Tenant Admins: Please read carefully
Permissions described on this page are needed for daily operation of Nimbus and affiliated apps and components. Before you start your Nimbus Installation, please read the following page carefully to get a clear understanding on which delegated / app permissions are used to establish Nimbus functionality on your tenant.
🔎 Nimbus uses Microsoft Graph to authenticate users and retrieve data via user-delegated and direct app-only permissions. You can learn more about this principle within the official Microsoft Graph Documentation.
Permissions for Service Provisioning
When Provisioning new services via our PowerShell script, the following components get permissions granted automatically:
| Component | When are permissions granted | Purpose / Usage Scenario |
|---|---|---|
| Nimbus App | on each run of the script | Retrieves information about MS Teams users, their team memberships and roles, group memberships, and presence states |
| Calling Bot | on each run of the script | Responsible for the service calls (regardless of team/workflow configuration). Handles all Nimbus call related Workflow Activities and their actions during a call (e.g. Answer, Play Prompts, Decline, Hang-up, Invite) |
| Media Bot | on each run of the script | Handles text and voice related call actions during a session (e.g. Record Voice Messages, Transcription of Calls). |
| Chat Bot | in User Preferences (Portal) once by the user to register with the bot. No additional permissions are needed. | Relays service-related chat messages via Adaptive Cards. |
| Interact App | on each run of the script, but only when Interact is enabled | Needed for Interact. |
| Graph Chat App | manually by an administrator via the admin portal | Needed for Instant Messaging in order to create chat threads with the User and the Customer and properly handle chat messages |
Microsoft Graph PowerShell Permissions
The Microsoft.Graph.* modules which are used by the Provisioning Script require the user to have the permissions that need to be granted for the Microsoft Graph PowerShell Enterprise application:
| Permission |
Permission Type |
Granted By | Purpose |
|---|---|---|---|
| Application.ReadWrite.All | Delegated | Tenant Admin | Read and write all applications |
| AppRoleAssignment.ReadWrite.All | Delegated | Tenant Admin | Manage app permission grants and app role assignments |
| DelegatePermissionGrant.ReadWrite.All | Delegated | Tenant Admin | Manage all delegated permission grants |
| Domain.Read.All | Delegated | Tenant Admin | Read domains |
| Organization.Read.All | Delegated | Tenant Admin | Read organization information |
| User.ReadWrite.All | Delegated | Tenant Admin | Read and write all users' full profiles |
| openid | Delegated | Tenant Admin | Sign users in |
| profile | Delegated | Tenant Admin | View user's basic profile |
| offline_access | Delegated | Tenant Admin | Maintain access to data you have given it access |
Permissions by Product/Feature
Nimbus Apps and Addons
| Permission | Type | Granted By | License | Addon | Purpose / Usage Scenario | ||||
|---|---|---|---|---|---|---|---|---|---|
| AR | ER | CC | Attendant Console | Interact | Assistant | ||||
| Channel.ReadBasic.All | Application | Tenant Admin | yes | yes | yes | - | - | - | Nimbus App - Get channels to post Adaptive (Voice Message) Cards. |
| GroupMember.Read.All | Application | Tenant Admin | yes | yes | yes | - | - | - |
Nimbus App - Get Team Members Allows the app to list groups, read basic group properties and read membership of all groups that the signed-in user has access to. |
| Mail.ReadWrite | Application | Tenant Admin | yes | yes | yes | - | - | - | Nimbus App - Optional permission required for Mailboxes in order to enable Email Handling for services. |
| Mail.Send | Application | Tenant Admin | yes | yes | yes | - | - | - | Nimbus App - Optional permission required for Mailboxes in order to enable Email Handling for services. |
| Presence.Read.All1 | Application | Tenant Admin | yes | yes | yes | - | - | - | Nimbus App - Required permission for extended presence tracking of MS Teams users, which is used for call distribution. → See info below. |
| User.Read | Delegated | User | yes | yes | yes | - | - | - | Nimbus App - Get user information (from logged-in user) |
| User.Read.All | Application | Tenant Admin | yes | yes | yes | - | yes | - |
Nimbus App - Get CallerInformation Nimbus UI - Full Search Users (→ also see "User Search Permissions" chapter below. |
| User.ReadBasic.All | Delegated | User | yes | yes | yes | - | - | - | Nimbus App - Limited user search. Nimbus needs to know the channels of the logged-in user. |
1 Enhanced Presence Tracking
🤔 Why is “Presence.Read.All” required? This will allow the Nimbus App to check extended presence status, e.g. if users are already Busy - In a call, Busy - In a meeting or in a similar status.
