Description
Consent in Converge to Microsoft 365 - what permissions does it give and how secure is it?
Requirements
To be able to consent Converge to access Microsoft 365, you will need
- An admin login to Converge
- Global admin credentials to the relevant Microsoft 365 tenancy
What access does consent give, is it secure what advantages does it give?
When requesting consent, this will give the following access for Converge. This does not create an account, it creates a token that Converge uses to access the tenancy. There is no username and password for a person to use. When someone with Converge admin rights in your partner organisation, or a Manage Protect admin logs in to Converge, they use that token to act as Converge, and thus have the same rights. While this is an admin access token, it is limited in what it can do to what has been programmed into Converge, which is detailed below.
Read organization information
Read all usage reports
Edit or delete items in all site collections
Read and write user and shared tasks
Read and write access to user profile
Read all users' basic profiles
Read all users' full profiles
Read and write all users' full profiles
Read all groups
Read and write all groups
Read directory data
Read and write directory data
Access directory as the signed in user
Have full access to all files user can access
Read items in all site collections
Create, read, update, and delete user’s tasks and task lists
Read and write all directory RBAC settings
Read and write organization information
Read and write all users' full profiles
Read all usage reports
Read all groups
Read and write directory data
What does Converge use the consent for?
- Provisioning Backup365
- Counting mailbox licenses to automatically calculate billing numbers for MPmail and Avanan.
- Displaying the users and their licenses.
- Creating users directly from Converge.
The Process
To authorise (consent) Converge to have access to a tenancy
Log into Converge and select the customer.
Select the Office 365 service.
Click authorise at right.
A Microsoft 365 window will pop up and request global admin credentials.
Enter the credentials.
Microsoft 365 will ask you to confirm that you want to give a third party app access to the tenancy.
Confirm that.
The tenant is now consented.