Office 365 permissions required for the Teacher Dashboard app

When you install the Teacher Dashboard app on your Office 365 instance, you are required to grant certain permissions to allow the app to interact with your data. This can only be done by someone who is a tenant administrator on your Office 365 instance. The permission screen looks like the screenshot below:

The level of permissions that Teacher Dashboard requests is quite high, but represents the minimum amount necessary for the current feature set and for the features we will be introducing in the near future. Some of the specific permissions required are:
  • Read and write all groups - This permission is required for Teacher Dashboard’s AAD sync feature, which allows you to sync all of your groups in Azure Active Directory into TD, saving you from having to set them up and maintain them manually. This is a one-way sync process from AAD => TD, as there is no ‘write’ back to your AAD instance. In the future, Teacher Dashboard administrators will be able to sync any of the groups/classes they created in TD back to AAD, but this will be disabled by default and will require your Teacher Dashboard Administrator to enable it if required.
  • Read and write directory data - This permission is required for Teacher Dashboard’s User sync feature, which allows you to sync all of your AAD users with TD. This is a one-way sync process from AAD => TD, as there is no ‘write’ back to your AAD instance.
  • Read and write managed metadata - This permission allows us to get basic information about your SharePoint instance, such as the name of SharePoint sites. All TD sync operations are read operations and we do not write any metadata back to AAD.

Data security is at the forefront of the design and management processes around Teacher Dashboard, and is supported by:

  • Secure authentication - Teacher Dashboard 365 is fully integrated with Office 365 secure authentication and access control.
  • Secure information handling - the product and support operations are covered by our ISO 27001 data security accreditation, which is monitored and certified by the British Standards Institution.
  • Secure data storage - your data resides within your secure Office 365 environment.
  • Strong policies on OneDrive visibility - by design, teachers can only view the OneDrives of the students in their classes. By default, they can only see the data that is controlled by Teacher Dashboard (i.e. data stored under the Teacher Dashboard root folder). If teachers want to view the entire contents of their students' OneDrives, the Tenant Administrator for your Office 365 instance can request this setting to be enabled.
  • Separation of schools - the Multischool feature in Teacher Dashboard allows districts that have multiple schools using the same Office 365 instance to separate out each school into its own Teacher Dashboard instance. Admins, teachers and students at one school cannot see any of the users or data from another school even though their Office 365 instance is the same.
  • Granular permissioning levels - students, teachers and administrators all have separate roles within Teacher Dashboard, which determine what they can and can't see and do. Teacher Dashboard administrators can manage these permissions.

What data is stored in Teacher Dashboard?

Data storage in Teacher Dashboard is intentionally kept very light. We store the bare minimum needed to link students and teachers to the groups/classes created in Teacher Dashboard. This includes the following:

  • the user’s Office 365 ID and Office 365 name
  • static data that a teacher or admin sets up (such as marking formats, subjects, group name/desc, class name/desc)
  • metadata that is created when a teacher creates an assignment

When OneDrive documents are shared or sent out as assignments, they are transferred from a Teacher’s OneDrive to a Student’s OneDrive (and the opposite when assignments are collected).