Tenant Admins: Please read carefully
Permissions described on this page are needed for daily operation of Nimbus and affiliated apps and components. Before you start your Nimbus Installation, please read the following page carefully to get a clear understanding on which delegated / app permissions are used to establish Nimbus functionality on your tenant.
🔎 Nimbus uses Microsoft Graph to authenticate users and retrieve data via user-delegated and direct app-only permissions. You can learn more about this principle within the official Microsoft Graph Documentation.
Permissions for Service provisioning
When Provisioning new services via our PowerShell script, the following permissions are granted automatically:
| Component | When are permissions granted | Purpose |
|---|---|---|
| Nimbus App | on each run of the script | Retrieves information about MS Teams users, their team memberships and roles, group memberships |
| Calling Bot | on each run of the script | Responsible for the team calls (regardless of team/workflow configuration) |
| Media Bot | on each run of the script | Allows to make Voice Message recordings |
| Chat Bot | in User Preferences (Portal) once by the user to register with the bot. No additional permissions are needed. | Relay service-related chat messages via adaptive cards. |
Microsoft Graph PowerShell Permissions
The Microsoft.Graph.* modules which are used by the Provisioning Script require permissions that need to be granted for the Microsoft Graph PowerShell Enterprise application:
| Permission |
Permission Type |
Granted By | Purpose |
|---|---|---|---|
| Application.ReadWrite.All | Delegated | Tenant Admin | Read and write all applications |
| AppRoleAssignment.ReadWrite.All | Delegated | Tenant Admin | Manage app permission grants and app role assignments |
| DelegatePermissionGrant.ReadWrite.All | Delegated | Tenant Admin | Manage all delegated permission grants |
| Domain.Read.All | Delegated | Tenant Admin | Read domains |
| Organization.Read.All | Delegated | Tenant Admin | Read organization information |
| Users.ReadWrite.All | Delegated | Tenant Admin | Read and write all users' full profiles |
| openid | Delegated | Tenant Admin | Sign users in |
| profile | Delegated | Tenant Admin | View users's basic profile |
| offline_access | Delegated | Tenant Admin | Maintain access to data you have given it access |
Permissions by Products / Features
| Permission | Permission Type | Granted By | Advanced Routing | Enterprise Routing | Contact Center | Attendant Console | Interact | Assistant | Purpose / Usage Scenario |
|---|---|---|---|---|---|---|---|---|---|
| Calls.AccessMedia.All | Application | Tenant Admin | yes | yes | yes | - | - | - | Calling Bot - DTMF tones Media Bot - Record VM |
| Calls.Initiate.All | Application | Tenant Admin | yes | yes | yes | - | - | - | Calling Bot - Contact Users (Distribute Calls) |
| Calls.InitiateGroupCall.All | Application | Tenant Admin | yes | yes | yes | - | yes | - | Calling Bot - Contact Users (Distribute Calls) Interact - Contact Users (Distribute Calls) |
| Calls.JoinGroupCall.All | Application | Tenant Admin | yes | yes | yes | - | yes | - | Calling Bot - Join an escalated Call Media Bot - Join an escalated Call Interact - Join a Meeting Call |
| Channel.ReadBasic.All | Application | Tenant Admin | yes | yes | yes | - | - | - | Nimbus App - Get Channels to post Adaptive (Voice Message) Cards. |
| GroupMember.Read.All | Application | Tenant Admin | yes | yes | yes | - | - | - | Nimbus App - Get Team Members Nimbus App - Read Security Groups Allows the app to list groups, read basic group properties and read membership of all groups the signed-in user has access to. |
| OnlineMeetings.Read.All | Application | Tenant Admin | - | - | - | - | yes | - | Interact - Read online Meeting details |
| OnlineMeetings.ReadWrite.All | Application | Tenant Admin | - | - | - | - | yes | - | Interact - Read and create online meetings |
| User.Read.All | Application | Tenant Admin - Nimbus App User - Nimbus UI |
yes | yes | yes | - | yes | - |
Nimbus App - Get CallerInformation 🤔 Why is this necessary? Nimbus reads the complete profile of all users to determine group memberships within the organization. Nimbus needs this information to correctly identify users via search (→ also see "Covered Search Fields" chapter below). 🔍 Note: Nimbus does not store any of the exchanged data. The permissions are primarily used to display live data during daily usage of the product. |
