Consent management

  • Last update on September 27th, 2024

The consent page lists the applications that have been granted permissions for the CoreView application.

It also lists applications that have not yet been granted permission but would be useful when working with the platform. For these apps, the command to grant permissions is also shown.


Check granted consents

To check if you have provided consent for each application:

  • If the “Consent needed” column displays “Permission required”, it indicates that CoreView does not have the necessary consent to manage that application. In this case, you should grant the consent by following the guide below.
  • If “Consent needed” displays “Granted”, CoreView has the consent needed to manage that application.

When you first open CoreView, you will probably see the following consents granted:

CoreView API Integration

This consent is granted during the onboarding. It refers to the Integration App.

 
 

CoreView Graph Management

This consent is granted from the Graph Management view.

 
 

Extra-consents

For CoreView to work properly with applications like Endpoint, BitLocker, and SharePoint, it's crucial to grant the required permissions to the CoreView application on the Microsoft side.

List of extra consents and permissions to grant

Endpoint

If Endpoint manager permissions are not granted to the CoreView app on the Microsoft side, CoreView cannot perform actions using the Endpoint manager module. This set of permissions is required because Endpoint manager actions do not use PowerShell cmdlets; instead, they utilize Graph APIs, which require a different set of permissions.

Permissions list

CoreView Management Integration requires the following Entra ID application permissions:

  • [Microsoft Graph] Device management managed devices privileged operations all: perform user-impacting remote actions on Microsoft Intune devices
  • [Microsoft Graph] Device management managed devices read write all: read and write Microsoft Intune devices
  • [Microsoft Graph] Device management service config read write all: read and write Microsoft Intune devices

Please note that on the consent authorization screen, the wording will be “CoreView Management Integration” and not “Endpoint”.

 
 
 

SharePoint

To enable SharePoint management actions through CoreView and activate the import process, it is essential to grant additional consent.

Permissions list

CoreView SharePoint Integration requires the following Entra ID application permissions:

  • [Azure Active Directory Graph] User read: enable sign-on and read users' profiles
  • [Microsoft Graph] Directory read all: read directory data
  • [Microsoft Graph] Group read write all: read and write all groups
  • [SharePoint] Sites full control all: have full control of all site collections
 
 

BitLocker

To display data in the BitLocker keys report and to view and manage BitLocker keys, it is essential to grant additional consent. This consent allows CoreView to retrieve the data for the BitLocker keys report.

Permissions list

CoreView BitLocker API requires the following Entra ID application permissions:

  • [Microsoft Graph] BitLockerKey read all: read BitLocker keys
  • [Microsoft Graph] User read: sign in and read user profile
 
 

Teams

You need to provide additional consent to import Teams Voice data (calls, PSTN usage) into CoreView. Please refer to the documentation about Teams Voice.

Exchange

Provide consent for the use of multiple Exchange applications to overcome Microsoft's Exchange Service throttling limit.

Permissions list

CoreView Exchange Integration requires the following Entra ID application permissions:

  • [PowerShell Exchange Online Module] Access mailboxes as the signed-in user via Exchange Web Services: Allows the app to have the same access to mailboxes as the signed-in user via Exchange Web Services.
  • [PowerShell Exchange Online Module] Manage Exchange configuration: allows the app to manage the organization's Exchange environment, such as mailboxes, groups, and other configuration objects. To enable management actions, an admin must assign the appropriate roles to the app user.
  • [PowerShell Exchange Online Module] Manage Exchange As Application: allows the app to manage the organization's Exchange environment without any user interaction. This includes mailboxes, groups, and other configuration objects. To enable management actions, an admin must assign the appropriate roles directly to the app.
  • [PowerShell Exchange Online Module] Sign in and read user profile: allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.
     
 
 

To provide consent to different applications:

  1. Navigate to the “SETTINGS” > “My organization” > “Consent management” section.
  2. On this page, click the icon in the “Consent URL” column that corresponds to the app for which you want to grant consent. When you click it, the URL is automatically copied to your clipboard.
  3. Open a private browser session while using a Microsoft 365 account that has Global Admin permissions.
  4. Paste the copied URL into the address bar of the browser and press enter.
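
After consent is granted, the permissions each CoreView application actually holds can be checked on the Microsoft side. The PowerShell below is an added example, not CoreView's own tooling: it uses the Microsoft Graph PowerShell SDK and assumes that the service principal display names in the tenant match the names on this page and that the listed permissions correspond to the standard permission values in `$expected`.

```powershell
# Added example (not CoreView code). Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

# Expected permissions per app, taken from the lists on this page.
# ASSUMPTION: display names and permission values map as written here.
$expected = @{
    'CoreView Management Integration' = @(
        'DeviceManagementManagedDevices.PrivilegedOperations.All',
        'DeviceManagementManagedDevices.ReadWrite.All',
        'DeviceManagementServiceConfig.ReadWrite.All')
    'CoreView SharePoint Integration' = @(
        'User.Read', 'Directory.Read.All', 'Group.ReadWrite.All', 'Sites.FullControl.All')
    'CoreView BitLocker API'          = @('BitlockerKey.Read.All', 'User.Read')
}

$resources = @{}   # cache: resource service principal id -> object (for app role lookup)

foreach ($name in $expected.Keys) {
    $sps = @(Get-MgServicePrincipal -Filter "displayName eq '$name'")
    if ($sps.Count -eq 0) {
        Write-Warning "$name : no service principal found (consent not granted yet?)"
        continue
    }
    foreach ($sp in $sps) {
        $granted = @()
        # Application permissions: app role assignments held by this service principal.
        foreach ($a in (Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)) {
            if (-not $resources.ContainsKey($a.ResourceId)) {
                $resources[$a.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
            }
            $role = $resources[$a.ResourceId].AppRoles | Where-Object Id -eq $a.AppRoleId
            if ($role) { $granted += $role.Value }
        }
        # Delegated permissions: OAuth2 grants where this service principal is the client.
        foreach ($g in (Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All)) {
            $granted += ($g.Scope -split '\s+' | Where-Object { $_ })
        }
        $granted = @($granted | Sort-Object -Unique)
        [pscustomobject]@{
            App        = $name
            AppId      = $sp.AppId
            Missing    = (@($expected[$name] | Where-Object { $_ -notin $granted }) -join ', ')
            Unexpected = (@($granted | Where-Object { $_ -notin $expected[$name] }) -join ', ')
        }
    }
}
```

Empty Missing and Unexpected columns mean the grant matches the lists above. Display names are not unique in Entra ID, so more than one row for the same name means the AppId values should be compared before trusting either entry.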