Overview

Work 365 uses Azure Active Directory (AAD) for identity management. When a user logs into Work 365, they are signing in using their AAD account. User credentials are not stored within Work 365. The following two permissions are requested from AAD.

  1. Read the logged-in user’s profile
    This access is required to read basic user properties such as name and email address.
     
  2. Access Common Data Service as the logged-in user
    This access is required to connect to the Dynamics 365 tenant associated with Work 365.

How do I provide permissions to the Work 365 application?

The process of providing permissions to the Work 365 application is known as "consent". Consent can be granted by clicking on this link and logging in as a Global Administrator.

Why do I need a Global Administrator to grant these permissions?

The permissions requested by Work 365 are low-impact permissions. There are two reasons why a Global Administrator needs to grant these permissions.

  1. By granting organization level access, individual users are not prompted for this permission.
  2. This also creates a service principal for the Work 365 application within the organization's Azure Active Directory that can be used as an "Application User" for connecting with Dynamics 365.
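
After consent is granted, an administrator can confirm that the Work 365 service principal holds only the two delegated permissions listed above, and that they were granted organization-wide. The following is an added example, not Work 365 code: it audits records shaped like Microsoft Graph oauth2PermissionGrant objects. The scope names User.Read and user_impersonation are assumed to correspond to the two permissions on this page, and all IDs are constructed placeholders.

```python
import json

# Assumption: the two permissions described on this page map to these delegated scopes.
EXPECTED_SCOPES = {"User.Read", "user_impersonation"}

# Constructed sample shaped like Microsoft Graph oauth2PermissionGrant objects.
# Every ID below is a placeholder, not a real tenant value.
SAMPLE_GRANTS = json.loads("""
[
  {"clientId": "SP-WORK365", "consentType": "AllPrincipals", "principalId": null,
   "resourceId": "SP-GRAPH", "scope": "User.Read"},
  {"clientId": "SP-WORK365", "consentType": "AllPrincipals", "principalId": null,
   "resourceId": "SP-DYNAMICS", "scope": " user_impersonation"},
  {"clientId": "SP-OTHER", "consentType": "Principal", "principalId": "USER-1",
   "resourceId": "SP-GRAPH", "scope": "User.Read Mail.Read"}
]
""")


def audit_consent(grants, client_sp_id, expected=EXPECTED_SCOPES):
    """Compare the delegated scopes granted to one service principal with the expected set."""
    tenant_wide, per_user = set(), set()
    for grant in grants:
        if grant["clientId"] != client_sp_id:
            continue
        # The scope property is a single space-separated string.
        scopes = set((grant.get("scope") or "").split())
        if grant["consentType"] == "AllPrincipals":
            tenant_wide |= scopes   # admin consent covering the whole organization
        else:
            per_user |= scopes      # "Principal": consent given by one user
    granted = tenant_wide | per_user
    return {
        # Scopes beyond the two this page says are requested.
        "unexpected": sorted(granted - expected),
        # Expected scopes lacking organization-wide consent (users would be prompted).
        "missing_tenant_wide": sorted(expected - tenant_wide),
        # Scopes that exist only as individual user consents.
        "per_user_only": sorted(per_user - tenant_wide),
    }


if __name__ == "__main__":
    print(audit_consent(SAMPLE_GRANTS, "SP-WORK365"))
```

A clean result has all three lists empty; any entry under "unexpected" means the application holds more delegated access than this page describes.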

The following prompt will be shown for a Global Administrator to grant the required permissions.