Decisions + Microsoft Graph permissions

During the approval of the Decisions Azure AD enterprise application, you will be presented with a set of Microsoft Graph permissions you must approve. This article explains what permissions Decisions needs and how they are used.

Decisions is built on top of Microsoft 365 and integrates closely with Microsoft 365 groups and users' calendars to provide features for preparing, running, and following up on structured meetings. All communication between end-user devices and your Microsoft 365 tenant goes direct and is not routed through Decisions' server-side services.

Please see the architecture and security overview for more technical details.

Delegated Permissions


Microsoft Graph has two categories of permissions: application permissions and delegated permissions. Application permissions allow an app to act as any user, while delegated permissions allow the app to act only on behalf of its signed-in users.

All permissions requested by Decisions are delegated permissions. Decisions runs as a single page application (SPA) in a browser sandbox on the end-user device. The permissions for the user of the app are limited by both Decisions' Microsoft Graph permissions and the end user’s Microsoft 365 permissions.

By using delegated permissions, users of Decisions will never get access to any resources they do not already have in your organization's Microsoft 365 tenant. For example, if a user does not have access to a Microsoft 365 group in your tenant, they will not get access to that through Decisions either — because Decisions only uses delegated permissions.

Please refer to the overview of Microsoft Graph permissions for more details on delegated permissions.

Microsoft Graph Permissions


The following section details each Microsoft Graph permission scope and how Decisions uses it. Note: While we strive to maintain the accuracy of this page, descriptions of scope activities and permissions may change from time to time. For the most accurate descriptions, please visit the Microsoft Graph permissions resource.

Send a teamwork activity as the user (TeamsActivity.Send)

Scope detail: Allows the app to create new notifications in users' teamwork activity feeds on behalf of the signed in user. These notifications may not be discoverable or be held or governed by compliance policies.

Decisions usage: Used to send notifications to users about updates to the agenda, tasks, and meeting minutes, ensuring that all participants are kept informed with the latest information.

Read and write user chat messages (Chat.ReadWrite)

Scope detail: Allows an app to read and write 1-on-1 or group chat threads, on behalf of the signed-in user.

Decisions usage: Allows the user to comment on agenda items as well as manage and update meeting-related chat messages in Microsoft Teams. Also used for posting votes and to create speaker lists for individual agenda items in the Microsoft Teams meeting chat. 

Read and write all OneNote notebooks that user can access (Notes.ReadWrite.All)

Scope detail: Allows the app to read, share, and modify OneNote notebooks that the signed-in user has access to in the organization.

Decisions usage: Used for setting up private notebooks for meeting attendees to take notes. It also allows meeting minutes to be saved within a shared OneNote notebook, integrating meeting notes and agendas with OneNote.

Read user mailbox settings (MailboxSettings.Read)

Scope detail: Allows the app to read the user's mailbox settings. Does not include permission to send mail.

Decisions usage: Used to identify the user’s language and locale preferences.

Edit or delete items in all site collections (Sites.ReadWrite.All)

Scope detail: Allows the application to edit or delete documents and list items in all site collections on behalf of the signed-in user.

Decisions usage: Used to manage and update agenda and meeting folders and documents stored in SharePoint site collections, as well as managing items in the decision log.

Read and write user and shared calendars (Calendars.ReadWrite.Shared)

Scope detail: Allows the app to create, read, update and delete events in all calendars in the organization that the user has permissions to access. This includes delegate and shared calendars.

Decisions usage: Enables users with delegate access or shared calendar access to create and manage agendas on calendars they have access to.

Sign in and read user profile (User.Read)

Scope detail: Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.

Decisions usage: Used to sign in to Decisions, authenticate users, and personalize their meeting experience.

Read all users' basic profiles (User.ReadBasic.All)

Scope details: Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address and photo.

Decisions usage: Used for displaying first names, last names, photos, and email addresses of group members and external participants in meeting agendas and minutes.

Read and write all groups (Group.ReadWrite.All)

Scope details: Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Additionally allows group owners to manage their groups and allows group members to update group content.

Decisions usage: Used for creating folders and managing files in the Team/Office 365 Group’s SharePoint site for meeting agendas, related files, and group conversations. 

Note: Users of Decisions will never get access to any resources (for example, teams, private channels, or groups) they do not already have access to in your organization's Office 365 tenant. 

Send mail as a user (Mail.Send)

Scope details: Allows the app to send mail as users in the organization.

Decisions usage: Used to allow users of Decisions to send meeting participants notifications, such as agenda updates and links to the meeting for co-authors. Emails go to meeting participants or to the distribution list selected by the meeting owner. All notifications and emails sent are interactively sent by the Decisions users.

Note: This permission does not give access to the content of the user's inbox. It can only be used for sending emails. 

Have full access to user calendars (Calendars.ReadWrite)

Scope details: Allows the app to create, read, update, and delete events in user calendars.

Decisions usage: Used to display and update basic information from a user’s calendar, such as meeting subjects, dates, times, and participants.

Have full access to user files (Files.ReadWrite)

Scope details: Allows the app to read, create, update and delete the signed-in user's files.

Decisions usage: Provides users with support for personal file annotations and storing agendas and meeting files within OneDrive. Files are stored privately in the user’s OneDrive for Business.

Read all files that user can access (Files.Read.All)

Scope details: Allows the app to read all files the signed-in user can access.

Decisions usage: Used to read files that are shared with the user to merge those files into the PDF Meeting Book, ensuring all relevant documents are included.

Read user channel messages (ChannelMessage.Read.All)

Scope details: Allows an app to read a channel's messages in Microsoft Teams, on behalf of the signed-in user.

Decisions usage: Used to manage notifications and comments for meetings created as Channel Meetings. 

Create, edit, and delete items and lists in all site collections (Sites.Manage.All)

Scope details: Allows the application to create or delete document libraries and lists in all site collections on behalf of the signed-in user.

Decisions usage: Used for managing the SharePoint lists that contain the decisions log and voting comments.

Send channel messages (ChannelMessage.Send)

Scope details: Allows an app to send channel messages in Microsoft Teams, on behalf of the signed-in user.

Decisions usage: Used to allow users of Decisions to send meeting participants notifications, such as agenda updates in a Teams channel.

Create tabs in Microsoft Teams (TeamsTab.Create)

Scope details: Allows the app to create tabs in any team in Microsoft Teams, on behalf of the signed-in user. This does not grant the ability to read, modify or delete tabs after they are created, or give access to the content inside the tabs.

Decisions usage: Used to add the app to a channel tab in Teams.

Read Tabs in Microsoft Teams (TeamsTab.Read.All)

Scope details: Read the names and settings of tabs inside any team in Microsoft Teams, on behalf of the signed-in user. This does not give access to the content inside the tabs.

Decisions usage: Used to check if the app channel tab is installed.

Read the names and description of teams (Team.ReadBasic.All)

Scope details: Read the names and descriptions of teams, on behalf of the signed-in user.

Decisions usage: Used to list and categorize teams involved in meetings.

Read the names and description of channels (Channel.ReadBasic.All)

Scope details: Read channel names and channel descriptions, on behalf of the signed-in user.

Decisions usage: Used to identify and display channel info.

Read the members of channels (ChannelMember.Read.All)

Scope details: Read the members of channels, on behalf of the signed-in user.

Decisions usage: Used to identify and display channel members.

Manage Teams apps for all chats (TeamsAppInstallation.ReadWriteForChat)

Scope details: Allows the app to read, install, upgrade, and uninstall Teams apps in any chat, without a signed-in user. Does not give the ability to read application-specific settings.

Decisions usage: Used to manage the Decisions Bot in chats.

Create, read, update, and delete user's tasks and task lists (Tasks.ReadWrite)

Scope details: Allows the app to create, read, update, and delete the signed-in user's tasks and task lists, including any shared with the user.

Decisions usage: Used for syncing tasks and decisions to Microsoft Planner, and for exporting tasks and decisions to Excel.

Allow the Teams app to manage all tabs in chats (TeamsTab.ReadWriteForChat)

Scope details: Allows a Teams app to read, install, upgrade, and uninstall all tabs in chats the signed-in user can access.

Decisions usage: Required to install the Decisions App into the meeting chat.

Read directory data (Directory.Read.All)

Scope details: Allows the app to read data in your organization's directory, such as users, groups and apps.

Decisions usage: Used for accessing basic information about the Office 365 tenant upon registration, such as tenant name and domain. It is also necessary for verifying group memberships.

 
 Approving the Decisions app

When approving permissions for yourself or your organization through the web you will be presented with a dialogue similar to this:

[Image: Decisions Enterprise App Permissions Scopes 2024]

Please refer to the Microsoft Graph Permissions reference for full details on which permission scopes grant access to what, as well as a full explainer from Microsoft on app permissions and admin consent.
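A post-consent check, as an added example that is not part of Decisions' own documentation or code: it compares the delegated grants recorded for an enterprise application against the scopes listed on this page and confirms that no application permissions were assigned. The sample grant objects, the "sp-decisions-placeholder" and "user-1" ids, and the audit function name are constructed for illustration; the field names follow the Microsoft Graph oauth2PermissionGrant and appRoleAssignment resources.

```python
import json

# Core delegated scopes listed on this page; Intune and Decisions AI scopes are optional.
DOCUMENTED = set("""TeamsActivity.Send Chat.ReadWrite Notes.ReadWrite.All MailboxSettings.Read
Sites.ReadWrite.All Calendars.ReadWrite.Shared User.Read User.ReadBasic.All Group.ReadWrite.All
Mail.Send Calendars.ReadWrite Files.ReadWrite Files.Read.All ChannelMessage.Read.All
Sites.Manage.All ChannelMessage.Send TeamsTab.Create TeamsTab.Read.All Team.ReadBasic.All
Channel.ReadBasic.All ChannelMember.Read.All TeamsAppInstallation.ReadWriteForChat
Tasks.ReadWrite TeamsTab.ReadWriteForChat Directory.Read.All""".split())
OPTIONAL = {"DeviceManagementApps.ReadWrite.All", "OnlineMeetings.ReadWrite",
            "OnlineMeetingTranscript.Read.All", "People.Read", "Mail.Read"}

# Constructed sample of what GET /servicePrincipals/{id}/oauth2PermissionGrants returns.
SAMPLE_GRANTS = json.loads("""[
 {"clientId": "sp-decisions-placeholder", "consentType": "AllPrincipals", "principalId": null,
  "scope": "User.Read Mail.Send Calendars.ReadWrite Mail.Read Mail.ReadWrite"},
 {"clientId": "sp-decisions-placeholder", "consentType": "Principal", "principalId": "user-1",
  "scope": " People.Read "}
]""")
# Constructed sample of GET /servicePrincipals/{id}/appRoleAssignments (application permissions).
SAMPLE_APP_ROLES = []


def audit(grants, app_role_assignments):
    """Summarize granted delegated scopes against the documented list."""
    granted, per_user = set(), {}
    for g in grants:
        # The scope property is a space-separated string and may carry stray whitespace.
        scopes = set((g.get("scope") or "").split())
        granted |= scopes
        if g.get("consentType") == "Principal":  # consent given by one user, not tenant-wide
            per_user.setdefault(g.get("principalId"), set()).update(scopes)
    return {
        "unexpected": sorted(granted - DOCUMENTED - OPTIONAL),   # not on this page: review
        "optional_enabled": sorted(granted & OPTIONAL),          # Intune / Decisions AI scopes
        "not_granted": sorted(DOCUMENTED - granted),             # documented but not consented
        "per_user_consent": {u: sorted(s) for u, s in per_user.items()},
        # The page states every permission is delegated, so this list should be empty.
        "application_permissions": [a.get("appRoleId") for a in app_role_assignments],
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_GRANTS, SAMPLE_APP_ROLES), indent=2))
```

Any entry under "unexpected" or "application_permissions" is a grant this page does not describe and is worth reviewing before leaving consent in place.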

Microsoft Intune Permissions (Optional)


Decisions integrates with Microsoft Intune to enable device management. The following scope needs to be approved for Microsoft Intune to be enabled.

Read and write user's app management data (DeviceManagementApps.ReadWrite.All)

Scope details: Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune.

Decisions usage: Used for integrating the "Meetings by Decisions" mobile app with the Intune Mobile Application Management system, allowing IT admins to configure security and privacy policies from Intune in the "Meetings by Decisions" mobile iOS/Android app.

Decisions AI Permissions (Optional)


Decisions AI enhances meeting productivity by leveraging artificial intelligence to provide insights and manage meeting-related data. To operate effectively, Decisions AI requires permissions to access and manage online meetings, transcripts, and user information, ensuring seamless integration with Microsoft 365. These scopes can be approved from the Decisions Admin Portal.

Read and create user's online meetings (OnlineMeetings.ReadWrite)

Scope details: Allows the app to read and create online meetings on behalf of the signed-in user.

Decisions usage: Used to manage online meetings on behalf of the signed-in user, including scheduling and managing participants.

Read all transcripts of online meetings (OnlineMeetingTranscript.Read.All)

Scope details: Allows the app to read all transcripts of online meetings, on behalf of the signed-in user.

Decisions usage: Used for retrieving the transcript of online meetings programmatically, and used for creating links and summaries in Meeting Recap & AI Minutes functionality.

Read users' relevant people lists (People.Read)

Scope details: Allows the app to read a ranked list of relevant people of the signed-in user. The list includes local contacts, contacts from social networking, your organization's directory, and people from recent communications (such as email and Skype).

Decisions usage: Used for retrieving relevant contacts when suggesting matches in AI-based meeting scheduling.

Optional - Read user mail (Mail.Read)

Scope details: Allows the app to read the signed-in user's mailbox.

Decisions usage: Used for AI features for meeting briefs and agendas.