During the approval of the Decisions Azure AD enterprise application, you will be presented with a set of Microsoft Graph permissions. This article explains what permissions Decisions needs and how they are used.
Decisions is built on top of Office 365 and integrates closely with Office 365 groups and the user's calendars to provide features related to preparing, running, and following up on structured meetings. All communication between end-user devices and your Office 365 tenant goes directly - and not routed through - Decisions' server-side services.
Please see the architecture and security overview for more details.
The Microsoft Graph has two categories of permissions: application permissions and delegated permissions. Application permissions allow an app to act as any user, while delegated permission allows only signed-in users of the application.
All permissions requested by Decisions are delegated permissions. Decisions runs as a single page application (SPA) in a browser sandbox on the end-user device. The permissions for the user of the app are limited by both Decisions Microsoft Graph permissions and the end user’s Office 365 permissions.
By using delegated permissions, users of Decisions will never get access to any resources they do not already have in your organization's Office 365 tenant. For example, if a user does not have access to an Office 365 group in your tenant, they will not get access to that through Decisions either - because Decisions only uses delegated permissions.
Please refer to the Microsoft Graph permissions docs for more details on delegated permissions.
Microsoft Graph Permissions
The following sections detail each Microsoft Graph permission scope and how Decisions uses it.
Read and write user chat messages
Used for posting votes and to create speaker lists for individual agenda items in the Microsoft Teams meeting chat.
Read and write all OneNote notebooks that users can access
Used for setting up private notebooks for meeting attendees to take notes. It also allows meeting minutes to be saved within a shared OneNote notebook.
Edit or delete items in all site collections
Required for creating folders for meeting agendas and files for Private Channels.
Read and write user and shared calendars
Enable users with delegate access or users with shared calendar access to create and manage agendas on calendars they have access to.
Read user mailbox settings
Used to identify a user’s language preferences.
Sign in and read users profile
Used to sign in to Decisions.
Read all users' basic profiles
Used for displaying first names, last names, photos, and email addresses of group members and external participants.
Read and write all groups
Used for creating folders in the Office 365 Group’s SharePoint site for meeting agendas, related files, and group conversations.
Note: Users of Decisions will never get access to any resources (for example, teams, private channels, or groups) they do not already have access to in your organization's Office 365 tenant.
Send mail as a user
Used to allow users of Decisions to send meeting participants notifications, such as agenda updates and links to the meeting for co-authors. Emails go to meeting participants or to the distribution list selected by the meeting owner. All notifications and emails sent are actively done so by the Decisions users.
Note: This permission does not give access to the content of the user's inbox. It can only be used for sending emails.
Have full access to user calendars
Used to display and update basic information from a user’s calendar such as meeting subjects, dates, times, and participants.
Have full access to user files
Provide users with support for personal file annotations. Annotated files are stored privately in the user’s OneDrive for Business.
Read all files that user can access
Used to read files that are shared with the user to merge those files into the PDF Meeting Book.
Create, edit, and delete items and lists in site collection
Used for managing the SharePoint lists that contain voting comments.
Send channel messages
Used to allow users of Decisions to send meeting participants notifications, such as agenda updates in a Teams channel.
Create tabs in Microsoft Teams
Used to add the Meeting App and/or Channel tab in Teams.
Read Tabs in Microsoft Teams
Used to check if the Meeting App and/or Channel Tab is installed.
Manage installed Teams apps in Chats
Used to manage Decisions Bot in chats
Create, read, update and delete user's tasks and task lists
Used for syncing tasks and decisions to Microsoft Planner, and for exporting tasks and decisions to Excel.
Allow the Teams app to manage all tabs in chats
Required to automatically install the Decisions App into the meeting chat before adding the Decisions Tab to the in-meeting experience.
Read directory data
Used for accessing basic information about the Office 365 tenant upon registration, such as tenant name and verified domains. It is also necessary for verifying group memberships.
Approving Decisions app
When approving permissions through the web you will be presented with a dialogue similar to this:
Please refer to the Microsoft Graph Permissions reference for full details on what permissions scopes grants access to what.