Required Permissions
When using either Microsoft Runbook or Microsoft PowerShell, the following permissions are granted automatically:
Component | Permissions granted | Purpose |
---|---|---|
Nimbus App | on each run of the script/runbook | Retrieves information about MS Teams users, their team memberships and roles, group memberships |
Calling Bot | on each run of the script or when the new team is created by runbook | Responsible for the team calls (regardless of team/workflow configuration) |
Media Bot | on each run of the script/runbook | Allows making Voice Message recordings |
If not already granted by a Tenant administrator, additional Required User Permissions may be requested from each service user individually upon first login to Nimbus. Not granting these permissions may affect internal user search fields such as the one in Attendant Console.
Permissions by Products / Features
Permission | Permission Type | Granted By | Advanced Routing | Enterprise Routing | Contact Center | Attendant Console | Interact | Purpose / Usage Scenario |
---|---|---|---|---|---|---|---|---|
Calls.AccessMedia.All | Application | Tenant Admin | yes | yes | yes | - | - | Calling Bot - DTMF tones; Media Bot - Record VM |
Calls.Initiate.All | Application | Tenant Admin | yes | yes | yes | - | - | Calling Bot - Contact Users (Distribute Calls) |
Calls.InitiateGroupCall.All | Application | Tenant Admin | yes | yes | yes | - | yes | Calling Bot - Contact Users (Distribute Calls); Interact - Contact Users (Distribute Calls) |
Calls.JoinGroupCall.All | Application | Tenant Admin | yes | yes | yes | - | yes | Calling Bot - Join an escalated Call; Media Bot - Join an escalated Call; Interact - Join a Meeting Call |
Channel.ReadBasic.All | Application | Tenant Admin | yes | yes | yes | - | - | Nimbus App - Get Channels to post Adaptive (Voice Message) Cards. |
GroupMember.Read.All | Application | Tenant Admin | yes | yes | yes | - | - | Nimbus App - Get Team Members; Nimbus App - Read Security Groups. Allows the app to list groups, read basic group properties and read membership of all groups the signed-in user has access to. |
OnlineMeetings.Read.All | Application | Tenant Admin | - | - | - | - | yes | Interact - Read online Meeting details |
OnlineMeetings.ReadWrite.All | Application | Tenant Admin | - | - | - | - | yes | Interact - Read and create online meetings |
User.Read.All | Application | Tenant Admin - Nimbus App; User - Nimbus UI | yes | yes | yes | - | yes | Nimbus App - Get CallerInformation |
Presence.Read.All | Delegated | Tenant Admin | yes | yes | yes | - | - | Nimbus App - Optional permission granted via Tenant Administration > "Presence Tracking" for external Azure guest accounts. |
User.Read | Delegated | Tenant Admin | yes | yes | yes | - | - | Nimbus App - Optional permission granted via Tenant Administration > "Presence Tracking" for external Azure guest accounts. |
User.ReadBasic.All | Delegated | Tenant Admin | yes | yes | yes | - | - | Nimbus App - Optional permission granted via Tenant Administration > "Presence Tracking" for external Azure guest accounts. |
Calendars.Read | Delegated | User | - | - | - | yes | - | Attendant Console - Read Calendar of the logged-in user to show Calendar with appointments |
Calendars.Read.Shared | Delegated | User | - | - | - | yes | - | Attendant Console - Read Shared Calendars to show Calendar with appointments |
Contacts.Read | Delegated | User | - | - | - | yes | - | Attendant Console - Search in the Exchange Contacts of the logged-in user |
Contacts.Read.Shared | Delegated | User | - | - | - | yes | - | Attendant Console - Search in the Shared Exchange Contacts |
Presence.Read.All | Delegated | User | - | - | - | yes | - | Attendant Console - Show Presence in Contact Search on Attendant Console page |
User.Read | Delegated | User | yes | yes | yes | - | - | Nimbus App - Get user information (from logged in user) |
User.ReadBasic.All | Delegated | User | yes | yes | yes | - | - | Nimbus App - Limited user search. Nimbus needs to know the channels/channels of the logged in user. |
Runbook Permissions
The following permissions are required when you need to provision multiple teams via Runbook.
Microsoft.Web/connections/write
Microsoft.Logic/workflows/write
Microsoft.Automation/automationAccounts/write
Microsoft.Automation/automationAccounts/variables/write
Microsoft.Automation/automationAccounts/credentials/write
Microsoft.Automation/automationAccounts/runbooks/write
Microsoft.Automation/automationAccounts/modules/write
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/*
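Before running the Runbook, the operator's Azure role can be checked against the actions listed above, both for missing actions and for grants broader than the list. The following is an added example and not part of the Nimbus documentation; the function names are hypothetical, the sample role is constructed, the input shape is assumed to follow one entry of `az role definition list` output, and any overlap between a `notActions` entry and a required action is conservatively treated as blocking it.

```python
import re

# Actions listed on this page for provisioning multiple teams via Runbook.
REQUIRED_ACTIONS = [
    "Microsoft.Web/connections/write",
    "Microsoft.Logic/workflows/write",
    "Microsoft.Automation/automationAccounts/write",
    "Microsoft.Automation/automationAccounts/variables/write",
    "Microsoft.Automation/automationAccounts/credentials/write",
    "Microsoft.Automation/automationAccounts/runbooks/write",
    "Microsoft.Automation/automationAccounts/modules/write",
    "Microsoft.Resources/deployments/*",
    "Microsoft.Resources/subscriptions/resourceGroups/*",
]

# Constructed sample role (not a real tenant export), shaped like one entry
# of `az role definition list` output (assumed shape).
SAMPLE_ROLE = {"permissions": [{
    "actions": ["Microsoft.Web/connections/write",
                "Microsoft.Logic/workflows/write",
                "Microsoft.Automation/automationAccounts/*",
                "Microsoft.Resources/deployments/*"],
    "notActions": ["Microsoft.Automation/automationAccounts/credentials/write"],
}]}


def covers(pattern, action):
    """True if an RBAC pattern ('*' wildcard, case-insensitive) covers action."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def audit_role(role):
    """Return required actions the role lacks and grants broader than required."""
    granted, denied = [], []
    for perm in role.get("permissions", []):
        granted += perm.get("actions", [])
        denied += perm.get("notActions", [])

    def allowed(req):
        # notActions subtract from actions, so any overlap blocks the requirement.
        return (any(covers(g, req) for g in granted)
                and not any(covers(d, req) or covers(req, d) for d in denied))
    missing = [r for r in REQUIRED_ACTIONS if not allowed(r)]
    excess = [g for g in granted if not any(covers(r, g) for r in REQUIRED_ACTIONS)]
    return {"missing": missing, "excess": excess}

if __name__ == "__main__":
    print(audit_role(SAMPLE_ROLE))
```

An empty `missing` list with a non-empty `excess` list indicates a role that works for provisioning but grants more than the page requires.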