When using either Microsoft Runbook or Microsoft PowerShell the following permissions are granted automatically

ComponentPermissions grantedPurpose
Nimbus Appon each run of the script/runbookRetrieves information about MS Teams users, their team memberships and roles, group memberships
Calling Boton each run of the script or when the new team is created by runbookResponsible for the team calls (regardless of team/workflow configuration)

Media Bot

on each run of the script/runbookAllows to make Voice Message recordings

(info) If not already granted by a Tenant administrator additional Required User Permissions may requested from each service user individually upon first login to Nimbus. Not granting these permissions may affect internal user search fields such as the one in Attendant Console

Permissions by Products / Features

PermissionPermission TypeGranted By

Advanced Routing

Enterprise Routing

Contact Center

Attendant Console


Purpose / Usage Scenario
Calls.AccessMedia.AllApplicationTenant Adminyesyesyes--Calling Bot - DTMF tones
Media Bot - Record VM
Calls.Initiate.AllApplicationTenant Adminyesyesyes--Calling Bot - Contact Users (Distribute Calls)
Calls.InitiateGroupCall.AllApplicationTenant Adminyesyesyes-yesCalling Bot - Contact Users (Distribute Calls)
Interact - Contact Users (Distribute Calls)
Calls.JoinGroupCall.AllApplicationTenant Adminyesyesyes-yesCalling Bot - Join an escalated Call
Media Bot - Join an escalated Call
Interact - Join a Meeting Call
Channel.ReadBasic.AllApplicationTenant Adminyesyesyes--Nimbus App - Get Channels to post Adaptive (Voice Message) Cards.
GroupMember.Read.AllApplicationTenant Adminyesyesyes--Nimbus App  - Get Team Members
Nimbus App  - Read Security Groups
Allows the app to list groups, read basic group properties and read membership of all groups the signed-in user has access to.
OnlineMeetings.Read.AllApplicationTenant Admin----yesInteract - Read online Meeting details
OnlineMeetings.ReadWrite.AllApplicationTenant Admin----yesInteract - Read and create online meetings
User.Read.AllApplicationTenant Admin - Nimbus App
User - Nimbus UI

Nimbus App - Get CallerInformation
Nimbus UI - Full Search Users
Interact - Get CallerInformation

(question) Why is this necessary? Nimbus reads the complete profile of all users to determine group memberships within the organization. Nimbus needs this information to correctly identify users via search. The presence status of MS Teams users is also determined this way, which is used for call distribution.

(info) Note: Nimbus does not store any of the exchanged data. The permissions are primarily used to display live data during daily usage of the product.

Presence.Read.AllDelegatedTenant Adminyesyesyes--Nimbus App - Optional permission granted via Tenant Administration > "Presence Tracking" for external Azure guest accounts.
User.ReadDelegatedTenant Adminyesyesyes--

Nimbus App - Optional permission granted via Tenant Administration > "Presence Tracking" for external Azure guest accounts.

User.ReadBasic.AllDelegatedTenant Adminyesyesyes--Nimbus App - Optional permission granted via Tenant Administration > "Presence Tracking" for external Azure guest accounts.
Calendars.ReadDelegatedUser---yes-Attendant Console - Read Calendar of the logged-in user show Calendar with appointments
Calendars.Read.SharedDelegatedUser---yes-Attendant Console - Read Shared Calendars to show Calendar with appointments
Contacts.ReadDelegatedUser---yes-Attendant Console -  Search in the Exchange Contacts of the logged-in user
Contacts.Read.SharedDelegatedUser---yes-Attendant Console -  Search in the Shared Exchange Contacts
Presence.Read.AllDelegatedUser---yes-Attendant Console - Show Presence in Contact Search on Attendant Console page
User.ReadDelegatedUseryesyesyes--Nimbus App - Get user information (from logged in user)
User.ReadBasic.AllDelegatedUseryesyesyes--Nimbus App - Limited user search. Nimbus needs to know the channels/channels of the logged in user. 

Runbook Permissions

The following permissions are required when you need to provision multiple teams via Runbook.