🤔 How is Extended Presence tracking enabled? As part of Extensions Tenant Settings > "Presence Tracking”
OR by running the Provisioning Script as a Tenant Administrator.
🔎 Also see: User Presence States > Official MS Teams documentation
Nimbus API
| Permission | Type | Granted By | License | Addon | Purpose / Usage Scenario | ||||
|---|---|---|---|---|---|---|---|---|---|
| AR | ER | CC | Attendant Console | Interact | Assistant | ||||
| Provisioning.User.Create | Application | Tenant Admin | yes | yes | yes | - | - | - | Nimbus API - Provision empty users via their O365 ID and Organization Units ID. |
| Provisioning.User.Delete | Application | Tenant Admin | yes | yes | yes | - | - | - | Nimbus API - Delete users via their O365 ID. |
Calling Bot
| Permission | Type | Granted By | License | Addon | Purpose / Usage Scenario | ||||
|---|---|---|---|---|---|---|---|---|---|
| AR | ER | CC | Attendant Console | Interact | Assistant | ||||
| Calls.AccessMedia.All | Application | Tenant Admin | yes | yes | yes | - | - | - | Calling Bot - Receive DTMF tones and Record customer input in IVRs, e.g. for decision routing in Workflows. |
| Calls.Initiate.All | Application | Tenant Admin | yes | yes | yes | - | - | - | Calling Bot - Contact users (distribute calls, e.g. by making 1:1 calls to users to take on a Nimbus task). |
| Calls.InitiateGroupCall.All | Application | Tenant Admin | yes | yes | yes | - | yes | - | Calling Bot - Contact users (distribute calls, e.g. group calling multiple users simultaneously to find the first user to take on the Nimbus task.) |
| Calls.JoinGroupCall.All | Application | Tenant Admin | yes | yes | yes | - | yes | - | Calling Bot - Join an escalated call = call with more than 2 participants, including the bot. |
Media Bot
| Permission | Type | Granted By | License | Addon | Purpose / Usage Scenario | ||||
|---|---|---|---|---|---|---|---|---|---|
| AR | ER | CC | Attendant Console | Interact | Assistant | ||||
| Calls.AccessMedia.All | Application | Tenant Admin | yes | yes | yes | - | - | - | Media Bot - Record voice messages |
| Calls.JoinGroupCall.All | Application | Tenant Admin | yes | yes | yes | - | yes | - | Media Bot - Join an escalated call = call with more than 2 participants, including the bot. |
Interact App
| Permission | Type | Granted By | License | Addon | Purpose / Usage Scenario | ||||
|---|---|---|---|---|---|---|---|---|---|
| AR | ER | CC | Attendant Console | Interact | Assistant | ||||
| Calls.InitiateGroupCall.All | Application | Tenant Admin | yes | yes | yes | - | yes | - | Interact (Audio/Video) - Contact users (distribute calls) |
| Calls.JoinGroupCall.All | Application | Tenant Admin | yes | yes | yes | - | yes | - | Interact (Audio/Video) - Join a meeting call |
| OnlineMeetingArtifact.Read.All | Application | Tenant Admin | - | - | - | - | yes | - | Interact (Audio/Video) - Fetch online meeting artifacts |
| OnlineMeetings.Read.All | Application | Tenant Admin | - | - | - | - | yes | - | Interact (Audio/Video) - Read online meeting details |
| OnlineMeetings.ReadWrite.All | Application | Tenant Admin | - | - | - | - | yes | - | Interact (Audio/Video) - Read and create online meetings |
Assistant App
| Permission | Type | Granted By | License | Addon | Purpose / Usage Scenario | ||||
|---|---|---|---|---|---|---|---|---|---|
| AR | ER | CC | Attendant Console | Interact | Assistant | ||||
| Teams.ManageCalls | Delegated | User | - | - | - | - | - | yes | Assistant App Manage calls in Teams through ACS |
