# Required Application Consent
# Why is it required to consent the applications?
The TALXIS ecosystem consists of various SaaS (Software as a Service) products. Most of the products require communication with other TALXIS and Microsoft services. Every data flow between these must be strongly secured. Since TALXIS is primarily built on top of the Microsoft technology stack, Microsoft Entra ID was chosen as the identity platform. Microsoft Entra ID implements the OpenID Connect (OIDC) and OAuth 2.0 protocols to satisfy this requirement for strong security. If you wish to use the TALXIS products, you will need to consent to the client applications so that your organization's Microsoft Entra ID trusts them and issues valid security tokens to them.
In a typical user grant flow (authorization code / implicit), the application requests another service, and because there is no valid token for that service, the user is prompted through a pop-up window to log in to the requested service. To streamline token management, TALXIS products mainly use the OBO (On-Behalf-Of) grant flow. Thanks to this approach, true SSO (single sign-on) is possible and the number of additional pop-ups is kept to a minimum.
The application registrations below are separated by product or service, and often also by the client they are consumed from. This enables TALXIS to support the OBO grant flow while enabling your organization's admins to limit the permissions they grant. It is not recommended to approve all of them. If you are not sure which ones apply to you, contact NETWORG to provide you with a specific list matching your setup.
# Terminology
All the application registrations will be referencing some terms you should be familiar with before proceeding.
Term | Explanation |
---|---|
API Name | The name of the service or API the application registration wants the permissions for. |
Claim | Sometimes referred to as scope, this is the logical name of the permission. |
Permission | Description of the permission. |
Type | Either a Delegated permission or an Application permission. They differ in access context. Delegated permission => the application will never be able to access anything the signed in user themselves couldn't access. Application permission => the application will be able to access any data that the permission is associated with. |
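
An added example (not TALXIS or Microsoft code): a small triage script that reads permission rows in this page's table layout and flags the ones an admin should look at before consenting. The flag rules (Application type, `.All` suffix, write/manage naming, empty justification) are heuristics assumed for this example.

```python
# Added example: triage rows from this page's permission tables before consenting.
# The flag rules below are heuristics assumed for this example, not TALXIS policy.

# Rows copied from the "TALXIS - Flow Monitor" and
# "TALXIS - PCF.FilePicker - Advanced Permissions" tables on this page.
SAMPLE_ROWS = """\
API Name | Claim | Permission | Type | Business Justification |
---|---|---|---|---|
Power Automate | user_impersonation | Access Common Data Service as organization users | Delegated | |
Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the metadata access. |
Microsoft Graph | User.Read.All | Read all users' full profiles | Application | |
Microsoft Graph | Sites.Manage.All | Create, edit, and delete items and lists in all site collections | Delegated | |
PowerApps Service | User | Access the PowerApps Service API | Delegated |
"""

WRITE_MARKERS = ("ReadWrite", "Manage")  # assumed naming heuristic


def parse_rows(text):
    """Parse pipe-delimited rows into dicts, tolerating a missing last cell."""
    keys = ("api", "claim", "permission", "type", "justification")
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("---") or line.startswith("API Name"):
            continue  # blank line, separator row, or header row
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) < 4:
            continue  # not a permission row
        cells += [""] * (5 - len(cells))  # pad a dropped justification cell
        rows.append(dict(zip(keys, cells[:5])))
    return rows


def findings_for(row):
    """Return the review flags that apply to one permission row."""
    flags = []
    if row["type"].lower() == "application":
        flags.append("application permission: not limited to the signed-in user's access")
    if row["claim"].endswith(".All"):
        flags.append("'.All' scope: reaches beyond the user's own objects")
    if any(marker in row["claim"] for marker in WRITE_MARKERS):
        flags.append("write or manage capability")
    if not row["justification"]:
        flags.append("no business justification documented")
    return flags


def triage(text):
    """Return (api, claim, flags) for every row that has at least one flag."""
    flagged = []
    for row in parse_rows(text):
        flags = findings_for(row)
        if flags:
            flagged.append((row["api"], row["claim"], flags))
    return flagged


if __name__ == "__main__":
    for api, claim, flags in triage(SAMPLE_ROWS):
        print(f"{api} / {claim}")
        for flag in flags:
            print(f"  - {flag}")
```
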
# Power Platform Deployments
TALXIS deployments to the downstream Power Platform Dataverse environments are fully automated to save resources and prevent any errors. If your organization's Dataverse environment is to be deployed by TALXIS, make sure to consent to the following application.
Name | Consent Link |
---|---|
TALXIS Deployments | 🔗 |
# TALXIS Deployments
Application can read & write only to environments where permissions have been explicitly granted to the service principal. The principal is non-interactive.
API Name | Claim | Permission | Type | Business Justification |
---|---|---|---|---|
Windows Azure Active Directory | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the deployment. |
Dataverse | user_impersonation | Access Common Data Service as organization users | Delegated | The application must be able to impersonate the non-interactive user used for the deployment when accessing Dataverse. |
If you need to set up the Dataverse environment as well, maybe take a look here first.
# TALXIS Portal
If you have selected TALXIS Portal as your hosting option, these are the application registrations requiring consent.
Name | Consent Link |
---|---|
TALXIS Portals | 🔗 |
TALXIS Metadata Service | 🔗 |
# TALXIS Portals
Application is used to access data inside Dataverse environment. It can read & write only to environments where permissions have been explicitly granted to the service principal. The principal is non-interactive.
API Name | Claim | Permission | Type | Business Justification |
---|---|---|---|---|
Dataverse | user_impersonation | Access Common Data Service as organization users | Delegated | The application must be able to impersonate the non-interactive user used for accessing data to be presented in the Portal. |
Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the data access. |
# TALXIS Metadata Service
Application is used to access metadata of the application inside Dataverse environment. It can only read from environments where permissions have been explicitly granted to the service principal. The principal is non-interactive.
API Name | Claim | Permission | Type | Business Justification |
---|---|---|---|---|
Dataverse | user_impersonation | Access Common Data Service as organization users | Delegated | The application must be able to impersonate the non-interactive user used for accessing metadata to render the application in the Portal. |
Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the metadata access. |
# Power Automate
These are the application registrations through which TALXIS Power Automate Connectors obtain the token and user identity with it.
# Signi.com - Power Automate
Application registration for Signi Power Automate connector. This connector is developed and maintained by TALXIS. The connector supports multiple e-signature scenarios.
API Name | Claim | Permission | Type | Business Justification |
---|---|---|---|---|
Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the actions. |
Signi.com * | API.AccessAsUser.All | Access TALXIS Signi proxy as Current User | Delegated | Required so that the Power Automate connector can communicate with the TALXIS Signi proxy. |
*: Requires consent of Signi.com.
# TALXIS - Connectors - MsGraph
Application registration for TALXIS custom connector for Microsoft Graph. This connector allows calling some actions that the native connector does not support.
API Name | Claim | Permission | Type | Business Justification |
---|---|---|---|---|
Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the actions. |
Microsoft Graph | User.ReadWrite.All | Read and write all users' full profiles | Delegated | The connector can manipulate user objects and it needs this permission to do so. It is only a delegated permission. |
# TALXIS - Data Feed - Flow
Application registration for TALXIS Data Feed Power Automate connector. This connector exposes a range of public data. For example: getting public holidays for a given state, getting organization data from a business register, geocoding addresses, etc.
API Name | Claim | Permission | Type | Business Justification |
---|---|---|---|---|
Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the actions. |
TALXIS Data Feed * | API.AccessAsUser.All | Access TALXIS Data Feed as Current User | Delegated | Required so that the Power Automate connector can communicate with the TALXIS Data Feed API. |
*: Requires consent of TALXIS Data Feed.
# TALXIS - Documents - Flow
Application registration for TALXIS Documents Power Automate connector. This connector can be used for generating Word, Excel and PowerPoint documents from templates.
API Name | Claim | Permission | Type | Business Justification |
---|---|---|---|---|
Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the actions. |
TALXIS - Documents * | user_impersonation | Access TALXIS Documents API as Current User | Delegated | Required so that the Power Automate connector can communicate with the TALXIS Documents API. |
*: Requires consent of TALXIS - Documents.
# TALXIS - Email Connector - Flow
Application registration for TALXIS Email Power Automate connector. This connector can send emails from custom domains.
API Name | Claim | Permission | Type | Business Justification |
---|---|---|---|---|
Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the actions. |
TALXIS - Email Connector * | API.AccessAsUser.All | Access TALXIS Email Connector API as Current User | Delegated | Required so that the Power Automate connector can communicate with the TALXIS Email Connector API. |
*: Requires consent of TALXIS - Email Connector.
# TALXIS - STS - Flow
Application registration for TALXIS Security Token Service Power Automate connector. This connector can generate security tokens for magic links and password-less or one-time sign in scenarios.
API Name | Claim | Permission | Type | Business Justification |
---|---|---|---|---|
Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the actions. |
TALXIS - STS * | access_as_user | Access as user | Delegated | Required so that the Power Automate connector can communicate with the TALXIS STS API. |
*: Requires consent of TALXIS - STS.
# TALXIS - Surveys - Flow
Application registration for TALXIS Surveys Power Automate connector. This connector can create and update a session. It can also wait for the survey response before continuing.
API Name | Claim | Permission | Type | Business Justification |
---|---|---|---|---|
Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the actions. |
TALXIS - Surveys - API * | user_impersonation | User Impersonation | Delegated | Required so that the Power Automate connector can communicate with the TALXIS Surveys API. |
*: Requires consent of TALXIS - Surveys - API.
# Power Apps Component Framework
PCF controls make it possible to deliver custom user experiences to your Power Apps applications - both Canvas and Model-driven. Although the PCF provides a context through which the control can interact with the host (getting latest data, saving data, etc.), there is no API for getting the user token due to security implications. If the control wants to interact with a different service, it needs to get the token on its own. That is why these application registrations exist.
# TALXIS - PCF.AddressPicker
Application registration for TALXIS Address Picker PCF. This control can suggest an existing address based on the user input.
API Name | Claim | Permission | Type | Business Justification |
---|---|---|---|---|
Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the actions. |
TALXIS Data Feed * | API.AccessAsUser.All | Access TALXIS Data Feed as Current User | Delegated | Required so that the control can communicate with the TALXIS Data Feed API. |
*: Requires consent of TALXIS Data Feed.
# TALXIS - PCF.Calendar
Application registration for TALXIS Calendar PCF. This control allows users to fully edit their Outlook calendar directly from any Power Apps application.
API Name | Claim | Permission | Type | Business Justification |
---|---|---|---|---|
Microsoft Graph | Calendars.ReadWrite | Have full access to user calendars | Delegated | The application must have access to users' calendars in order to show or change users' events. |
Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the actions. |
Microsoft Graph | User.Read.All | Read all users' full profiles | Delegated | |
# TALXIS - PCF.CompanyProfileHinting
Application registration for TALXIS Company Profile Hinting PCF.
API Name | Claim | Permission | Type | Business Justification |
---|---|---|---|---|
Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the actions. |
TALXIS Data Feed * | API.AccessAsUser.All | Access Data Feed as Current User | Delegated | Required so that the control can communicate with the TALXIS Data Feed API. |
*: Requires consent of TALXIS Data Feed.
# TALXIS - PCF.Documents
Application registration for TALXIS Document Viewer PCF.
API Name | Claim | Permission | Type | Business Justification |
---|---|---|---|---|
Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the actions. |
TALXIS - Documents * | user_impersonation | User Impersonation | Delegated | |
*: Requires consent of TALXIS - Documents.
# TALXIS - PCF.FilePicker
Application registration for TALXIS File Picker PCF.
API Name | Claim | Permission | Type | Business Justification |
---|---|---|---|---|
Microsoft Graph | Files.ReadWrite | Have full access to user files | Delegated | The application must be aware of all the files the user has access to. |
Microsoft Graph | Files.ReadWrite.All | Have full access to all files user can access | Delegated | The application must be aware of all the files in the SPO or Environment File System. |
Microsoft Graph | Group.Read.All | Read all groups | Delegated | |
Microsoft Graph | Sites.Read.All | Read items in all site collections | Delegated | |
Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the actions. |
# TALXIS - PCF.FilePicker - Group Creation
TBD
API Name | Claim | Permission | Type | Business Justification |
---|---|---|---|---|
Microsoft Graph | Group.ReadWrite.All | Read and write all groups | Delegated | The application must be aware of all the groups to work with groups. |
Microsoft Graph | GroupMember.ReadWrite.All | Read and write group memberships | Delegated | The application must be aware of all the group members in order to work with group members. |
Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of all the group members to work with group members. |
# TALXIS - PCF.FilePicker - Advanced Permissions
TBD
API Name | Claim | Permission | Type | Business Justification |
---|---|---|---|---|
Microsoft Graph | People.Read | Read users' relevant people lists | Delegated | |
Microsoft Graph | Sites.Manage.All | Create, edit, and delete items and lists in all site collections | Delegated | |
Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of all the group members to work with group members. |
# TALXIS - PCF.InvoiceRecognition
Application registration for TALXIS Invoice Recognition PCF.
API Name | Claim | Permission | Type | Business Justification |
---|---|---|---|---|
Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the actions. |
TALXIS Data Feed * | API.AccessAsUser.All | Access Data Feed as Current User | Delegated | Required so that the Power Automate connector can communicate with the TALXIS Data Feed API. |
*: Requires consent of TALXIS Data Feed.
# TALXIS - PCF.MapPicker
Application registration for TALXIS Map Picker PCF.
API Name | Claim | Permission | Type | Business Justification |
---|---|---|---|---|
Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the actions. |
TALXIS Data Feed * | API.AccessAsUser.All | Access Data Feed as Current User | Delegated | Required so that the Power Automate connector can communicate with the TALXIS Data Feed API. |
*: Requires consent of TALXIS Data Feed.
# TALXIS - PCF.PeopleGrid
Application registration for TALXIS People Grid PCF.
API Name | Claim | Permission | Type | Business Justification |
---|---|---|---|---|
Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the actions. |
TALXIS Data Feed * | API.AccessAsUser.All | Access Data Feed as Current User | Delegated | Required so that the Power Automate connector can communicate with the TALXIS Data Feed API. |
*: Requires consent of TALXIS Data Feed.
# TALXIS - PCF.ResourceScheduler
Application registration for TALXIS Resource Scheduler PCF.
API Name | Claim | Permission | Type | Business Justification |
---|---|---|---|---|
Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the actions. |
Microsoft Graph | User.ReadBasic.All | Read all users' basic profiles | Delegated | The application must be aware of other users' identities to work with them. |
# Other
Miscellaneous TALXIS application registrations. Some of these are probably being called from the PCFs or cloud flows.
# TALXIS - Client
TBD
API Name | Claim | Permission | Type | Business Justification |
---|---|---|---|---|
Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the metadata access. |
# TALXIS - Flow Monitor
Application is used to access data inside Power Automate. It collects and manages this data to report issues with specific flows and flow runs.
API Name | Claim | Permission | Type | Business Justification |
---|---|---|---|---|
Power Automate | user_impersonation | Access Common Data Service as organization users | Delegated | |
Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the metadata access. |
Microsoft Graph | User.Read.All | Read all users' full profiles | Application | |
Power Automate | Flows.Manage.All | Allow the application to manage flows | Delegated | The application must be able to read and manage all flows in order to monitor the flow runs. |
Power Automate | User | Access Microsoft Flow as signed in user | Delegated | The application must be able to impersonate the non-interactive user used for the specific connections when accessing Power Automate. |
PowerApps Service | User | Access the PowerApps Service API | Delegated | |
# Signi.com
Application is used to send and electronically sign documents sent via email.
API Name | Claim | Permission | Type | Business Justification |
---|---|---|---|---|
Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the metadata access. |
Microsoft Graph | GroupMember.Read.All | Read group memberships | Delegated | The application must be able to impersonate the non-interactive user used for accessing metadata to use application data in the documents. |
# TALXIS - Redirect Service
TBD
API Name | Claim | Permission | Type | Business Justification |
---|---|---|---|---|
Dataverse | user_impersonation | Access Common Data Service as organization users | Delegated | |
Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the data access. |
# TALXIS - STS
TBD
API Name | Claim | Permission | Type | Business Justification |
---|---|---|---|---|
Dataverse | user_impersonation | Access Common Data Service as organization users | Delegated | |
Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the data access. |
# TALXIS - Surveys - API
Application is used to create and send surveys with data from Dataverse.
API Name | Claim | Permission | Type | Business Justification |
---|---|---|---|---|
Dataverse | user_impersonation | Access Common Data Service as organization users | Delegated | The application must be able to impersonate the non-interactive user used for accessing metadata to show application data in the survey. |
Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the data access. |
# TALXIS Data Feed
Application registration for TALXIS Data Feed used in PCF controls.
API Name | Claim | Permission | Type | Business Justification |
---|---|---|---|---|
Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the data access. |
# TALXIS - Documents
TBD
API Name | Claim | Permission | Type | Business Justification |
---|---|---|---|---|
Dataverse | user_impersonation | Access Common Data Service as organization users | Delegated | |
Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the data access. |
# TALXIS - Email Connector
TBD
API Name | Claim | Permission | Type | Business Justification |
---|---|---|---|---|
Microsoft Graph | User.Read | Sign in and read user profile | Delegated | The application must be aware of the identity used in the context of the data access. |