Cloud Drive Mapper (CDM) and Microsoft Entra ID permissions
Microsoft recommends that all third-party software integrations use the Microsoft Entra ID Enterprise Application system. This provides Microsoft customers with greater visibility and control over how applications and add-ons interact with their Microsoft 365 tenancy.
Delegated permissions
The Microsoft Entra ID enterprise application permissions used by CDM are all 'delegated' permissions; CDM requests no application (app-only) permissions. A delegated permission only ever grants access through a token issued to the signed-in user, so the effective access is the intersection of the consented scopes and what that user can already reach. There is no app-only credential with which IAM Cloud or its cloud service could read your Microsoft 365 tenancy data. CDM is a desktop client which, with its delegated permissions, acts on behalf of the signed-in user: it can only do what that user could do manually, so it grants the user no additional privileges and cannot act outside the user's Entra ID session. One caveat worth knowing: because CDM also requests offline_access (see below), it holds a refresh token and can renew its access token without re-prompting, so "session" here means the user's Entra ID sign-in session, which remains bounded by token lifetime and your Conditional Access policies, rather than the user being at the keyboard.
CDM provides a connection between your Windows desktop or Virtual Desktop Infrastructure (VDI) session and your Microsoft 365 account (including OneDrive and any SharePoint team sites you have permission to access), authenticated through the Microsoft Authentication Library (MSAL). In effect, CDM is a web browser for files: file data flows only between your computer and Microsoft 365 and does not pass through IAM Cloud's servers.
| Permission | Description |
|---|---|
| Microsoft Graph | |
| Channel.ReadBasic.All | Used to read the names and descriptions of Teams channels. |
| Files.ReadWrite.All | Used to write CDM's cache data to the user's own OneDrive. With the cache in place the drive-mapping process is much faster, and a user who switches computers gets the same list of drives, so their own (self-managed) drive mappings follow them from one computer to another. Note that the delegated Files.ReadWrite.All scope is broader than this use: Microsoft defines it as full read and write access to all files the signed-in user can access, so it permits the cache writes but is not limited to them. |
| GroupMember.Read.All | Used to read the signed-in user's group memberships. |
| offline_access | Lets CDM obtain a refresh token, reducing the number of times the user must sign in again between sessions. |
| openid | Lets CDM obtain an ID token and so identify and validate the user when they sign in. |
| Sites.Read.All | Used to validate that the user has permission to the drive they are about to map. As a delegated permission it does not cover every site in the tenancy, only those sites the user can already access. It also lets CDM confirm that a drive the user wants to map is actually available to them, so it does not map a drive that will not work. |
| Team.ReadBasic.All | Used to read the names and descriptions of teams. |
| User.Read | Lets CDM read the profile of the signed-in user only. |
| SharePoint | |
| AllSites.Read | Lets CDM read items in all site collections, acting on behalf of the signed-in user, so in practice only the site collections that user can already read. |
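A tenant administrator can confirm the two claims above (delegated scopes only, and only the scopes listed) by pulling the application's grants from Microsoft Graph and comparing them with the documented list. The script below is an added example and not IAM Cloud's code: it works on constructed JSON shaped like the responses of `GET /oauth2PermissionGrants?$filter=clientId eq '{spId}'` and `GET /servicePrincipals/{spId}/appRoleAssignments`, with placeholder GUIDs and an assumed resourceId-to-name mapping that a real audit would resolve via `GET /servicePrincipals/{id}`.

```python
"""Audit the permission grants recorded for an Entra ID enterprise application.

Added example (not IAM Cloud's code). It checks two things a tenant admin
would want to confirm about CDM: that every consented delegated scope is on
the documented list, and that no application (app-only) permissions have been
assigned, since those would let the app act without a signed-in user.
The SAMPLE_* data is constructed to mimic two Microsoft Graph calls:
    GET /oauth2PermissionGrants?$filter=clientId eq '{spId}'
    GET /servicePrincipals/{spId}/appRoleAssignments
All GUIDs are placeholders.
"""
import json

# Delegated scopes the CDM documentation lists, keyed by resource API name.
DOCUMENTED_SCOPES = {
    "Microsoft Graph": {
        "Channel.ReadBasic.All", "Files.ReadWrite.All", "GroupMember.Read.All",
        "offline_access", "openid", "Sites.Read.All", "Team.ReadBasic.All",
        "User.Read",
    },
    "Office 365 SharePoint Online": {"AllSites.Read"},
}

# Constructed (assumption): resourceId -> display name of the resource service
# principal. A real audit resolves each resourceId with GET /servicePrincipals/{id}.
RESOURCE_NAMES = {
    "11111111-1111-1111-1111-111111111111": "Microsoft Graph",
    "22222222-2222-2222-2222-222222222222": "Office 365 SharePoint Online",
}

# Constructed response: the Graph grant is tenant-wide admin consent; the
# SharePoint grant is a per-user consent that also carries an extra scope.
SAMPLE_GRANTS = json.loads("""
{"value": [
  {"clientId": "33333333-3333-3333-3333-333333333333",
   "consentType": "AllPrincipals", "principalId": null,
   "resourceId": "11111111-1111-1111-1111-111111111111",
   "scope": "Channel.ReadBasic.All Files.ReadWrite.All GroupMember.Read.All offline_access openid Sites.Read.All Team.ReadBasic.All User.Read"},
  {"clientId": "33333333-3333-3333-3333-333333333333",
   "consentType": "Principal", "principalId": "44444444-4444-4444-4444-444444444444",
   "resourceId": "22222222-2222-2222-2222-222222222222",
   "scope": "AllSites.Read AllSites.Write"}
]}
""")

# Constructed response: no app roles assigned, which is what the page claims.
SAMPLE_APP_ROLES = json.loads('{"value": []}')


def audit_grants(grants, app_role_assignments,
                 resource_names=RESOURCE_NAMES, documented=DOCUMENTED_SCOPES):
    """Return a list of (kind, resource, detail) findings; an empty list means clean."""
    findings = []
    granted_by_resource = {}
    for grant in grants["value"]:
        resource = resource_names.get(grant["resourceId"], grant["resourceId"])
        scopes = set(grant["scope"].split())  # scope is a space-separated string
        granted_by_resource.setdefault(resource, set()).update(scopes)
        for scope in sorted(scopes - documented.get(resource, set())):
            findings.append(("undocumented_scope", resource, scope))
        if grant["consentType"] == "Principal":
            # Per-user consent: the grant exists only for this user. Flag it so
            # the admin can replace it with a single tenant-wide (admin) consent.
            findings.append(("user_consent", resource, grant["principalId"]))
    for resource, expected in documented.items():
        for scope in sorted(expected - granted_by_resource.get(resource, set())):
            # Not a security problem, but CDM will prompt for it on first use.
            findings.append(("missing_scope", resource, scope))
    for assignment in app_role_assignments["value"]:
        # App role assignments on the client SP are application permissions:
        # they work with the app's own credential, with no user in the loop.
        findings.append(("app_role", assignment.get("resourceDisplayName", "?"),
                         assignment["appRoleId"]))
    return findings


if __name__ == "__main__":
    for kind, resource, detail in audit_grants(SAMPLE_GRANTS, SAMPLE_APP_ROLES):
        print(f"{kind:18} {resource:30} {detail}")
```

Run against the constructed sample, the audit reports the undocumented `AllSites.Write` scope and the per-user consent on SharePoint, and nothing else. Any `app_role` finding would contradict the delegated-only model described above and deserves immediate follow-up with the vendor.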