{"id":6017,"date":"2024-03-14T16:16:07","date_gmt":"2024-03-14T20:16:07","guid":{"rendered":"https:\/\/www.trincoll.edu\/lits\/technology\/tech-support\/network\/application-integrations-3rd-party\/"},"modified":"2026-05-12T12:01:59","modified_gmt":"2026-05-12T16:01:59","slug":"application-integrations-3rd-party","status":"publish","type":"page","link":"https:\/\/www.trincoll.edu\/lits\/technology\/tech-support\/managing-third%e2%80%91party-apps-connected-to-trinity-accounts\/application-integrations-3rd-party\/","title":{"rendered":"Application Consent and Permissions"},"content":{"rendered":"<h2>What is Application Consent?<\/h2>\n<div>\n<p>Application consent is the process by which an application requests permission to access data within your Trinity account.<\/p>\n<p>When you sign in to a third-party app using your Trinity credentials, you may be asked to approve specific permissions. These permissions define what the application can access or do on your behalf, such as reading your email, accessing files, or viewing your profile information. Depending on the level of access requested, consent may be granted by an individual user or require approval from Trinity IT. Understanding what you are approving is important, as some permissions provide limited access while others allow broad visibility into institutional data.<\/p>\n<\/div>\n<p><strong>Looking for user guidance? <\/strong>For general tips on safely managing third-party apps connected to your Trinity account, visit: <a href=\"https:\/\/www.trincoll.edu\/lits\/technology\/tech-support\/managing-third%e2%80%91party-apps-connected-to-trinity-accounts\/\">Managing Third\u2011Party Apps Connected to Trinity Accounts<\/a><\/p>\n<h2>User Consent vs. Admin Consent<\/h2>\n<div>There are two types of consent in Trinity&#8217;s environment:<\/div>\n<ul>\n<li><strong>User Consent: <\/strong>Some applications allow individual users to approve access to their own data. 
These permissions are typically lower risk and limited to the user\u2019s scope.<\/li>\n<li><strong>Admin Consent:<\/strong> Applications requesting broader or more sensitive access require approval from Trinity IT. These permissions may allow access across multiple users, departments, or systems.<\/li>\n<\/ul>\n<p>As a general rule, permissions that impact more than just your own data will require review and approval before being allowed.<\/p>\n<h2>What Permissions Should You Be Careful With?<\/h2>\n<div>Some permissions provide significantly broader access than others and should be reviewed carefully:<\/div>\n<ul>\n<li>Access to all files or document libraries<\/li>\n<li>Ability to read or send email<\/li>\n<li>Access to directory data (users, groups, organizational structure)<\/li>\n<li>Permission to act on your behalf without additional sign-in<\/li>\n<li>Access to contacts or shared resources<\/li>\n<\/ul>\n<p>These permissions may allow applications to access sensitive institutional data or operate beyond your immediate control.<\/p>\n<p>If you are unsure why an application needs a specific permission, do not approve it without further review.<\/p>\n<h2>Common Permission Types<\/h2>\n<p>Applications request permissions based on the services they integrate with. Common examples include:<\/p>\n<ul>\n<li>Basic profile information (name, email, profile)<\/li>\n<li>Email access (read, send, manage messages)<\/li>\n<li>Calendar access<\/li>\n<li>Access to files stored in OneDrive or SharePoint<\/li>\n<li>Contact information<\/li>\n<li>Notifications or background access<\/li>\n<\/ul>\n<p>Permissions are required so applications can deliver their intended functionality. However, not all applications need the same level of access. 
