Microsoft Permissions for the Enterprise Portal

Updated at September 23rd, 2024

Microsoft Teams Connector performs certain limited tasks with the consent of Microsoft Global Administrators. These allow for automated provisioning via PowerShell for direct routing, user calling activation, and Teams application setup in Microsoft.

The initial request when the Microsoft Enterprise Global Administrator is asked for permission looks like this:

Microsoft Teams Connector requires the Microsoft Global Admin to grant the Permissions shown above and explained below. With the Consent selected, delegated authorization can be granted to other Microsoft users in the tenant, specifically to users with the roles of Teams Service Admin and Skype for Business Admin.

Permission flow is as follows:

  • During Enterprise signup, Global Admin credentials are required for the first sign-in to the EPP (Registration—pictured above).
  • The EPP will ask for the following permissions that require Microsoft Global Admin consent before they can be used by non-Global Admin Users:signed-in

Permissions

Purpose

Access Microsoft Teams and Skype for Business data as the signed-in user. Allows the app to have the same access to information in the directory as the signed-in user.
Read and write directory data. This allows the app to read and write data, such as users and groups, in your organization's directory. It does not allow the app to delete users or groups or reset user passwords.
Access the directory as you. This allows the app to read the organization and related resources on behalf of the signed-in user. Related resources include subscribed SKUs and tenant branding information.
Manage your installed Teams apps. Allow the app to install and delete the Teams Application (Azure Enterprise Application) you build to extend the PBX into Teams.
Read organization information. Allows the app to read the organization and related resources, on behalf of the signed-in user. related resources include things like subscribed SKUs and tenant branding information
Read and write all users' full profiles. This allows the app to read and write the organization and related resources on behalf of the signed-in user. Related resources include subscribed SKUs and tenant branding information.
Maintain access to data you have given it access to. Allows the permission to access data to persist beyond the current login session.
Full access to the Skype Remote Powershell. Allow the application full access to the Skype Remote Powershell Azure services to provision Direct Routing and Teams Users on behalf of the signed-in user.

After granting this initial set of permissions, the Microsoft Global Admin will be prompted to log in again. A second set of application Permissions will appear:

Read all users' full profiles. Allows the app to read user profiles without a signed-in user.
Sign in and read the user profile. It allows users to sign in to the app and read their profiles and basic company information.

Once you grant these Permissions, you will be logged into the Microsoft Teams Connector portal.

Debug Call ConsentIt allows users to sign in to the app and read their profiles and basic company information.

Additional permission will be requested from the Enterprise Admin for the Microsoft Teams Connector CDR Application on the enterprise dashboard and when the Partner/Master Reseller/Reseller clicks "Debug Call" from the dashboard.

This allows a Teams app to read, install, upgrade, and uninstall itself in any team

Read all call records. Allows the app to read call records for all calls and online meetings without a signed-in user.
Read PSTN and direct routing call log data. Allows the app to read all PSTN and direct routing call log data without a signed-in user.

This permission is optional but gives Microsoft Teams Connector more power to help with troubleshooting.

Presence Sync Permissions

If the enterprise plans to use the presence sync option, they must also grant the optional permission.

In the Microsoft Teams Connector portal, certain tasks can be performed by the Microsoft Global Admin only, and certain tasks can be performed by the delegated Teams Service Admin/Skype for Business Admin. The table below demonstrates which credentials have what authority:

Microsoft Global Admin Microsoft Teams Service Admin & Skype Admin (both)  
Initial Enterprise Reg. YES NO
Setup Direct Routing YES NO
Setup/Manage PBX YES YES
Setup/Manage TM Users YES YES
Add/Delete Teams App YES NO
Setup/Manage End User Portal YES YES
Setup/Manage Feature Codes YES YES
  • Microsoft Global Admin must consent to the permissions listed at the top of this article to allow Microsoft Teams Connector to execute PowerShell commands on the organization's behalf.

If Global Admin does not consent on the organization's behalf, subsequent logins for non-Global Admin Users will fail.

 

Once Microsoft Global Admin has granted consent, logins by Teams Service Admin/Skype for Business Admin User to EPP will not be required to consent to further permissions.

 

With the release of Microsoft Teams Connector 2.6.0, Enterprise Admin can grant consent for the Reseller to perform Enterprise Provisioning actions.

Microsoft Teams Connector requires the Microsoft Global Admin to grant the Permissions shown and explained below.

Permissions

Purpose

Allow the Teams app to manage only its own tabs for all users. This allows a Teams app to read, install, upgrade, and uninstall its own tabs for any user without a signed-in user.
Allow the Teams app to manage only its own tabs for all teams. This allows a Teams app to read, install, upgrade, and uninstall its own tabs in any team without a signed-in user.
Read and write to all app catalogues. This allows the app to create, read, update, and delete apps in the app catalogues without a signed-in user.
Send a teamwork activity to any user. This allows the app to create new notifications in users' teamwork activity feeds without a signed-in user. These notifications may not be discoverable, held, or governed by compliance policies.
Read and write organization information. This allows the app to read and write the organization and related resources without a signed-in user. Related resources include subscribed SKUs and tenant branding information.
Read and write all users' full profiles. This allows the app to read and update user profiles without a signed-in user.
Read and write domains. This allows the app to read and write all domain properties without a signed-in user and to add, verify, and remove domains.
Read all users' teamwork activity feed. This allows the app to read all users' teamwork activity feed, without a signed-in user.
Deliver and manage all user's notifications. This allows the app to send, read, update, and delete users' notifications without a signed-in user.
Create channels. Create channels in any team, without a signed-in user.
Delete channels Delete channels in any team, without a signed-in user.
Read and write the names, descriptions, and settings of all channels. Read and write the names, descriptions, and settings of all channels, without a signed-in user.
Get a list of all teams. Get a list of all teams, without a signed-in user.
Read and change all teams' settings. Read and change all teams' settings, without a signed-in user.
Add and remove members from all channels. You can add and remove members from all channels without a signed-in user. You can also change a member's role, for example, from owner to non-owner.
Manage Teams apps for all teams. Allows the app to read, install, upgrade, and uninstall Teams apps in any team, without a signed-in user. Does not give the ability to read application-specific settings.
Manage Teams apps for all users. Allows the app to read, install, upgrade, and uninstall Teams apps for any user, without a signed-in user. Does not give the ability to read application-specific settings.
Allow the Teams app to manage itself for all teams. Allows a Teams app to read, install, upgrade, and uninstall itself in any team, without a signed-in user.
Allow the app to manage itself for all users. Allows a Teams app to read, install, upgrade, and uninstall itself to any user, without a signed-in user.
Create teams. Allows the app to create teams without a signed-in user. 
Add and remove members with non-owner role for all teams. Add and remove members from all teams, without a signed-in user. Does not allow adding or removing a member with the owner role. Additionally, does not allow the app to elevate an existing member to the owner role.
Sign in and read user profile. It allows users to sign in to the app and read their profiles and basic company information.

In the second step, the Enterprise Admin needs to grant consent to the Microsoft Teams Connector RBAC Management App. The permissions consented below are only used by the logged-in Enterprise Admin to set up the Enterprise Management grants requested in the first step. 

Was this article helpful?

Print to PDF