UW Madison Google Workspace - Understanding OAuth Permissions for Microsoft 365, Google Workspace, and Zoom

When an application requests access to your UW–Madison account, it's important to understand both the permissions being requested and the type of information the application needs to function. Unfortunately, these permissions are often presented in vague or unclear terms, which can lead to unintentionally granting more access than necessary.

This document introduces the common types of permissions you may encounter. While the guidance may be relevant to other services, it specifically focuses on UW–Madison accounts associated with Microsoft 365, Google Workspace, and Zoom.

Topics:

Overview

  1. Introduction to OAuth for Microsoft, Google Workspace and Zoom
  2. Understanding OAuth Permissions for Microsoft 365, Google Workspace, and Zoom (this document)
  3. Manage OAuth permissions for Microsoft 365, Google Workspace, and Zoom

What are Permissions?

Permissions define the actions that a user, service, or application is allowed or restricted from performing. A common example is the use of roles when sharing files in Google Drive. Roles such as "Owner," "Editor," "Viewer," and "Commenter" represent different sets of permissions. For example, an owner can delete a file, while an editor cannot.

OAuth uses a similar idea. When you grant an application permission to access your account, you are specifying the actions that the application can perform. If an application has permission to "View information on your account," it might access personal details such as your name and date of birth. If the application has permission to "Edit information on your account," it could modify that data. Given the level of access some applications can gain to your accounts and data, it is important to understand what it means to give an app permission to your account. 

Google Workspace Permissions

Google Workspace is a common service that third-party apps request permissions to through OAuth. These requests can include access to your entire account or to specific Google applications. For example, a scheduling application might request permission to access your Google Calendar, or a contact management application might seek permission to view and edit your contacts. It is essential to review the permissions requested by any application carefully. A calculator application, for instance, should not require access to view and edit your Google Drive. You can review the permissions granted to applications connected to your Google account.

Here's a breakdown of common Google account permissions:

  • Get your basic profile: This permission allows applications to access fundamental profile information, including your name, email address, and profile picture. It is commonly used for "Sign in with Google" functionality.

  • View and copy data from your Google Account: This permission enables applications to view, copy, and store data from your Google account or specific Google applications you authorize. For example, a PDF converter might request this permission to access files in your Google Drive. It's important to note that even if you revoke this permission, the application may have already stored data accessed while the permission was active. Exercise caution when granting this permission.

  • Manage data in your Google Account: This permission grants extensive capabilities, including the ability to edit, upload, create, and delete information within your Google Account. While there are legitimate reasons to request this permission (for example, the scheduling application mentioned earlier may request it for your calendar), it is also a very dangerous permission to grant. Always research the application before granting this permission.

The following are common Google OAuth scopes (permissions):

It's important to note that these are just a few examples, and many other Google OAuth scopes are available, depending on the specific Google API being used. You can find more detailed information on specific Google API scopes in the Google Developers documentation.

Microsoft 365 Permissions

Applications also frequently request permissions to Microsoft accounts through OAuth. Microsoft's permission system is comprehensive, covering a wide range of applications and extensions. An application might request very granular permissions for a specific service like Microsoft Teams, or it might request broader permissions across multiple Microsoft applications.

Unlike Google, Microsoft does not provide centralized, user-facing documentation that lists all possible app permissions. However, you can view every permission you have granted in the Microsoft account apps portal. Microsoft also has a guide on viewing, editing, and revoking permissions.

While Microsoft permissions might seem more complicated, most applications explain what they are requesting. Always read the permissions you are granting an application, and never agree without understanding them.

The following are common Microsoft OAuth scopes (permissions):

  • User.Read: Allows the application to read the user's profile information.

  • User.ReadWrite: Allows the application to read and write the user's profile information.

  • Mail.Read: Allows the application to read the user's email.

  • Mail.ReadWrite: Allows the application to read, create, update, and delete the user's email.

  • Calendars.Read: Allows the application to read the user's calendars.

  • Calendars.ReadWrite: Allows the application to read, create, update, and delete the user's calendars.

  • Files.Read: Allows the application to read the user's files.

  • Files.ReadWrite: Allows the application to read, create, update, and delete the user's files.

It's important to note that Microsoft has a wide range of permissions, and the specific ones an application requests will depend on its functionality. For example, a calendar application will likely request Calendars.ReadWrite permission, while a file management application will request Files.ReadWrite. You can find more detailed information on Microsoft OAuth permissions in the Microsoft Graph permissions reference.

Zoom Permissions

Zoom also uses OAuth to allow third-party applications to access Zoom resources. The permission system in Zoom is based on scopes (permissions), which define the actions an application can perform. These scopes can be granular, allowing applications to request very specific access.

Key features of Zoom OAuth permissions:

  • Scope Granularity: Zoom offers granular OAuth scopes, allowing developers to request very specific permissions. For example, a developer can request permission to "view all user meetings" (meeting:read:admin) or "update meeting settings" (meeting:write:admin) rather than broad, all-encompassing permissions.

  • Types of Scopes: Zoom has different levels of scopes, including user-level, admin-level, and master-level. User-managed apps can only request scopes that access an individual user's data, while admin-managed apps provide broader administrative capabilities.

  • Server-to-Server OAuth: Zoom supports Server-to-Server OAuth, which enables applications to access Zoom APIs without user interaction. This is useful for internal applications or integrations that need to access Zoom resources programmatically.

The following are common Zoom scopes (permissions):

  • meeting:read:admin: View all user meetings.

  • meeting:write:admin: Create, edit, and delete all user meetings.

  • user:read:user: View a user's profile.

  • user:write:user: Edit a user's profile.

  • webinar:read:admin: View all user webinars.

  • webinar:write:admin: Create, edit, and delete all user webinars.

When authorizing a Zoom application, you'll be presented with a list of scopes the application is requesting. It is crucial to review these scopes to understand what the application will be able to do. For example, an application with the meeting:write:admin scope could potentially delete your scheduled meetings.

Learn more about Zoom OAuth scopes.
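
The review described in the Microsoft 365 and Zoom sections can be partly automated. The following is an added example, not part of the original document or of any vendor tooling: it reads the scope parameter from an authorization request, classifies each scope using the Microsoft (Resource.Read / Resource.ReadWrite) and Zoom (resource:action:level) naming shown above, and flags anything that goes beyond what the application should need. The URLs, the client_id, and the function names are constructed for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample authorization requests (hosts and client_id are placeholders).
MS_REQUEST = ("https://login.example.edu/authorize?client_id=EXAMPLE&response_type=code"
              "&scope=User.Read+Calendars.ReadWrite+Files.ReadWrite")
ZOOM_REQUEST = ("https://zoom.example.edu/oauth/authorize?client_id=EXAMPLE"
                "&response_type=code&scope=user:read:user%20meeting:write:admin")

def parse_scopes(auth_url):
    """Return the scopes named in the URL's space-delimited `scope` parameter."""
    query = parse_qs(urlparse(auth_url).query)  # decodes '+' and %20 to spaces
    return query.get("scope", [""])[0].split()

def classify(scope):
    """Map a scope to (resource, access, level); 'unknown' if the shape is unfamiliar."""
    parts = scope.split(":")
    if len(parts) == 3 and parts[1] in ("read", "write"):   # Zoom: resource:action:level
        return parts[0], parts[1], parts[2]
    resource, dot, perm = scope.partition(".")
    if dot and perm in ("Read", "ReadWrite"):               # Microsoft: Resource.Read[Write]
        return resource.lower(), "write" if perm == "ReadWrite" else "read", "user"
    return scope, "unknown", "unknown"

def review(auth_url, expected_resources):
    """List (scope, reasons) for every scope that deserves a closer look."""
    findings = []
    for scope in parse_scopes(auth_url):
        resource, access, level = classify(scope)
        reasons = []
        if access == "unknown":
            reasons.append("unrecognized scope, look it up before consenting")
        else:
            if resource not in expected_resources:
                reasons.append("resource not needed for the app's stated purpose")
            if access == "write":
                reasons.append("can create, edit, and delete")
            if level in ("admin", "master"):
                reasons.append("applies beyond your own account")
        if reasons:
            findings.append((scope, reasons))
    return findings

if __name__ == "__main__":
    # A scheduling app should need the profile and calendar, not files.
    for scope, reasons in review(MS_REQUEST, {"user", "calendars"}):
        print(scope, "->", "; ".join(reasons))
    for scope, reasons in review(ZOOM_REQUEST, {"user", "meeting"}):
        print(scope, "->", "; ".join(reasons))
```

Scopes that fit neither naming pattern are reported as unrecognized rather than silently accepted, so they still get a manual look.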

Doc ID:
139033
Owned by:
UW-Madison Google Workspace in UW Google Apps
Created:
2024-08-09
Updated:
2025-05-23
Sites:
DoIT Help Desk, Google Apps