Home
LITS

Application Consent and Permissions

What is Application Consent?

Application consent is the process by which an application requests permission to access data within your Trinity account.

When you sign in to a third-party app using your Trinity credentials, you may be asked to approve specific permissions. These permissions define what the application can access or do on your behalf, such as reading your email, accessing files, or viewing your profile information. Depending on the level of access requested, consent may be granted by an individual user or require approval from Trinity IT. Understanding what you are approving is important, as some permissions provide limited access while others allow broad visibility into institutional data.

Looking for user guidance? For general tips on safely managing third-party apps connected to your Trinity account, visit: Managing Third‑Party Apps Connected to Trinity Accounts

User Consent vs. Admin Consent

There are two types of consent in Trinity’s environment:
  • User Consent: Some applications allow individual users to approve access to their own data. These permissions are typically lower risk and limited to the user’s scope.
  • Admin Consent: Applications requesting broader or more sensitive access require approval from Trinity IT. These permissions may allow access across multiple users, departments, or systems.

As a general rule, permissions that impact more than just your own data will require review and approval before being allowed.

What Permissions Should You Be Careful With?

Some permissions provide significantly broader access than others and should be reviewed carefully:
  • Access to all files or document libraries
  • Ability to read or send an email
  • Access to directory data (users, groups, organizational structure)
  • Permission to act on your behalf without additional sign-in
  • Access to contacts or shared resources

These permissions may allow applications to access sensitive institutional data or operate beyond your immediate control.

If you are unsure why an application needs a specific permission, do not approve it without further review.

Common Permission Types

Applications request permissions based on the services they integrate with. Common examples include:

  • Basic profile information (name, email, profile)
  • Email access (read, send, manage messages)
  • Calendar access
  • Access to files stored in OneDrive or SharePoint
  • Contact information
  • Notifications or background access

Permissions are required so applications can deliver their intended functionality. However, not all applications need the same level of access. Always ensure that the access being requested aligns with what the application is expected to do.

Protecting Your Privacy and Institutional Data

When you grant permissions to an application using your Trinity account, you are allowing that application to access institutional data based on the permissions approved.

Before granting access, take a moment to evaluate the request:

  • Is the application from a trusted and recognized provider?
  • Does the level of access requested align with what the application is expected to do?
  • Are you comfortable with the application accessing Trinity data, not just personal information?

Be cautious when approving access for unfamiliar applications or those requesting broad permissions. Even widely used applications can request more access than necessary.

If something does not seem appropriate or requires elevated access, do not approve the request and instead contact Trinity IT for guidance.

In general, avoid granting access to applications that you do not recognize, are not required for your work, or request access beyond what is necessary for their stated purpose.

Approval Process for Extended Access

Access to sensitive or broad permissions is reviewed and approved by Trinity IT.
If an application requires elevated access, a request must be submitted for evaluation. This process ensures that:
  • The application is legitimate and trusted
  • The requested permissions are appropriate
  • Institutional data is protected

If access is not approved, the application will be blocked.

For non-essential services, consider using a personal email account instead of your Trinity account to reduce institutional risk and maintain control over your data.

The following permissions are considered high risk and will not be approved for general use:

API & Permission Scope The reason we won’t grant
MSGraph: Directory.Read.All Grants access to all directory data regardless of its data classification. In specific, this grants access to Office 365 groups with hidden membership.
MSGraph: Groups.Read.All This grants access to Office 365 groups with hidden membership.
MSGraph: GroupMember.Read.All This grants access to Office 365 groups with hidden membership.
MSGraph: Groups.ReadWrite.All It is inappropriate to grant written access to all groups.
MSGraph: User.ReadWrite.All It is inappropriate to grant write access to all users.
MSGraph: Member.Read.Hidden This grants access to Office 365 groups with hidden membership.
MSGraph: Files.Read.All This grants read access to all Sharepoint Online and OneDrive for Business files. This is generally inappropriate.
Intune: update_device_attributes Intune at Trinity is in containment, and having the ability to update every Intune-managed device is inappropriate.
Intune: update_device_health Intune at Trinity is in containment, and having the ability to update every Intune-managed device is inappropriate.
Office 365 Management API: ActivityFeed.Read This grants access to all Teams channels. This broad level of access is inappropriate.

The following permissions may be approved under specific, controlled circumstances:

API & Permission Scope Explanation
MSGraph: Mail.Read
MSGraph: Mail.ReadBasic
MSGraph: Mail.ReadBasic.All
MSGraph: Mail.ReadWrite.All
MSGraph: Mail.Send
MSGraph: MailboxSettings.Read
MSGraph: MailboxSettings.ReadWrite
MSGraph: Calendars.Read
MSGraph: Calendars.ReadWrite
MSGraph: Contacts.Read
MSGraph: Contacts.ReadWrite
Office 365 Exchange Online: full_access_as_app		 Inappropriate to grant read or write access to all user’s mailboxes.
MSGraph: Sites.FullControl.All
MSGraph: Sites.Manage.All
MSGraph: Sites.Read.All
MSGraph: Sites.ReadWrite.All		 It is inappropriate to grant read or write access to all SharePoint Online sites.
MSGraph: User.Invite.All This grants the ability to invite guest users programmatically. Any member user in our Entra tenant can interactively invite guest users. Programmatically inviting guest users is generally inappropriate, except as a centrally managed activity, since it adds the potential for significant risk to the institution given the larger scale that it enables.

Monitoring and Risk-Based Controls

Trinity actively monitors applications integrated with our Entra ID environment.

Applications requesting high-risk permissions that have not been explicitly approved are automatically flagged for review. These applications may be:
  • •Disabled pending review
  • Approved and restored if deemed appropriate
  • Permanently removed if determined to be unsafe

Permissions classified as “admin-level” are of particular concern, as they often allow broad access without direct user awareness.

If you believe an application requires access that has been restricted, you may request a review through Trinity IT by emailing [email protected]. Escalations can be reviewed by the Information Security team when needed.

More details

An example of an Entra ID application is the Microsoft Graph API. This Entra ID application identity is used by a RESTful web service interface, by which you can query information about your Entra ID tenant. The Microsoft Graph API Entra ID application identity has three user and six admin permissions. These are listed below to provide a concrete example of the kinds of permissions that an Entra ID application identity may provide–and that another Entra ID application identity may want to get access to.

Admin permissions for Microsoft Graph API

  • Read hidden memberships [Member.Read.Hidden]
  • Read all users’ full profiles [User.Read.All]
  • Read all groups [Group.Read.All]
  • Write all groups [Group.Write.All]
  • Read and write all directory data [Directory.ReadWrite.All]
  • Read all directory data [Directory.Read.All]

User permissions for Microsoft Graph API

  • Sign in and read user profile [User.Read]
  • Read all users’ basic profiles [User.ReadBasic.All]
  • Access the directory as the signed-in user [Directory.AccessAsUser.All]

So if a given Entra ID application was added to the Trinity Entra ID tenant and required ‘Member.Read.Hidden’ or ‘Directory.Read.All’, we’d detect that and flag that Entra ID application as having a risky permission. Affected users would be contacted, and the application would be disabled and reviewed.