Hi everyone
We're in the process of setting up an OIDC AD integration using the Office 365/ AD plugins (https://docs.moodle.org/34/en/Office365).
I note that the guidance says to ensure the permissions are set as per the below table but - what if we ONLY want to be able to sync users? E.g. so users are synced between AD and our Moodle instance and then when new AD users are created, they can SSO to our Moodle instance?
Some of these permissions seem excessive and we're getting a bit of push back on their use. Can we "pick and choose" from the below (e.g. if not using OneDrive for example) or do we need them all in order to have AD integration via OIDC?
| Type | Name | Use |
|---|---|---|
| Application Permissions | Read and write domains | Required to automatically detect your Office 365 tenant during setup. |
| Read and write all users' full profiles | Required to sync user information between Moodle and Office 365. | |
| Read and write all OneNote notebooks | Required for the OneNote integration to create notebooks, sections, and pages for assignments. | |
| Read and write all groups | Required for course group integration. | |
| Read directory data | Required for setup detection and verification. | |
| Read and write calendars in all mailboxes | Required for calendar event sync. | |
| Read and write files in all site collections | Required for the Office 365 repository to access, download, and upload files to OneDrive. | |
| Delegated Permissions | Read and write all OneNote notebooks that user can access | Required for the OneNote integration to create notebooks, sections, and pages for assignments. |
| Sign in and read user profile | Required to sign users in using Office 365, and to access Office 365 APIs. | |
| Read and write all users' full profiles | Required to sync user information between Moodle and Office 365. | |
| Read and write all groups | Required for course group integration. | |
| Read and write directory data | Required for setup detection and verification. | |
| Access directory as the signed in user | Required to access Office 365 APIs. | |
| Have full access to user calendars | Required for calendar event sync. | |
| Have full access to user files | Required for the Office 365 repository to access, download, and upload files to OneDrive. | |
| Read items in all site collections | Required for SharePoint integration (deprecated) | |
| Sign users in | Required to sign users in using Office 365 (required for all integration). |