Architecture
Microsoft 365
LiveTiles Intranet Workspaces has two layers. One layer is client side, and consists of a SharePoint Framework app that you need to deploy to your tenant's app catalog and install anywhere you want to use the LiveTiles Intranet Workspaces functionality. The second layer is server side, hosted and managed by LiveTiles in Azure. This is where your workspace configurations are stored and where the workspace provisioning logic is executed.
Low-Trust vs. High-Trust
LiveTiles Intranet Workspaces creates new SharePoint Online sites and subsequently provisions content onto these newly created workspaces. It therefore needs sufficient permissions to run provisioning jobs in the background, in the context of a background service. There are two ways to grant them:
High-Trust
The simplest way is called the High-Trust scenario, where the app gets Full Control permissions of all sites in the tenant.
Low-Trust
An alternative way is to give access only to a subset of selected sites using the Sites.Selected permission level. After a user or admin requests a new workspace, a PowerShell script can be downloaded for execution by an IT administrator. In this manual step, the site for the new workspace is created and added to the selected sites that the LiveTiles apps are allowed to access.
LiveTiles Intranet Workspaces needs two sets of permissions consented to by an administrator in the customer's organization.
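The Low-Trust step described above, as an added example written for this page (it is not the script that LiveTiles provides): create the workspace site, grant only that site to the app registration that holds Sites.Selected, and verify the grant. It assumes the PnP.PowerShell module is installed, that the signed-in account is a SharePoint administrator, and that the tenant name, site alias and app (client) id shown are placeholders you replace with your own values.

```powershell
# Added example, not LiveTiles' own script. Placeholders: tenant name, site alias, app id.
$Tenant  = "contoso"                                  # placeholder tenant name
$AppId   = "00000000-0000-0000-0000-000000000000"     # placeholder: app (client) id of the Workspaces API registration
$AppName = "LiveTiles Intranet Workspaces API"        # display name stored alongside the grant
$Alias   = "ws-finance"                               # placeholder site alias for the new workspace
$SiteUrl = "https://$Tenant.sharepoint.com/sites/$Alias"

# 1. Create the workspace site from the tenant admin connection.
Connect-PnPOnline -Url "https://$Tenant-admin.sharepoint.com" -Interactive
New-PnPSite -Type TeamSite -Title "Finance Workspace" -Alias $Alias -Wait | Out-Null

# 2. Connect to the new site and add it to the app's selected sites.
#    Sites.Selected grants nothing by itself; this per-site grant is what scopes the app.
Connect-PnPOnline -Url $SiteUrl -Interactive
$grant = Grant-PnPAzureADAppSitePermission -AppId $AppId -DisplayName $AppName -Permissions FullControl

# 3. Verify: the grant on this site should carry our app id and nothing unexpected.
$all = Get-PnPAzureADAppSitePermission
$all | Format-List
if (-not ($all | Where-Object { $_.Id -eq $grant.Id })) {
    throw "Grant for $AppName was not found on $SiteUrl"
}

# 4. Keep the grant id: it is what you pass to Revoke-PnPAzureADAppSitePermission -PermissionId
#    when the workspace is decommissioned, so the app's reach shrinks with the site.
Write-Output "Granted $($grant.Id) on $SiteUrl"
```

Because the grant lives on the site rather than in the app registration, an auditor can enumerate exactly which sites the Low-Trust app can reach by running step 3 on each site, which is not possible with the tenant-wide High-Trust grant.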
Azure Active Directory application permissions
LiveTiles Intranet Provisioning API
SharePoint
- Application: Sites.FullControl.All - Have full control of all site collections
Required in order to apply provisioning templates.
Microsoft Graph
- Delegated: offline_access - Maintain access to data you have given it access to
- Delegated: openid - Sign users in
- Delegated: profile - View users' basic profile
LiveTiles Intranet Workspaces API
SharePoint
- High-Trust:
  - Application: Sites.FullControl.All - Have full control of all site collections
  Required in order to create new site collections and manage metadata for workspaces.
- Low-Trust:
  - Application: Sites.Selected - Have full control of a selected number of site collections.
Microsoft Graph
- Application: User.Read.All - Read all users' full profiles
- Application: Group.Read.All - Read all groups
- Application: Group.ReadWrite.All - Read and write all groups
- Application: Group.Create - Create groups
Required to create and maintain modern sites that are connected to O365 groups.
- Delegated: offline_access - Maintain access to data you have given it access to
- Delegated: openid - Sign users in
- Delegated: profile - View users' basic profile
Microsoft Graph permissions reference
LiveTiles Intranet Provisioning
- Delegated: user_impersonation - Access LiveTiles Intranet Provisioning
Required to allow the LiveTiles Intranet Workspaces API to access the LiveTiles Intranet Provisioning API as the currently logged-in user.
LiveTiles Intranet Metadata
- Delegated: user_impersonation - Access LiveTiles Intranet Metadata
Required to allow the LiveTiles Intranet Workspaces API to access the LiveTiles Intranet Metadata API as the currently logged-in user.