Sign in permissions for this network: Access your data anytime?

MVP

Hi Network managers. Bob McKeating has a question about the sign in requirements for this network. When you sign in with your Office 365 account it advises:

O365 Network needs permission to:

  • View your basic profile
  • Sign in as you
  • View your email address
  • Access your data anytime
  • Sign you in and read your profile

Like Bob, I'm also wondering what "Access your data anytime" means.

Can you clarify? 

CC: @Michael Holste, @Lana O'Brien, @Anna Chu, @Jeff Medford

7 Replies

Hey Darrell, per Jeff's response here: "As with any app that uses Azure AD/SSO there is a minimum set of calls needed to authenticate the user and then a set of information that you grant access to.

Graph Info Here: https://graph.microsoft.io/en-us/
We are using OAUTH v2
https://azure.microsoft.com/en-us/documentation/articles/active-directory-protocols-oauth-code/

We are currently using "User.Read openid email profile offline_access" as the scope and then we are placing email, first name, last name, and company name into your community profile to create the account so that it has your first and last name."

These are all very standard and are a minimum set of info for the community to simply place you into a profile that you can then completely choose the right information and settings for your liking.

You can also use a Microsoft Account, which is not tied to your organization, as we have enabled both methods for authorization." 

Thank you for making an effort but I do not think this is a very reassuring answer to the question.

I would very much like our users NOT to accept an agreement that gives a site permission to "access your data anytime" without a detailed description (immediately available, not by Googling) of exactly what data that would be.

It seems I am not the only one who finds the wording unfortunate.  :o)

 

Sincerely,

Jonas

Hi,
I fully agree. I find the following requested permissions hard to accept with my organization's ID:

MS Tech Comm needs permission to:
View your basic profile - Allows the app to see your basic profile (name, picture, user name) - OK
View your email address - Allows the app to read your primary email address - OK
Access your data anytime - Allows the app to see and update your data, even when you are not currently using the app. - NOT OK
Sign in as you - Allows you to sign in to the app with your work or school account and allows the app to read your basic profile information. - NOT OK
Sign you in and read your profile - Allows you to sign in to the app with your organizational account and let the app read your profile. It also allows the app to read basic company information. - Why when you already have the basic profile?

So, can someone explain why "Sign in as you" and "Access your data anytime" are required?

/Adam

Hey Adam, 

 

That just gives SSO the permission to sign you in, it doesn't mean it will sign you into the Tech Community at any time.  Here's a copy/paste about how this works:  

 

Here is the exact call that we are making to graph.microsoft.com, hopefully to help ease your concerns. As with any app that uses Azure AD/SSO there is a minimum set of calls needed to authenticate the user and then a set of information that you grant access to.

Graph Info Here: https://graph.microsoft.io/en-us/
We are using OAUTH v2
https://azure.microsoft.com/en-us/documentation/articles/active-directory-protocols-oauth-code/

We are currently using "User.Read openid email profile offline_access" as the scope and then we are placing email, first name, last name, and company name into your community profile to create the account so that it has your first and last name.

These are all very standard and are a minimum set of info for the community to simply place you into a profile that you can then completely choose the right information and settings for your liking.

Hope that helps! 

Why does the prompt not explicitly declare each piece of data that it will be granted access to? This makes it very difficult to accept the access request. "Access your data anytime" sounds very ominous without clarifications, and there are no clarifications without doing a web search and finding this thread.

How do I revoke permissions once I have accepted them?

You'd likely have to delete your account. And for the record, these permissions primarily grant the sign-in app the permission to access your info in order to sign you in using your personal or organizational account. We can still only see the information listed in your profile and your email address. This is a boilerplate permission page used by Microsoft wherever users have to sign into a page (it's not in relation to the Tech Community itself).
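
Added example, not part of the original thread and not the Tech Community's own code: a reviewer's check that splits the scope string quoted above into its parts, pairs each scope with the consent line it produces, and separates the scopes that reach data from the one that only extends token lifetime. The scope-to-prompt pairing, the `review_authorize_url` and `resource_scopes` helpers, and the sample URL (placeholder `client_id` and redirect host) are assumptions of this example.

```python
from urllib.parse import urlsplit, parse_qs

# Consent wording as quoted in this thread, keyed by the scope that produces it.
# The pairing is an assumption taken from Microsoft identity platform behaviour;
# the thread lists the prompts and the scope string but never pairs them up.
CONSENT_TEXT = {
    "openid": "Sign in as you",
    "profile": "View your basic profile",
    "email": "View your email address",
    "offline_access": "Access your data anytime",
    "user.read": "Sign you in and read your profile",
}
# OpenID Connect scopes: identity claims and token lifetime, no resource data.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}

# Constructed sample: placeholder client_id and redirect_uri, scope from the thread.
SAMPLE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Fcommunity.example%2Fcallback"
    "&scope=User.Read%20openid%20email%20profile%20offline_access"
)

def review_authorize_url(url):
    """Return one finding per scope requested in an OAuth 2.0 authorize URL."""
    query = parse_qs(urlsplit(url).query)
    findings = []
    for scope in query.get("scope", [""])[0].split():
        key = scope.casefold()
        findings.append({
            "scope": scope,
            "prompt": CONSENT_TEXT.get(key, "(not in table, review manually)"),
            "kind": "oidc" if key in OIDC_SCOPES else "resource",
            # offline_access adds no data; it lets the app obtain a refresh token
            # so the access granted by the other scopes continues without the user.
            "refresh_token": key == "offline_access",
        })
    return findings

def resource_scopes(findings):
    """Scopes that decide which data the app can reach."""
    return [f["scope"] for f in findings if f["kind"] == "resource"]

if __name__ == "__main__":
    for f in review_authorize_url(SAMPLE_URL):
        print(f"{f['scope']:<15} {f['kind']:<9} {f['prompt']}")
```

For the scope string in this thread the only resource scope is `User.Read`, so "anytime" applies to the signed-in user's own profile and nothing else; any scope the table does not recognise is reported for manual review rather than assumed harmless.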