Tenant Admins: Please read carefully
Permissions described on this page are needed for daily operation of Nimbus and affiliated apps and components. Before you start your Nimbus Installation, please read the following page carefully to get a clear understanding on which delegated / app permissions are used to establish Nimbus functionality on your tenant.
🔎 Nimbus uses Microsoft Graph to authenticate users and retrieve data via user-delegated and direct app-only permissions. You can learn more about this principle within the official Microsoft Graph Documentation.
Permissions for Service provisioning
When Provisioning new services via our PowerShell script, the following components get permissions granted automatically:
| Component | When are permissions granted | Purpose |
|---|---|---|
| Nimbus App | on each run of the script | Retrieves information about MS Teams users, their team memberships and roles, group memberships, and presence states |
| Calling Bot | on each run of the script | Responsible for the team calls (regardless of team/workflow configuration) |
| Media Bot | on each run of the script | Allows to make voice message recordings |
| Chat Bot | in User Preferences (Portal) once by the user to register with the bot. No additional permissions are needed. | Relays service-related chat messages via adaptive cards. |
| Interact App | on each run of the script, but only when Interact is enabled | Needed for Interact. |
Microsoft Graph PowerShell Permissions
The Microsoft.Graph.* modules which are used by the Provisioning Script require the user to have the permissions that need to be granted for the Microsoft Graph PowerShell Enterprise application:
| Permission |
Permission Type |
Granted By | Purpose |
|---|---|---|---|
| Application.ReadWrite.All | Delegated | Tenant Admin | Read and write all applications |
| AppRoleAssignment.ReadWrite.All | Delegated | Tenant Admin | Manage app permission grants and app role assignments |
| DelegatePermissionGrant.ReadWrite.All | Delegated | Tenant Admin | Manage all delegated permission grants |
| Domain.Read.All | Delegated | Tenant Admin | Read domains |
| Organization.Read.All | Delegated | Tenant Admin | Read organization information |
| User.ReadWrite.All | Delegated | Tenant Admin | Read and write all users' full profiles |
| openid | Delegated | Tenant Admin | Sign users in |
| profile | Delegated | Tenant Admin | View user's basic profile |
| offline_access | Delegated | Tenant Admin | Maintain access to data you have given it access |
Permissions by Products/Features
Nimbus App
| Permission | Permission Type | Granted By | Advanced Routing | Enterprise Routing | Contact Center | Attendant Console | Interact | Assistant | Purpose / Usage Scenario |
|---|---|---|---|---|---|---|---|---|---|
| Channel.ReadBasic.All | Application | Tenant Admin | yes | yes | yes | - | - | - | Nimbus App - Get channels to post Adaptive (Voice Message) Cards. |
| GroupMember.Read.All | Application | Tenant Admin | yes | yes | yes | - | - | - |
Nimbus App - Get Team Members Allows the app to list groups, read basic group properties and read membership of all groups that the signed-in user has access to. |
| Mail.ReadWrite | Application | Tenant Admin | yes | yes | yes | - | - | - | Nimbus App - Optional permission required for Mailboxes in order to enable Email Handling for services. |
| Mail.Send | Application | Tenant Admin | yes | yes | yes | - | - | - | Nimbus App - Optional permission required for Mailboxes in order to enable Email Handling for services. |
| Presence.Read.All | Application | Tenant Admin | yes | yes | yes | - | - | - |
Nimbus App - Required permission for extended presence tracking, granted via Tenant Administration > “Presence Tracking” or by running the provisioning script as a Tenant Administrator. The presence status of MS Teams users is also determined this way, which is used for call distribution. |
| User.Read | Delegated | User | yes | yes | yes | - | - | - | Nimbus App - Get user information (from logged-in user) |
| User.Read.All | Application | Tenant Admin | yes | yes | yes | - | yes | - |
Nimbus App - Get CallerInformation 🤔 Why is this necessary? Nimbus reads the complete profile of all users to determine group memberships within the organization. Nimbus needs this information to correctly identify users via search (→ also see "User Search Permissions" section below). 🔍 Note: Nimbus does not store any of the exchanged data. The permissions are primarily used to display live data during the daily usage of the product. |
| User.ReadBasic.All | Delegated | User | yes | yes | yes | - | - | - | Nimbus App - Limited user search. Nimbus needs to know the channels of the logged-in user. |
Calling Bot
| Permission | Permission Type | Granted By | Advanced Routing | Enterprise Routing | Contact Center | Attendant Console | Interact | Assistant | Purpose / Usage Scenario |
|---|---|---|---|---|---|---|---|---|---|
| Calls.AccessMedia.All | Application | Tenant Admin | yes | yes | yes | - | - | - | Calling Bot - DTMF tones |
| Calls.Initiate.All | Application | Tenant Admin | yes | yes | yes | - | - | - | Calling Bot - Contact users (distribute calls) |
| Calls.InitiateGroupCall.All | Application | Tenant Admin | yes | yes | yes | - | yes | - | Calling Bot - Contact users (distribute calls) |
