Microsoft Graph Permissions (Office 365) Access Requirements

Microsoft Graph Permissions (for Office 365)

You will need an Azure app (Microsoft Entra ID) to assign the access.

If you do not have one, please follow the instructions here to create one.

To identify and talk to Users (mandatory when deploying Microsoft Teams Bot):

Moveworks creates an offline index of all users so that we can message end users proactively. We use the Microsoft Graph API to get this information. If you are using Microsoft Teams as the chat platform, the same app ID can be used for all the permissions listed below.


The permissions must be set as "Application Permissions".

MS Graph API Scopes for Teams:

  • User.Read.All - Allows Moveworks to read all user attributes, such as email and Azure AD ID
  • TeamsAppInstallation.ReadWriteSelfForUser.All - Allows the Moveworks Bot to install itself for all users

To Manage Groups (mandatory when deploying Access Groups functionality):

If you use Office 365 to manage email groups, we use the Microsoft Graph API to create an offline index of all groups so that all "Add users to distribution list" operations are done instantaneously. If a user creates a distribution list (DL) in the bot, we send a command to create that DL and then append it to the day's index of distribution groups, so the user can immediately add users to that DL.

MS Graph API Scopes for Office 365:

  • Group.ReadWrite.All - Allows Moveworks to add users to existing MS Graph groups and create new MS Graph groups
  • User.Read.All - Allows Moveworks to read all user attributes, such as email and Azure AD ID

To Manage Devices and Apps (optional)

If you have an Intune company portal where users can access endpoints to push applications to their devices, Moveworks can serve these links.

MS Graph API Scopes for Intune Company Portal App Links:

  • DeviceManagementApps.Read.All - Allows Moveworks to read application data for Intune apps

To Read SharePoint Online Sites (optional)

  • Sites.Read.All - Allows Moveworks to read pages from SharePoint Online sites
  • Sites.Selected - Allows Moveworks to read pages from selected SharePoint Online sites
    • See here for more details on how to grant access using Sites.Selected.
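
Application permissions that have been granted to an app appear in the `roles` claim of its app-only access token, so the list above can be checked against what the app actually holds. The following is an added example, not Moveworks code: it compares a token's roles with the permissions this page documents for the features you enabled and reports anything missing or beyond that list. The feature names, the sample token, and the treatment of the two Sites permissions as alternatives are assumptions of the example.

```python
import base64
import json

# Application permissions listed on this page, grouped by feature (names are this example's).
# mode "all": every permission is needed; mode "any": one of them suffices.
# Treating the two Sites.* permissions as alternatives is this example's assumption.
DOCUMENTED = {
    "teams_bot": ("all", {"User.Read.All", "TeamsAppInstallation.ReadWriteSelfForUser.All"}),
    "access_groups": ("all", {"Group.ReadWrite.All", "User.Read.All"}),
    "intune_links": ("all", {"DeviceManagementApps.Read.All"}),
    "sharepoint": ("any", {"Sites.Read.All", "Sites.Selected"}),
}


def token_roles(jwt: str) -> set:
    """Read the 'roles' claim of an app-only token (signature not verified; audit use only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))


def audit(granted: set, features: list) -> dict:
    """Compare granted roles with what the enabled features call for."""
    missing, allowed = set(), set()
    for name in features:
        mode, perms = DOCUMENTED[name]
        allowed |= perms
        if mode == "all":
            missing |= perms - granted
        elif not perms & granted:
            missing.add(" or ".join(sorted(perms)))
    return {"missing": sorted(missing), "unexpected": sorted(granted - allowed)}


def sample_token(roles: list) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"roles": roles}), "sig"])


if __name__ == "__main__":
    tok = sample_token(["User.Read.All", "Group.ReadWrite.All", "Sites.Read.All"])
    print(audit(token_roles(tok), ["teams_bot", "access_groups"]))
```

An entry under "unexpected" means the app holds a permission that none of the enabled features on this page calls for and is a candidate for removal.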