Learn about the Graph API permissions required for the Azure AD user directory integration.
The Azure integration in Kandji lets customers sync all Azure AD user and group objects into the Kandji user directory, so that administrators can assign devices to Azure AD users within Kandji. The integration uses delegated permissions, exercised through the Microsoft Graph API, to synchronize user directory information.
The following permissions are requested automatically and are required to sync Azure AD users and groups into Kandji successfully. An Azure administrator must have sufficient rights to delegate these permissions to Kandji.
|Group.Read.All|Read all groups|Allows Kandji to list groups, and to read their properties and all group memberships on behalf of the signed-in user.|
| |Read all users' full profiles|Synchronize all AD users|
| |Sign in and read user profile|Store the integrating AD administrator's information|
| |Maintain access to data you have given it access to|Allows long-term syncing|
| |Allows users to sign in to the app with their work or school accounts and allows the app to see basic user profile information.|Leveraged for legacy OpenID login for Azure AD users into Kandji. (This is now handled by a new independent Azure AD application record.)|