Microsoft Graph Permissions Required by a "Microsoft 365" Account

Hello people of GNOME,

We would like to enable OneDrive access for our domain-joined Ubuntu 24.04 user-base.
Integration using gnome-online-accounts with a “Microsoft 365” account type and Nautilus works without issues in our test environment, but we got some push-back from our Entra ID folks regarding the default permission model.

MS Graph permissions required by a “Microsoft 365” account:

  • files.readwrite
  • files.readwrite.all
  • offline_access
  • sites.read.all
  • sites.readwrite.all
  • user.read
  • mail.readwrite
  • contacts.readwrite

For OneDrive access, we only need

  • files.readwrite
  • files.readwrite.all
  • offline_access
  • user.read

The culprits in our case are the SharePoint and Exchange Online permissions (well, mostly SharePoint; we need the mail permissions anyway).

My questions to you:

  • SharePoint permissions should be user-scoped, so they should not really present a problem, but we have not heard from our SP gurus yet…
  • If the above is not the case, can we define a dedicated 365 OneDrive account type/service with only a limited set of permissions (any pointers welcome)?

A similar question was also asked here.

Thank you in advance
idnc_sk
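The scope comparison the post describes, as an added example that is not part of this thread or of gnome-online-accounts: a small Python script an administrator can use to parse the `scope` parameter of an OAuth2 authorization request and list which requested scopes fall outside an approved allowlist, i.e. the ones that would trip an admin-consent requirement. The authorization URL in the script is constructed and its `client_id` is a placeholder; the grouping of scope prefixes into workloads (OneDrive, SharePoint, Exchange Online, identity) is my own assumption, not something the thread states.

```python
from urllib.parse import urlparse, parse_qs

GRAPH_RESOURCE = "https://graph.microsoft.com/"

# Scopes gnome-online-accounts requests for a "Microsoft 365" account, as listed in the post.
GOA_M365_SCOPES = [
    "files.readwrite", "files.readwrite.all", "offline_access",
    "sites.read.all", "sites.readwrite.all", "user.read",
    "mail.readwrite", "contacts.readwrite",
]

# Scopes the post says are sufficient for OneDrive-only access (the admin's allowlist).
ONEDRIVE_ALLOWLIST = ["files.readwrite", "files.readwrite.all", "offline_access", "user.read"]

# Assumed grouping of scope prefixes into the backing workload (my own, not from the thread).
WORKLOAD_BY_PREFIX = {
    "files": "OneDrive",
    "sites": "SharePoint",
    "mail": "Exchange Online",
    "contacts": "Exchange Online",
    "calendars": "Exchange Online",
    "user": "Identity",
    "offline_access": "Identity (refresh token)",
}


def normalise_scope(scope: str) -> str:
    """Lower-case a scope and drop the Graph resource URI prefix, so that
    'https://graph.microsoft.com/Files.ReadWrite' compares equal to 'files.readwrite'."""
    s = scope.strip()
    if s.lower().startswith(GRAPH_RESOURCE):
        s = s[len(GRAPH_RESOURCE):]
    return s.lower()


def scopes_from_authorize_url(url: str) -> list[str]:
    """Return the sorted, normalised set of scopes in an authorization request's `scope` parameter."""
    query = parse_qs(urlparse(url).query)
    raw = query.get("scope", [""])[0]          # space-separated per OAuth2
    return sorted({normalise_scope(s) for s in raw.split() if s.strip()})


def excess_scopes(requested, approved) -> list[str]:
    """Scopes requested but not on the approved allowlist: these are what a tenant
    that blocks user consent will refuse with 'Need admin approval'."""
    allowed = {normalise_scope(s) for s in approved}
    return sorted({normalise_scope(s) for s in requested} - allowed)


def workload(scope: str) -> str:
    """Map a normalised scope to its backing workload using WORKLOAD_BY_PREFIX."""
    key = scope.split(".", 1)[0]
    return WORKLOAD_BY_PREFIX.get(key, "unknown")


def report(requested, approved) -> dict[str, list[str]]:
    """Group the excess scopes by workload, so the admin knows which service owners to involve."""
    grouped: dict[str, list[str]] = {}
    for s in excess_scopes(requested, approved):
        grouped.setdefault(workload(s), []).append(s)
    return grouped


if __name__ == "__main__":
    # Constructed authorization URL; the client_id is a placeholder, not GOA's real one.
    url = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
           "?client_id=PLACEHOLDER-CLIENT-ID&response_type=code"
           "&scope=" + "%20".join(GOA_M365_SCOPES))
    for wl, scopes in report(scopes_from_authorize_url(url), ONEDRIVE_ALLOWLIST).items():
        print(f"{wl}: {', '.join(scopes)}")
```

Run against the scope list from the post, the report shows exactly the SharePoint (`sites.*`) and Exchange Online (`mail.*`, `contacts.*`) scopes as the excess, which matches the push-back described above; feeding it a OneDrive-only request yields an empty excess list.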

Actually MS365 does more than just OneDrive. It enables Evolution to make use of the full mail, calendar, contacts stuff and this just requires a recent Evolution. That’s the reason why it does request all those scopes.

That's clear; the question is how to enable OneDrive integration in an environment where the rest is not allowed/approved.

Hello, sorry for the delay, shall I open a GitLab issue instead?

What exact issue are you facing?

If your environment allows only restricted permissions, then I’d guess 'gnome-online-accounts' should automatically detect that and only show those allowed options (e.g. only the 'Files' row in the image below for your use case).

Or does your environment totally decline access to GNOME in this case?

No, it does not. When a user tries to configure a 365 account, GOA requests the full set of permissions mentioned above, which ends up with a nice error message “Need admin approval”. Temporarily assigning them will allow the process to continue; I can then select “Files” (the only option I see in our environment), and after that, integration works even after all additional permissions get revoked.

Appears this was already discussed in the following issues.

Created 5 and 4 years ago, both related to Google; although relevant, both of them were closed with no usable information except a negative one from Debarshi Ray.
I am trying to organize another meeting with our Entra ID team to check our options, but the linked posts confirm the same behavior we are experiencing.

BR

I guess you can open a new issue with the relevant details.

Issue created, thanks.