Required App Permissions
Permissions for Service provisioning
When using Microsoft PowerShell to provision new Nimbus services, the following permissions are granted automatically:
| Component | When are permissions granted | Purpose |
|---|---|---|
| Nimbus App | on each run of the script | Retrieves information about MS Teams users, their team memberships and roles, group memberships |
| Calling Bot | on each run of the script | Responsible for the team calls (regardless of team/workflow configuration) |
| Media Bot | on each run of the script | Allows to make Voice Message recordings |
| Chat Bot | in User Preferences (Portal) once by the user to register with the bot. No additional permissions are needed. | Relay service-related chat messages via adaptive cards. |
If not already granted by a Tenant administrator additional Required User Permissions may requested from each service user individually upon first login to Nimbus. Not granting these permissions may affect internal user search fields such as the one in Attendant Console.
The Microsoft.Graph.* modules which are used by the Provisioning Script require permissions that need to be granted for the Microsoft Graph PowerShell Enterprise application:
| Permission | Permission Type | Granted By | Purpose |
|---|---|---|---|
| Application.ReadWrite.All | Delegated | Tenant Admin | Read and write all applications |
| AppRoleAssignment.ReadWrite.All | Delegated | Tenant Admin | Manage app permission grants and app role assignments |
| DelegatePermissionGrant.ReadWrite.All | Delegated | Tenant Admin | Manage all delegated permission grants |
| Domain.Read.All | Delegated | Tenant Admin | Read domains |
| Organization.Read.All | Delegated | Tenant Admin | Read organization information |
| Users.ReadWrite.All | Delegated | Tenant Admin | Read and write all users' full profiles |
| openid | Delegated | Tenant Admin | Sign users in |
| profile | Delegated | Tenant Admin | View users's basic profile |
| offline_access | Delegated | Tenant Admin | Maintain access to data you have given it access to |
Permissions by Products / Features
| Permission | Permission Type | Granted By |
Advanced Routing |
Enterprise Routing |
Contact Center |
Attendant Console |
Interact |
Assistant | Purpose / Usage Scenario |
|---|---|---|---|---|---|---|---|---|---|
| Calls.AccessMedia.All | Application | Tenant Admin | yes | yes | yes | - | - | - | Calling Bot - DTMF tones Media Bot - Record VM |
| Calls.Initiate.All | Application | Tenant Admin | yes | yes | yes | - | - | - | Calling Bot - Contact Users (Distribute Calls) |
| Calls.InitiateGroupCall.All | Application | Tenant Admin | yes | yes | yes | - | yes | - | Calling Bot - Contact Users (Distribute Calls) Interact - Contact Users (Distribute Calls) |
| Calls.JoinGroupCall.All | Application | Tenant Admin | yes | yes | yes | - | yes | - | Calling Bot - Join an escalated Call Media Bot - Join an escalated Call Interact - Join a Meeting Call |
| Channel.ReadBasic.All | Application | Tenant Admin | yes | yes | yes | - | - | - | Nimbus App - Get Channels to post Adaptive (Voice Message) Cards. |
| GroupMember.Read.All | Application | Tenant Admin | yes | yes | yes | - | - | - | Nimbus App - Get Team Members Nimbus App - Read Security Groups Allows the app to list groups, read basic group properties and read membership of all groups the signed-in user has access to. |
| OnlineMeetings.Read.All | Application | Tenant Admin | - | - | - | - | yes | - | Interact - Read online Meeting details |
| OnlineMeetings.ReadWrite.All | Application | Tenant Admin | - | - | - | - | yes | - | Interact - Read and create online meetings |
| User.Read.All | Application | Tenant Admin - Nimbus App User - Nimbus UI | yes | yes | yes | - | yes | - | Nimbus App - Get CallerInformation
|
| | |||||||||
| Presence.Read.All | Delegated | Tenant Admin | yes | yes | yes | - | - | - | Nimbus App - Optional permission granted via Tenant Administration > "Presence Tracking" for external Azure guest accounts. |
| User.Read | Delegated | Tenant Admin | yes | yes | yes | - | - | yes | Nimbus App - Optional permission granted via Tenant Administration > "Presence Tracking" for external Azure guest accounts. |
| User.ReadBasic.All | Delegated | Tenant Admin | yes | yes | yes | - | - | - | Nimbus App - Optional permission granted via Tenant Administration > "Presence Tracking" for external Azure guest accounts. |
| Calendars.Read | Delegated | User | - | - | - | yes | - | - | Attendant Console - Read Calendar of the logged-in user show Calendar with appointments |
| Calendars.Read.Shared | Delegated | User | - | - | - | yes | - | - | Attendant Console - Read Shared Calendars to show Calendar with appointments |
| Contacts.Read | Delegated | User | - | - | - | yes | - | - | Attendant Console - Search in the Exchange Contacts of the logged-in user |
| Contacts.Read.Shared | Delegated | User | - | - | - | yes | - | - | Attendant Console - Search in the Shared Exchange Contacts |
| Presence.Read.All | Delegated | User | - | - | - | yes | - | - | Attendant Console - Show Presence in Contact Search on Attendant Console page |
| User.Read | Delegated | User | yes | yes | yes | - | - | - | Nimbus App - Get user information (from logged in user) |
| User.ReadBasic.All | Delegated | User | yes | yes | yes | - | - | - | Nimbus App - Limited user search. Nimbus needs to know the channels/channels of the logged in user. |
| Teams.ManageCalls | Delegated | User | - | - | - | - | - | yes | Assistant App - Manage calls in Teams through ACS |
| Teams.ManageChat | Delegated | User | - | - | - | - | - | yes | Assistant App - Manage chat in Teams through ACS |
| User.Read.All | Delegated | Tenant Admin | - | - | - | - | - | yes | Assistant App - Read all users' full profile |
| Presence.Read | Delegated | User | - | - | - | - | - | yes | Assistant App - Read users' presence information |
Why is this necessary? Nimbus reads the complete profile of all users to determine group memberships within the organization. Nimbus needs this information to correctly identify users via search (→ also see "Covered Search Fields" chapter below). Covered Search Fields
Nimbus uses User.Read.All permissions to cover the following search fields. The sources searched are:
- Nimbus internal Address Books.
- Your O365 Tenant Directory.
- Exchange (individual user Address books). If not granted by the Tenant Admin, User Permissions need to be granted individually.
| Searchable Fields and Filters | Nimbus Address Book | O365 Tenant Directory | Exchange (User Address Book) | Notes |
|---|---|---|---|---|
| Display Name |  | | | KNOWN LIMITATION The search covers the predefined Nimbus Address Books fields, but no custom-fields can currently be searched. We are working to gradually alleviate this situation and make the search experience more consistent.
|
| Given Name | | |||
| First Name | | |||
| Last Name | | |||
| Initials | | |||
| Surname | | |||
| | | | ||
| User Principal Name | | | ||
| Job Title |  |  | | |
| Business Phones | | |||
| Home Phones | | |||
| Mobile Phones | | |||
| IM Address | | |||
| Street | | |||
| City | | | ||
| Company | | | ||
| Country | | | ||
| Department | | | | |
| State | | | ||
| Postal Code | |
Search permissions are primarily required for Attendant Console and Outbound Service Call / Call On Behalf functionalities.