🔐 App Permissions & Scopes

SalesTim relies intensively on the Microsoft Graph API. Therefore it's important to understand its permissions model and basic requirements.

Delegated and Application Permissions

Microsoft Graph has two types of permissions:

  • Delegated permissions are used by apps that have a signed-in user present. For these apps either the user or an administrator consents to the permissions that the app requests and the app can act as the signed-in user when making calls to Microsoft Graph. Some delegated permissions can be consented by non-administrative users, but some higher-privileged permissions require administrator consent.
  • Application permissions are used by apps that run without a signed-in user present; for example, apps that run as background services or daemons. Application permissions can only be consented by an administrator.

Due to some Microsoft Graph functional and technical limitations, SalesTim currently relies on a delegated permission model. In the future, SalesTim will switch to an application permission model.

Learn more about Authentication and authorization basics for Microsoft Graph...

Admin-restricted permissions

Depending on the permission type (Delegated or Application), some high-privilege permissions in the Microsoft ecosystem are admin-restricted. Examples of these kinds of permissions include the following:

  • Read all users' full profiles by using User.Read.All
  • Write data to an organization's directory by using Directory.ReadWrite.All
  • Read all groups in an organization's directory by using Group.Read.All

For SalesTim to access data in Microsoft Graph, your administrator must grant it the correct permissions via a consent process.

Required Permissions

For SalesTim to work properly and perform some administrative operations, it requires the following permissions:

Each entry gives the scope, its Microsoft Graph description, how SalesTim uses it, and whether admin consent is required.

  • AppCatalog.ReadWrite.All (admin consent required: Yes)
    Graph: Allows the app to create, read, update, and delete apps in the app catalogs.
    SalesTim: Allows SalesTim to manage its "Targeted Apps" packages in your corporate store.
  • Directory.AccessAsUser.All (admin consent required: Yes)
    Graph: Allows the app to have the same access to information in the directory as the signed-in user.
    SalesTim: Allows SalesTim to find the relevant people involved in approval processes and perform advanced user security checks.
  • Group.ReadWrite.All (admin consent required: Yes)
    Graph: Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Additionally allows group owners to manage their groups and allows group members to update group content.
    SalesTim: Allows SalesTim to manage teams from Microsoft Teams and their underlying groups.
  • Mail.Send (admin consent required: No)
    Graph: Allows the app to send mail as users in the organization.
    SalesTim: Allows SalesTim to send some notification emails.
  • Notifications.ReadWrite.CreatedByApp (admin consent required: No)
    Graph: Allows the app to deliver its notifications on behalf of signed-in users. Also allows the app to read, update, and delete the user's notification items for this app.
    SalesTim: Allows SalesTim to send some in-app notifications in Microsoft Teams.
  • offline_access (OpenID) (admin consent required: No)
    Graph: Allows the app to read and update user data, even when they are not currently using the app.
    SalesTim: Allows SalesTim to perform operations in the background on behalf of a user.
  • profile (OpenID) (admin consent required: No)
    Graph: Allows the app to see your users' basic profile (name, picture, user name).
    SalesTim: Allows SalesTim to get the current user's basic profile.
  • Sites.FullControl.All (admin consent required: Yes)
    Graph: Allows the app to have full control of SharePoint sites in all site collections on behalf of the signed-in user.
    SalesTim: Allows SalesTim to manage teams from Microsoft Teams and their underlying SharePoint sites.
  • User.Read.All (admin consent required: No)
    Graph: Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user.
    SalesTim: Allows SalesTim to get the current user's profile properties and related teams. Also used for the "Templates Audience Targeting" feature.
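As an added illustration (not SalesTim's own code), the following Python script compares the scp claim of a delegated Microsoft Graph access token against the Graph scopes listed above and reports which required scopes are missing, which of those need admin consent, and which granted scopes were never asked for. The sample token, the helper names and the check itself are constructed for this example.

```python
import base64
import json

# Delegated Microsoft Graph scopes from the list above, mapped to whether the
# page says admin consent is required. The OpenID Connect scopes (offline_access,
# profile) govern token issuance rather than Graph access and are not compared.
REQUIRED_GRAPH_SCOPES = {
    "AppCatalog.ReadWrite.All": True,
    "Directory.AccessAsUser.All": True,
    "Group.ReadWrite.All": True,
    "Mail.Send": False,
    "Notifications.ReadWrite.CreatedByApp": False,
    "Sites.FullControl.All": True,
    "User.Read.All": False,
}

def decode_jwt_payload(token):
    """Return the payload claims of a JWT. No signature check is done here:
    this is a diagnostic aid, never an authorization decision."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))

def check_scopes(token, required=REQUIRED_GRAPH_SCOPES):
    """Compare the scp claim of a delegated access token with the required scopes."""
    claims = decode_jwt_payload(token)
    if "scp" not in claims:
        # App-only tokens carry a 'roles' claim instead; this check covers delegated tokens.
        raise ValueError("no scp claim: not a delegated access token")
    granted = set(claims["scp"].split())
    missing = sorted(s for s in required if s not in granted)
    return {
        "missing": missing,
        "missing_admin_consent": [s for s in missing if required[s]],
        "unexpected": sorted(granted - set(required)),
    }

def make_sample_token(scp):
    """Build a constructed, unsigned JWT for offline testing (not a real token)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64({'scp': scp})}.sig"

# Constructed sample: a partial grant plus one scope the app never asked for.
SAMPLE_TOKEN = make_sample_token(
    "User.Read.All Mail.Send Group.ReadWrite.All "
    "Notifications.ReadWrite.CreatedByApp Directory.Read.All"
)
```

Run `check_scopes(SAMPLE_TOKEN)` to see the three admin-consent scopes reported as missing and Directory.Read.All flagged as an unexpected grant.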

Learn more with Microsoft Graph permissions reference...

Last Updated: 6/2/2019, 7:48:49 PM