During approval of the Decisions Azure AD enterprise application, you are presented with a set of Microsoft Graph permissions. This article explains what permissions Decisions requests and what they are used for.
Decisions is built on top of Office 365 and integrates tightly with Office 365 groups and the user's calendars to provide features related to preparing, running and following up on structured meetings. All communication between end-user devices and your Office 365 tenant goes directly to the tenant and is not routed through Decisions server-side services. Please see the architecture and security overview for more details.
The Microsoft Graph exposes two categories of permissions: application permissions and delegated permissions. Application permissions allow an app to act as any user, while delegated permissions only allow the app to act on behalf of the signed-in user.
All permissions requested by Decisions are delegated permissions. Decisions runs as a single page application (SPA) in a browser sandbox on the end-user device. The permissions of the app's user are limited by both the Microsoft Graph permissions granted to Decisions and the end-user's own Office 365 permissions.
By using delegated permissions, users of Decisions will never get access to any resources they do not already have access to in your organization's Office 365 tenant. For example, if a user does not have access to an Office 365 group in your tenant, they will not get access to that through Decisions either - because Decisions only uses delegated permissions.
Please refer to the Microsoft Graph permissions documentation for more details on delegated permissions.
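The distinction above is something an administrator can verify rather than take on trust: in Azure AD, delegated consent is recorded as oauth2PermissionGrant objects (whose `scope` field is a space-separated scope list), application permissions as appRoleAssignment objects, and an issued Graph access token carries delegated scopes in its `scp` claim and application permissions in its `roles` claim. The following Python is an editor-added example, not code from Decisions or Microsoft. It audits constructed consent records against an allowlist and classifies a token by its claims. The allowlist maps the permission display names from this page to Graph scope identifiers; that mapping is the editor's assumption, not a statement from the page, and all sample records and tokens are constructed.

```python
"""
Audit an Azure AD enterprise application's Microsoft Graph consent: every grant
must be delegated (no appRoleAssignments) and every scope must be on the
documented allowlist.  Editor-added example; all records below are constructed
to resemble Graph API output and are not real tenant data.
"""
import base64
import json

# Documented delegated scopes, mapped by the editor from the display names on
# this page to Graph scope identifiers (assumed mapping, not from the page).
DOCUMENTED_SCOPES = {
    "Notes.ReadWrite.All",   # Read and write all OneNote notebooks that users can access
    "MailboxSettings.Read",  # Read user mailbox settings
    "User.Read",             # Sign in and read user profile
    "User.ReadBasic.All",    # Read all users' basic profiles
    "Group.ReadWrite.All",   # Read and write all groups
    "Chat.ReadWrite",        # Read and write user chat messages
    "Mail.Send",             # Send mail as a user
    "Calendars.ReadWrite",   # Have full access to user calendars
    "Files.ReadWrite",       # Have full access to user files
    "Files.Read.All",        # Read all files that user can access
    "Tasks.ReadWrite",       # Create, read, update and delete user tasks and projects
    "Directory.Read.All",    # Read directory data
}


def audit_consent(grants, app_role_assignments, allowed=DOCUMENTED_SCOPES):
    """Return a list of findings; an empty list means consent matches the docs.

    grants: oauth2PermissionGrant records (delegated consent); 'scope' is a
    space-separated list of scopes.
    app_role_assignments: appRoleAssignment records (application permissions);
    any entry is a finding, because the app should hold delegated access only.
    """
    findings = []
    for ara in app_role_assignments:
        findings.append(f"application permission granted: appRoleId={ara.get('appRoleId')}")
    for g in grants:
        granted = set(g.get("scope", "").split())
        for scope in sorted(granted - allowed):
            findings.append(f"undocumented delegated scope {scope} (consentType={g.get('consentType')})")
    return findings


def token_permission_kind(jwt_compact):
    """Classify an access token as 'delegated', 'application', 'mixed' or 'none'.

    Azure AD puts delegated scopes in the 'scp' claim and application
    permissions in the 'roles' claim.  Only the payload is decoded here; this is
    a claim inspection for auditing, not signature validation.
    """
    payload_b64 = jwt_compact.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    has_scp = bool(claims.get("scp"))
    has_roles = bool(claims.get("roles"))
    if has_scp and has_roles:
        return "mixed"
    return "delegated" if has_scp else "application" if has_roles else "none"


# Constructed sample data (not from a real tenant): one delegated grant that
# includes a scope this page does not document, plus one application role.
SAMPLE_GRANTS = [{
    "clientId": "00000000-0000-0000-0000-000000000001",
    "consentType": "AllPrincipals",
    "resourceId": "00000000-0000-0000-0000-000000000002",
    "scope": "User.Read Calendars.ReadWrite Files.Read.All Mail.ReadWrite",
}]
SAMPLE_APP_ROLES = [{"appRoleId": "00000000-0000-0000-0000-0000000000aa"}]


def _fake_jwt(claims):
    """Build an unsigned three-part token string for the demo (constructed)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.signature"


SAMPLE_DELEGATED_TOKEN = _fake_jwt({"aud": "https://graph.microsoft.com",
                                    "scp": "User.Read Calendars.ReadWrite"})
SAMPLE_APP_TOKEN = _fake_jwt({"aud": "https://graph.microsoft.com",
                              "roles": ["Mail.Read"]})

if __name__ == "__main__":
    for finding in audit_consent(SAMPLE_GRANTS, SAMPLE_APP_ROLES):
        print("FINDING:", finding)
    print(token_permission_kind(SAMPLE_DELEGATED_TOKEN))  # delegated
    print(token_permission_kind(SAMPLE_APP_TOKEN))        # application
```

In a real tenant the two record lists would come from the Graph endpoints for oauth2PermissionGrants and appRoleAssignments of the Decisions service principal; the audit then confirms two things at once, that no application permission has crept in and that the delegated scopes match what this page documents.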
Microsoft Graph Permissions
The following sections detail each Microsoft Graph permission scope and how Decisions uses it.
Read and write all OneNote notebooks that users can access
Used to set up private notebooks for meetings to take notes and prepare remarks and questions. It also allows group meeting minutes to be stored within the group's shared OneNote notebook, should the group opt to use OneNote.
Read user mailbox settings
Used to identify a user’s language preferences.
Sign in and read user profile
Used to sign in to Decisions.
Read all users' basic profiles
Used to display first and last name, photo and email address of group members and external participants.
Read and write all groups
Used to create folder structures in the Office 365 Group’s SharePoint site for meeting agendas, related files and group conversations.
Note: Users of Decisions will never get access to any resources (for example, groups) they do not already have access to in your organization's Office 365 tenant.
Read and write user chat messages
Used to send decisions for voting and create speaker lists for individual agenda items directly to the Microsoft Teams meeting chat.
Send mail as a user
Used to allow users of Decisions to send meeting participants notifications, such as agenda updates and links to the meeting for co-authors. Emails go to meeting participants or to the distribution list selected by the meeting owner. All notifications and emails sent are actively done so by the Decisions users.
Note: This does not give the user access to their inbox through Decisions.
Have full access to user calendars
Used to read information from the user’s calendar to enable features like the meeting list and search. It also gives the user an option to delete specific meetings from the calendar when the item is deleted from Decisions.
Have full access to user files
Used to provide users with support for personal file annotations. Annotated files are stored privately in the user’s OneDrive for Business.
Read all files that user can access
Used to read files that are shared with the user in order to merge those files into the PDF Meeting Book.
Create, read, update and delete user tasks and projects
Used to sync tasks and decisions to Microsoft Planner. It also allows users to export tasks and decisions to Excel.
Read directory data
Used to gather basic information about the Office 365 tenant when registered, such as tenant name and verified domains. It is also necessary for verifying group memberships.
When approving permissions through the web you will be presented with a dialog similar to this:
Please refer to the Microsoft Graph Permissions reference for full details on what access each permission scope grants.