Azure Active Directory Permissions for Citrix Cloud Japan
This article describes the permissions that Citrix Cloud Japan requests when connecting and using Azure Active Directory (AD). Depending on how Azure AD is used with the Citrix Cloud Japan account, one or more enterprise applications might be created in the target Azure AD tenant. You can connect multiple Citrix Cloud Japan accounts to one Azure AD tenant and use the same enterprise applications, without creating a set of applications for each account.
Note:
As of April 2022, the Azure AD app that Citrix Cloud Japan uses to connect your Azure AD was updated to use the GroupMember.Read.All permission instead of the Group.Read.All permission. If you have an existing Azure AD connection (before April 2022) and you want the app to use the new permission, you must disconnect and then reconnect your Azure AD to Citrix Cloud Japan. This action ensures your account is using the latest Azure AD app in Citrix Cloud Japan. For more information, see Reconnect to Azure AD for the updated app.
If you choose not to update the app, your existing connection still functions normally.
Enterprise applications
The following table lists the Azure AD enterprise applications that Citrix Cloud Japan uses when connecting and using Azure AD and the purpose for which each application is used.
| Name | Application ID | Usage |
|---|---|---|
| Citrix Cloud ProductionJP | f751768a-a91d-4306-af65-448ab59e2c85 | Workspace subscriber login |
| CC-Directory-ProductionJP | 6550e1c7-8970-46bc-82b6-ebd920ff255d | Default connection between Azure AD and Citrix Cloud Japan |
| Athena ProductionJP | 6464247d-8d40-42b9-a75e-4660db847454 | Administrator invitations and logins |
Permissions
The permissions in Citrix Cloud Japan’s enterprise applications allow Citrix Cloud Japan to access certain data in your Azure AD tenant. Citrix Cloud Japan uses these data to perform specific functions such as connecting to your Azure AD tenant and enabling administrators to sign in to Citrix Cloud Japan using a dedicated sign-in URL. Citrix Cloud Japan can only access these data with your consent. These permissions represent the least amount of privilege that Citrix Cloud Japan needs to function with your Azure AD. For more information about Azure AD permissions and consent, see Permissions and consent in the Microsoft identity platform on the Microsoft Azure documentation web site.
In this article, each set of Azure AD application permissions includes the following information:
- API Name: The resource applications from which Citrix Cloud Japan requests permissions. These applications are Microsoft Graph and Windows Azure Active Directory. Citrix Cloud Japan requests the same permissions from both of these resource applications.
-
Type: The levels of access that Citrix Cloud Japan requests for a given permission. Permissions in a given enterprise application can have one of the following access levels:
- Delegated permissions are used to act on behalf of a signed-in user, such as when querying the profile of the user.
- Application permissions are used when the application performs an action without the user’s presence, such as querying users within a particular group. This permission type requires consent of a Global Administrator in Azure AD.
-
Claim Value: The string of information that Azure AD assigns to a given permission. Permissions in a given enterprise application can have one of the following claim values:
- User.Read: Allows Citrix Cloud Japan administrators to add users from the connected Azure AD as administrators on the Citrix Cloud Japan account.
-
User.ReadBasic.All: Gathers basic info from the user’s profile. This is a subset of
User.Read.Allbut the permission itself remains for backwards compatibility. -
User.Read.All: Citrix Cloud Japan calls List users in Microsoft Graph to enable browsing and selection of users from the customer’s connected Azure AD. For example, users from Azure AD can be given access to a Citrix DaaS resource with the workspace. Citrix Cloud Japan can’t use
User.ReadBasic.Allas Citrix Cloud Japan needs to access properties outside of the basic profile such asonPremisesSecurityIdentifier. - GroupMember.Read.All: Citrix Cloud Japan calls List groups in Microsoft Graph to allow browsing and selection of groups from the customer’s connected Azure AD. For example, groups from Azure AD can also be granted access to Citrix DaaS applications.
Workspace subscriber login
The Citrix Cloud ProductionJP application (ID: f751768a-a91d-4306-af65-448ab59e2c85) uses the same permissions for both the Microsoft Graph and the Windows Azure Active Directory resource applications.
| API Name | Claim Value | Permission Name | Type |
|---|---|---|---|
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated |
| Windows Azure Active Directory | User.Read | Sign in and read user profile | Delegated |
Default connection between Azure AD and Citrix Cloud Japan
The CC-Directory-ProductionJP application (ID: 6550e1c7-8970-46bc-82b6-ebd920ff255d) uses the following permissions:
| API Name | Claim Value | Permission | Type |
|---|---|---|---|
| Microsoft Graph | GroupMember.Read.All | Read all groups | Delegated |
| Microsoft Graph | User.ReadBasic.All | Read all users’ basic profiles | Delegated |
| Microsoft Graph | User.Read.All | Read all users’ full profiles | Delegated |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated |
| Microsoft Graph | GroupMember.Read.All | Read all groups | Application |
| Microsoft Graph | User.Read.All | Read all users’ full profile | Application |
Administrator invitations and logins
The Athena ProductionJP application (ID: 6464247d-8d40-42b9-a75e-4660db847454) uses the following permissions:
| API Name | Claim Value | Permission Name | Type |
|---|---|---|---|
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated |
| Microsoft Graph | User.ReadBasic.All | Read all users’ basic profiles | Delegated |