# Required Application Consent

The TALXIS ecosystem consists of various SaaS (Software as a Service) products. Most of the products require communication with other TALXIS and Microsoft services. Every data flow between these must be strongly secured. Since TALXIS is primarily built on top of the Microsoft technology stack, Microsoft Entra ID was chosen as the identity platform. Microsoft Entra ID implements the OpenID Connect (OIDC) and OAuth 2.0 protocols to satisfy this requirement for strong security. If you wish to use the TALXIS products, you will need to consent to the client applications so that your organization's Microsoft Entra ID trusts them and issues valid security tokens to them.

In a typical user grant flow (authorization code / implicit), the application requests another service and, because there is no valid token for that service, the user is prompted through a pop-up window to sign in to the requested service. To streamline token management, TALXIS products mainly use the OBO (On-Behalf-Of) grant flow. Thanks to this approach, true SSO (single sign-on) is possible and the number of additional pop-ups is kept to a minimum.

The application registrations below are separated by product or service, and often also by the client they are consumed from. This enables TALXIS to support the OBO grant flow while enabling your organization's admins to limit the permissions they grant. It is not recommended to approve all of them. If you are not sure which ones apply to you, contact NETWORG to provide you with a specific list matching your setup.

# Terminology

All the application registrations will be referencing some terms you should be familiar with before proceeding.

| Term | Explanation |
| --- | --- |
| API Name | The name of the service or API the application registration wants the permissions for. |
| Claim | Sometimes referred to as scope, this is the logical name of the permission. |
| Permission | Description of the permission. |
| Type | Either a Delegated permission or an Application permission. They differ in access context. With a Delegated permission, the application will never be able to access anything the signed-in user themselves couldn't access. With an Application permission, the application will be able to access any data that the permission is associated with. |

# Power Platform Deployments

TALXIS deployments to the downstream Power Platform Dataverse environments are fully automated to save resources and prevent errors. If your organization's Dataverse environment is to be deployed by TALXIS, make sure to consent to the following application.

| Name | Consent Link |
| --- | --- |
| TALXIS Deployments | 🔗 |

# TALXIS Deployments

The application can read and write only to environments where permissions have been explicitly granted to the service principal. The principal is non-interactive.

| API Name | Claim | Permission | Type | Business Justification |
| --- | --- | --- | --- | --- |
| Windows Azure Active Directory | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the deployment. |
| Dataverse | user_impersonation | Access Common Data Service as organization users | Delegated | The application must be able to impersonate the non-interactive user used for the deployment when accessing Dataverse. |

If you need to set up the Dataverse environment as well, take a look here first.

# TALXIS Portal

If you have selected TALXIS Portal as your hosting option, these are the application registrations requiring consent.

| Name | Consent Link |
| --- | --- |
| TALXIS Portals | 🔗 |
| TALXIS Metadata Service | 🔗 |

# TALXIS Portals

The application is used to access data inside the Dataverse environment. It can read and write only to environments where permissions have been explicitly granted to the service principal. The principal is non-interactive.

| API Name | Claim | Permission | Type | Business Justification |
| --- | --- | --- | --- | --- |
| Dataverse | user_impersonation | Access Common Data Service as organization users | Delegated | The application must be able to impersonate the non-interactive user used for accessing data to be presented in the Portal. |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the data access. |

# TALXIS Metadata Service

The application is used to access metadata of the application inside the Dataverse environment. It can only read from environments where permissions have been explicitly granted to the service principal. The principal is non-interactive.

| API Name | Claim | Permission | Type | Business Justification |
| --- | --- | --- | --- | --- |
| Dataverse | user_impersonation | Access Common Data Service as organization users | Delegated | The application must be able to impersonate the non-interactive user used for accessing metadata to render the application in the Portal. |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the metadata access. |

# Power Automate

These are the application registrations through which TALXIS Power Automate Connectors obtain the token and, with it, the user identity.

| Name | Consent Link |
| --- | --- |
| Signi.com - Power Automate | 🔗 |
| TALXIS - Connectors - MsGraph | 🔗 |
| TALXIS - Data Feed - Flow | 🔗 |
| TALXIS - Documents - Flow | 🔗 |
| TALXIS - Email Connector - Flow | 🔗 |
| TALXIS - STS - Flow | 🔗 |
| TALXIS - Surveys - Flow | 🔗 |

# Signi.com - Power Automate

Application registration for Signi Power Automate connector. This connector is developed and maintained by TALXIS. The connector supports multiple e-signature scenarios.

| API Name | Claim | Permission | Type | Business Justification |
| --- | --- | --- | --- | --- |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the actions. |
| Signi.com * | API.AccessAsUser.All | Access TALXIS Signi proxy as Current User | Delegated | Required so that the Power Automate connector can communicate with the TALXIS Signi proxy. |

*: Requires consent of Signi.com.

# TALXIS - Connectors - MsGraph

Application registration for the TALXIS custom connector for Microsoft Graph. This connector allows calling some actions that the native connector does not support.

| API Name | Claim | Permission | Type | Business Justification |
| --- | --- | --- | --- | --- |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the actions. |
| Microsoft Graph | User.ReadWrite.All | Read and write all users' full profiles | Delegated | The connector can manipulate user objects and needs this permission to do so. It is only a delegated permission. |

# TALXIS - Data Feed - Flow

Application registration for the TALXIS Data Feed Power Automate connector. This connector exposes a range of public data, for example: getting public holidays for a given state, getting organization data from the business register, geocoding addresses, etc.

| API Name | Claim | Permission | Type | Business Justification |
| --- | --- | --- | --- | --- |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the actions. |
| TALXIS Data Feed * | API.AccessAsUser.All | Access TALXIS Data Feed as Current User | Delegated | Required so that the Power Automate connector can communicate with the TALXIS Data Feed API. |

*: Requires consent of TALXIS Data Feed.

# TALXIS - Documents - Flow

Application registration for the TALXIS Documents Power Automate connector. This connector can be used for generating Word, Excel and PowerPoint documents from templates.

| API Name | Claim | Permission | Type | Business Justification |
| --- | --- | --- | --- | --- |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the actions. |
| TALXIS - Documents * | user_impersonation | Access TALXIS Documents API as Current User | Delegated | Required so that the Power Automate connector can communicate with the TALXIS Documents API. |

*: Requires consent of TALXIS - Documents.

# TALXIS - Email Connector - Flow

Application registration for TALXIS Email Power Automate connector. This connector can send emails from custom domains.

| API Name | Claim | Permission | Type | Business Justification |
| --- | --- | --- | --- | --- |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the actions. |
| TALXIS - Email Connector * | API.AccessAsUser.All | Access TALXIS Email Connector API as Current User | Delegated | Required so that the Power Automate connector can communicate with the TALXIS Email Connector API. |

*: Requires consent of TALXIS - Email Connector.

# TALXIS - STS - Flow

Application registration for TALXIS Security Token Service Power Automate connector. This connector can generate security tokens for magic links and password-less or one-time sign in scenarios.

| API Name | Claim | Permission | Type | Business Justification |
| --- | --- | --- | --- | --- |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the actions. |
| TALXIS - STS * | access_as_user | Access as user | Delegated | Required so that the Power Automate connector can communicate with the TALXIS STS API. |

*: Requires consent of TALXIS - STS.

# TALXIS - Surveys - Flow

Application registration for the TALXIS Surveys Power Automate connector. This connector can create and update a session. It can also wait for the survey response before continuing.

| API Name | Claim | Permission | Type | Business Justification |
| --- | --- | --- | --- | --- |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the actions. |
| TALXIS - Surveys - API * | user_impersonation | User Impersonation | Delegated | Required so that the Power Automate connector can communicate with the TALXIS Surveys API. |

*: Requires consent of TALXIS - Surveys - API.

# Power Apps Component Framework

PCF controls make it possible to deliver custom user experiences to your Power Apps applications, both Canvas and Model-driven. Although the PCF provides a context through which the control can interact with the host (getting the latest data, saving data, etc.), there is no API for getting the user token due to security implications. If the control wants to interact with a different service, it needs to get the token on its own. That is why these application registrations exist.

| Name | Consent Link |
| --- | --- |
| TALXIS - PCF.AddressPicker | 🔗 |
| TALXIS - PCF.BizMachineProspector | 🔗 |
| TALXIS - PCF.Calendar | 🔗 |
| TALXIS - PCF.CompanyProfileHinting | 🔗 |
| TALXIS - PCF.Documents | 🔗 |
| TALXIS - PCF.FilePicker | 🔗 |
| TALXIS - PCF.FilePicker - Group Creation | 🔗 |
| TALXIS - PCF.FilePicker - Advanced Permissions | 🔗 |
| TALXIS - PCF.InvoiceRecognition | 🔗 |
| TALXIS - PCF.MapPicker | 🔗 |
| TALXIS - PCF.PeopleGrid | 🔗 |
| TALXIS - PCF.ResourceScheduler | 🔗 |

# TALXIS - PCF.AddressPicker

Application registration for the TALXIS Address Picker PCF. This control can suggest an existing address based on the user input.

| API Name | Claim | Permission | Type | Business Justification |
| --- | --- | --- | --- | --- |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the actions. |
| TALXIS Data Feed * | API.AccessAsUser.All | Access TALXIS Data Feed as Current User | Delegated | Required so that the control can communicate with the TALXIS Data Feed API. |

*: Requires consent of TALXIS Data Feed.

# TALXIS - PCF.Calendar

Application registration for the TALXIS Calendar PCF. This control allows users to fully edit their Outlook calendar directly from any Power Apps application.

| API Name | Claim | Permission | Type | Business Justification |
| --- | --- | --- | --- | --- |
| Microsoft Graph | Calendars.ReadWrite | Have full access to user calendars | Delegated | The application must have access to users' calendars in order to show or change users' events. |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the actions. |
| Microsoft Graph | User.Read.All | Read all users' full profiles | Delegated | |

# TALXIS - PCF.CompanyProfileHinting

Application registration for TALXIS Company Profile Hinting PCF.

| API Name | Claim | Permission | Type | Business Justification |
| --- | --- | --- | --- | --- |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the actions. |
| TALXIS Data Feed * | API.AccessAsUser.All | Access Data Feed as Current User | Delegated | Required so that the control can communicate with the TALXIS Data Feed API. |

*: Requires consent of TALXIS Data Feed.

# TALXIS - PCF.Documents

Application registration for TALXIS Document Viewer PCF.

| API Name | Claim | Permission | Type | Business Justification |
| --- | --- | --- | --- | --- |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the actions. |
| TALXIS - Documents * | user_impersonation | User Impersonation | Delegated | |

*: Requires consent of TALXIS - Documents.

# TALXIS - PCF.FilePicker

Application registration for TALXIS File Picker PCF.

| API Name | Claim | Permission | Type | Business Justification |
| --- | --- | --- | --- | --- |
| Microsoft Graph | Files.ReadWrite | Have full access to user files | Delegated | The application must be aware of all the files the user has access to. |
| Microsoft Graph | Files.ReadWrite.All | Have full access to all files user can access | Delegated | The application must be aware of all the files in the SPO or Environment File System. |
| Microsoft Graph | Group.Read.All | Read all groups | Delegated | |
| Microsoft Graph | Sites.Read.All | Read items in all site collections | Delegated | |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the actions. |

# TALXIS - PCF.FilePicker - Group Creation

TBD

| API Name | Claim | Permission | Type | Business Justification |
| --- | --- | --- | --- | --- |
| Microsoft Graph | Group.ReadWrite.All | Read and write all groups | Delegated | The application must be aware of all the groups to work with groups. |
| Microsoft Graph | GroupMember.ReadWrite.All | Read and write group memberships | Delegated | The application must be aware of all the group members in order to work with group members. |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of all the group members to work with group members. |

# TALXIS - PCF.FilePicker - Advanced Permissions

TBD

| API Name | Claim | Permission | Type | Business Justification |
| --- | --- | --- | --- | --- |
| Microsoft Graph | People.Read | Read users' relevant people lists | Delegated | |
| Microsoft Graph | Sites.Manage.All | Create, edit, and delete items and lists in all site collections | Delegated | |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of all the group members to work with group members. |

# TALXIS - PCF.InvoiceRecognition

Application registration for TALXIS Invoice Recognition PCF.

| API Name | Claim | Permission | Type | Business Justification |
| --- | --- | --- | --- | --- |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the actions. |
| TALXIS Data Feed * | API.AccessAsUser.All | Access Data Feed as Current User | Delegated | Required so that the Power Automate connector can communicate with the TALXIS Data Feed API. |

*: Requires consent of TALXIS Data Feed.

# TALXIS - PCF.MapPicker

Application registration for TALXIS Map Picker PCF.

| API Name | Claim | Permission | Type | Business Justification |
| --- | --- | --- | --- | --- |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the actions. |
| TALXIS Data Feed * | API.AccessAsUser.All | Access Data Feed as Current User | Delegated | Required so that the Power Automate connector can communicate with the TALXIS Data Feed API. |

*: Requires consent of TALXIS Data Feed.

# TALXIS - PCF.PeopleGrid

Application registration for TALXIS People Grid PCF.

| API Name | Claim | Permission | Type | Business Justification |
| --- | --- | --- | --- | --- |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the actions. |
| TALXIS Data Feed * | API.AccessAsUser.All | Access Data Feed as Current User | Delegated | Required so that the Power Automate connector can communicate with the TALXIS Data Feed API. |

*: Requires consent of TALXIS Data Feed.

# TALXIS - PCF.ResourceScheduler

Application registration for TALXIS Resource Scheduler PCF.

| API Name | Claim | Permission | Type | Business Justification |
| --- | --- | --- | --- | --- |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the actions. |
| Microsoft Graph | User.ReadBasic.All | Read all users' basic profiles | Delegated | The application must be aware of other users' identities to work with them. |

# Other

Miscellaneous TALXIS application registrations. Some of these are probably being called from the PCFs or cloud flows.

| Name | Consent Link |
| --- | --- |
| TALXIS - Client | 🔗 |
| TALXIS - Flow Monitor | 🔗 |
| Signi.com | 🔗 |
| TALXIS - Redirect Service | 🔗 |
| TALXIS - STS | 🔗 |
| TALXIS - Surveys - API | 🔗 |
| TALXIS Data Feed | 🔗 |
| TALXIS - Documents | 🔗 |
| TALXIS - Email Connector | 🔗 |

# TALXIS - Client

TBD

| API Name | Claim | Permission | Type | Business Justification |
| --- | --- | --- | --- | --- |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the metadata access. |

# TALXIS - Flow Monitor

The application is used to access data inside Power Automate. It collects and manages this data to inform about issues on specific flows and flow runs.

| API Name | Claim | Permission | Type | Business Justification |
| --- | --- | --- | --- | --- |
| Power Automate | user_impersonation | Access Common Data Service as organization users | Delegated | |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the metadata access. |
| Microsoft Graph | User.Read.All | Read all users' full profiles | Application | |
| Power Automate | Flows.Manage.All | Allow the application to manage flows | Delegated | The application must be able to read and manage all flows in order to monitor the flow runs. |
| Power Automate | User | Access Microsoft Flow as signed in user | Delegated | The application must be able to impersonate the non-interactive user used for the specific connections when accessing Power Automate. |
| PowerApps Service | User | Access the PowerApps Service API | Delegated | |

# Signi.com

Application is used to send and electronically sign documents sent via email.

| API Name | Claim | Permission | Type | Business Justification |
| --- | --- | --- | --- | --- |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the metadata access. |
| Microsoft Graph | GroupMember.Read.All | Read group memberships | Delegated | The application must be able to impersonate the non-interactive user used for accessing metadata to use application data in the documents. |

# TALXIS - Redirect Service

TBD

| API Name | Claim | Permission | Type | Business Justification |
| --- | --- | --- | --- | --- |
| Dataverse | user_impersonation | Access Common Data Service as organization users | Delegated | |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the data access. |

# TALXIS - STS

TBD

| API Name | Claim | Permission | Type | Business Justification |
| --- | --- | --- | --- | --- |
| Dataverse | user_impersonation | Access Common Data Service as organization users | Delegated | |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the data access. |

# TALXIS - Surveys - API

The application is used to create and send a survey with data from Dataverse.

| API Name | Claim | Permission | Type | Business Justification |
| --- | --- | --- | --- | --- |
| Dataverse | user_impersonation | Access Common Data Service as organization users | Delegated | The application must be able to impersonate the non-interactive user used for accessing metadata to show application data in the survey. |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the data access. |

# TALXIS Data Feed

Application registration for TALXIS Data Feed used in PCF controls.

| API Name | Claim | Permission | Type | Business Justification |
| --- | --- | --- | --- | --- |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the data access. |

# TALXIS - Documents

TBD

| API Name | Claim | Permission | Type | Business Justification |
| --- | --- | --- | --- | --- |
| Dataverse | user_impersonation | Access Common Data Service as organization users | Delegated | |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the data access. |

# TALXIS - Email Connector

TBD

| API Name | Claim | Permission | Type | Business Justification |
| --- | --- | --- | --- | --- |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the data access. |
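
To confirm that the delegated permissions your tenant has actually granted match the tables on this page, the grants can be compared with the documented claims. This is an added example, not TALXIS or NETWORG code: `DOCUMENTED` copies three tables from this page, `GRANTS` is constructed sample data using the `scope` and `consentType` fields of Microsoft Graph `oauth2PermissionGrant` objects, and `clientName` / `resourceName` are hypothetical fields standing in for display names resolved from `clientId` / `resourceId`.

```python
from collections import defaultdict

# Three tables copied from this page: app -> API name -> documented claims.
DOCUMENTED = {
    "TALXIS - PCF.FilePicker": {"Microsoft Graph": {
        "Files.ReadWrite", "Files.ReadWrite.All", "Group.Read.All",
        "Sites.Read.All", "User.Read"}},
    "TALXIS - Connectors - MsGraph": {"Microsoft Graph": {
        "User.Read", "User.ReadWrite.All"}},
    "TALXIS - PCF.Calendar": {"Microsoft Graph": {
        "Calendars.ReadWrite", "User.Read", "User.Read.All"}},
}

# Constructed sample grants. scope and consentType follow the Graph
# oauth2PermissionGrant resource; clientName and resourceName are hypothetical
# fields holding display names already resolved from clientId and resourceId.
GRANTS = [
    {"clientName": "TALXIS - PCF.FilePicker", "resourceName": "Microsoft Graph",
     "consentType": "AllPrincipals",
     "scope": "Files.ReadWrite Files.ReadWrite.All Group.Read.All "
              "Sites.Read.All User.Read"},
    {"clientName": "TALXIS - Connectors - MsGraph",
     "resourceName": "Microsoft Graph", "consentType": "AllPrincipals",
     "scope": "User.Read User.ReadWrite.All Directory.ReadWrite.All"},
    {"clientName": "TALXIS - PCF.Calendar", "resourceName": "Microsoft Graph",
     "consentType": "Principal", "scope": "User.Read Calendars.ReadWrite"},
    {"clientName": "Contoso Helper", "resourceName": "Microsoft Graph",
     "consentType": "AllPrincipals", "scope": "User.Read Mail.Read"},
]


def audit_grants(grants, documented):
    """Return sorted (app, api, finding, detail) tuples for review."""
    findings = set()
    granted = defaultdict(set)  # (app, api) -> union of scopes over all grants
    for g in grants:
        app, api = g["clientName"], g["resourceName"]
        scopes = set(g["scope"].split())  # scopes are space-separated
        if app not in documented:
            # An app this page does not list holds a grant in the tenant.
            findings.add((app, api, "undocumented-app", " ".join(sorted(scopes))))
            continue
        granted[(app, api)] |= scopes
        for s in scopes - documented[app].get(api, set()):
            findings.add((app, api, "extra-scope", s))  # beyond the table
        if g["consentType"] == "AllPrincipals":
            # Admin consent covers every user; *.All claims deserve a look.
            for s in scopes:
                if s.endswith(".All"):
                    findings.add((app, api, "broad-admin-consent", s))
    for (app, api), scopes in granted.items():
        # Documented but not granted: the app may fail or prompt again.
        for s in documented[app].get(api, set()) - scopes:
            findings.add((app, api, "missing-scope", s))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_grants(GRANTS, DOCUMENTED):
        print(*finding, sep=" | ")
```

Application-type permissions (such as the `User.Read.All` row under TALXIS - Flow Monitor) are recorded as app role assignments rather than delegated grants, so they need a separate review.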