What is Application Consent?

Application consent is an important aspect of user privacy and data security, as it ensures that users have control over how their information is shared and used by third-party applications. Developers and service providers must adhere to legal and regulatory requirements regarding consent, such as GDPR (General Data Protection Regulation) in Europe, and implement appropriate mechanisms for obtaining and managing user consent effectively.

What app permissions should you avoid?

There’s no universal rule for which app permissions you should always allow or deny. Different permissions exist for various reasons. One app may need specific permission to function, while another may request the same permission to collect and sell your data. However, some app permissions enable access to more sensitive data than others, so they deserve a closer look. (iOS and Android app permissions may be named differently, depending on the version of your operating system.)

Apart from the usual app permissions, some software may request special access. Essentially, this access includes several different permissions, such as:

  • Access to all files
  • Appear on top
  • Ignore the “Do not disturb” mode
  • Change system settings
  • Install unknown apps
  • Control Wi-Fi

Many other app permissions can become dangerous if a malicious or vulnerable app can access them. For example, you may not consider your step count confidential information, but permission to access body sensors can reveal sensitive health data. Meanwhile, access to nearby devices can aid cross-device tracking.

Permissions You Provide

The permissions requested by an application can vary depending on its functionality and the services it integrates with. Common permissions include:

  • Access to your basic profile information (name, email, profile picture).
  • Access to your contacts or friend list.
  • Permission to post on your behalf.
  • Access to your location data.
  • Access to your photos or media files.
  • Ability to send you notifications.

Why Are Permissions Required?

Permissions are required to ensure that applications and services access only the data and functionality they need to provide their intended features while respecting user privacy and security. They strike a balance between enabling applications to provide useful features and protecting user privacy, enhancing data security, and ensuring compliance with regulations.

Protecting Your Privacy

It is essential to review the permissions requested by applications and to grant access only to the information and features you’re comfortable sharing. Be cautious when granting permissions to unfamiliar or untrusted applications, as they could misuse your data.

Important Things to Consider

Where You Download the App

One of the first things to consider is where the apps are downloaded from. Always make sure they come from a trusted source. If they don’t, it’s impossible to tell what security vulnerabilities might be hiding inside the application.

The Fine Print

Always take the time to review the fine print. It might seem like a wasted effort, especially when you see apps with tens of thousands of positive reviews. However, you don’t know what you are agreeing to without reviewing the fine print.

Reviewing and Granting Permissions

In addition to downloading from a trusted source and being aware of what you agree to by installing the app, you should understand the permissions you are granting the app. Permissions control what an app is allowed or not allowed to do on a device. By granting permissions, you will enable an app to use a feature, and by denying access, you prevent it from using a feature. Ensure you understand that you have full control over these permissions.

Approval Process for Extended Access

Extended access to sensitive data within your Trinity College account is granted by IT Services; you yourself can permit access to specific areas linked to your account. This practice protects the confidentiality of your information and that of the College. If you would like to request extended access, please submit a ticket.

As a precaution, consider using your personal email when granting access to applications not essential for college use. This will ensure that you maintain access to your applications and the data within them in the future.

Permission scopes for which Trinity will not grant users admin consent

API & Permission Scope | The reason we won’t grant
MSGraph: Directory.Read.All | Grants access to all directory data regardless of its data classification. Specifically, this grants access to Office 365 groups with hidden membership.
MSGraph: Groups.Read.All | This grants access to Office 365 groups with hidden membership.
MSGraph: GroupMember.Read.All | This grants access to Office 365 groups with hidden membership.
MSGraph: Groups.ReadWrite.All | It is inappropriate to grant write access to all groups.
MSGraph: User.ReadWrite.All | It is inappropriate to grant write access to all users.
MSGraph: Member.Read.Hidden | This grants access to Office 365 groups with hidden membership.
MSGraph: Files.Read.All | This grants read access to all SharePoint Online and OneDrive for Business files. This is generally inappropriate.
Intune: update_device_attributes | Intune at Trinity is in containment, and having the ability to update every Intune-managed device is inappropriate.
Intune: update_device_health | Intune at Trinity is in containment, and having the ability to update every Intune-managed device is inappropriate.
Office 365 Management API: ActivityFeed.Read | This grants access to all Teams channels. This broad level of access is inappropriate.

Permission scopes for which we will grant admin consent, but only under specific circumstances

API & Permission Scope | Explanation
MSGraph: Mail.Read, Mail.ReadBasic, Mail.ReadBasic.All, Mail.ReadWrite.All, Mail.Send, MailboxSettings.Read, MailboxSettings.ReadWrite, Calendars.Read, Calendars.ReadWrite, Contacts.Read, Contacts.ReadWrite; Office 365 Exchange Online: full_access_as_app | It is inappropriate to grant read or write access to all users’ mailboxes.
MSGraph: Sites.FullControl.All, Sites.Manage.All, Sites.Read.All, Sites.ReadWrite.All | It is inappropriate to grant read or write access to all SharePoint Online sites.
MSGraph: User.Invite.All | This grants the ability to invite guest users programmatically. Any member user in our Entra tenant can interactively invite guest users. Programmatically inviting guest users is generally inappropriate, except as a centrally managed activity, since the larger scale it enables adds the potential for significant risk to the institution.

Risky Entra ID application overview

Trinity College monitors the enterprise Entra ID tenant for Entra ID applications with a set of permissions that we’ve determined are risky for the College. When we detect an application with risky permissions that hasn’t been explicitly approved, we raise alerts that result in that application being disabled and put in a review process. If judged to be OK, the application is re-enabled; otherwise, it is deleted.

  • Any permission with a type of admin. Permissions of the admin type are broad permissions that typically only someone with administrator-level rights could exercise. A common example is the ability to access the given application as any user without that user’s knowledge or consent.

If you’d like Trinity IT to consider adding additional permissions to what it deems risky, please email [email protected] with “Entra ID risky permission request” in the subject line.

The service owner will consider your request. If they deny your request and you disagree, you have the right to escalate to the Information Security Team for review. If they agree, we’ll add your permissions to the set of risky permissions that we monitor.

More details

An example of an Entra ID application is the Microsoft Graph API. This Entra ID application identity backs the RESTful web service through which you can query information about your Entra ID tenant. The Microsoft Graph API Entra ID application identity has three user and six admin permissions. These are listed below to provide a concrete example of the kinds of permissions that an Entra ID application identity may expose, and that another Entra ID application identity may want to obtain.

Admin permissions for Microsoft Graph API

  • Read hidden memberships [Member.Read.Hidden]
  • Read all users’ full profiles [User.Read.All]
  • Read all groups [Group.Read.All]
  • Write all groups [Group.Write.All]
  • Read and write all directory data [Directory.ReadWrite.All]
  • Read all directory data [Directory.Read.All]

User permissions for Microsoft Graph API

  • Sign in and read user profile [User.Read]
  • Read all users’ basic profiles [User.ReadBasic.All]
  • Access the directory as the signed-in user [Directory.AccessAsUser.All]

So if a given Entra ID application was added to the Trinity Entra ID tenant and required ‘Member.Read.Hidden’ or ‘Directory.Read.All’, we’d detect that and flag that Entra ID application as having a risky permission. Affected users would be contacted, and the application would be disabled and reviewed.
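To make the detection described above concrete, here is an added example (not Trinity IT’s own monitoring code) that checks application grants against the two scope tables on this page. The records are constructed in the shape Microsoft Graph returns for oauth2PermissionGrant (delegated) and appRoleAssignment (application permission) objects; the service principal ids and app role ids are hypothetical, and treating every application permission as an admin-type permission is an assumption drawn from the page’s definition.

```python
# Added example, not Trinity's own monitoring code: check Entra ID application grants
# against the scope lists on this page. Records are constructed in the shape Microsoft
# Graph returns for oauth2PermissionGrant (delegated) and appRoleAssignment objects.

NEVER_GRANT = {  # scopes the page says will never receive admin consent
    "Directory.Read.All", "Groups.Read.All", "GroupMember.Read.All", "Groups.ReadWrite.All",
    "User.ReadWrite.All", "Member.Read.Hidden", "Files.Read.All", "update_device_attributes",
    "update_device_health", "ActivityFeed.Read"}
CASE_BY_CASE = {  # scopes granted only under specific circumstances
    "Mail.Read", "Mail.ReadBasic", "Mail.ReadBasic.All", "Mail.ReadWrite.All", "Mail.Send",
    "MailboxSettings.Read", "MailboxSettings.ReadWrite", "Calendars.Read", "Calendars.ReadWrite",
    "Contacts.Read", "Contacts.ReadWrite", "full_access_as_app", "Sites.FullControl.All",
    "Sites.Manage.All", "Sites.Read.All", "Sites.ReadWrite.All", "User.Invite.All"}

def classify(scope, application_permission):
    """Review category for one permission, or None if it needs no review."""
    if scope in NEVER_GRANT:
        return "never-grant"
    if scope in CASE_BY_CASE:
        return "case-by-case"
    # Application permissions always need admin consent; the page treats every
    # admin-type permission as risky, so they are flagged even when unlisted (assumption).
    return "admin-consent" if application_permission else None

def review(delegated_grants, app_role_assignments, app_roles, approved=()):
    """Return (client id, scope, category) for each grant needing review,
    skipping client ids on the explicitly approved list."""
    findings = []
    for g in delegated_grants:  # Graph stores delegated scopes as one space-separated string
        if g["clientId"] not in approved:
            for scope in g["scope"].split():
                cat = classify(scope, False)
                if cat:
                    findings.append((g["clientId"], scope, cat))
    for a in app_role_assignments:
        if a["principalId"] not in approved:
            # appRoleId maps to a permission value via the resource's appRoles list
            scope = app_roles.get(a["appRoleId"], a["appRoleId"])
            findings.append((a["principalId"], scope, classify(scope, True)))
    return findings

def sample_review():
    """Run review() over constructed sample records (hypothetical ids, not real data)."""
    grants = [{"clientId": "sp-notes", "consentType": "Principal", "scope": "User.Read Member.Read.Hidden"},
              {"clientId": "sp-mail", "consentType": "AllPrincipals", "scope": "Mail.Read"}]
    assignments = [{"principalId": "sp-sync", "appRoleId": "role-dir"},
                   {"principalId": "sp-sync", "appRoleId": "role-usr"},
                   {"principalId": "sp-approved", "appRoleId": "role-dir"}]
    roles = {"role-dir": "Directory.Read.All", "role-usr": "User.Read.All"}
    return review(grants, assignments, roles, approved=("sp-approved",))
```

In a real tenant the three inputs would come from the Graph endpoints for oauth2PermissionGrants, the client service principal’s appRoleAssignments, and the resource service principal’s appRoles; anything in the "never-grant" category is the case the paragraph above describes, where the application is disabled and reviewed.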