To be useful for intranet users, ahead requires Delegated permissions as well as some Application permissions.
- ahead uses Delegated permissions to work with your data on behalf of the signed-in user. Either the user or an administrator consents to the permissions that the app requests.
- Application permissions are necessary to perform tasks where no signed-in user is present.
ahead accesses the following resources which belong to your company:
- Microsoft Graph
- Office 365 SharePoint Online
- Windows Azure Active Directory
For each of these resources, the consent requested matches ahead’s requirements in that area.
Microsoft Graph
Delegated permissions
- Read all users’ full profiles
Required to show the names of ahead users, as well as their images, on e.g. comments and reactions
- Read all groups
Required for the vertical search groups
- Read directory data
Required to identify which permissions a user has in ahead
- Read items in all site collections
Used for data shown in “My Work” (e.g. your documents)
Application permissions
- Read directory data
Required to send emails to ahead users when a News editor wants to notify them about a News post
Office 365 SharePoint Online
Delegated permissions
- Read items in all site collections
Used to list the user’s followed sites
- Run search queries as a user
Used to perform full-text search over your SharePoint data
Windows Azure Active Directory
Delegated permissions
- Sign in and read user profile
This allows your users to log in
If you are interested in the technical background, you can read about “Permissions and consent in the Azure Active Directory v2.0 endpoint”.
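The delegated permissions listed above can be used as a baseline when reviewing what has actually been consented in your tenant. The following is an added example, not code from ahead: it diffs records shaped like Microsoft Graph `oauth2PermissionGrants` entries against that list. The scope identifiers are assumed mappings of the display names on this page, and the resource ids and grants are constructed sample data.

```python
# Added example: compare delegated grants with the permissions documented on this page.
# Scope identifiers are ASSUMED equivalents of the display names listed above.
BASELINE = {
    "Microsoft Graph": {"User.Read.All", "Group.Read.All",
                        "Directory.Read.All", "Sites.Read.All"},
    "Office 365 SharePoint Online": {"AllSites.Read", "Sites.Search.All"},
    "Windows Azure Active Directory": {"User.Read"},
}

# Constructed sample: resource service principal ids mapped to display names.
SAMPLE_RESOURCES = {"sp-graph": "Microsoft Graph",
                    "sp-spo": "Office 365 SharePoint Online",
                    "sp-aad": "Windows Azure Active Directory"}

# Constructed sample shaped like oauth2PermissionGrants records for one client app.
SAMPLE_GRANTS = [
    {"resourceId": "sp-graph", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read.All Group.Read.All Directory.Read.All Sites.Read.All Mail.Read"},
    {"resourceId": "sp-spo", "consentType": "AllPrincipals", "principalId": None,
     "scope": "AllSites.Read"},
    {"resourceId": "sp-aad", "consentType": "Principal", "principalId": "user-1",
     "scope": " User.Read"},
]

def audit_delegated_grants(grants, resources, baseline=BASELINE):
    """Return findings: scopes beyond the baseline, baseline scopes never
    granted, and grants on resources the page does not list."""
    granted = {name: set() for name in baseline}
    findings = []
    for grant in grants:
        name = resources.get(grant["resourceId"], grant["resourceId"])
        scopes = set((grant.get("scope") or "").split())  # space-separated string
        expected = baseline.get(name)
        if expected is None:
            findings.append(("unexpected_resource", name, sorted(scopes)))
            continue
        granted[name] |= scopes  # admin and per-user consent both count
        extra = scopes - expected
        if extra:
            findings.append(("excess", name, sorted(extra)))
    for name, expected in baseline.items():
        missing = expected - granted[name]
        if missing:
            findings.append(("missing", name, sorted(missing)))
    return findings

if __name__ == "__main__":
    for finding in audit_delegated_grants(SAMPLE_GRANTS, SAMPLE_RESOURCES):
        print(finding)
```

The Application permission is not covered here, because application permissions are recorded as app role assignments on the service principal rather than as delegated grants.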