Always ensure that the access being requested aligns with what the application is expected to do.<\/p>\n<h2>Protecting Your Privacy and Institutional Data<\/h2>\n<div>When you grant permissions to an application using your Trinity account, you are allowing that application to access institutional data based on the permissions approved.<\/div>\n<p>Before granting access, take a moment to evaluate the request:<\/p>\n<ul>\n<li>Is the application from a trusted and recognized provider?<\/li>\n<li>Does the level of access requested align with what the application is expected to do?<\/li>\n<li>Are you comfortable with the application accessing Trinity data, not just personal information?<\/li>\n<\/ul>\n<p>Be cautious when approving access for unfamiliar applications or those requesting broad permissions. Even widely used applications can request more access than necessary.<\/p>\n<p>If something does not seem appropriate or requires elevated access, do not approve the request and instead contact Trinity IT for guidance.<\/p>\n<p>In general, avoid granting access to applications that you do not recognize, are not required for your work, or request access beyond what is necessary for their stated purpose.<\/p>\n<h2>Approval Process for Extended Access<\/h2>\n<div>Access to sensitive or broad permissions is reviewed and approved by Trinity IT.<\/div>\n<div><\/div>\n<div>If an application requires elevated access, a request must be submitted for evaluation. 
This process ensures that:<\/div>\n<ul>\n<li>The application is legitimate and trusted<\/li>\n<li>The requested permissions are appropriate<\/li>\n<li>Institutional data is protected<\/li>\n<\/ul>\n<p>If access is not approved, the application will be blocked.<\/p>\n<p>For non-essential services, consider using a personal email account instead of your Trinity account to reduce institutional risk and maintain control over your data.<\/p>\n<h3>The following permissions are considered high risk and will not be approved for general use:<\/h3>\n<table style=\"width: 1174px\">\n<tbody>\n<tr>\n<td style=\"width: 313px\"><strong>API &amp; Permission Scope<\/strong><\/td>\n<td style=\"width: 861px\"><strong>The reason we won\u2019t grant<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 313px\">MSGraph: Directory.Read.All<\/td>\n<td style=\"width: 861px\">Grants access to all directory data regardless of its data classification. Specifically, this grants access to Office 365 groups with hidden membership.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 313px\">MSGraph: Groups.Read.All<\/td>\n<td style=\"width: 861px\">This grants access to Office 365 groups with hidden membership.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 313px\">MSGraph: GroupMember.Read.All<\/td>\n<td style=\"width: 861px\">This grants access to Office 365 groups with hidden membership.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 313px\">MSGraph: Groups.ReadWrite.All<\/td>\n<td style=\"width: 861px\">It is inappropriate to grant write access to all groups.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 313px\">MSGraph: User.ReadWrite.All<\/td>\n<td style=\"width: 861px\">It is inappropriate to grant write access to all users.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 313px\">MSGraph: Member.Read.Hidden<\/td>\n<td style=\"width: 861px\">This grants access to Office 365 groups with hidden membership.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 313px\">MSGraph: Files.Read.All<\/td>\n<td style=\"width: 861px\">This grants read access 
to all SharePoint Online and OneDrive for Business files. This is generally inappropriate.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 313px\">Intune: update_device_attributes<\/td>\n<td style=\"width: 861px\">Intune at Trinity is in containment, and having the ability to update every Intune-managed device is inappropriate.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 313px\">Intune: update_device_health<\/td>\n<td style=\"width: 861px\">Intune at Trinity is in containment, and having the ability to update every Intune-managed device is inappropriate.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 313px\">Office 365 Management API: ActivityFeed.Read<\/td>\n<td style=\"width: 861px\">This grants access to all Teams channels. This broad level of access is inappropriate.