Entra ID permissions and access with School Manager

This article is for IT Support. 

When syncing Microsoft Entra ID with School Manager, some customers believe that using a Global Admin account grants Linewize Global Admin access to their Entra ID account. This is a common misconception. In reality, only a certain level of admin access is needed to "install" an Enterprise Application, which defines the permissions we use.

Important: Security and privacy assurance

  1. Credential Storage: Linewize never stores your credentials.
  2. Permission Control: You control the permissions granted to the Linewize Sync application.
  3. Access Limitations: Linewize can only read data and cannot create or modify any information.

Permissions in Entra ID

Entra ID provides two types of access:

  1. Delegated Access
  2. Application Access

When you link School Manager with Entra ID, Linewize creates an Enterprise Application called Linewize Sync in your Entra ID account. This application uses both permission types to retrieve data for School Manager.

View permissions

To view the permissions:

  1. Sign in to the Microsoft Entra admin center.
  2. Go to Identity > Applications > Enterprise applications > All applications.
  3. Select the Linewize Sync application.
  4. Select Permissions to view the granted permissions.

Permissions granted to Linewize Sync

When you link Entra ID, you grant the following permissions:

Microsoft Graph API

Permission                    Type
Directory.Read.All            Application
Member.Read.Hidden            Application
Directory.Read.All            Delegated
Directory.AccessAsUser.All    Delegated

Windows Azure Active Directory

Permission                    Type
Directory.Read.All            Application
Group.Read.All                Delegated
Directory.AccessAsUser.All    Delegated
User.Read.All                 Delegated
User.Read                     Delegated

Important

  1. Linewize can only read data; it cannot create or modify any information.
  2. These permissions are limited to what you explicitly accept during the setup.


Image 1: Linewize Sync application permission request
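
As an added example (not Linewize or Microsoft code), the Python below compares the permissions granted to the Linewize Sync service principal with the list documented above and reports any difference. It assumes the grants were exported as Microsoft Graph appRoleAssignment and oAuth2PermissionGrant objects; the `resources` lookup shape, the function names and every sample ID are constructed for illustration.

```python
DOCUMENTED = {  # (API, permission, type) as listed in the article above
    ("Microsoft Graph", "Directory.Read.All", "Application"),
    ("Microsoft Graph", "Member.Read.Hidden", "Application"),
    ("Microsoft Graph", "Directory.Read.All", "Delegated"),
    ("Microsoft Graph", "Directory.AccessAsUser.All", "Delegated"),
    ("Windows Azure Active Directory", "Directory.Read.All", "Application"),
    ("Windows Azure Active Directory", "Group.Read.All", "Delegated"),
    ("Windows Azure Active Directory", "Directory.AccessAsUser.All", "Delegated"),
    ("Windows Azure Active Directory", "User.Read.All", "Delegated"),
    ("Windows Azure Active Directory", "User.Read", "Delegated"),
}

def granted_permissions(role_assignments, oauth2_grants, resources):
    """Flatten exported appRoleAssignment and oAuth2PermissionGrant objects.
    resources (assumed shape): resourceId -> {"displayName", "appRoles": {id: value}}."""
    granted = set()
    for a in role_assignments:                 # application permissions
        res = resources[a["resourceId"]]
        value = res["appRoles"].get(a["appRoleId"], "unresolved:" + a["appRoleId"])
        granted.add((res["displayName"], value, "Application"))
    for g in oauth2_grants:                    # delegated permissions
        api = resources[g["resourceId"]]["displayName"]
        for scope in g["scope"].split():       # scope is one space-separated string
            granted.add((api, scope, "Delegated"))
    return granted

def audit(granted):
    """Grants the article does not list, and listed permissions that are absent."""
    return {"undocumented": sorted(granted - DOCUMENTED),
            "not_granted": sorted(DOCUMENTED - granted)}

# Constructed sample export; every ID below is a placeholder, not a tenant value.
RESOURCES = {
    "res-graph": {"displayName": "Microsoft Graph", "appRoles": {
        "role-1": "Directory.Read.All", "role-2": "Member.Read.Hidden"}},
    "res-aad": {"displayName": "Windows Azure Active Directory", "appRoles": {
        "role-3": "Directory.Read.All"}},
}
SAMPLE_ROLES = [
    {"resourceId": "res-graph", "appRoleId": "role-1"},
    {"resourceId": "res-graph", "appRoleId": "role-2"},
    {"resourceId": "res-aad", "appRoleId": "role-3"},
]
SAMPLE_GRANTS = [  # one extra scope added and User.Read left out, to show drift
    {"resourceId": "res-graph", "scope": "Directory.Read.All Directory.AccessAsUser.All Group.ReadWrite.All"},
    {"resourceId": "res-aad", "scope": "Group.Read.All Directory.AccessAsUser.All User.Read.All"},
]
if __name__ == "__main__":
    print(audit(granted_permissions(SAMPLE_ROLES, SAMPLE_GRANTS, RESOURCES)))
```

An empty `undocumented` list means the application holds nothing beyond what this article lists; any entry there is a grant to review in the Permissions view.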

Global or Domain Administrator requirement

Linewize recommends using a Global Administrator or Domain Administrator for the initial setup. These roles allow you to grant the necessary admin consent for the Enterprise Application registration. While it may be possible to use a less privileged user, the key granted during this process is what enables the application to function properly.

Important

Linewize does not store or retain your credentials. The account used only establishes the link and grants the permissions needed.
