June 28th Update: Accept the one-time permissions request when logging in via Microsoft SSO
Update as of June 28, 2023:
Smartsheet has migrated away from the deprecated Azure Active Directory (AD) Graph service to the new Microsoft Graph service effective today, June 27, 2023.
Please accept the one-time permissions request when using Microsoft SSO to ensure a successful login and continued access to Smartsheet. If you are an Azure Administrator, please check the additional checkbox option to consent to the permissions on behalf of your entire organization or grant admin consent for Smartsheet directly from Azure.
For more context, please read the advanced notice communications below.
Advanced notice communications:
Hi Community,
On June 28, 2023, Smartsheet will be migrating away from the deprecated Azure Active Directory (AD) Graph service to the new Microsoft Graph service.
What this means for you: If you are attempting to log into Smartsheet using Microsoft Single Sign-On (SSO) on or after June 28, 2023, you will see a one-time permissions request, which you must accept to successfully log in and access your underlying Smartsheet instance. Failure to accept these permissions will result in an unsuccessful login attempt via Microsoft SSO.
If you are an Azure Administrator:
- You will also be provided with an additional checkbox option to consent to the permissions on behalf of your entire organization. We strongly encourage you to check this box when accepting the new permissions so that others in your organization can continue to access Smartsheet without interruption via Microsoft SSO.
- Azure Admins can also grant admin consent for Smartsheet for different enterprise applications directly from Azure. To do so, follow this navigation path: Azure Home > Enterprise Apps > Search for "Smartsheet" > click on "Grant admin consent for Smartsheet"
Please note:
- You have previously consented to the same permissions for utilizing Microsoft SSO to log into Smartsheet via the Azure Graph service. We simply need to resurface the consent form because we’re migrating to the new Microsoft Graph service.
- You may also be prompted with the permissions request form if you attempt to authenticate into Smartsheet using Microsoft SSO from other third-party apps/integrations. If you encounter this situation, please accept the request to ensure uninterrupted access to your Smartsheet assets.
This change impacts all users utilizing login via Microsoft SSO in Free, Pro, Business, Enterprise, Premier, and legacy plans (Individual, Basic, Advanced - Legacy, Team, and Enterprise - Legacy), including free collaborators, unlicensed users, and Trial users.
To see the Microsoft announcement regarding the deprecation of the Azure AD Graph service, click here. We will update this community post when we officially migrate to the Microsoft Graph service. You can also stay informed by subscribing to receive product release updates for curated news of recently released product capabilities and enhancements for the platform of your choosing, delivered to your inbox. As new releases occur, you will receive a weekly email with news of what's released every Tuesday.
Best regards,
The Smartsheet Product Team
Product screenshots
1. Permissions request form for Azure administrators:
2. Azure consent flow for Azure admins:
Comments
-
Hi, will this email for permission be coming from our internal IT team or will it be coming from Microsoft or Smartsheet?
-
Which "Smartsheet" Enterprise application, can you provide the Application ID? Thank you.
-
Will this also occur for those using same sign-on (logging in using the Microsoft login button that recognizes O365 credentials)? Or just Single Sign On/SSO?
-
@InnoceanKP the article makes it sound like it will be a prompt that pops up for all users (so Smartsheet) but that the Azure Administrator could accept this on behalf of users and nothing else would pop up. I could've misinterpreted the article though.
Good questions all around though, hopefully we'll hear something back on this channel soon.
-
I received the email last night from productinfo@smartsheet.com and I am not a sys admin. In reading this, it sounds like it will only impact users of the desktop app but I have a call into our rep to clarify.
-
Only some of our users received this email, not all. Why? Just need to understand if this affects everyone or not. Kind of late if it affects everyone.
-
Hi @InnoceanKP - when a user attempts to log into Smartsheet using Microsoft SSO, then Microsoft will be the one to prompt the permissions request form on the screen (it will not be an email). Once the permissions are accepted, then the user can access Smartsheet. Let me know if you have any further questions.
-
Hi @whynotpizza - to get the list of application IDs, please submit a support ticket and a team member will get back to you.
-
Hi @Jen M. - Can you please elaborate on your question? What do you mean by the login button that recognizes the O365 credentials?
-
Hi @aamanley - The permissions request prompt will be displayed when logging into Smartsheet, but it will be Microsoft pushing the prompt. Let me know if you have any questions.
-
Hi @scot tupper - Individual users will also be prompted with the permissions request form if they attempt to log into Smartsheet with Microsoft SSO after we complete the migration. However, if an Azure Admin consents on behalf of the entire org beforehand, then individual users will not receive the prompt. Please note that Azure Admins can even consent for the org before or after the migration occurs on June 28th.
Do let me know if you have any further questions.
-
@Pam Ferguson - The advanced notice email went out to all users who have logged into Smartsheet at least once in the last 60 days and used Microsoft SSO for authentication. This will impact any user who attempts to log into Smartsheet using Microsoft SSO after we complete the migration on June 28th (as mentioned in the post above) and they will receive a permissions request prompt from Microsoft. After accepting the prompt, they can successfully log into Smartsheet. Please let me know if you have any further questions. Additionally, Azure Admins can even consent for the org before or after the migration occurs on June 28th.
-
I am an Azure Admin and just went in to grant admin consent for the Enterprise application. It is now showing but the permission details show the Resource Application as Azure Active Directory. Is that correct? Should there be an indication that access is granted for Microsoft Graph?
-
My Azure Admins & InfoSec Teams are saying that the amount of permissions Smartsheet is requesting with this new change are higher than previously and wondering if those can be changed to Sign In and Read Profile.
Who can my team talk with at Smartsheet about this?
-
@cebert - For any new users (i.e., anyone who has not previously authenticated into Smartsheet using Microsoft SSO), the permissions requested will be all the ones shown in the screenshot below. (We've included the permissions consent form and the corresponding permissions with their descriptions).
However, for returning users (i.e., anyone who has already authenticated into Smartsheet via Microsoft SSO before but is attempting to log in after we do the migration), the only permission requested is User.Read from Microsoft Graph API, which is replacing the current User.Read from Azure AD Graph API. User.Read is for signing in and reading the user profile.
Please let me know if you have any further questions.
