Subscription and Permissions

Subscription Requirements

Microsoft Universal Print licenses for all subscribed users.
Microsoft Entra ID Account is required to access the Celiveo 365 subscription portal.
The used Microsoft Entra ID Account requires the following roles: (Information at: https://portal.azure.com/ > Microsoft Entra ID > Roles and administrator)
1. Print Administrator Role
  To validate user rights to manage MUP manage print queues. This ensures that the subscribing user can also deploy MUP queues.
2. Privileged Role Administrator Role
  To grant Celiveo Print Management Enterprise Application the rights to manage MUP print queues, print flow and read user metadata information from customer tenant.
  For more information about the detailed Application and Delegation Permissions check Required Permissions.
Valid working credit card or a coupon provided by Celiveo.

Required Permissions

The tables below describe the required permissions required by Celiveo 365 to interface with the customer tenant.

Application Permissions
Refers to a one time operation to grant Celiveo Print Management Enterprise Application the access to the customer tenant defined resources by a Privilege Role Administrator during the subscription process.
More information about the need for Privilege Role Administrator Role here.
Delegated Permissions
Refers to when users login to a Celiveo 365 service frontend like Celiveo Web Admin and Celiveo 365 uses their account to access customer tenant services on behalf of them. Often Delegated services are used in conjunction with Celiveo Print Management Enterprise Application (Application Permissions) to execute tasks.

Application Permissions

Area	API	Permission Name	Access Type	Description	Celiveo Workflow
Entra ID	Graph	Directory.Read.All	Read	Directory Data	Get Role Related Objects
Entra ID	Graph	GroupMember.Read.All	Read	All group membership	User Enrollment, Access Rules
Entra ID	Graph	Organization.Read.All	Read	Organization information	Subscription Portal, WA Customer Validation
Entra ID	Graph	RoleManagement.Read.Directory	Read	Directory RBAC settings	WA MUP Management, WA Access Rights
Entra ID	Graph	User.Read.All	Read	All user’s profile	User Enrollment
MUP	Graph	Printer.ReadWrite.All	Read, Write	Read and update printers (print queues)	WA MUP Management
MUP	Graph	PrintJob.Manage.All	Read, Update	Perform advanced operations on print jobs	MUP Printing Workflow
MUP	Graph	PrintJob.ReadWrite.All	Read, Write	Print jobs	MUP Printing Workflow
MUP	Graph	PrintTaskDefinition.ReadWrite.All	Read, Write, Update	Print task definitions	MUP Printing Workflow
MUP	MUP	PrinterProperties.ReadWrite	Read, Write	Property and attribute of printers	WA MUP Management
MUP	MUP	Printers.Read	Read	Read printers	WA MUP Management
MUP	MUP	PrintJob.Read	Read	Metadata and payload of users’ print jobs.	MUP Printing Workflow
MUP	MUP	PrintJob.ReadWriteBasic	Read,Write	Metadata of users’ print jobs.	MUP Printing Workflow

Delegated Permissions

Area	API	Permission Name	Access Type	Description	Celiveo Workflow
Entra ID	Graph	Email	Read, View	View user’s primary email address	Celiveo Portals
Entra ID	Graph	Group.Read.All	Read	Signed in user’s groups	WA Access Rights
Entra ID	Graph	OpenID	N/A	Sign user in	Celiveo Portals Access
Entra ID	Graph	Profile	Read	View users’ basic profile	Celiveo Portals
Entra ID	Graph	User.Read	Sign in and Read	User’s profile	WA Logged in User Attributes
Entra ID	Graph	User.Read.All	Sign in and Read	All User’s profile	WA User Admin Management
MUP	Graph	Printer.Create	Create, Write	Printers (Print Queues)	WA MUP Management
MUP	Graph	Printer.ReadWrite.All	Read, Write	Read and update printers (print queues)	WA MUP Management
MUP	Graph	PrinterShare.ReadWrite.All	Read, Write	Read and write printer shares	WA MUP Management
MUP	MUP	Printers.Create	Write	Create new printers	WA MUP Management
N/A	Graph / MASL	Offline_access	Renew Token	Refresh auth token with refresh token	Celiveo Print-Mobile, Print-Web, My Celiveo

Manage Your Subscription Portal

Once the subscription process is done the access to the portal at https://subscribe.celiveo365.com/ is available to users with the following roles:

Role	Access Type	Subscription Details	Active Users	Payment and Invoices	Billing Information
Print Administrator	Read Only	●	●
Billing Administrator	Read and Write to Billing			●	●
Privilege Role Administrator	Read and Write to Subscription and Billing	●	●	●	●
Global Administrator	Read and Write to Subscription and Billing	●	●	●	●

Verifying the access to Microsoft Universal Print

Celiveo 365 administrators need access rights to Microsoft Universal Print.
It is strongly recommended to verify that access directly in Azure portal:
- Connect to https://portal.azure.com using the same account that will be used to login on Celiveo 365 portal
- Open the Universal Print application
- Open the “Printers” blade
If you see a screen with no error message then that account has the needed rights to manage Universal Print queues from the Celiveo 365 WebAdmin portal.
If you see an error screen telling you that account lacks the proper rights and/or license, contact your IT to resolve that Microsoft EntraID configuration, until the printers list appears without any error message.

Manage Administrators Access to Web Admin Portal

Any user with Entra ID Global Administrator Role or Privilege Role Administrator Role has super admin access to the Web Admin. The best practices dictate that super admins should delegate admin rights to specific users or Entra ID OU/Groups, these delegated admins do not require Entra ID Global Administrator Role or Privilege Role Administrator Role. further can be found in the Manage Administrators via OU/Groups.
Admins that synchronize Microsoft Universal Print Queues require Print Administrator Role.

Last modified: 16 September 2024

Feedback

Post your comment on this topic.