| Teams.ManageChat | Delegated | User | - | - | - | - | - | yes | Assistant App Manage chat in Teams through ACS |
| User.Read.All | Delegated | Tenant Admin | - | - | - | - | - | yes | Assistant App - Read all users' full profile |
| Presence.Read | Delegated | User | - | - | - | - | - | yes | Assistant App - Read users' presence information |
Attendant Console
| Permission | Type | Granted By | License | Addon | Purpose / Usage Scenario | ||||
|---|---|---|---|---|---|---|---|---|---|
| AR | ER | CC | Attendant Console | Interact | Assistant | ||||
| Calendars.Read | Delegated | User | - | - | - | yes | - | - | Attendant Console - Read calendar of the logged-in user show calendar with appointments |
| Calendars.Read.Shared | Delegated | User | - | - | - | yes | - | - | Attendant Console - Read shared calendars to show calendar with appointments |
| Contacts.Read | Delegated | User | - | - | - | yes | - | - | Attendant Console - Search in the exchange contacts of the logged-in user |
| Contacts.Read.Shared | Delegated | User | - | - | - | yes | - | - | Attendant Console - Search in the shared exchange contacts |
| Presence.Read.All | Delegated | Tenant Admin | - | - | - | yes | - | - | Attendant Console - Show presence in contact search on Attendant Console page |
Graph Chat App
| Permission | Type | Granted By | License | Purpose / Usage Scenario |
|---|---|---|---|---|
| Interact | ||||
| Chat.Create | Delegated | Tenant Admin | yes | Interact (Instant Messaging) - Create chats |
| Chat.ManageDeletion.All | Delegated | Tenant Admin | yes | Interact (Instant Messaging) - Delete and recover deleted chats |
| Chat.Read | Delegated | Tenant Admin | yes | Interact (Instant Messaging) - Read user chat messages |
| Chat.ReadBasic | Delegated | Tenant Admin | yes | Interact (Instant Messaging) - Read names and members of user chat threads |
| Chat.ReadWrite | Delegated | Tenant Admin | yes | Interact (Instant Messaging) - Read and write user chat messages |
| ChatMember.Read | Delegated | Tenant Admin | yes | Interact (Instant Messaging) - Read the members of chats |
| ChatMember.ReadWrite | Delegated | Tenant Admin | yes | Interact (Instant Messaging) - Add and remove members from chats |
| ChatMessage.Read | Delegated | Tenant Admin | yes | Interact (Instant Messaging) - Read user chat messages |
| ChatMessage.Send | Delegated | Tenant Admin | yes | Interact (Instant Messaging) - Send user chat messages |
| User.Read | Delegated | Tenant Admin | yes | Interact (Instant Messaging) - Sign in and read user profile |
User Search Permissions
INC Supported User Search Fields
Supported fields for Attendant Console 1.0 (AC1)
Prerequisites: User.Read.All permissions must be granted to use search features. As a Tenant Admin, head to the Nimbus Portal > User Preferences (Portal) > Permissions> Advanced Search and manage consent for your entire tenant. → Also see Nimbus User Permissions for more details.
Legend
✅ Fields are supported by search.
🔍 Fields support "CONTAINS" search operator.
Example: Searching for 'cha' will find 'Chadrick' but also 'Michael'
➕ These fields support filter capabilities which can be used to narrow down a search.
☝ KNOWN LIMITATIONS:
- The search covers the predefined Nimbus Address Books fields, but no custom fields can be searched.
- Filters need to be part of the search syntax. You can switch to Attendant Console 2.0 for a much-improved filtering experience.
