We would like to enable OneDrive access for our domain-joined Ubuntu 24.04 user base.
Integration using gnome-online-accounts with a “Microsoft 365” account type and Nautilus works without issues in our test environment, but we got some push-back from our Entra ID folks regarding the default permission model.
MS Graph permissions required by a “Microsoft 365” account:
files.readwrite
files.readwrite.all
offline_access
sites.read.all
sites.readwrite.all
user.read
mail.readwrite
contacts.readwrite
For OneDrive access, we only need
files.readwrite
files.readwrite.all
offline_access
user.read
The culprits in our case are the SharePoint and Exchange Online permissions (well, mostly SharePoint; we need the mail permissions anyway).
My questions to you:
SharePoint permissions should be user-scoped, so they should not really present a problem, but we have not heard from our SP gurus yet…
If the above is not the case, can we define a dedicated 365 OneDrive account type/service with only a limited set of permissions? (Any pointers welcome.)
Actually, MS365 does more than just OneDrive. It enables Evolution to make use of the full mail, calendar and contacts stuff, and this just requires a recent Evolution. That’s the reason why it requests all those scopes.
If your environment allows only restricted permissions, then I’d guess 'gnome-online-accounts' should automatically detect that and only show those allowed options (e.g. only the 'Files' row in the image below for your use case).
No, it does not. When a user tries to configure a 365 account, GOA requests the full set of permissions mentioned above, which ends up with a nice error message: “Need admin approval”. Temporarily assigning them allows the process to continue; I can then select “Files” (the only option I see in our environment), and after that, integration works even after all additional permissions get revoked.
Created 5 and 4 years ago, both related to Google; although relevant, both of them were closed with no usable information except a negative one from Debarshi Ray.
I am trying to organize another meeting with our Entra ID team to check our options, but the linked posts confirm the same behavior we are experiencing.