How to reduce the permissions to the AskCody Azure AD Integration

A step-by-step guide on how to update your Azure AD integration to reduce the permissions to data points.

Info
This article is relevant for organizations that have been using AskCody's Azure AD Integration prior to April 27, 2023.

The AskCody Enterprise Application for Azure AD has been updated, and it is now possible to access the data it requires from Azure AD with reduced permissions.

What has changed

The AskCody enterprise application no longer requires permissions to:

Directory.Read.All (Delegated)
Directory.Read.All (Application)

These two permissions will be replaced with:

Group.Read.All (Delegated)
Groups.Read.All (Application)
GroupMember.Read.All (Application)
User.Read.All (Delegated)

How to update the permissions

In order to update the application permissions, a Global Admin must go into Azure Active Directory and follow these steps:

  1. Go to Microsoft Azure's portal (https://portal.azure.com)
  2. Locate the Azure Active Directory icon, and click on it
  3. Navigate to the Enterprise Applications section of your organization's Azure Active Directory. You should be able to find this on the navigation panel at the left of your screen.
  4. Locate the corresponding AskCody app and click on it
    1. For EU customers, the app name is "AskCody"
    2. For US customers, the app name is "GoAskCody"
  5. On the left panel, find "Permissions" and click on it
  6. At the top, you should see a button with the text "Grant admin consent for AskCody/GoAskCody". Click on it.
  7. You will be taken through a consent flow, where you can review the permissions that the app will have (you will see a list of all the permissions), and should notice that the "Directory.Read.All" ones are no longer in the list. When done reviewing, you can simply click on "Accept" at the bottom
  8. After a few seconds, your AskCody application should have the permissions updated, and will no longer require the Directory.Read.All ones. You may need to wait a few seconds and reload the current permissions page to see the changes applied.

Here's a video with the steps highlighted above: