Application permissions control the data that the application will be able to access without a logged-in user being present.
Perform the following steps to configure application permissions.
- Click API permissions from the App registration menu on the left.
- Click + Add permission.
- Select Microsoft Graph > Application permissions and add one or more of the following permissions, depending on the feature that you intend to configure.
| WPO365 Feature | Required application-level permission |
|---|---|
| User synchronization | User.Read.All |
| Roles + Access * | User.Read.All GroupMember.Read.All |
| Audiences * | User.Read.All GroupMember.Read.All |
| Avatar * | User.Read.All |
| Custom User Fields * | User.Read.All |
| M365 APPS | Documents Gutenberg Blocks | Documents For “anonymous” users | Sites.Selected Sites.Read.All optionally |
| M365 APPS | Employee Directory For “anonymous” users | User.Read.All |
| Client secret expiration check | Application.Read.All |
* Please note For some scenarios it would be sufficient to add the delegated permission instead when the following criteria are met:
- Users must sign in with Microsoft using the OpenID Connect protocol (instead of SAML 2.0).
- The use of app-only tokens on the plugin’s Integration configuration page has not been enabled.
- WPO365 User synchronization is not used.
If those criteria are met, then it is sufficient for a user to have delegated GroupMember.Read.All and delegated User.Read.All permissions.
- Click Add permissions.
- Click to grant consent for all users in your tenant to use this App registration and its ability to provide ID tokens (and Access Tokens).
If the Grand admin consent for … is greyed out then you do not have sufficient permissions to continue. Since this is mandatory you must contact your Global Administrator and ask for help.