Granting roles for Graph application

  • Last update on December 2nd, 2025

CoreView relies on Graph for executing management actions. From the Graph management panel, you can authorize the use of the Microsoft Graph module. By doing this, you will grant some permissions that allow CoreView to execute certain actions.

However, the default permissions assigned to the Graph application registered within CoreView may not be sufficient to execute some actions. For security reasons, CoreView does not assign roles on your behalf. Therefore, based on your operational scenario, you might need to assign additional roles to the Graph Management app.

In particular, if the roles are not assigned, the following operations may not work:

  • The “Manage password” management action, which allows you to change the password for both admin and non-admin users
  • Management of certain sensitive user data, such as the business phone number, mobile phone number, and other email addresses
  • Password rotation for service accounts

To better follow this article, we recommend reading “Working with users in Microsoft Graph” and the “Update user” articles from Microsoft documentation.

If you need instructions on how to assign roles to the CoreView Graph application, follow the tutorial in our documentation: How to assign roles to an application in Entra Admin Center.


“Manage password” management action

To enable the “Manage password” management action, you need to assign one or more roles to the Graph application. This action allows password resets for both non-admin users and users with admin roles.

Depending on your needs, you can assign:

  • User Administrator: allows you to change passwords for non-admin users only.
  • Privileged Authentication Administrator: allows you to manage passwords for both admin and non-admin users.

Manage passwords of non-admin users only

User Administrator 

This role does not allow modification of the password profiles of users with admin roles. Assign this role if you intend to change passwords for non-admin users only.

Manage passwords of admin and non-admin users

Privileged Authentication Administrator

With this role, you can also change the passwords of users with admin roles. Assign this role if you need to change passwords for both admin and non-admin users.


Sensitive user data

Both of the following roles are required to use actions that modify certain sensitive user data properties:

  • User Administrator
  • Privileged Authentication Administrator

These actions modify user properties, such as updating:

  • the business phone number (businessPhones)
  • the mobile phone number (mobilePhone)
  • or other email addresses for the user (otherMails)

Password rotation for service accounts

Both of the following roles are required for the password rotation of the Advanced Management User (4ward365.admin@domain) and the Service Accounts (coreview.reports1@domain):

  • User Administrator
  • Privileged Authentication Administrator
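
The role requirements in the sections above can be checked against the roles the Graph application actually holds. The following is an added example, not CoreView or Microsoft code: it audits a role-assignment listing for the app's service principal and reports blocked operations plus the roles to add or remove to reach the smallest role set this article calls for. The operation keys and the sample data are assumptions made for illustration.

```python
# Added example, not CoreView or Microsoft code. Operation keys are hypothetical
# labels for the scenarios in this article; roles are matched by display name.
UA = "User Administrator"
PAA = "Privileged Authentication Administrator"

# Per operation: alternative role sets, any one of which enables it.
REQUIREMENTS = {
    "password_non_admin": [{UA}, {PAA}],
    "password_admin": [{PAA}],
    "sensitive_user_data": [{UA, PAA}],
    "service_account_rotation": [{UA, PAA}],
}
# Candidate assignments, least privileged first.
CANDIDATES = [set(), {UA}, {PAA}, {UA, PAA}]

def enabled(op, roles):
    """True if the given role set satisfies one alternative for the operation."""
    return any(alt <= roles for alt in REQUIREMENTS[op])

def audit(response, wanted_ops):
    """Compare the app's role assignments with what the wanted operations need."""
    wide, scoped = set(), set()
    for item in response.get("value", []):
        name = item["roleDefinition"]["displayName"]
        # Assumption: only tenant-wide assignments (scope "/") count as held;
        # assignments scoped to an administrative unit are reported separately.
        (wide if item.get("directoryScopeId") == "/" else scoped).add(name)
    minimal = next(c for c in CANDIDATES if all(enabled(op, c) for op in wanted_ops))
    return {
        "blocked": sorted(op for op in wanted_ops if not enabled(op, wide)),
        "add": sorted(minimal - wide),
        "remove": sorted((wide & {UA, PAA}) - minimal),
        "scoped_only": sorted((scoped & {UA, PAA}) - wide),
    }

# Constructed sample, shaped like a Graph roleAssignments listing for the app's
# service principal with roleDefinition expanded. The scope id is a placeholder.
SAMPLE = {"value": [
    {"directoryScopeId": "/", "roleDefinition": {"displayName": PAA}},
    {"directoryScopeId": "/administrativeUnits/constructed-au-id",
     "roleDefinition": {"displayName": UA}},
]}

if __name__ == "__main__":
    for ops in (["password_non_admin"], ["sensitive_user_data"]):
        print(ops, audit(SAMPLE, ops))
```

With the sample data, wanting only non-admin password resets yields a recommendation to swap Privileged Authentication Administrator for User Administrator, while wanting sensitive user data edits shows the operation blocked until User Administrator is added tenant-wide.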


Useful resources from Microsoft documentation

Microsoft may change a property or the role required to manage it. For this reason, we recommend consulting the documentation to stay up to date. In particular, we highlight the following articles from Microsoft documentation:

In the Update user article, Microsoft documentation itself states that:

In app-only scenarios, in addition to Microsoft Graph permissions, the app must be assigned a higher privileged administrator role as indicated in Who can perform sensitive actions.

The following properties cannot be updated by an app with only application permissions: aboutMe, birthday, employeeHireDate, interests, mySite, pastProjects, responsibilities, schools, and skills.

In the article Working with users in Microsoft Graph, Microsoft documentation also specifies which actions against the user object are considered sensitive and who can perform sensitive actions. You can refer to these last two tables to know which roles to assign to the Graph application in CoreView to perform the desired actions.