Permissions for Service provisioning

When using Microsoft PowerShell to provision new Nimbus services, the following permissions are granted automatically

ComponentWhen are permissions grantedPurpose
Nimbus Appon each run of the script/runbookRetrieves information about MS Teams users, their team memberships and roles, group memberships
Calling Boton each run of the script or when the new team is created by runbookResponsible for the team calls (regardless of team/workflow configuration)
Media Boton each run of the script/runbookAllows to make Voice Message recordings

(info) If not already granted by a Tenant administrator additional Required User Permissions may requested from each service user individually upon first login to Nimbus. Not granting these permissions may affect internal user search fields such as the one in Attendant Console

The Microsoft.Graph.* modules which are used by the Provisioning Script require permissions that need to be granted for the Microsoft Graph PowerShell Enterprise application: 

PermissionPermission TypeGranted ByPurpose
Application.ReadWrite.AllDelegatedTenant AdminRead and write all applications
AppRoleAssignment.ReadWrite.AllDelegatedTenant AdminManage app permission grants and app role assignments
DelegatePermissionGrant.ReadWrite.AllDelegatedTenant AdminManage all delegated permission grants
Domain.Read.AllDelegatedTenant AdminRead domains
Organization.Read.AllDelegatedTenant AdminRead organization information
Users.ReadWrite.AllDelegatedTenant AdminRead and write all users' full profiles
openidDelegatedTenant AdminSign users in
profileDelegatedTenant AdminView users's basic profile
offline_accessDelegatedTenant AdminMaintain access to data you have given it access to

Permissions by Products / Features

PermissionPermission TypeGranted By

Advanced Routing

Enterprise Routing

Contact Center

Attendant Console

Interact

Assistant

Purpose / Usage Scenario
Calls.AccessMedia.AllApplicationTenant Adminyesyesyes---Calling Bot - DTMF tones
Media Bot - Record VM
Calls.Initiate.AllApplicationTenant Adminyesyesyes---Calling Bot - Contact Users (Distribute Calls)
Calls.InitiateGroupCall.AllApplicationTenant Adminyesyesyes-yes-Calling Bot - Contact Users (Distribute Calls)
Interact - Contact Users (Distribute Calls)
Calls.JoinGroupCall.AllApplicationTenant Adminyesyesyes-yes-Calling Bot - Join an escalated Call
Media Bot - Join an escalated Call
Interact - Join a Meeting Call
Channel.ReadBasic.AllApplicationTenant Adminyesyesyes---Nimbus App - Get Channels to post Adaptive (Voice Message) Cards.
GroupMember.Read.AllApplicationTenant Adminyesyesyes---Nimbus App  - Get Team Members
Nimbus App  - Read Security Groups
Allows the app to list groups, read basic group properties and read membership of all groups the signed-in user has access to.
OnlineMeetings.Read.AllApplicationTenant Admin----yes-Interact - Read online Meeting details
OnlineMeetings.ReadWrite.AllApplicationTenant Admin----yes-Interact - Read and create online meetings
User.Read.AllApplicationTenant Admin - Nimbus App
User - Nimbus UI		yesyesyes-yes-

Nimbus App - Get CallerInformation
Nimbus UI - Full Search Users
Interact - Get CallerInformation

(question) Why is this necessary? Nimbus reads the complete profile of all users to determine group memberships within the organization. Nimbus needs this information to correctly identify users via search (→ also see "Covered Search Fields" chapter below).
The presence status of MS Teams users is also determined this way, which is used for call distribution.

(info) Note: Nimbus does not store any of the exchanged data. The permissions are primarily used to display live data during daily usage of the product. 


Presence.Read.AllDelegatedTenant Adminyesyesyes---Nimbus App - Optional permission granted via Tenant Administration > "Presence Tracking" for external Azure guest accounts.
User.ReadDelegatedTenant Adminyesyesyes--yes

Nimbus App - Optional permission granted via Tenant Administration > "Presence Tracking" for external Azure guest accounts.

