Citrix Cloud

Azure Active Directory Permissions for Citrix Cloud

November 29, 2023

Contributed by:

C J

This article describes the permissions that Citrix Cloud requests when connecting and using Azure Active Directory (AD). Depending on how Azure AD is used with the Citrix Cloud account, one or more enterprise applications might be created in the target Azure AD tenant. You can connect multiple Citrix Cloud accounts to one Azure AD tenant and use the same enterprise applications, without creating a set of applications for each account.

Note:

As of April 2022, the Azure AD app that Citrix Cloud uses to connect your Azure AD was updated to use the GroupMember.Read.All permission instead of the Group.Read.All permission. If you have an existing Azure AD connection (before April 2022) and you want the app to use the new permission, you must disconnect and then reconnect your Azure AD to Citrix Cloud. This action ensures your account is using the latest Azure AD app in Citrix Cloud. For more information, see Reconnect to Azure AD for the upgraded app.

If you choose not to update the app, your existing connection still functions normally.

Enterprise applications

The following table lists the Azure AD enterprise applications that Citrix Cloud uses when connecting and using Azure AD and the purpose for which each application is used.

Name	Application ID	Usage
Citrix Cloud	e95c4605-aeab-48d9-9c36-1a262ef8048e	Workspace subscriber login
Citrix Cloud	f9c0e999-22e7-409f-bb5e-956986abdf02	Default connection between Azure AD and Citrix Cloud
Citrix Cloud	1b32f261-b20c-4399-8368-c8f0092b4470	Administrator invitations and logins
Citrix Cloud	5c913119-2257-4316-9994-5e8f3832265b	Default connection between Azure AD and Citrix Cloud with Citrix Endpoint Management
Citrix Cloud	e067934c-b52d-4e92-b1ca-70700bd1124e	Legacy connection between Azure AD and Citrix Cloud with Citrix Endpoint Management

Permissions

The permissions in Citrix Cloud’s enterprise applications allow Citrix Cloud to access certain data in your Azure AD tenant. Citrix Cloud uses these data to perform specific functions such as connecting to your Azure AD tenant, enabling administrators to sign in to Citrix Cloud using a dedicated sign-in URL, and connecting your Azure AD tenant with Endpoint Management. Citrix Cloud can only access these data with your consent. These permissions represent the least amount of privilege that Citrix Cloud needs to function with your Azure AD. For more information about Azure AD permissions and consent, see Permissions and consent in the Microsoft identity platform on the Microsoft Azure documentation web site.

In this article, each set of Azure AD application permissions includes the following information:

API Name: The resource applications from which Citrix Cloud requests permissions. These applications are Microsoft Graph and Windows Azure Active Directory. Citrix Cloud requests the same permissions from both of these resource applications.
Type: The levels of access that Citrix Cloud requests for a given permission. Permissions in a given enterprise application can have one of the following access levels:
- Delegated permissions are used to act on behalf of a signed-in user, such as when querying the profile of the user.
- Application permissions are used when the application performs an action without the user’s presence, such as querying users within a particular group. This permission type requires consent of a Global Administrator in Azure AD.
Claim Value: The string of information that Azure AD assigns to a given permission. Permissions in a given enterprise application can have one of the following claim values:
- User.Read: Allows Citrix Cloud administrators to add users from the connected Azure AD as administrators on the Citrix Cloud account.
- User.ReadBasic.All: Gathers basic info from the user’s profile. It’s a subset from User.Read.All but the permission itself remains for backwards compatibility.
- User.Read.All: Citrix Cloud calls List users in Microsoft Graph to enable browsing and selection of users from the customer’s connected Azure AD. For example, users from Azure AD can be given access to a Citrix DaaS resource with the workspace. Citrix Cloud can’t use User.ReadBasic.All as Citrix Cloud needs to access properties outside of the basic profile such as onPremisesSecurityIdentifier.
- GroupMember.Read.All: Citrix Cloud calls List groups in Microsoft Graph to allow browsing and selection of groups from the customer’s connected Azure AD. For example, groups from Azure AD can also be granted access to Citrix DaaS applications.
- Directory.Read.All: Citrix Cloud calls List memberOf in Microsoft Graph to get the user’s group membership as Groups.Read.All is not sufficient.
- DeviceManagementApps.ReadWrite.All: Allows Citrix Cloud to read and write the properties, group assignments, status of apps, app configurations, and app protection policies managed by Microsoft Intune.
- Directory.AccessAsUser.All: Allows Citrix Cloud to have the same access to information in the directory as the signed-in user.

