Azure Active Directory Permissions for Citrix Cloud

This article describes the permissions that Citrix Cloud requests when connecting and using Azure Active Directory (AD). Depending on how Azure AD is used with the Citrix Cloud account, one or more enterprise applications might be created in the target Azure AD tenant. You can connect multiple Citrix Cloud accounts to one Azure AD tenant and use the same enterprise applications, without creating a set of applications for each account.

Enterprise applications

| Name | Application ID | Usage |
|---|---|---|
| Citrix Cloud | e95c4605-aeab-48d9-9c36-1a262ef8048e | Workspace subscriber login |
| Citrix Cloud | f9c0e999-22e7-409f-bb5e-956986abdf02 | Default connection between Azure AD and Citrix Cloud |
| Citrix Cloud | 1b32f261-b20c-4399-8368-c8f0092b4470 | Administrator invitations; administrator logins |
| Citrix Cloud | 5c913119-2257-4316-9994-5e8f3832265b | Default connection between Azure AD and Citrix Cloud with Citrix Endpoint Management |
| Citrix Cloud | e067934c-b52d-4e92-b1ca-70700bd1124e | Legacy connection between Azure AD and Citrix Cloud with Citrix Endpoint Management |

Workspace subscriber login

The Citrix Cloud application (ID: e95c4605-aeab-48d9-9c36-1a262ef8048e) uses the same permissions for both the Microsoft Graph and the Windows Azure Active Directory resource applications.

| API Name | Claim Value | Permission Name | Type |
|---|---|---|---|
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated |
| Windows Azure Active Directory | User.Read | Sign in and read user profile | Delegated |

Default connection between Azure AD and Citrix Cloud

The Citrix Cloud application (ID: f9c0e999-22e7-409f-bb5e-956986abdf02) uses the following permissions:

| API Name | Claim Value | Permission Name | Type |
|---|---|---|---|
| Microsoft Graph | Group.Read.All | Read all groups | Delegated |
| Microsoft Graph | User.ReadBasic.All | Read all users’ basic profiles | Delegated |
| Microsoft Graph | User.Read.All | Read all users’ full profiles | Delegated |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated |
| Microsoft Graph | Group.Read.All | Read all groups | Application |
| Microsoft Graph | Directory.Read.All | Read directory data | Application |
| Microsoft Graph | User.Read.All | Read all users’ full profiles | Application |
| Microsoft Graph | User.Read | Sign in and read user profile | Application |
| Windows Azure Active Directory | User.Read | Sign in and read user profile | Delegated |
| Windows Azure Active Directory | User.ReadBasic.All | Read all users’ basic profiles | Delegated |
| Windows Azure Active Directory | Group.Read.All | Read all groups | Delegated |
| Windows Azure Active Directory | Directory.Read.All | Read directory data | Application |

Administrator invitations and logins

The Citrix Cloud application (ID: 1b32f261-b20c-4399-8368-c8f0092b4470) uses the following permissions:

| API Name | Claim Value | Permission Name | Type |
|---|---|---|---|
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated |
| Microsoft Graph | User.ReadBasic.All | Read all users’ basic profiles | Delegated |
| Windows Azure Active Directory | User.Read | Sign in and read user profile | Delegated |
| Windows Azure Active Directory | User.ReadBasic.All | Read all users’ basic profiles | Delegated |

Default connection between Azure AD and Citrix Cloud with Endpoint Management

The Citrix Cloud application (ID: 5c913119-2257-4316-9994-5e8f3832265b) uses the following permissions:

| API Name | Claim Value | Permission Name | Type |
|---|---|---|---|
| Microsoft Graph | Group.Read.All | Read all groups | Delegated |
| Microsoft Graph | User.ReadBasic.All | Read all users’ basic profiles | Delegated |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated |
| Microsoft Graph | Directory.Read.All | Read directory data | Application |
| Microsoft Graph | Directory.Read.All | Read directory data | Delegated |
| Microsoft Graph | DeviceManagementApps.ReadWrite.All | Read and write Microsoft Intune apps | Delegated |
| Microsoft Graph | Directory.AccessAsUser.All | Access directory as the signed-in user | Delegated |

Legacy connection between Azure AD and Citrix Cloud with Endpoint Management

The Citrix Cloud application (ID: e067934c-b52d-4e92-b1ca-70700bd1124e) uses the following permissions:

| API Name | Claim Value | Permission Name | Type |
|---|---|---|---|
| Microsoft Graph | Group.Read.All | Read all groups | Delegated |
| Microsoft Graph | User.ReadBasic.All | Read all users’ basic profiles | Delegated |
| Microsoft Graph | User.Read | Sign in and read user profile | Delegated |
| Microsoft Graph | DeviceManagementApps.ReadWrite.All | Read and write Microsoft Intune apps | Delegated |
| Microsoft Graph | Directory.AccessAsUser.All | Access directory as the signed-in user | Delegated |

Permissions

API Name

There are two resource applications from which Citrix Cloud requests permissions: Microsoft Graph and Windows Azure Active Directory, listed under API Name. Citrix Cloud requests the same permissions from both resource applications.

Type

There are two levels of access that Citrix Cloud can request for a permission: Delegated and Application, listed under Type.

  • Delegated permissions are used to act on behalf of a signed-in user, such as when querying the profile of the user.
  • Application permissions are used when the application performs an action without the user’s presence, such as querying users within a particular group. This permission type requires consent of a Global Administrator in Azure AD.
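Because Application permissions are consented tenant-wide by a Global Administrator and are usable without any signed-in user, a tenant administrator will want to verify that the consent actually recorded for these service principals matches the tables in this article and nothing more. The following Python script is an added example, not Citrix code and not part of this article: it transcribes the five permission tables above into an expected-permission map keyed by application ID, parses a simplified consent export (the record shape is an assumption: delegated entries carry a space-separated `scope` string, as Microsoft Graph's oauth2PermissionGrants objects do, and application entries carry a single app-role `value`; resource names are assumed already resolved to display names), and reports permissions that are granted but undocumented or documented but not granted. The sample export is constructed and deliberately contains one undocumented Application-type permission on the administrator invitation application so that the escalation path is exercised.

```python
"""Added example: audit the consent granted to the Citrix Cloud enterprise
applications in an Azure AD tenant against the permission tables in this
article. Not Citrix code; the export record shape is an assumption."""
from collections import defaultdict
from dataclasses import dataclass

G, W = "Microsoft Graph", "Windows Azure Active Directory"
D, A = "Delegated", "Application"

# Documented (resource, claim value, type) triples per Citrix Cloud application ID,
# transcribed from the tables in this article.
EXPECTED = {
    "e95c4605-aeab-48d9-9c36-1a262ef8048e": {(G, "User.Read", D), (W, "User.Read", D)},
    "f9c0e999-22e7-409f-bb5e-956986abdf02": {
        (G, "Group.Read.All", D), (G, "User.ReadBasic.All", D), (G, "User.Read.All", D),
        (G, "User.Read", D), (G, "Group.Read.All", A), (G, "Directory.Read.All", A),
        (G, "User.Read.All", A), (G, "User.Read", A), (W, "User.Read", D),
        (W, "User.ReadBasic.All", D), (W, "Group.Read.All", D), (W, "Directory.Read.All", A),
    },
    "1b32f261-b20c-4399-8368-c8f0092b4470": {
        (G, "User.Read", D), (G, "User.ReadBasic.All", D),
        (W, "User.Read", D), (W, "User.ReadBasic.All", D),
    },
    "5c913119-2257-4316-9994-5e8f3832265b": {
        (G, "Group.Read.All", D), (G, "User.ReadBasic.All", D), (G, "User.Read", D),
        (G, "Directory.Read.All", A), (G, "Directory.Read.All", D),
        (G, "DeviceManagementApps.ReadWrite.All", D), (G, "Directory.AccessAsUser.All", D),
    },
    "e067934c-b52d-4e92-b1ca-70700bd1124e": {
        (G, "Group.Read.All", D), (G, "User.ReadBasic.All", D), (G, "User.Read", D),
        (G, "DeviceManagementApps.ReadWrite.All", D), (G, "Directory.AccessAsUser.All", D),
    },
}


@dataclass(frozen=True)
class Finding:
    app_id: str
    resource: str
    claim: str
    perm_type: str
    kind: str  # "unexpected", "missing" or "unknown-app-id"


def grants_from_export(records):
    """Group granted (resource, claim value, type) triples by client application ID.

    Record shape is an assumption (simplified from what Microsoft Graph returns):
    delegated entries carry a space-separated "scope" string, application entries
    a single app-role "value"; "resource" is the resource service principal's name."""
    by_app = defaultdict(set)
    for rec in records:
        claims = rec["scope"].split() if rec["type"] == D else [rec["value"]]
        for claim in claims:
            by_app[rec["clientAppId"]].add((rec["resource"], claim, rec["type"]))
    return by_app


def audit_app(app_id, granted):
    """Diff one application's granted triples against the documented set.

    An unknown application ID is itself a finding: the service principal's display
    name ("Citrix Cloud") does not identify it, the application ID does."""
    expected = EXPECTED.get(app_id)
    if expected is None:
        return [Finding(app_id, "", "", "", "unknown-app-id")]
    unexpected = [Finding(app_id, *t, "unexpected") for t in sorted(granted - expected)]
    missing = [Finding(app_id, *t, "missing") for t in sorted(expected - granted)]
    return unexpected + missing


def audit_export(records):
    """Audit every client application in the export; returns {app_id: [Finding, ...]}."""
    return {app_id: audit_app(app_id, granted)
            for app_id, granted in grants_from_export(records).items()}


def escalations(findings_by_app):
    """Unexpected Application-type permissions: consented tenant-wide by a Global
    Administrator and usable without a signed-in user, so they are reviewed first."""
    return [f for fs in findings_by_app.values() for f in fs
            if f.kind == "unexpected" and f.perm_type == A]


# Constructed sample export, not data from a real tenant.
SAMPLE_EXPORT = [
    {"clientAppId": "e95c4605-aeab-48d9-9c36-1a262ef8048e", "resource": G, "type": D, "scope": "User.Read"},
    {"clientAppId": "e95c4605-aeab-48d9-9c36-1a262ef8048e", "resource": W, "type": D, "scope": "User.Read"},
    {"clientAppId": "1b32f261-b20c-4399-8368-c8f0092b4470", "resource": G, "type": D, "scope": "User.Read User.ReadBasic.All"},
    {"clientAppId": "1b32f261-b20c-4399-8368-c8f0092b4470", "resource": W, "type": D, "scope": "User.Read User.ReadBasic.All"},
    # Not in the documented set for the invitation/login app: an application-level role.
    {"clientAppId": "1b32f261-b20c-4399-8368-c8f0092b4470", "resource": G, "type": A, "value": "Directory.Read.All"},
]

if __name__ == "__main__":
    report = audit_export(SAMPLE_EXPORT)
    for app_id, findings in report.items():
        for f in findings:
            print(f"{app_id} {f.kind:12} {f.perm_type:12} {f.resource}: {f.claim}")
    print("escalate first:", [(f.app_id, f.claim) for f in escalations(report)])
```

Run against a real export, the script is only as good as the transcription in `EXPECTED`; keep it in sync with this article, and treat a "missing" finding as informational (a feature not in use), while an "unexpected" Application-type finding warrants checking who consented and when.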

Claim Value

Azure AD assigns string values to permissions, listed under Claim Value. You can find descriptions of specific claim values in the following table:

| Name | Description |
|---|---|
| User.Read | Allows Citrix Cloud administrators to add users from the connected Azure AD as administrators on the Citrix Cloud account. |
| User.ReadBasic.All | Gathers basic info from the user’s profile. It’s a subset of User.Read.All, but the permission itself remains for backwards compatibility. |
| User.Read.All | Citrix Cloud calls the List users API (https://docs.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0&tabs=http) to enable browsing and selection of users from the customer’s connected Azure AD. For example, users from Azure AD can be given access to a Virtual Apps and Desktops resource with the workspace. Citrix Cloud can’t use User.ReadBasic.All because it needs to access properties outside of the basic profile, such as onPremisesSecurityIdentifier. |
| Group.Read.All | Citrix Cloud calls the List groups API (https://docs.microsoft.com/en-us/graph/api/group-list?view=graph-rest-1.0&tabs=http) to allow browsing and selection of groups from the customer’s connected Azure AD. For example, groups from Azure AD can also be granted access to Virtual Apps and Desktops applications. |
| Directory.Read.All | Citrix Cloud calls the List memberOf API (https://docs.microsoft.com/en-us/graph/api/user-list-memberof?view=graph-rest-1.0&tabs=http) to get the user’s group membership, as Group.Read.All is not sufficient. |
| DeviceManagementApps.ReadWrite.All | Allows Citrix Cloud to read and write the properties, group assignments, status of apps, app configurations, and app protection policies managed by Microsoft Intune. |
| Directory.AccessAsUser.All | Allows Citrix Cloud to have the same access to information in the directory as the signed-in user. |