This one’s going to be all over the place.

So I signed up for a Flexibits subscription today. They make the excellent Fantastical calendar app for iOS and until recently I didn’t bother signing up for a subscription as I only use a calendar occasionally, and iOS only was fine, so why bother paying. But of late I have been getting older and wiser and now I put my events and things to do in a calendar + task manager (Todoist). I have my work calendar (M365) which has the work related stuff, I have my personal calendar (FastMail) which has other stuff… and typically I manage the personal calendar via Fantastical in iOS or the Calendar app in macOS or just FastMail’s not-so-bad web UI for calendars. But if I am getting serious it’s time to start using Fantastical on macOS too, which means signing up for a subscription, which in turn means I might as well add my work calendar too to it so I have a unified view in Fantastical (and also hook up Todoist so now I have Fantastical as my one source for work & personal calendar and task manager – sweet!)

Anyways, all this is incidental. When I tried adding my work calendar in Fantastical it wanted the admin consent as you’d expect. Their website has a helpful URL you can provide your admins so they can consent:

I broke the URL with line-breaks above for better legibility. Put this in a browser and you get a pop-up like the following:

The permissions required are standard stuff you’d expect from a calendar app. It needs access to your calendar, be able to access other mailboxes as you, read-write to your calendar etc. It’s difficult to gauge from the wording but these are actually delegated permissions. Which means you are giving the app permissions to do all, but in reality it can’t do anything unless you, the person logging in as this app, have permissions to do the same. So if your account can’t read anyone else’s mailboxes or see their basic info then the Fantastical app too wouldn’t be able to do it. What you are doing above is defining the boundary of the app itself, but what it can really do comes down to what the user logging in to it can do. Conversely, if the user logging in to it is a super admin and can view everyone’s emails for instance, the Fantastical app wouldn’t be able to do so even as the logged in user as it has only rights to calendars and not emails. The effective permissions are thus what both you, the person logging into the app, and the app itself have been granted.

As an aside the other type of permissions is application permissions. Here you are giving the app itself permissions. The app doesn’t need anyone to log in to it, it has whatever permissions you define available for itself. Suppose Fantastical were to ask for application permissions, here’s an example of how its screen would look (this is a custom app I created; it doesn’t ask for all the permissions Fantastical asked for, which is why the list looks smaller, but you get an idea of the equivalent permissions based on the wording):

The problem is the wording is kind of subtle. In the application permissions version it says “all mailboxes” so I know that’s what it is asking for, but the requested permissions in the delegated permissions variant aren’t very explicit that it’s for the signed in user only. Sure, if you have experience doing a bunch of these you get the idea… or you could consent and then go to the Enterprise Applications section of Azure AD and see what the heck you have consented for in the Permissions section.

But the thing that bugged me was 1) my understanding was that the URL asking for admin consent is supposed to also give a list of the permissions it needs and 2) if I try and add the Fantastical app beforehand to my Azure AD tenant so I can explicitly consent to the permissions as delegated permissions I can’t find the app at all (neither by name nor by its client id) – what was going on? Reading more into this to clarify my understanding, I found this Microsoft doc on admin consents.
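An admin-consent link like the one described above can be read before anyone opens it. The following is an added example, not code from the original post or from Flexibits; it assumes the two admin-consent endpoint shapes of the Microsoft identity platform (`/adminconsent`, which carries no scope list, and `/v2.0/adminconsent`, which carries a `scope` parameter), the global-cloud sign-in host, and constructed sample links with a placeholder client ID.

```python
from urllib.parse import urlsplit, parse_qs

EXPECTED_HOST = "login.microsoftonline.com"  # assumption: global Azure cloud
REGISTERED = "consent covers whatever permissions are registered on the app"

def review_consent_url(url):
    """Report what an admin-consent link reveals about the permissions requested."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)  # decodes %20 and '+' inside scope
    segments = [s for s in parts.path.split("/") if s]
    first = lambda key: query.get(key, [None])[0]
    report = {
        "tenant": segments[0] if segments else None,
        "client_id": first("client_id"),
        "redirect_uri": first("redirect_uri"),
        "endpoint": "unknown",
        "scopes": [],
        "notes": [],
    }
    if parts.hostname != EXPECTED_HOST:
        report["notes"].append("unexpected sign-in host: " + str(parts.hostname))
    if segments[-1:] != ["adminconsent"]:
        report["notes"].append("not an admin-consent endpoint")
        return report
    if "v2.0" in segments:
        report["endpoint"] = "v2.0"
        report["scopes"] = (first("scope") or "").split()
        if any(s.split("/")[-1] == ".default" for s in report["scopes"]):
            report["notes"].append(".default requested: " + REGISTERED)
    else:
        report["endpoint"] = "v1"
        report["notes"].append("no scope list in the URL: " + REGISTERED)
    return report

# Constructed sample links; the client ID is a placeholder, not Fantastical's.
BASE = "https://login.microsoftonline.com/organizations"
COMMON = "client_id=00000000-0000-0000-0000-000000000000&state=12345"
V1_LINK = BASE + "/adminconsent?" + COMMON
V2_LINK = (BASE + "/v2.0/adminconsent?" + COMMON + "&scope="
           "https%3A%2F%2Fgraph.microsoft.com%2FCalendars.ReadWrite%20"
           "https%3A%2F%2Fgraph.microsoft.com%2FUser.Read")

if __name__ == "__main__":
    for link in (V1_LINK, V2_LINK):
        print(review_consent_url(link))
```

When the link carries no scope list, the permissions can only be read from the consent prompt itself or, after consenting, from the Permissions section under Enterprise Applications.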