When using either Microsoft Runbook or Microsoft PowerShell, the following permissions are granted automatically:

| Component | Permissions granted | Purpose |
|---|---|---|
| Nimbus App | on each run of the script/runbook | Retrieves information about MS Teams users, their team memberships and roles, group memberships |
| Team Bot | on each run of the script or when the new team is created by runbook | Responsible for the team calls (regardless of team/workflow configuration) |
| Media Bot | on each run of the script/runbook | Allows making Voice Message recordings |

Note: Team users or Tenant admins can manually grant further rights via the Service Settings. These permissions are mostly needed for additional features such as Attendant Console.


Permissions required for operation

Can be granted by: Tenant Admin / User

| Permission | Nimbus App | Team Bot | Media Bot | Nimbus UI | Permission Type | Needed for |
|---|---|---|---|---|---|---|
| Calls.AccessMedia.All | - | ✓ | ✓ | - | Application | Team Bot - DTMF tones; Media Bot - Record VM |
| Calls.Initiate.All | - | ✓ | - | - | Application | Team Bot - Contact Users (Distribute Calls) |
| Calls.InitiateGroupCall.All | - | ✓ | - | - | Application | Team Bot - Contact Users (Distribute Calls) |
| Calls.JoinGroupCall.All | - | ✓ | ✓ | - | Application | Join an escalated Call |
| Group.Read.All | ✓ | - | - | - | Application | Get Team Members, Read Security Groups |
| User.Read.All | ✓ | - | - | ✓ | Application | Nimbus App - Get CallerInformation; Nimbus UI - Full Search Users |
| Calendars.Read | - | - | - | ✓ | Delegated | Attendant Console: Read Calendar of the logged-in user to show Calendar with appointments |
| Calendars.Read.Shared | - | - | - | ✓ | Delegated | Attendant Console: Read Shared Calendars to show Calendar with appointments |
| Contacts.Read | - | - | - | ✓ | Delegated | Attendant Console: Search in the Exchange Contacts of the logged-in user |
| Contacts.Read.Shared | - | - | - | ✓ | Delegated | Attendant Console: Search in the Shared Exchange Contacts |
| Presence.Read.All | - | - | - | ✓ | Delegated | Show Presence in Contact Search on Attendant Console page |
| User.Read | - | - | - | ✓ | Delegated | Get UserInformation (from logged in user) |
| User.ReadBasic.All | - | - | - | ✓ | Delegated | Limited User Search |

Runbook Permissions

The following permissions are required when you need to provision multiple teams via Runbook.

Microsoft.Web/connections/write
Microsoft.Logic/workflows/write

Microsoft.Automation/automationAccounts/write
Microsoft.Automation/automationAccounts/variables/write
Microsoft.Automation/automationAccounts/credentials/write
Microsoft.Automation/automationAccounts/runbooks/write
Microsoft.Automation/automationAccounts/modules/write

Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/*

Note: There are also Required User Permissions that need to be granted individually by each Nimbus service user.