| Calls.JoinGroupCall.All | Application | Tenant Admin | yes | yes | yes | - | yes | - | Calling Bot - Join an escalated |
Media Bot
| Permission | Permission Type | Granted By | Advanced Routing | Enterprise Routing | Contact Center | Attendant Console | Interact | Assistant | Purpose / Usage Scenario |
|---|---|---|---|---|---|---|---|---|---|
| Calls.AccessMedia.All | Application | Tenant Admin | yes | yes | yes | - | - | - | Media Bot - Record voice messages |
| Calls.JoinGroupCall.All | Application | Tenant Admin | yes | yes | yes | - | yes | - | Media Bot - Join an escalated call |
Interact App
| Permission | Permission Type | Granted By | Advanced Routing | Enterprise Routing | Contact Center | Attendant Console | Interact | Assistant | Purpose / Usage Scenario |
|---|---|---|---|---|---|---|---|---|---|
| Calls.InitiateGroupCall.All | Application | Tenant Admin | yes | yes | yes | - | yes | - | Interact App - Contact users (distribute calls) |
| Calls.JoinGroupCall.All | Application | Tenant Admin | yes | yes | yes | - | yes | - | Interact App - Join a meeting call |
| OnlineMeetingArtifact.Read.All | Application | Tenant Admin | - | - | - | - | yes | - | Interact App - Fetch online meeting artifacts |
| OnlineMeetings.Read.All | Application | Tenant Admin | - | - | - | - | yes | - | Interact App - Read online meeting details |
| OnlineMeetings.ReadWrite.All | Application | Tenant Admin | - | - | - | - | yes | - | Interact App - Read and create online meetings |
Assistant App
| Permission | Permission Type | Granted By | Advanced Routing | Enterprise Routing | Contact Center | Attendant Console | Interact | Assistant | Purpose / Usage Scenario |
|---|---|---|---|---|---|---|---|---|---|
| Teams.ManageCalls | Delegated | User | - | - | - | - | - | yes | Assistant App - Manage calls in Teams through ACS |
| Teams.ManageChat | Delegated | User | - | - | - | - | - | yes | Assistant App - Manage chat in Teams through ACS |
| User.Read.All | Delegated | Tenant Admin | - | - | - | - | - | yes | Assistant App - Read all users' full profile |
| Presence.Read | Delegated | User | - | - | - | - | - | yes | Assistant App - Read users' presence information |
Attendant Console
| Permission | Permission Type | Granted By | Advanced Routing | Enterprise Routing | Contact Center | Attendant Console | Interact | Assistant | Purpose / Usage Scenario |
|---|---|---|---|---|---|---|---|---|---|
| Calendars.Read | Delegated | User | - | - | - | yes | - | - | Attendant Console - Read calendar of the logged-in user show calendar with appointments |
| Calendars.Read.Shared | Delegated | User | - | - | - | yes | - | - | Attendant Console - Read shared calendars to show calendar with appointments |
| Contacts.Read | Delegated | User | - | - | - | yes | - | - | Attendant Console - Search in the exchange contacts of the logged-in user |
| Contacts.Read.Shared | Delegated | User | - | - | - | yes | - | - | Attendant Console - Search in the shared exchange contacts |
| Presence.Read.All | Delegated | Tenant Admin | - | - | - | yes | - | - | Attendant Console - Show presence in contact search on Attendant Console page |
User Search Permissions
Related: User Permissions
INC Supported User Search Fields
Required Permissions
☝ User.Read.All permissions must be granted to use this feature. As a Tenant Admin, head to the Nimbus Portal > User Preferences > Permissions "Tab" > Advanced Search and manage consent for your entire tenant. Read Required User Permissions for more details.
Legend
✅ Fields are supported by search.
🔍 Fields additionally support "CONTAINS" as search operator. Example: Searching for 'cha' will not only find 'Chadwick' but also 'Michael'
➕ These fields support Filter capabilities which can be used to narrow down a contact search in Attendant Console.
☝ KNOWN LIMITATION: The search covers the predefined Nimbus Address Books fields, but no custom-fields can currently be searched. We are working to gradually alleviate this situation and make the search experience more consistent.
| Searchable Field | Nimbus Address Books |
O365 Tenant Directory |
Exchange (User Address Book) |
Notes |
|---|---|---|---|---|
| Id | Nimbus internal entity ID | |||
| External.Id | ID the system where the entry was imported from. | |||
| Display Name | ✅ 🔍 | ✅ | ✅ 🔍 | Firstname / Lastname combination |
| Given Name | ✅ | First name | ||
| First Name | ✅ 🔍 | First name | ||
| Last Name | ✅ 🔍 | Last / Family name | ||
| Initials | ✅ 🔍 | Initials (e.g. "JK") | ||
| Surname | ✅ | Surname | ||
| ✅ 🔍 | ✅ | ✅ | Email Address | |
| User Principal Name | ✅ 🔍 | ✅ | Consists of: user name (logon name), separator (the @ symbol) and domain name (UPN suffix) | |
| Job Title | ✅ 🔍 ➕ | ✅ ➕ ☝ | ✅ 🔍 ➕ ☝ | Job Title |
| Business Phones | ✅ 🔍 | Business Phone | ||
| Home Phones | ✅ 🔍 | Home Phone | ||
| Mobile Phones | ✅ 🔍 | Mobile Phone | ||
| IM Address | ✅ 🔍 | IM SIP Address | ||
| Street | ✅ 🔍 | Streed Address | ||
| City | ✅ 🔍 ✅ | ✅ ➕ ☝ | Code and City | |
| Company | ✅ 🔍 ✅ | ✅ ➕ ☝ | Company | |
| Country | ✅ 🔍 ➕ | ✅ ➕ ☝ | Country of Origin | |
| Department | ✅ 🔍 ➕ | ✅ ➕ ☝ | ✅ ➕ ☝ | Department |
| State | ✅ 🔍 ➕ | ✅ ➕ ☝ | State | |
| Postal Code | ✅ 🔍 | Postal Code | ||
| Picture, binary | User Picture | |||
| External.CustomField1-10 | Custom Field |