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>The following permissions may be approved under specific, controlled circumstances:<\/h3>\n<table style=\"width: 1174px\">\n<tbody>\n<tr>\n<td style=\"width: 252px\"><strong>API &amp; Permission Scope<\/strong><\/td>\n<td style=\"width: 922px\"><strong>Explanation<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 252px\">MSGraph: Mail.Read<br \/>\nMSGraph: Mail.ReadBasic<br \/>\nMSGraph: Mail.ReadBasic.All<br \/>\nMSGraph: Mail.ReadWrite.All<br \/>\nMSGraph: Mail.Send<br \/>\nMSGraph: MailboxSettings.Read<br \/>\nMSGraph: MailboxSettings.ReadWrite<br \/>\nMSGraph: Calendars.Read<br \/>\nMSGraph: Calendars.ReadWrite<br \/>\nMSGraph: Contacts.Read<br \/>\nMSGraph: Contacts.ReadWrite<br \/>\nOffice 365 Exchange Online: full_access_as_app<\/td>\n<td style=\"width: 922px\">Inappropriate to grant read or write access to all users\u2019 mailboxes.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 252px\">MSGraph: Sites.FullControl.All<br \/>\nMSGraph: Sites.Manage.All<br \/>\nMSGraph: Sites.Read.All<br \/>\nMSGraph: Sites.ReadWrite.All<\/td>\n<td style=\"width: 922px\">It is inappropriate to grant read or write access to all SharePoint Online sites.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 
252px\">MSGraph: User.Invite.All<\/td>\n<td style=\"width: 922px\">This grants the ability to invite guest users programmatically. Any member user in our Entra tenant can interactively invite guest users. Programmatically inviting guest users is generally inappropriate, except as a centrally managed activity, since it adds the potential for significant risk to the institution given the larger scale that it enables.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Monitoring and Risk-Based Controls<\/h2>\n<p>Trinity actively monitors applications integrated with our Entra ID environment.<\/p>\n<div>Applications requesting high-risk permissions that have not been explicitly approved are automatically flagged for review. These applications may be:<\/div>\n<ul>\n<li>Disabled pending review<\/li>\n<li>Approved and restored if deemed appropriate<\/li>\n<li>Permanently removed if determined to be unsafe<\/li>\n<\/ul>\n<p>Permissions classified as &#8220;admin-level&#8221; are of particular concern, as they often allow broad access without direct user awareness.<\/p>\n<p>If you believe an application requires access that has been restricted, you may request a review through Trinity IT by emailing <a href=\"mailto:helpdesk@trincoll.edu\">helpdesk@trincoll.edu<\/a>. Escalations can be reviewed by the Information Security team when needed.<\/p>\n<h3>More details<\/h3>\n<p>An example of an Entra ID application is the Microsoft Graph API. This Entra ID application identity is used by a RESTful web service interface, by which you can query information about your Entra ID tenant. The Microsoft Graph API Entra ID application identity has three user and six admin permissions. 
These are listed below to provide a concrete example of the kinds of permissions that an Entra ID application identity may provide\u2013and that another Entra ID application identity may want to get access to.<\/p>\n<p><strong>Admin permissions for Microsoft Graph API<\/strong><\/p>\n<ul>\n<li>Read hidden memberships [Member.Read.Hidden]<\/li>\n<li>Read all users\u2019 full profiles [User.Read.All]<\/li>\n<li>Read all groups [Group.Read.All]<\/li>\n<li>Write all groups [Group.Write.All]<\/li>\n<li>Read and write all directory data [Directory.ReadWrite.All]<\/li>\n<li>Read all directory data [Directory.Read.All]<\/li>\n<\/ul>\n<p><strong>User permissions for Microsoft Graph API<\/strong><\/p>\n<ul>\n<li>Sign in and read user profile [User.Read]<\/li>\n<li>Read all users\u2019 basic profiles [User.ReadBasic.All]<\/li>\n<li>Access the directory as the signed-in user [Directory.AccessAsUser.All]<\/li>\n<\/ul>\n<p>So if a given Entra ID application was added to the Trinity Entra ID tenant and required \u2018Member.Read.Hidden\u2019 or \u2018Directory.Read.All\u2019, we\u2019d detect that and flag that Entra ID application as having a risky permission. Affected users would be contacted, and the application would be disabled and reviewed.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What is Application Consent? Application consent is the process by which an application requests permission to access data within your Trinity account. When you sign in to a third-party app using your Trinity credentials, you may be asked to approve specific permissions. 
These permissions define what the application can access or do on your behalf, [&hellip;]<\/p>\n","protected":false},"author":336,"featured_media":0,"parent":11793,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"footnotes":""},"class_list":["post-6017","page","type-page","status-publish","hentry"],"acf":[]}