Note:

The Directory.Read.All is applicable only for Default connection between Azure AD and Citrix Cloud with Endpoint Management.

This Citrix Cloud application (ID: e95c4605-aeab-48d9-9c36-1a262ef8048e) uses the following permissions:

API Name	Claim Value	Permission Name	Type
Microsoft Graph	User.Read	Sign in and read user profile	Delegated

Default connection between Azure AD and Citrix Cloud

This Citrix Cloud application (ID: f9c0e999-22e7-409f-bb5e-956986abdf02) uses the following permissions:

API Name	Claim Value	Permission	Type
Microsoft Graph	GroupMember.Read.All	Read all groups	Delegated
Microsoft Graph	User.ReadBasic.All	Read all users’ basic profiles	Delegated
Microsoft Graph	User.Read.All	Read all users’ full profiles	Delegated
Microsoft Graph	User.Read	Sign in and read user profile	Delegated
Microsoft Graph	GroupMember.Read.All	Read all groups	Application
Microsoft Graph	User.Read.All	Read all users’ full profile	Application
Microsoft Graph	User.Read	Sign in and read user profile	Application

Administrator invitations and logins

This Citrix Cloud application (ID: 1b32f261-b20c-4399-8368-c8f0092b4470) uses the following permissions:

API Name	Claim Value	Permission Name	Type
Microsoft Graph	User.Read	Sign in and read user profile	Delegated
Microsoft Graph	User.ReadBasic.All	Read all users’ basic profiles	Delegated

Default connection between Azure AD and Citrix Cloud with Endpoint Management

This Citrix Cloud application (ID: 5c913119-2257-4316-9994-5e8f3832265b) uses the following permissions:

API Name	Claim Value	Permission Name	Type
Microsoft Graph	GroupMember.Read.All	Read all groups	Delegated
Microsoft Graph	User.ReadBasic.All	Read all users’ basic profiles	Delegated
Microsoft Graph	User.Read	Sign in and read user profile	Delegated
Microsoft Graph	Directory.Read.All	Read directory data	Application
Microsoft Graph	Directory.Read.All	Read directory data	Delegated
Microsoft Graph	DeviceManagementApps.ReadWrite.All	Read and write Microsoft Intune apps	Delegated
Microsoft Graph	Directory.AccessAsUser.All	Access directory as the signed-in user	Delegated

Legacy connection between Azure AD and Citrix Cloud with Endpoint Management

This Citrix Cloud application (ID: e067934c-b52d-4e92-b1ca-70700bd1124e) uses the following permissions:

API Name	Claim Value	Permission Name	Type
Microsoft Graph	GroupMember.Read.All	Read all groups	Delegated
Microsoft Graph	User.ReadBasic.All	Read all users’ basic profiles	Delegated
Microsoft Graph	User.Read	Sign in and read user profile	Delegated
Microsoft Graph	DeviceManagementApps.ReadWrite.All	Read and write Microsoft Intune apps	Delegated
Microsoft Graph	Directory.AccessAsUser.All	Access directory as the signed-in user	Delegated

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

Azure Active Directory Permissions for Citrix Cloud

November 29, 2023

Contributed by:

C J

November 29, 2023

Contributed by:

C J

Enterprise applications
Permissions
Workspace subscriber login
Default connection between Azure AD and Citrix Cloud
Administrator invitations and logins
Default connection between Azure AD and Citrix Cloud with Endpoint Management
Legacy connection between Azure AD and Citrix Cloud with Endpoint Management

Was this helpful

Azure Active Directory Permissions for Citrix Cloud

Enterprise applications

Permissions

Workspace subscriber login

Default connection between Azure AD and Citrix Cloud

Administrator invitations and logins

Default connection between Azure AD and Citrix Cloud with Endpoint Management

Legacy connection between Azure AD and Citrix Cloud with Endpoint Management

In this article