This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Community FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Setting up Modern Auth o365 without global admin rights?

Go to solution
fswest
Engaged Sweeper

‎08-31-2022 09:13 PM

Good afternoon,

My team is but a small department within our much wider organization, and have been using Lansweeper's Help Desk feature successfully for years.  With the move away from legacy auth, we have begun the process that Lansweeper outlined here: 

 https://www.lansweeper.com/knowledgebase/microsoft-graph-email-configuration/

The problem we are running into is at the larger permissions level and for step 2 "admin consent".  Given that we are a smaller department, and we have an overarching IT department, I reached out to them for support.  They mentioned that the "admin consent" portion was extremely risky, and are thereby not terribly willing to process it.  They mentioned that for 3rd party software that 'hasnt fully implemented' oauth, that we would either have to wait on the 3rd party, or find a new vendor.

Question:

Is there a way to setup modern auth that doesnt require admin consent at that high of a level?  If not, is there another path forward with Lansweeper *in house* that would allow for this?  If not, I'm open to other suggestions.  Someone mentioned the idea of using an OAUTH from a non-company email, but that seems like a less-than-ideal 'solution'.

 

Open to thoughts, please and thank you 🙂

Labels:
1 ACCEPTED SOLUTION
Go to solution
ErikT
Lansweeper Tech Support
Lansweeper Tech Support

‎09-05-2022 04:13 PM - edited ‎09-07-2022 08:09 AM

@fswest By default, when granting admin consent, as explained in the article, your application will have access to all mailboxes in your O365 tenant. However, you can restrict this further by configuring the  "ApplicationAccessPolicy", to limit application permissions to a specific Exchange Online mailbox.

Added note:

The restrictions must be set for the e-mail address/mailbox you use for the Lansweeper Helpdesk. The app will then only have access to that mailbox.

 

 

View solution in original post

4 REPLIES 4
Go to solution
ErikT
Lansweeper Tech Support
Lansweeper Tech Support

‎09-07-2022 08:07 AM

@ksnow hey there, yes, the restrictions need to be set for the e-mail address/mailbox you use for the helpdesk. The app will only have access to that mailbox instead of all mailboxes.

0 Kudos
Go to solution
ksnow
Engaged Sweeper
In response to ErikT

‎09-07-2022 04:45 PM

Thank you, that helped clarify that setting for me. The User.Read.All permission is still a concern, though, since it would still allow the app to read every user profile in the org including group memberships. Is there a way to reduce or drop that app permission and still be able to send/receive e-mail with LS? Even if it would mean losing some functionality that still might be preferable to losing the entire thing once basic authentication is blocked.

0 Kudos
Go to solution
ErikT
Lansweeper Tech Support
Lansweeper Tech Support

‎09-05-2022 04:13 PM - edited ‎09-07-2022 08:09 AM

@fswest By default, when granting admin consent, as explained in the article, your application will have access to all mailboxes in your O365 tenant. However, you can restrict this further by configuring the  "ApplicationAccessPolicy", to limit application permissions to a specific Exchange Online mailbox.

Added note:

The restrictions must be set for the e-mail address/mailbox you use for the Lansweeper Helpdesk. The app will then only have access to that mailbox.

 

 

Go to solution
ksnow
Engaged Sweeper
In response to ErikT

‎09-06-2022 10:58 PM

Would that mailbox restriction be for the e-mail address we use for the helpdesk or for the set of users who'd need to be able to open tickets? I'm in a similar situation as OP - small office that's part of a much larger organization who are concerned about the app having access to every user's mailbox in the organization.

General Discussions

Find answers to technical questions about Lansweeper.

New to Lansweeper?

Try Lansweeper For Free

Experience Lansweeper with your own data.
Sign up now for a 14-day free trial.

Try Now