| Mail.ReadWrite | Application | Tenant Admin | yes | yes | yes | - | - | - | Nimbus App - Optional permission required for Mailboxes in order to enable Email Handling for services. |
| Mail.Send | Application | Tenant Admin | yes | yes | yes | - | - | - | Nimbus App - Optional permission required for Mailboxes in order to enable Email Handling for services. |
| Presence.Read.All | Delegated | Tenant Admin | yes | yes | yes | - | - | - | Nimbus App - Optional permission granted via Tenant Administration > "Presence Tracking" for external Azure guest accounts. |
| User.Read | Delegated | Tenant Admin | yes | yes | yes | - | - | yes | Nimbus App - Optional permission granted via Tenant Administration > "Presence Tracking" for external Azure guest accounts. |
| User.ReadBasic.All | Delegated | Tenant Admin | yes | yes | yes | - | - | - | Nimbus App - Optional permission granted via Tenant Administration > "Presence Tracking" for external Azure guest accounts. |
| Calendars.Read | Delegated | User | - | - | - | yes | - | - | Attendant Console - Read Calendar of the logged-in user show Calendar with appointments |
| Calendars.Read.Shared | Delegated | User | - | - | - | yes | - | - | Attendant Console - Read Shared Calendars to show Calendar with appointments |
| Contacts.Read | Delegated | User | - | - | - | yes | - | - | Attendant Console - Search in the Exchange Contacts of the logged-in user |
| Contacts.Read.Shared | Delegated | User | - | - | - | yes | - | - | Attendant Console - Search in the Shared Exchange Contacts |
| Presence.Read.All | Delegated | User | - | - | - | yes | - | - | Attendant Console - Show Presence in Contact Search on Attendant Console page |
| User.Read | Delegated | User | yes | yes | yes | - | - | - | Nimbus App - Get user information (from logged in user) |
| User.ReadBasic.All | Delegated | User | yes | yes | yes | - | - | - | Nimbus App - Limited user search. Nimbus needs to know the channels/channels of the logged in user. |
| Teams.ManageCalls | Delegated | User | - | - | - | - | - | yes | Assistant App - Manage calls in Teams through ACS |
| Teams.ManageChat | Delegated | User | - | - | - | - | - | yes | Assistant App - Manage chat in Teams through ACS |
| User.Read.All | Delegated | Tenant Admin | - | - | - | - | - | yes | Assistant App - Read all users' full profile |
| Presence.Read | Delegated | User | - | - | - | - | - | yes | Assistant App - Read users' presence information |
User Search Permissions
Related: User Permissions
INC Supported User Search Fields
Required Permissions
☝ User.Read.All permissions must be granted to use this feature. As a Tenant Admin, head to the Nimbus Portal > User Preferences > Permissions "Tab" > Advanced Search and manage consent for your entire tenant. Read Required User Permissions for more details.
Legend
✅ Fields are supported by search.
🔍 Fields additionally support "CONTAINS" as search operator. Example: Searching for 'cha' will not only find 'Chadwick' but also 'Michael'
➕ These fields support Filter capabilities which can be used to narrow down a contact search in Attendant Console.
☝ KNOWN LIMITATION: The search covers the predefined Nimbus Address Books fields, but no custom-fields can currently be searched. We are working to gradually alleviate this situation and make the search experience more consistent.
| Searchable Field | Nimbus Address Books |
O365 Tenant Directory |
Exchange (User Address Book) |
Notes |
|---|---|---|---|---|
| Id | Nimbus internal entity ID | |||
| External.Id | ID the system where the entry was imported from. | |||
| Display Name | ✅ 🔍 | ✅ | ✅ 🔍 | Firstname / Lastname combination |
| Given Name | ✅ | First name | ||
| First Name | ✅ 🔍 | First name | ||
| Last Name | ✅ 🔍 | Last / Family name | ||
| Initials | ✅ 🔍 | Initials (e.g. "JK") | ||
| Surname | ✅ | Surname | ||
| ✅ 🔍 | ✅ | ✅ | Email Address | |
| User Principal Name | ✅ 🔍 | ✅ | Consists of: user name (logon name), separator (the @ symbol) and domain name (UPN suffix) | |
| Job Title | ✅ 🔍 ➕ | ✅ ➕ ☝ | ✅ 🔍 ➕ ☝ | Job Title |
| Business Phones | ✅ 🔍 | Business Phone | ||
| Home Phones | ✅ 🔍 | Home Phone | ||
| Mobile Phones | ✅ 🔍 | Mobile Phone | ||
| IM Address | ✅ 🔍 | IM SIP Address | ||
| Street | ✅ 🔍 | Streed Address | ||
| City | ✅ 🔍 ✅ | ✅ ➕ ☝ | Code and City | |
| Company | ✅ 🔍 ✅ | ✅ ➕ ☝ | Company | |
| Country | ✅ 🔍 ➕ | ✅ ➕ ☝ | Country of Origin | |
| Department | ✅ 🔍 ➕ | ✅ ➕ ☝ | ✅ ➕ ☝ | Department |
| State | ✅ 🔍 ➕ | ✅ ➕ ☝ | State | |
| Postal Code | ✅ 🔍 | Postal Code | ||
| Picture, binary | User Picture | |||
| External.CustomField1-10 | Custom Field |