Attendant Console 1.0 (AC1) supported search fields table:
| Searchable Field | O365 Directory |
Outlook Address Book | Nimbus Address Books |
Nimbus Services | Notes |
|---|---|---|---|---|---|
| Display Name | ✅ | ✅ 🔍 | ✅ 🔍 | First name / Last name combination | |
| First Name | ✅ | ✅ 🔍 | First name | ||
| Last Name | ✅ 🔍 | Last / Family name | |||
| Initials | ✅ 🔍 | Initials (e.g. "JK") | |||
| Surname | ✅ | Surname | |||
| ✅ | ✅ | ✅ 🔍 | Email Address | ||
| User Principal Name (UPN) | ✅ | ✅ 🔍 | Consists of: user name (login name), separator (the @ symbol), and domain name (UPN suffix) | ||
| Job Title | ✅ ➕ ☝ | ✅ 🔍 ➕ ☝ | ✅ 🔍 ➕ | Job Title | |
| Business Phones | ✅ 🔍 | Business Phone | |||
| Home Phones | ✅ 🔍 | Home Phone | |||
| Mobile Phones | ✅ 🔍 | Mobile Phone | |||
| IM Address | ✅ 🔍 | IM SIP Address | |||
| Street | ➕ | ✅ 🔍➕ | Street Address | ||
| City | ✅ ➕ ☝ | ✅ 🔍 | Code and City | ||
| Company | ✅ ➕ ☝ | ✅ 🔍 | Company | ||
| Country | ✅ ➕ ☝ | ✅ 🔍 ➕ | Country of Origin | ||
| Department | ✅ ➕ ☝ | ✅ ➕ ☝ | ✅ 🔍 ➕ | Department | |
| State | ✅ ➕ ☝ | ✅ 🔍 ➕ | State | ||
| Postal Code | ➕ | ✅ 🔍➕ | Postal Code | ||
| External.CustomField1-10 | ✅ 🔍 | Custom Field |
Supported fields / filters for Attendant Console 2.0 (AC2)
Attendant Console 2.0 (AC2) supported search fields and filters tables:
INC Supported Search Fields and Filters (AC2.0)
Free Text Search
Prerequisites: The full search functionality only applies if permissions are granted. See Attendant Console 2.0 - Permissions.
Legend
✅Fields are supported by Free Text Search
❗Limited by "starts with" logic
☝️Needs at least 3 characters to start searching
| Search within | "All" Tab |
Configured Groups |
||||
|---|---|---|---|---|---|---|
Fields |
O365 Directory |
Outlook Address Book |
Nimbus Address Books |
Nimbus Services |
Nimbus Address Books |
All Sources |
Display Name |
✅❗☝️ |
✅❗☝️ |
✅☝️ |
✅☝️ |
✅ |
✅ |
Contact Details |
✅❗☝️ |
✅❗☝️ |
✅☝️ |
✅☝️ |
✅ |
✅ |
Note |
✅☝️ |
✅ |
✅ |
|||
| First Name | ✅☝️ |
✅ |
||||
| Last Name | ✅☝️ |
✅ |
||||
| UPN (User Principal Name) | ✅☝️ |
✅ |
||||
✅☝️ |
✅ |
|||||
| IM Address | ✅☝️ |
✅ |
||||
| Business Phone | ✅☝️ |
✅ |
||||
| Mobile Phone | ✅☝️ |
✅ |
||||
| Home Phone | ✅☝️ |
✅ |
||||
| Company | ✅☝️ |
✅ |
||||
| Department | ✅☝️ |
✅ |
||||
| Job Title | ✅☝️ |
✅ |
||||
| Country | ✅☝️ |
✅ |
||||
| State | ✅☝️ |
✅ |
||||
| City | ✅☝️ |
✅ |
||||
| Postal Code | ✅☝️ |
✅ |
||||
| Street Address | ✅☝️ |
✅ |
||||
| External Custom Field 1-10 | ✅☝️ |
✅ |
||||
Filters
Note: Filters only work if this field is actually used for the contact.
| Search within | "All" Tab |
Configured Groups |
|||
|---|---|---|---|---|---|
Fields |
O365 Directory |
Outlook Address Book |
Nimbus Address Books |
Nimbus Services | All Sources |
City |
✅❗ |
✅ |
✅❗ |
✅ |
|
Company |
✅❗ |
✅ |
✅ |
||
Country |
✅❗ |
✅ |
✅❗ |
✅ |
|
Department |
✅❗ |
✅❗ |
✅ |
✅❗ |
✅ |
Initials |
✅ |
✅ |
|||
Job Title |
✅❗ |
✅❗ |
✅ |
✅❗ |
✅ |
Postal Code |
✅❗ |
✅ |
✅❗ |
✅ |
|
State |
✅❗ |
✅ |
✅❗ |
✅ |
|
Street Address |
✅❗ |
✅ |
✅❗ |
✅ |
|
Note |
✅ |
✅ |
✅ |
✅ |
✅ |