Security & Trust
      Back to home
      1. Help Center
      2. Security & Trust

      Decisions + Microsoft Graph permissions

      During the approval of the Decisions Azure AD enterprise application, you will be presented with a set of Microsoft Graph permissions you must approve. This article explains what permissions Decisions needs and how they are used.

       

      Decisions is built on top of Microsoft 365 and integrates closely with Microsoft 365 groups and user's calendars to provide features for preparing, running, and following up on structured meetings. All communication between end-user devices and your Microsoft 365 tenant goes direct — and is not routed through Decisions' server-side services.

      Please see the architecture and security overview for more technical details.


      Delegated Permissions


      The Microsoft Graph has two categories of permissions: application permissions and delegated permissions. Application permissions allow an app to act as any user, while delegated permission allows only signed-in users of the application.

      All permissions requested by Decisions are delegated permissions. Decisions runs as a single page application (SPA) in a browser sandbox on the end-user device. The permissions for the user of the app are limited by both Decisions Microsoft Graph permissions and the end user’s Microsoft 365 permissions.

      By using delegated permissions, users of Decisions will never get access to any resources they do not already have in your organization's Microsoft 365 tenant. For example, if a user does not have access to a Microsoft 365 group in your tenant, they will not get access to that through Decisions either — because Decisions only uses delegated permissions.

      Please refer to the Microsoft Graph permissions docs for more details on delegated permissions.

      Microsoft Graph Permissions


      The following sections detail each Microsoft Graph permission scope and how Decisions uses it.

      Send a teamwork activity as the user

      Allows the app to create new notifications in users' teamwork activity feeds on behalf of the signed in user. These notifications may not be discoverable or be held or governed by compliance policies.

      Read and write user chat messages

      Used for posting votes and to create speaker lists for individual agenda items in the Microsoft Teams meeting chat.

      Read and write all OneNote notebooks that users can access

      Used for setting up private notebooks for meeting attendees to take notes. It also allows meeting minutes to be saved within a shared OneNote notebook.

      Read user mailbox settings

      Used to identify a user’s language preferences.  

      Edit or delete items in all site collections

      Required for creating folders for meeting agendas and files for Private Channels.

      Read and write user and shared calendars

      Enable users with delegate access or users with shared calendar access to create and manage agendas on calendars they have access to.
      Sign in and read users profile

      Used to sign in to Decisions.

      Read all users' basic profiles

      Used for displaying first names, last names, photos, and email addresses of group members and external participants.

      Read and write all groups

      Used for creating folders in the Office 365 Group’s SharePoint site for meeting agendas, related files, and group conversations. 

      Note: Users of Decisions will never get access to any resources (for example, teams, private channels, or groups) they do not already have access to in your organization's Office 365 tenant. 

      Send mail as a user
      Used to allow users of Decisions to send meeting participants notifications, such as agenda updates and links to the meeting for co-authors. Emails go to meeting participants or to the distribution list selected by the meeting owner. All notifications and emails sent are actively done so by the Decisions users.

      Note: This permission does not give access to the content of the user's inbox.
      It can only be used for sending emails. 

      Have full access to user calendars
      Used to display and update basic information from a user’s calendar such as meeting subjects, dates, times, and participants.

      Have full access to user files
      Provide users with support for personal file annotations. Annotated files are stored privately in the user’s OneDrive for Business.

      Read all files that user can access
      Used to read files that are shared with the user to merge those files into the PDF Meeting Book.

      Create, edit, and delete items and lists in site collection

      Used for managing the SharePoint lists that contain voting comments.

      Send channel messages

      Used to allow users of Decisions to send meeting participants notifications, such as agenda updates in a Teams channel.

      Create tabs in Microsoft Teams

      Used to add the Meeting App and/or Channel tab in Teams.

      Read Tabs in Microsoft Teams
      Used to check if the Meeting App and/or Channel Tab is installed.

      Read the names and description of teams

      Read the names and descriptions of teams, on behalf of the signed-in user.

      Read the names and description of channels

      Read channel names and channel descriptions, on behalf of the signed-in user.

      Read the members of channels

      Read the members of channels, on behalf of the signed-in user.

      Manage installed Teams apps in Chats

      Used to manage Decisions Bot in chats

      Create, read, update and delete user's tasks and task lists 
      Used for syncing tasks and decisions to Microsoft Planner, and for exporting tasks and decisions to Excel.

      Allow the Teams app to manage all tabs in chats

      Required to automatically install the Decisions App into the meeting chat before adding the Decisions Tab to the in-meeting experience.

      Read directory data
      Used for accessing basic information about the Office 365 tenant upon registration, such as tenant name and verified domains. It is also necessary for verifying group memberships.

       
       

      Approving the Decisions app

      When approving permissions for yourself or your organization through the web you will be presented with a dialogue similar to this:

      Please refer to the Microsoft Graph Permissions reference for full details on what permissions scopes grants access to what, as well as a full explainer from Microsoft on app permissions and admin consent.

       

       

      Optional Microsoft Graph Permission

      Decisions also allow customers to approve optional Graph Permission scopes. These scopes are related to specific features that might not be applicable for all customers. These scopes can be approved from the Decisions Admin Portal

      Read and write user's app management data
      Used for integrating the "Meetings by Decisions" mobile app with the Intune Mobile Application Management system. Allowing IT admins to configure security and privacy polices from Intune in the "Meetings by Decisions" mobile iOS/Android app. 

      Read user's online meetings

      Allows the app to read online meeting details on behalf of the signed-in user.

      Read all transcripts of online meetings

      Allows the app to read all transcripts of online meetings, on behalf of the signed-in user.

      Used for retrieving the transcript of online meetings programmatically, and used for creating links and summaries in Meeting Recap functionality.

      Read user channel messages

      Allows an app to read a channel's messages in Microsoft Teams, on behalf of signed-in user. 

      Used to provide standard functionality for sharing and posting agenda, agenda summary, and comments for meetings created as Channel Meetings.