Microsoft Entra ID Permissions for Citrix Cloud™
This article describes the permissions that Citrix Cloud requests when connecting and using Microsoft Entra ID (ME-ID). Depending on how Microsoft Entra ID is used with the Citrix Cloud account, one or more enterprise applications might be created in the target Microsoft Entra ID tenant. You can connect multiple Citrix Cloud accounts to one Microsoft Entra ID tenant and use the same enterprise applications, without creating a set of applications for each account.
Note:
As of April 2022, the Microsoft Entra ID app that Citrix Cloud uses to connect your Microsoft Entra ID was updated to use the GroupMember.Read.All permission instead of the Group.Read.All permission. If you have an existing Microsoft Entra ID connection (before April 2022) and you want the app to use the new permission, you must disconnect and then reconnect your Microsoft Entra ID to Citrix Cloud. This action ensures your account is using the latest Microsoft Entra ID app in Citrix Cloud. For more information, see Reconnect to Microsoft Entra ID for the upgraded app.
If you choose not to update the app, your existing connection still functions normally.
Enterprise applications
The following table lists the Microsoft Entra ID enterprise applications that Citrix Cloud uses when connecting and using Microsoft Entra ID and the purpose for which each application is used.
| Name | Application ID | Usage |
|---|---|---|
| Citrix Cloud | e95c4605-aeab-48d9-9c36-1a262ef8048e | Workspace subscriber login |
| Citrix Cloud | f9c0e999-22e7-409f-bb5e-956986abdf02 | Default connection between Microsoft Entra ID and Citrix Cloud |
| Citrix Cloud | 1b32f261-b20c-4399-8368-c8f0092b4470 | Administrator invitations and logins |
| Citrix Cloud | 5c913119-2257-4316-9994-5e8f3832265b | Default connection between Microsoft Entra ID and Citrix Cloud with Citrix Endpoint Management™ |
| Citrix Cloud | e067934c-b52d-4e92-b1ca-70700bd1124e | Legacy connection between Microsoft Entra ID and Citrix Cloud with Citrix Endpoint Management |
Permissions
The permissions in Citrix Cloud’s enterprise applications allow Citrix Cloud to access certain data in your Microsoft Entra ID tenant. Citrix Cloud uses this data to perform specific functions such as connecting to your Microsoft Entra ID tenant, enabling administrators to sign in to Citrix Cloud using a dedicated sign-in URL, and connecting your Microsoft Entra ID tenant with Endpoint Management. Citrix Cloud can access this data only with your consent. These permissions represent the least privilege that Citrix Cloud needs to function with your Microsoft Entra ID. For more information about Microsoft Entra ID permissions and consent, see Permissions and consent in the Microsoft identity platform on the Microsoft Azure documentation website.
In this article, each set of Microsoft Entra ID application permissions includes the following information:
- API Name: The resource applications from which Citrix Cloud requests permissions. These applications are Microsoft Graph and Windows Microsoft Entra ID. Citrix Cloud requests the same permissions from both of these resource applications.
- Type: The level of access that Citrix Cloud requests for a given permission. Permissions in a given enterprise application have one of the following access levels:
  - Delegated permissions are used to act on behalf of a signed-in user, such as when querying the profile of the user.
  - Application permissions are used when the application performs an action without the user’s presence, such as querying users within a particular group. This permission type requires consent from a Global Administrator in Microsoft Entra ID.
- Claim Value: The string that Microsoft Entra ID assigns to a given permission. Permissions in a given enterprise application have one of the following claim values:
  - User.Read: Allows Citrix Cloud administrators to add users from the connected Microsoft Entra ID as administrators on the Citrix Cloud account.
  - User.ReadBasic.All: Gathers basic information from the user’s profile. It is a subset of User.Read.All, but the permission itself remains for backwards compatibility.
  - User.Read.All: Citrix Cloud calls List users in Microsoft Graph to enable browsing and selection of users from the customer’s connected Microsoft Entra ID. For example, users from Microsoft Entra ID can be given access to a Citrix DaaS resource with the workspace. Citrix Cloud can’t use User.ReadBasic.All because it needs to access properties outside of the basic profile, such as onPremisesSecurityIdentifier.
  - GroupMember.Read.All: Citrix Cloud calls List groups in Microsoft Graph to allow browsing and selection of groups from the customer’s connected Microsoft Entra ID. For example, groups from Microsoft Entra ID can also be granted access to Citrix DaaS applications.
  - Directory.Read.All: Citrix Cloud calls List memberOf in Microsoft Graph to get the user’s group membership, because Group.Read.All is not sufficient for this call.
  - DeviceManagementApps.ReadWrite.All: Allows Citrix Cloud to read and write the properties, group assignments, status of apps, app configurations, and app protection policies managed by Microsoft Intune.
  - Directory.AccessAsUser.All: Allows Citrix Cloud to have the same access to information in the directory as the signed-in user.
Note:
Directory.Read.All applies only to the Default connection between Microsoft Entra ID and Citrix Cloud with Endpoint Management.
Workspace subscriber login
This Citrix Cloud application (ID: e95c4605-aeab-48d9-9c36-1a262ef8048e) uses the following permissions:
| API Name | Claim Value | Permission Name | Type |
|---|---|---|---|
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated |
Default connection between Microsoft Entra ID and Citrix Cloud
This Citrix Cloud application (ID: f9c0e999-22e7-409f-bb5e-956986abdf02) uses the following permissions:
| API Name | Claim Value | Permission | Type |
|---|---|---|---|
| Microsoft Graph | GroupMember.Read.All | Read all groups | Delegated |
| Microsoft Graph | User.ReadBasic.All | Read all users’ basic profiles | Delegated |
| Microsoft Graph | User.Read.All | Read all users’ full profiles | Delegated |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated |
| Microsoft Graph | GroupMember.Read.All | Read all groups | Application |
| Microsoft Graph | User.Read.All | Read all users’ full profiles | Application |
Administrator invitations and logins
This Citrix Cloud application (ID: 1b32f261-b20c-4399-8368-c8f0092b4470) uses the following permissions:
| API Name | Claim Value | Permission Name | Type |
|---|---|---|---|
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated |
| Microsoft Graph | User.ReadBasic.All | Read all users’ basic profiles | Delegated |
Default connection between Microsoft Entra ID and Citrix Cloud with Endpoint Management
This Citrix Cloud application (ID: 5c913119-2257-4316-9994-5e8f3832265b) uses the following permissions:
| API Name | Claim Value | Permission Name | Type |
|---|---|---|---|
| Microsoft Graph | GroupMember.Read.All | Read all groups | Delegated |
| Microsoft Graph | User.ReadBasic.All | Read all users’ basic profiles | Delegated |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated |
| Microsoft Graph | Directory.Read.All | Read directory data | Application |
| Microsoft Graph | Directory.Read.All | Read directory data | Delegated |
| Microsoft Graph | DeviceManagementApps.ReadWrite.All | Read and write Microsoft Intune apps | Delegated |
| Microsoft Graph | Directory.AccessAsUser.All | Access directory as the signed-in user | Delegated |
Legacy connection between Microsoft Entra ID and Citrix Cloud with Endpoint Management
This Citrix Cloud application (ID: e067934c-b52d-4e92-b1ca-70700bd1124e) uses the following permissions:
| API Name | Claim Value | Permission Name | Type |
|---|---|---|---|
| Microsoft Graph | GroupMember.Read.All | Read all groups | Delegated |
| Microsoft Graph | User.ReadBasic.All | Read all users’ basic profiles | Delegated |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated |
| Microsoft Graph | DeviceManagementApps.ReadWrite.All | Read and write Microsoft Intune apps | Delegated |
| Microsoft Graph | Directory.AccessAsUser.All | Access directory as the signed-in user | Delegated |
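The tables above are the consent baseline for each Citrix Cloud application, and the note at the top says a pre-April-2022 connection still carries Group.Read.All instead of GroupMember.Read.All. The following script is an added example, not Citrix documentation or Citrix code: it compares the delegated scopes and application roles that a tenant has actually consented against those tables and reports drift in either direction, plus the legacy Group.Read.All scope. The input dictionaries follow the shape of the Microsoft Graph objects an administrator would export (servicePrincipals, oauth2PermissionGrants, appRoleAssignments, and the appRoles of the Microsoft Graph service principal); the `audit` function, the `Finding` class, the service-principal object IDs (`sp-default`, `sp-login`, `sp-graph`) and the app role IDs (`role-a`, `role-b`) are constructed for this example.

```python
"""Audit what the Citrix Cloud enterprise applications have been consented in a tenant.

Added example, not Citrix documentation or Citrix code. Input follows the Microsoft Graph
objects an administrator would export (servicePrincipals, oauth2PermissionGrants,
appRoleAssignments, the Graph service principal's appRoles); output is drift against the
permission tables in this article, plus a flag for the pre-April-2022 Group.Read.All scope.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Application IDs and expected permissions, copied from the tables in this article.
EXPECTED: dict[str, dict] = {
    "e95c4605-aeab-48d9-9c36-1a262ef8048e": dict(
        name="Workspace subscriber login",
        delegated={"User.Read"}, application=set()),
    "f9c0e999-22e7-409f-bb5e-956986abdf02": dict(
        name="Default connection between Microsoft Entra ID and Citrix Cloud",
        delegated={"GroupMember.Read.All", "User.ReadBasic.All", "User.Read.All", "User.Read"},
        application={"GroupMember.Read.All", "User.Read.All"}),
    "1b32f261-b20c-4399-8368-c8f0092b4470": dict(
        name="Administrator invitations and logins",
        delegated={"User.Read", "User.ReadBasic.All"}, application=set()),
    "5c913119-2257-4316-9994-5e8f3832265b": dict(
        name="Default connection with Endpoint Management",
        delegated={"GroupMember.Read.All", "User.ReadBasic.All", "User.Read", "Directory.Read.All",
                   "DeviceManagementApps.ReadWrite.All", "Directory.AccessAsUser.All"},
        application={"Directory.Read.All"}),
    "e067934c-b52d-4e92-b1ca-70700bd1124e": dict(
        name="Legacy connection with Endpoint Management",
        delegated={"GroupMember.Read.All", "User.ReadBasic.All", "User.Read",
                   "DeviceManagementApps.ReadWrite.All", "Directory.AccessAsUser.All"},
        application=set()),
}
LEGACY_SCOPE = "Group.Read.All"  # used before April 2022; replaced by GroupMember.Read.All


@dataclass
class Finding:
    app_id: str
    name: str
    extra_delegated: set[str] = field(default_factory=set)    # consented but not in the tables
    missing_delegated: set[str] = field(default_factory=set)  # in the tables but not consented
    extra_application: set[str] = field(default_factory=set)
    missing_application: set[str] = field(default_factory=set)
    legacy_connection: bool = False                           # Group.Read.All still consented

    @property
    def clean(self) -> bool:
        return not (self.extra_delegated or self.missing_delegated or self.extra_application
                    or self.missing_application or self.legacy_connection)


def audit(service_principals: list[dict], grants: list[dict],
          role_assignments: list[dict], graph_app_roles: dict[str, str]) -> dict[str, Finding]:
    """service_principals: {id, appId}. grants: oauth2PermissionGrant ({clientId, scope}; scope is
    space-separated). role_assignments: appRoleAssignment ({principalId, appRoleId}).
    graph_app_roles: appRoleId -> value (for example "User.Read.All") from Graph's appRoles."""
    findings: dict[str, Finding] = {}
    for sp in service_principals:
        expected = EXPECTED.get(sp["appId"])
        if expected is None:
            continue  # not one of the Citrix Cloud applications
        delegated: set[str] = set()
        for g in grants:
            if g["clientId"] == sp["id"]:
                delegated.update(g["scope"].split())
        application = {graph_app_roles.get(a["appRoleId"], a["appRoleId"])
                       for a in role_assignments if a["principalId"] == sp["id"]}
        f = Finding(sp["appId"], expected["name"], legacy_connection=LEGACY_SCOPE in delegated)
        delegated.discard(LEGACY_SCOPE)  # reported through legacy_connection, not as drift
        f.extra_delegated = delegated - expected["delegated"]
        f.missing_delegated = expected["delegated"] - delegated
        f.extra_application = application - expected["application"]
        f.missing_application = expected["application"] - application
        findings[sp["appId"]] = f
    return findings


# Constructed sample tenant: the default connection still carries the old Group.Read.All scope,
# and the workspace login app has picked up a delegated scope the tables never list.
SAMPLE_SPS = [{"id": "sp-default", "appId": "f9c0e999-22e7-409f-bb5e-956986abdf02"},
              {"id": "sp-login", "appId": "e95c4605-aeab-48d9-9c36-1a262ef8048e"}]
SAMPLE_GRANTS = [
    {"clientId": "sp-default", "consentType": "AllPrincipals", "resourceId": "sp-graph",
     "scope": "Group.Read.All User.ReadBasic.All User.Read.All User.Read"},
    {"clientId": "sp-login", "consentType": "AllPrincipals", "resourceId": "sp-graph",
     "scope": "User.Read Directory.Read.All"},
]
SAMPLE_GRAPH_ROLES = {"role-a": "GroupMember.Read.All", "role-b": "User.Read.All"}  # placeholder ids
SAMPLE_ASSIGNMENTS = [{"principalId": "sp-default", "resourceId": "sp-graph", "appRoleId": "role-a"},
                      {"principalId": "sp-default", "resourceId": "sp-graph", "appRoleId": "role-b"}]
SAMPLE_FINDINGS = audit(SAMPLE_SPS, SAMPLE_GRANTS, SAMPLE_ASSIGNMENTS, SAMPLE_GRAPH_ROLES)

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS.values():
        print("OK    " if f.clean else "REVIEW", f.name, "(pre-April-2022 app)" if f.legacy_connection else "")
        for k, v in vars(f).items():
            if isinstance(v, set) and v:
                print(f"  {k}: {sorted(v)}")
```

On the sample data the default connection is reported with `legacy_connection` set and GroupMember.Read.All missing from its delegated scopes, which is exactly the state the note describes and the cue to disconnect and reconnect the tenant; the workspace login app is reported with an extra Directory.Read.All delegated scope, because the tables grant that application only User.Read. A service principal whose appId is not in the tables is ignored rather than reported, so the script only speaks to the Citrix Cloud applications.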