Permissions for Service provisioning
When using Microsoft PowerShell to provision new Nimbus services, the following permissions are granted automatically:
| Component | When are permissions granted | Purpose |
|---|---|---|
| Nimbus App | On each run of the script/runbook | Retrieves information about MS Teams users, their team memberships and roles, and group memberships |
| Calling Bot | On each run of the script, or when the new team is created by the runbook | Responsible for the team calls (regardless of team/workflow configuration) |
| Media Bot | On each run of the script/runbook | Allows Voice Message recordings to be made |
If not already granted by a Tenant administrator, additional Required User Permissions may be requested from each service user individually upon first login to Nimbus. Not granting these permissions may affect internal user search fields such as the one in Attendant Console.
The Microsoft.Graph.* modules used by the Provisioning Script require permissions that need to be granted for the Microsoft Graph PowerShell Enterprise application:

| Permission | Permission Type | Granted By | Purpose |
|---|---|---|---|
| Application.ReadWrite.All | Delegated | Tenant Admin | Read and write all applications |
| AppRoleAssignment.ReadWrite.All | Delegated | Tenant Admin | Manage app permission grants and app role assignments |
| DelegatedPermissionGrant.ReadWrite.All | Delegated | Tenant Admin | Manage all delegated permission grants |
| Domain.Read.All | Delegated | Tenant Admin | Read domains |
| Organization.Read.All | Delegated | Tenant Admin | Read organization information |
| User.ReadWrite.All | Delegated | Tenant Admin | Read and write all users' full profiles |
| openid | Delegated | Tenant Admin | Sign users in |
| profile | Delegated | Tenant Admin | View users' basic profile |
| offline_access | Delegated | Tenant Admin | Maintain access to data you have given it access to |
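To verify the tenant state before the provisioning script is run, the following added PowerShell check (not part of the Nimbus documentation or its script) compares the admin-consented delegated scopes of the Microsoft Graph PowerShell enterprise application against the list above and reports what is missing or in excess. The well-known app id, the module names and the read-only audit scopes are assumptions stated in the comments.

```powershell
# Added example, not part of the Nimbus documentation or its provisioning script:
# report which of the delegated permissions listed above have been admin-consented
# for the Microsoft Graph PowerShell enterprise application.
# Assumes the Microsoft.Graph.Authentication, Microsoft.Graph.Applications and
# Microsoft.Graph.Identity.SignIns modules are installed.

$required = @(
    'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All',
    'DelegatedPermissionGrant.ReadWrite.All', 'Domain.Read.All',
    'Organization.Read.All', 'User.ReadWrite.All',
    'openid', 'profile', 'offline_access'
)

# The audit itself only needs read scopes (least privilege for the reviewer).
Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.Read.All'

# Well-known public app id of "Microsoft Graph Command Line Tools", the
# enterprise application the Microsoft.Graph.* modules sign in as (assumed here).
$graphCliAppId = '14d82eec-204b-4c2f-b7e8-296a70dab67e'
$sp = Get-MgServicePrincipal -Filter "appId eq '$graphCliAppId'"
if (-not $sp) {
    throw 'Microsoft Graph PowerShell enterprise application is not present in this tenant.'
}

# Tenant-wide admin consent is stored as an oauth2PermissionGrant whose
# consentType is 'AllPrincipals'; per-user consent has consentType 'Principal'.
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All

$adminScopes = $grants |
    Where-Object { $_.ConsentType -eq 'AllPrincipals' } |
    ForEach-Object { $_.Scope -split '\s+' } |
    Where-Object { $_ } |
    Sort-Object -Unique

$missing = $required    | Where-Object { $_ -notin $adminScopes }
$extra   = $adminScopes | Where-Object { $_ -notin $required }

if ($missing) {
    Write-Warning ('Tenant-wide consent is missing for: ' + ($missing -join ', '))
} else {
    Write-Host 'All required delegated permissions are admin-consented.'
}
# Scopes beyond the documented list are worth reviewing: the provisioning
# script does not need them, so they only widen what this app can do.
if ($extra) {
    Write-Host ('Additional admin-consented scopes on this app: ' + ($extra -join ', '))
}
Disconnect-MgGraph
```

Run it from a Tenant Admin session; users who consented individually show up as `Principal` grants and are deliberately not counted as tenant-wide consent.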
Permissions by Products / Features
Columns 1 to 6 mark with "yes" or "-" which product or feature uses the permission (the headings of these six columns are missing from the source table).

| Permission | Permission Type | Granted By | 1 | 2 | 3 | 4 | 5 | 6 | Purpose / Usage Scenario |
|---|---|---|---|---|---|---|---|---|---|
| Calls.AccessMedia.All | Application | Tenant Admin | yes | yes | yes | - | - | - | Calling Bot - DTMF tones; Media Bot - Record VM |
| Calls.Initiate.All | Application | Tenant Admin | yes | yes | yes | - | - | - | Calling Bot - Contact Users (Distribute Calls) |
| Calls.InitiateGroupCall.All | Application | Tenant Admin | yes | yes | yes | - | yes | - | Calling Bot - Contact Users (Distribute Calls); Interact - Contact Users (Distribute Calls) |
| Calls.JoinGroupCall.All | Application | Tenant Admin | yes | yes | yes | - | yes | - | Calling Bot - Join an escalated Call; Media Bot - Join an escalated Call; Interact - Join a Meeting Call |
| Channel.ReadBasic.All | Application | Tenant Admin | yes | yes | yes | - | - | - | Nimbus App - Get Channels to post Adaptive (Voice Message) Cards |
| GroupMember.Read.All | Application | Tenant Admin | yes | yes | yes | - | - | - | Nimbus App - Get Team Members; Nimbus App - Read Security Groups (allows the app to list groups, read basic group properties and read membership of all groups the signed-in user has access to) |
| OnlineMeetings.Read.All | Application | Tenant Admin | - | - | - | - | yes | - | Interact - Read online Meeting details |
| OnlineMeetings.ReadWrite.All | Application | Tenant Admin | - | - | - | - | yes | - | Interact - Read and create online meetings |
| User.Read.All | Application | Tenant Admin | | | | | | | Nimbus App; User - Nimbus UI; Nimbus App - Get CallerInformation |

Why is User.Read.All necessary? Nimbus reads the complete profile of all users to determine group memberships within the organization. Nimbus needs this information to correctly identify users via search (→ also see the "Covered Search Fields" chapter below).

Note: Nimbus does not store any of the exchanged data. The permissions are primarily used to display live data during daily usage of the product.

| Permission | Permission Type | Granted By | 1 | 2 | 3 | 4 | 5 | 6 | Purpose / Usage Scenario |
|---|---|---|---|---|---|---|---|---|---|
| Presence.Read.All | Delegated | Tenant Admin | yes | yes | yes | - | - | - | Nimbus App - Optional permission granted via Tenant Administration > "Presence Tracking" for external Azure guest accounts |
| User.ReadBasic.All | Delegated | Tenant Admin | yes | yes | yes | - | - | - | Nimbus App - Optional permission granted via Tenant Administration > "Presence Tracking" for external Azure guest accounts |
| Calendars.Read | Delegated | User | - | - | - | yes | - | - | Attendant Console - Read the Calendar of the logged-in user to show the Calendar with appointments |
| Calendars.Read.Shared | Delegated | User | - | - | - | yes | - | - | Attendant Console - Read Shared Calendars to show the Calendar with appointments |
| Contacts.Read | Delegated | User | - | - | - | yes | - | - | Attendant Console - Search in the Exchange Contacts of the logged-in user |
| Contacts.Read.Shared | Delegated | User | - | - | - | yes | - | - | Attendant Console - Search in the Shared Exchange Contacts |
| Presence.Read.All | Delegated | User | - | - | - | yes | - | - | Attendant Console - Show Presence in Contact Search on the Attendant Console page |
| User.Read | Delegated | User | yes | yes | yes | - | - | - | Nimbus App - Get user information (from the logged-in user) |
| User.ReadBasic.All | Delegated | User | yes | yes | yes | - | - | - | Nimbus App - Limited user search. Nimbus needs to know the channels of the logged-in user. |
| Teams.ManageCalls | Delegated | User | - | - | - | - | - | yes | Assistant App - Manage calls in Teams through ACS |
| Teams.ManageChat | Delegated | User | - | - | - | - | - | yes | Assistant App - Manage chat in Teams through ACS |
| User.Read.All | Delegated | Tenant Admin | - | - | - | - | - | yes | Assistant App - Read all users' full profile |
| Presence.Read | Delegated | User | - | - | - | - | - | yes | Assistant App - Read users' presence information |
Covered Search Fields
Nimbus uses User.Read.All permissions to cover the following search fields. The sources searched are:
- Nimbus internal Address Books.
- Your O365 Tenant Directory.
- Exchange (individual user Address books). If not granted by the Tenant Admin, User Permissions need to be granted individually.
KNOWN LIMITATION: The search covers the predefined Nimbus Address Book fields, but custom fields cannot currently be searched. We are working to gradually alleviate this situation and make the search experience more consistent.

Legend for the table:
- Fields are supported by search.
- Fields additionally support "CONTAINS" as search operator.
- These fields have additional Filter capabilities. An "Advanced Search" (User.Read.All) permission must be granted by a Tenant Admin to use this feature.

| Searchable Fields and Filters | Nimbus (User Address Book) |
|---|---|
| User Principal Name | |
Search permissions are primarily required for Attendant Console and Outbound Service Call / Call On Behalf functionalities.
The following permissions are required when you need to provision multiple teams via Runbook:
- Microsoft.Web/connections/write
- Microsoft.Logic/workflows/write
- Microsoft.Automation/automationAccounts/write
- Microsoft.Automation/automationAccounts/variables/write
- Microsoft.Automation/automationAccounts/credentials/write
- Microsoft.Automation/automationAccounts/runbooks/write
- Microsoft.Automation/automationAccounts/modules/write
- Microsoft.Resources/deployments/*
- Microsoft.Resources/subscriptions/resourceGroups/*