Microsoft 365 Access Requirements

You will need an Azure app (Microsoft Entra ID) to assign these permissions. How you create one depends on your deployment method:

| Method | Use When | Limitations | Guide |
| --- | --- | --- | --- |
| App Store | US commercial tenant with a single Moveworks deployment. If you plan to add additional environments (e.g. a sandbox) in the future, use the Non-App Store method instead — the App Store can only be used once per tenant. | US commercial data centers only. One bot per Microsoft tenant. | AI Assistant in Microsoft 365 (MS Teams + MS Graph) Access Requirements |
| Non-App Store (Custom App) | Multiple Moveworks deployments on one tenant, non-US regions, or GCC High | Requires manual app registration and more configuration steps | AI Assistant in Microsoft Teams (Non-App Store) Setup Guide |
| App Registration Only | Configuring Microsoft Graph access for Groups, InTune, or SharePoint — without a Teams bot deployment | Not for Teams bot setup | Creating a Microsoft App Registration for Moveworks |

All permissions on this page must be configured as Application Permissions.

To Identify and Talk to Users (mandatory when deploying Microsoft Teams Bot)

Moveworks creates an offline index of all users so that we can message end users proactively. We use the Microsoft Graph API to get this information. If you are using Microsoft Teams as the chat platform, the same app ID can be used for all the permissions listed below.

Microsoft Graph API Scopes for Teams

  • User.Read.All — Allows Moveworks to read all user attributes such as email and Microsoft Entra ID
  • TeamsAppInstallation.ReadWriteSelfForUser.All — Allows Moveworks to install itself for all users

To Manage Groups (mandatory when deploying Access Groups functionality)

If you use Microsoft 365 to manage email groups, Moveworks creates an offline index of all groups using the Microsoft Graph API so that all “Add users to distribution list” operations are done instantaneously. If a user creates a distribution list in the bot, Moveworks creates that list and immediately appends it to the day’s index, so users can add members to it right away.

Microsoft Graph API Scopes for Groups

  • Group.ReadWrite.All — Allows Moveworks to add users to existing Microsoft 365 groups and create new groups
  • User.Read.All — Allows Moveworks to read all user attributes such as email and Microsoft Entra ID

To Manage Devices and Apps (optional)

If you have an InTune company portal where users can access endpoints to push applications to their devices, Moveworks can serve these links.

Microsoft Graph API Scopes for InTune

  • DeviceManagementApps.Read.All — Allows Moveworks to read application data for InTune apps

To Read SharePoint Online Sites (optional)

  • Sites.Read.All — Allows Moveworks to read pages from SharePoint Online sites
  • Sites.Selected — Allows Moveworks to read pages from selected SharePoint Online sites. See here for more details on how to grant access using Sites.Selected.
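
A least-privilege check for the permission lists above, added here as an example (not Moveworks or Microsoft code). It assumes that an app-only access token for Microsoft Graph carries its granted application permissions in the `roles` claim, while delegated scopes appear in `scp`; the feature labels and the sample token are constructed for the demo.

```python
import base64
import json

# Application permissions named on this page, grouped by feature.
# The feature keys are labels chosen for this example.
PAGE_PERMISSIONS = {
    "teams": {"User.Read.All", "TeamsAppInstallation.ReadWriteSelfForUser.All"},
    "groups": {"Group.ReadWrite.All", "User.Read.All"},
    "intune": {"DeviceManagementApps.Read.All"},
    "sharepoint_all": {"Sites.Read.All"},
    "sharepoint_selected": {"Sites.Selected"},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Build a constructed JWT-shaped string with a placeholder signature."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig"

def token_claims(jwt: str) -> dict:
    """Decode the payload only. No signature check: this is a config
    audit of your own app's token, never an authorization decision."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit(jwt: str, features: list[str]) -> dict:
    """Compare granted permissions with those the deployed features need."""
    claims = token_claims(jwt)
    expected = set().union(*(PAGE_PERMISSIONS[f] for f in features))
    granted = set(claims.get("roles", []))
    return {
        "missing": sorted(expected - granted),
        "excess": sorted(granted - expected),
        # An scp claim means delegated scopes, not application permissions.
        "delegated": "scp" in claims,
    }

# Constructed sample: Teams + Groups deployment with one unneeded grant.
SAMPLE = make_sample_token({"roles": [
    "User.Read.All", "Group.ReadWrite.All", "Sites.Read.All"]})

if __name__ == "__main__":
    print(audit(SAMPLE, ["teams", "groups"]))
```

An entry under `excess` is a grant that no deployed feature on this page requires and is a candidate for removal from the app registration.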