Overview
This article contains security information relative to Simpplr's Microsoft Teams integration. For setup and usage instructions on the integration, check out this article.
It's important to note that, in order to access data, Simpplr uses "delegated access" (access on behalf of a user).
Application access is used only to create the custom app; it involves no access to user data.
Simpplr does not require your org's Microsoft Global Admin to connect and enable the integration before anyone else. Any user with the Teams Administrator or Application Administrator roles in Microsoft can set up and configure the integration.
However, a Global Admin is needed to log into the admin centre and provide consent for custom app permissions.
Note: The requested permission scopes can seem alarming because they mention "all users." The Microsoft-generated consent screen should ideally clarify that the permissions are granted "on behalf of the signed-in user," but this phrasing is missing.
OAuth secures authentication and authorization
- Simpplr accesses MS Teams as the user, never as a Global Administrator.
- Users need to explicitly give Simpplr permission to access MS Teams.
- The Global Administrator (GA) must approve this user request by granting consent.
- This consent is done once and applies to all users, with the GA choosing to “consent on behalf of the organisation.”
- All actions performed in MS Teams are logged by Microsoft as actions taken by Simpplr on behalf of the specific user.
Permissions requested from production
- Maintain access to data you have given it access to: Allows the app to see and update the data you gave it access to, even when you are not currently using the app. This does not give the app any additional permissions.
- Read all users' full profiles: Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on your behalf.
- Read the names and descriptions of teams: Read the names and descriptions of teams, on your behalf.
- Read the names and descriptions of channels: Read channel names and channel descriptions, on your behalf.
- Send channel messages: Allows the app to send channel messages in Microsoft Teams, on your behalf.
- Read all app catalogs: Allows the app to read apps in the app catalogs.
- Read all groups: Allows the app to list groups, and to read their properties and all group memberships on your behalf. Also allows the app to read calendar, conversations, files, and other group content for all groups you can access.
- Submit application packages to your organization's catalog and cancel pending submissions: Allows the app to submit application packages to the catalog and cancel submissions that are pending review on your behalf.
- Read and write to all app catalogs: Allows the app to create, read, update, and delete apps in the app catalogs.
BYOA (Bring your own app)
- For the Teams BYOA integration, we utilized the ‘custom app’ option, allowing users to personalize their Teams app with their own logos and names.
- Microsoft uses two main constructs for integrating with MS Teams: 'Custom app' and 'Bot.'
- The custom app is available within the organisation, but for programmatic access, a 'Bot' is used.
- Since the bot is shared across all customers, there’s no way to customise permissions for individual customers.
Detailed permissions descriptions
| No. | Name | Type | Detailed description |
|---|---|---|---|
| 1 | Channel.ReadBasic.All | Delegated | Read channel names and channel descriptions, on behalf of the signed-in user. |
| 2 | ChannelMessage.Send | Delegated | Allows an app to send channel messages in Microsoft Teams, on behalf of the signed-in user. |
| 3 | | Delegated | Allows the app to read your users' primary email address. |
| 4 | offline_access | Delegated | Allows the app to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions. |
| 5 | openid | Delegated | Allows users to sign in to the app with their work or school accounts and allows the app to see basic user profile information. |
| 6 | Team.ReadBasic.All | Delegated | Read the names and descriptions of teams, on behalf of the signed-in user. |
| 7 | User.Read.All | Delegated | Allows the app to read the full set of profile properties, reports, and managers of other users in your organisation, on behalf of the signed-in user. |
| 8 | AppCatalog.Submit | Delegated | Allows the app to submit application packages to the catalog and cancel submissions that are pending review, on behalf of the signed-in user. |
| 9 | AppCatalog.ReadWrite.All | Delegated | Allows the app to create, read, update, and delete apps in the app catalogs without a signed-in user. |
| 10 | TeamsAppInstallation.ReadWriteForTeam.All | Application | Allows the app to read, install, upgrade, and uninstall Teams apps in any team, without a signed-in user. Does not give the ability to read application-specific settings. |
| 11 | TeamsAppInstallation.ReadWriteForUser.All | Application | Allows the app to read, install, upgrade, and uninstall Teams apps for any user, without a signed-in user. Does not give the ability to read application-specific settings. |
| 12 | TeamsAppInstallation.ReadWriteSelfForTeam.All | Application | Allows a Teams app to read, install, upgrade, and uninstall itself in any team, without a signed-in user. |
| 13 | TeamsAppInstallation.ReadWriteSelfForUser.All | Application | |
| 14 | AppCatalog.Read.All | Application | Allows the app to read apps in the app catalogs without a signed-in user. |
| 15 | Group.Read.All | Application | Allows the app to read group properties and memberships, and read conversations for all groups, without a signed-in user. |
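The distinction drawn in the OAuth section above (Simpplr acts as the signed-in user, with application access reserved for creating the custom app) is visible in the access token Microsoft issues: a delegated token carries a space-separated `scp` claim and identifies the user, while an application (client-credential) token carries a `roles` list and no user. The following Python script is an added example, not Simpplr's or Microsoft's code; it decodes a token payload, classifies it as delegated or application, and diffs the granted permissions against the two lists in the table above so that an administrator reviewing the integration can spot drift. The sample tokens, the user name, and the extra `Directory.ReadWrite.All` role in the application sample are constructed for the demonstration. The decoder deliberately does not verify signatures: it is for auditing a token you already hold, not for accepting one from a caller.

```python
"""Audit a Microsoft identity platform access token against the delegated and
application permissions documented for the Simpplr Teams integration."""
import base64
import json

# Permission names copied from the "Detailed permissions descriptions" table.
DELEGATED_SCOPES = {
    "Channel.ReadBasic.All", "ChannelMessage.Send", "offline_access", "openid",
    "Team.ReadBasic.All", "User.Read.All", "AppCatalog.Submit",
    "AppCatalog.ReadWrite.All",
}
APPLICATION_ROLES = {
    "TeamsAppInstallation.ReadWriteForTeam.All",
    "TeamsAppInstallation.ReadWriteForUser.All",
    "TeamsAppInstallation.ReadWriteSelfForTeam.All",
    "TeamsAppInstallation.ReadWriteSelfForUser.All",
    "AppCatalog.Read.All", "Group.Read.All",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT WITHOUT verifying its signature.
    Inspection only: a relying party must validate the signature and issuer."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_kind(claims: dict) -> str:
    """Delegated tokens carry 'scp' and a user identity; application tokens
    carry 'roles' and no user."""
    if "scp" in claims:
        return "delegated"
    if "roles" in claims:
        return "application"
    return "unknown"


def granted_permissions(claims: dict) -> set:
    if "scp" in claims:
        return set(claims["scp"].split())
    return set(claims.get("roles", []))


def audit_token(token: str) -> dict:
    """Compare what the token actually grants with what the integration documents."""
    claims = decode_jwt_payload(token)
    kind = token_kind(claims)
    expected = DELEGATED_SCOPES if kind == "delegated" else APPLICATION_ROLES
    granted = granted_permissions(claims)
    return {
        "kind": kind,
        # Delegated tokens name the user the app acts for; application tokens do not.
        "acting_user": claims.get("upn") or claims.get("oid"),
        "unexpected": sorted(granted - expected),   # granted but not documented
        "missing": sorted(expected - granted),      # documented but not in this token
    }


def _constructed_jwt(payload: dict) -> str:
    # Constructed, unsigned demo token: header and signature are placeholders.
    header = base64.urlsafe_b64encode(b'{"alg":"RS256","typ":"JWT"}').rstrip(b"=").decode()
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b"=").decode()
    return f"{header}.{body}.placeholder-signature"


# Constructed sample: a delegated token issued to the app acting for one user.
DELEGATED_SAMPLE = _constructed_jwt({
    "aud": "https://graph.microsoft.com",
    "upn": "alice@example.com",  # constructed user
    "scp": "Channel.ReadBasic.All ChannelMessage.Send Team.ReadBasic.All "
           "User.Read.All openid offline_access",
})

# Constructed sample: an application token that was granted one role beyond the list.
APPLICATION_SAMPLE = _constructed_jwt({
    "aud": "https://graph.microsoft.com",
    "roles": ["AppCatalog.Read.All", "Group.Read.All", "Directory.ReadWrite.All"],
})

if __name__ == "__main__":
    for label, tok in (("delegated", DELEGATED_SAMPLE), ("application", APPLICATION_SAMPLE)):
        print(label, json.dumps(audit_token(tok), indent=2))
```

Run against a real token from the integration's sign-in (for example one captured from your own session), the `unexpected` list is what a reviewer should question: any entry there is a permission the consent screen granted that this article does not document.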