction be for the e-mail address we use for the helpdesk or for the set of users who'd need to be able to open tickets? I'm in a similar situation as OP - small office that's part of a much larger organization who are concerned about the app having access to every user's mailbox in the organization.