User.ReadBasic.AllDelegatedTenant Adminyesyesyes---Nimbus App - Optional permission granted via Tenant Administration > "Presence Tracking" for external Azure guest accounts.
Calendars.ReadDelegatedUser---yes--Attendant Console - Read Calendar of the logged-in user show Calendar with appointments
Calendars.Read.SharedDelegatedUser---yes--Attendant Console - Read Shared Calendars to show Calendar with appointments
Contacts.ReadDelegatedUser---yes--Attendant Console -  Search in the Exchange Contacts of the logged-in user
Contacts.Read.SharedDelegatedUser---yes--Attendant Console -  Search in the Shared Exchange Contacts
Presence.Read.AllDelegatedUser---yes--Attendant Console - Show Presence in Contact Search on Attendant Console page
User.ReadDelegatedUseryesyesyes---Nimbus App - Get user information (from logged in user)
User.ReadBasic.AllDelegatedUseryesyesyes---Nimbus App - Limited user search. Nimbus needs to know the channels/channels of the logged in user. 
Teams.ManageCallsDelegatedUser---- - yesAssistant App - Manage calls in Teams through ACS
Teams.ManageChatDelegatedUser---- - yesAssistant App - Manage chat in Teams through ACS
User.Read.AllDelegatedTenant Admin---- - yesAssistant App - Read all users' full profile
Presence.ReadDelegatedUser---- - yesAssistant App - Read users' presence information

Covered Search Fields

Nimbus uses User.Read.All permissions to cover the following search fields. The sources searched are: 

  • Nimbus internal Address Books.
  • Your O365 Tenant Directory.
  • Exchange (individual user Address books). (info) If not granted by the Tenant Admin, User Permissions need to be granted individually.


Fields covered by Nimbus user search
Searchable Fields and FiltersNimbus
Address Book		O365
Tenant Directory		Exchange
(User Address Book)		Notes
Display Name(tick) (info)(tick) (tick) (info)

KNOWN LIMITATION The search covers the predefined Nimbus Address Books fields, but no custom-fields can currently be searched. We are working to gradually alleviate this situation and make the search experience more consistent.

(tick) Fields are supported by search.

(info) Fields additionally support "CONTAINS" as search operator.

Example: Searching for 'cha' will not only find 'Chadwick' but also 'Michael' 

 (plus) These fields have additional Filter capabilities. An "Advanced Search" (User.Read.All) permission must be granted by a Tenant Admin to use this feature.


Given Name
(tick) 
First Name(tick) (info)

Last Name(tick) (info)

Initials(tick) (info)

Surname
(tick) 
Mail (tick) (info) (tick) (tick)
User Principal Name (tick) (info) (tick) 
Job Title(tick) (info) (plus) (tick) (tick) (info)
Business Phones (tick) (info) 

Home Phones (tick) (info)

Mobile Phones (tick) (info)

IM Address (tick) (info)

Department (tick) (info)

Street(tick) (info)

City(tick) (info) (plus) (tick) (plus)
Company(tick) (info) (plus)
(tick) (plus) 
Country(tick) (info) (plus) (tick) (plus)
Department(tick) (info) (plus) (tick) (plus) (tick) (plus) 
State(tick) (info) (plus) (tick) (plus)  
Postal Code(tick) (info)

(lightbulb) Search permissions are primarily required for Attendant Console and Outbound Service Call / Call On Behalf functionalities.

Runbook Permissions

The following permissions are required when you need to provision multiple teams via Runbook.

Microsoft.Web/connections/write
Microsoft.Logic/workflows/write

Microsoft.Automation/automationAccounts/write
Microsoft.Automation/automationAccounts/variables/write
Microsoft.Automation/automationAccounts/credentials/write
Microsoft.Automation/automationAccounts/runbooks/write
Microsoft.Automation/automationAccounts/modules/write

Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/*
CODE