When syncing Microsoft Entra ID with School Manager, some customers believe that using a Global Admin account grants Linewize Global Admin access to their Entra ID account. This is a common misconception. In reality, only a certain level of admin access is needed to "install" an Enterprise Application, which defines the permissions we use.
Important: Security and privacy assurance
- Credential Storage: Linewize never stores your credentials.
- Permission Control: You control the permissions granted to the Linewize Sync application.
- Access Limitations: Linewize can only read data and cannot create or modify any information.
Permissions in Entra ID
Entra ID provides two types of access:
- Delegated Access
- Application Access
When you link School Manager with Entra ID, Linewize creates an Enterprise Application called Linewize Sync in your Entra ID account. This application uses both permission types to retrieve data for School Manager.
View permissions
To view the permissions:
- Sign in to the Microsoft Entra admin center.
- Go to Identity > Applications > Enterprise applications > All applications.
- Select the Linewize Sync application.
- Select Permissions to view the granted permissions.
Permissions granted to Linewize Sync
When you link Entra ID, you grant the following permissions:
Microsoft Graph API
Permission | Type |
---|---|
Directory.Read.All | Application |
Member.Read.Hidden | Application |
Directory.Read.All | Delegated |
Directory.AccessAsUser.All | Delegated |
Windows Azure Active Directory
Permission | Type |
---|---|
Directory.Read.All | Application |
Group.Read.All | Delegated |
Directory.AccessAsUser.All | Delegated |
User.Read.All | Delegated |
User.Read | Delegated |
Important
- Linewize can only read data; it cannot create or modify any information.
- These permissions are limited to what you explicitly accept during the setup.
Image 1: Linewize Sync application permission request
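To confirm that the grants on the Linewize Sync service principal match the two tables above, the comparison can be scripted. This is an added example, not Linewize or Microsoft code. It assumes you have exported the service principal's `appRoleAssignments`, its `oauth2PermissionGrants`, and the resource service principals from Microsoft Graph as JSON; the sample data and every id in it are constructed.

```python
# Grants documented on this page, as (resource, permission, type).
GRAPH, AAD = "Microsoft Graph", "Windows Azure Active Directory"
DOCUMENTED = {
    (GRAPH, "Directory.Read.All", "Application"),
    (GRAPH, "Member.Read.Hidden", "Application"),
    (GRAPH, "Directory.Read.All", "Delegated"),
    (GRAPH, "Directory.AccessAsUser.All", "Delegated"),
    (AAD, "Directory.Read.All", "Application"),
    (AAD, "Group.Read.All", "Delegated"),
    (AAD, "Directory.AccessAsUser.All", "Delegated"),
    (AAD, "User.Read.All", "Delegated"),
    (AAD, "User.Read", "Delegated"),
}

def granted_permissions(resources, app_role_assignments, oauth2_grants):
    """Flatten exported Graph objects into (resource, permission, type)."""
    granted = set()
    for a in app_role_assignments:
        res = resources[a["resourceId"]]
        # Application permissions are appRoleId GUIDs; resolve via appRoles.
        names = {r["id"]: r["value"] for r in res["appRoles"]}
        perm = names.get(a["appRoleId"], "unresolved:" + a["appRoleId"])
        granted.add((res["displayName"], perm, "Application"))
    for g in oauth2_grants:
        # Delegated permissions are one space-separated scope string.
        res = resources[g["resourceId"]]
        for scope in g["scope"].split():
            granted.add((res["displayName"], scope, "Delegated"))
    return granted

def audit(granted, documented=DOCUMENTED):
    """Grants beyond the documented list, and documented ones not present."""
    return {"unexpected": sorted(granted - documented),
            "missing": sorted(documented - granted)}

# Constructed sample export; every id below is a placeholder.
RESOURCES = {
    "sp-graph": {"displayName": GRAPH, "appRoles": [
        {"id": "r1", "value": "Directory.Read.All"},
        {"id": "r2", "value": "Member.Read.Hidden"},
        {"id": "r3", "value": "Group.ReadWrite.All"}]},
    "sp-aad": {"displayName": AAD, "appRoles": [{"id": "r4", "value": "Directory.Read.All"}]},
}
ASSIGNMENTS = [{"resourceId": "sp-graph", "appRoleId": r} for r in ("r1", "r2", "r3")]
ASSIGNMENTS.append({"resourceId": "sp-aad", "appRoleId": "r4"})
GRANTS = [{"resourceId": "sp-graph", "scope": "Directory.Read.All Directory.AccessAsUser.All"},
          {"resourceId": "sp-aad",
           "scope": "Group.Read.All Directory.AccessAsUser.All User.Read.All"}]
print(audit(granted_permissions(RESOURCES, ASSIGNMENTS, GRANTS)))
```

Any entry under `unexpected` is a grant this page does not list and is worth reviewing before leaving the consent in place.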
Global or Domain Administrator requirement
Linewize recommends using a Global Administrator or Domain Administrator for the initial setup. These roles allow you to grant the necessary admin consent for the Enterprise Application registration. While it may be possible to use a less privileged user, the key granted during this process is what enables the application to function properly.
Important
Linewize does not store or retain your credentials. The account used only establishes the link and grants the permissions needed.