Table of contents
- Microsoft application permissions – skybow M365 Connectors
- Microsoft API access - Azure AD-secured APIs from SharePoint Framework components and scripts
Some functions and action types only work once additional permissions have been granted. Which permissions are required, and where each of them is used, is described below.
Microsoft application permissions - skybow M365 Connectors
Microsoft application permissions are used to run some Scheduled and Triggered actions in the background, i.e. without a signed-in user. When an M365 action is added for the first time, a link to approve the connector is shown:
The skybow M365 Connectors must be approved per tenant and per solution by a global administrator. As an additional safeguard, the sites on which the configured actions may be used must also be approved:
There are currently six connectors, so that the requested Microsoft Graph permissions are split by area. Admin consent is all or nothing per connector: each connector must be trusted with all of its permissions and cannot be granted a subset of them.
skybow Exchange Connector
| API name | Permission | Description |
| --- | --- | --- |
| Microsoft Graph | Mail.Send | Allows the app to send emails from a mailbox specified by the administrator |

Used in actions:
- Send email

After approving this app, a global admin must provide the sender mailbox that the background actions (Scheduled and Triggered actions) use to send email. Note that Mail.Send as an application permission is tenant-wide on the Microsoft side: the sender setting chooses which mailbox skybow sends from, but only an Exchange Online application access policy restricts which mailboxes the connector's token can send from at all.
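As an added example (not skybow's own code or documentation), the following Exchange Online PowerShell restricts the connector's Mail.Send application permission to the configured sender mailbox, so that the token cannot send as any other mailbox even if it were misused. The application (client) ID of the skybow Exchange Connector, the sender address and the group name are placeholders and constructed values; the app ID can be looked up under Enterprise applications in the Entra admin center.

```powershell
# Added example: restrict the skybow Exchange Connector's Mail.Send application
# permission to a single sender mailbox with an Exchange Online application access policy.
# Not skybow code. $AppId is a placeholder for the connector's application (client) ID;
# the mailbox and group names are constructed values.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$AppId  = '00000000-0000-0000-0000-000000000000'   # placeholder: skybow Exchange Connector app ID
$Sender = 'skybow-sender@contoso.com'              # constructed: the mailbox configured as sender

# The policy scope must be a mail-enabled security group; it contains only the sender mailbox.
$Scope = New-DistributionGroup -Name 'skybow-mail-send-scope' -Type Security -Members $Sender

New-ApplicationAccessPolicy -AppId $AppId `
    -PolicyScopeGroupId $Scope.PrimarySmtpAddress `
    -AccessRight RestrictAccess `
    -Description 'Limit skybow Exchange Connector (Mail.Send) to the configured sender mailbox'

# Verify: the configured sender reports Granted, any other mailbox reports Denied.
# A new policy can take up to about 30 minutes to take effect.
Test-ApplicationAccessPolicy -Identity $Sender -AppId $AppId
Test-ApplicationAccessPolicy -Identity 'finance@contoso.com' -AppId $AppId
```

The policy applies to the application permission regardless of what is configured in skybow; if the sender mailbox is changed later, the scope group has to be updated as well or the Send email action will start failing.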
skybow Compliance Connector
| API name | Permission | Description |
| --- | --- | --- |
| Microsoft Graph | RecordsManagement.ReadWrite.All | Allows the application to create, update and delete any data from Records Management, such as configuration, labels, and policies, without a signed-in user. |

Used in actions:
- Apply retention label
- Create retention label
skybow Groups Connector
| API name | Permission | Description |
| --- | --- | --- |
| Microsoft Graph | Contacts.ReadWrite | Allows the app to create, read, update, and delete all contacts in all mailboxes without a signed-in user. |
| Microsoft Graph | Directory.ReadWrite.All | Allows the app to read and write data in your organization's directory, such as users and groups, without a signed-in user. Does not allow user or group deletion. |
| Microsoft Graph | Group.ReadWrite.All | Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write conversations. All of these operations can be performed by the app without a signed-in user. |
| Microsoft Graph | GroupMember.ReadWrite.All | Allows the app to list groups, read basic properties, and read and update the membership of the groups this app has access to, without a signed-in user. Group properties and owners cannot be updated and groups cannot be deleted. |
| Microsoft Graph | Reports.Read.All | Allows the app to read all service usage reports without a signed-in user. Services that provide usage reports include Office 365 and Azure Active Directory. |
| Microsoft Graph | User.Read.All | Allows the app to read user profiles without a signed-in user. |

Used in actions:
- Add group to lifecycle policy
- Create group
- Delete group
- Get group activity
- Set group lifecycle policy
- Update group
skybow Teams Connector
| API name | Permission | Description |
| --- | --- | --- |
| Microsoft Graph | AppCatalog.Read.All | Allows the app to read apps in the app catalogs without a signed-in user. |
| Microsoft Graph | Calendars.ReadWrite | Allows the app to create, read, update, and delete events of all calendars without a signed-in user. |
| Microsoft Graph | ChannelMember.ReadWrite.All | Add and remove members from all channels, without a signed-in user. Also allows changing a member's role, for example from owner to non-owner. |
| Microsoft Graph | ChannelSettings.ReadWrite.All | Read and write the names, descriptions, and settings of all channels, without a signed-in user. |
| Microsoft Graph | Directory.ReadWrite.All | Allows the app to read and write data in your organization's directory, such as users and groups, without a signed-in user. Does not allow user or group deletion. |
| Microsoft Graph | Group.ReadWrite.All | Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write conversations. All of these operations can be performed by the app without a signed-in user. |
| Microsoft Graph | Sites.ReadWrite.All | Allows the app to create, read, update, and delete documents and list items in all site collections without a signed-in user. |
| Microsoft Graph | Tasks.ReadWrite.All | Allows the app to create, read, update and delete all users' tasks and task lists in your organization, without a signed-in user. |
| Microsoft Graph | TeamMember.ReadWrite.All | Add and remove members from all teams, without a signed-in user. Also allows changing a team member's role, for example from owner to non-owner. |
| Microsoft Graph | TeamsAppInstallation.ReadWriteForTeam.All | Allows the app to read, install, upgrade, and uninstall Teams apps in any team, without a signed-in user. Does not give the ability to read application-specific settings. |
| Microsoft Graph | TeamsAppInstallation.ReadWriteForUser.All | Allows the app to read, install, upgrade, and uninstall Teams apps for any user, without a signed-in user. Does not give the ability to read application-specific settings. |
| Microsoft Graph | TeamSettings.ReadWrite.All | Read and change all teams' settings, without a signed-in user. |
| Microsoft Graph | TeamworkTag.ReadWrite.All | Allows the app to read and write tags in Teams without a signed-in user. |

Used in actions:
- Add members to channel
- Add members to tag
- Add members to team
- Clone channel
- Clone team
- Create channel
- Create invite
- Create meeting
- Create tab
- Create tag
- Create team
- Create team from existing group
- Delete meeting
- Get channel
- Get meetings
- Get team
- Remove members from channel
- Remove members from tag
- Remove members from team
- Send message
- Update channel
- Update meeting
- Update tab
- Update tag
- Update team
skybow Planner Connector
| API name | Permission | Description |
| --- | --- | --- |
| Microsoft Graph | Directory.ReadWrite.All | Allows the app to read and write data in your organization's directory, such as users and groups, without a signed-in user. Does not allow user or group deletion. |
| Microsoft Graph | Group.ReadWrite.All | Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write conversations. All of these operations can be performed by the app without a signed-in user. |
| Microsoft Graph | Tasks.ReadWrite.All | Allows the app to create, read, update and delete all users' tasks and task lists in your organization, without a signed-in user. |
| Microsoft Graph | User.Read.All | Allows the app to read user profiles without a signed-in user. |

Used in actions:
- Clone plan
- Create bucket
- Create plan
- Create task
- Delete task
- Update task
skybow Users Connector
| API name | Permission | Description |
| --- | --- | --- |
| Microsoft Graph | User.Invite.All | Allows the app to invite guest users to the organization, without a signed-in user. |
| Microsoft Graph | User.Read.All | Allows the app to read user profiles without a signed-in user. |
| SharePoint | User.Read.All | Allows the app to read user profiles without a signed-in user. |

Used in actions:
- Get user profile
- Invite guest user
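Because consent to a connector is all or nothing, it is worth checking afterwards what each connector service principal actually holds in the tenant and comparing that with the tables above. The following Microsoft Graph PowerShell is an added example, not skybow code; it assumes the Microsoft.Graph PowerShell SDK and that the connectors appear in Entra ID with display names beginning with "skybow", as in the headings above.

```powershell
# Added example (not skybow code): list the application permissions (app roles) actually
# granted to each skybow connector service principal, resolved to their permission names,
# so the grant can be compared with the connector tables.
# Assumption: the connectors appear in Entra ID with display names starting with "skybow".
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes 'Application.Read.All'

# Cache: resource service principal ID -> @{ Name = <display name>; Roles = @{ appRoleId -> value } }
$resourceRoles = @{}

function Resolve-AppRoleName {
    param([string]$ResourceId, [string]$AppRoleId)
    if (-not $resourceRoles.ContainsKey($ResourceId)) {
        # The resource (Microsoft Graph, SharePoint Online, ...) publishes its app roles;
        # an assignment only carries the role GUID, so look the name up once per resource.
        $resource = Get-MgServicePrincipal -ServicePrincipalId $ResourceId
        $roles = @{}
        foreach ($r in $resource.AppRoles) { $roles[$r.Id] = $r.Value }
        $resourceRoles[$ResourceId] = @{ Name = $resource.DisplayName; Roles = $roles }
    }
    $entry = $resourceRoles[$ResourceId]
    return "$($entry.Name): $($entry.Roles[$AppRoleId])"
}

$connectors = Get-MgServicePrincipal -Filter "startswith(displayName,'skybow')" -All
foreach ($sp in $connectors) {
    $granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
        ForEach-Object { Resolve-AppRoleName -ResourceId $_.ResourceId -AppRoleId $_.AppRoleId } |
        Sort-Object
    [pscustomobject]@{
        Connector   = $sp.DisplayName
        AppId       = $sp.AppId
        Permissions = ($granted -join '; ')
    }
}
```

An individual app role assignment can be removed later under Enterprise applications (or with Remove-MgServicePrincipalAppRoleAssignment), but the actions listed for that permission will then fail; the tables above show which ones.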
Microsoft API access - Azure AD-secured APIs from SharePoint Framework components and scripts
Delegated permissions granted via API access are used by client-side features such as Modern Forms, List Actions, Automation actions and function placeholders.
Delegated means that the call runs as the signed-in user and is subject to that user's permissions on the requested resource. For example, a user can only send email from their own mailbox or from mailboxes on which they hold "Send As" permissions in Exchange; sending email as an arbitrary user is not possible.
API access requests can be approved in the SharePoint Admin Center under Advanced > API access, or directly via this link:
https://[yourtenant]-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/webApiPermissionManagement
All API access requests needed by skybow Solution Studio become available for approval once the first solution has been added to a tenant.
Each access request can be approved separately, and all of them are optional: Solution Studio runs without them, and only the features listed below need them. Grants approved here are made to the tenant-wide "SharePoint Online Client Extensibility Web Application Principal", so they can be used by any SharePoint Framework component or script in the tenant, not only by skybow; approve only the scopes whose features you actually use.
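The same triage can be scripted instead of clicking through the admin center. The following PnP PowerShell is an added example, not skybow code: it approves only an allow-list of (resource, scope) pairs and leaves every other pending request untouched, so requests from other solutions are not denied by accident. It assumes PnP.PowerShell is installed, that $PnPClientId holds the client ID of your own Entra app registration used for PnP, and the tenant name "contoso" is constructed.

```powershell
# Added example (not skybow code): review the pending SharePoint Framework API access
# requests and approve only an allow-list of (resource, scope) pairs; the rest stay pending.
# Assumptions: PnP.PowerShell is installed, $PnPClientId is the client ID of your own
# Entra app registration used for PnP, and the tenant name 'contoso' is constructed.
Import-Module PnP.PowerShell
Connect-PnPOnline -Url 'https://contoso-admin.sharepoint.com' -Interactive -ClientId $PnPClientId

# Scopes whose features (see the table of delegated permissions) are in use in this tenant.
$allowList = @(
    @{ Resource = 'Microsoft Graph'; Scope = 'User.Read.All' },
    @{ Resource = 'Microsoft Graph'; Scope = 'Directory.Read.All' }
)

foreach ($request in Get-PnPTenantServicePrincipalPermissionRequests) {
    $match = $allowList | Where-Object { $_.Resource -eq $request.Resource -and $_.Scope -eq $request.Scope }
    if ($match) {
        Approve-PnPTenantServicePrincipalPermissionRequest -RequestId $request.Id -Force
        Write-Host "Approved $($request.Resource) $($request.Scope) (requested by $($request.PackageName))"
    } else {
        # Deny-PnPTenantServicePrincipalPermissionRequest would reject it; leaving it pending keeps
        # the option open for later.
        Write-Host "Left pending: $($request.Resource) $($request.Scope) (requested by $($request.PackageName))"
    }
}

# The resulting grants belong to the tenant-wide "SharePoint Online Client Extensibility
# Web Application Principal" and are usable by any SPFx component, so review the full list.
Get-PnPTenantServicePrincipalPermissionGrants
```

A grant that is no longer needed can be removed again with Revoke-PnPTenantServicePrincipalPermission, using the ObjectId shown by Get-PnPTenantServicePrincipalPermissionGrants.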
The following table describes which access rights are used for certain functionalities:
| API name | Permission | Description | Used in |
| --- | --- | --- | --- |
| Microsoft Graph | Directory.Read.All | Allows the app/solution to read data in your organization's directory, such as users, groups, and apps. | Function placeholders [[@User.IsMemberOfAADGroup('Type existing Azure AD group name')]] and [[@User.IsMemberOfGroup('Type existing SharePoint group name', true)]]; 'Channel' resource type in the 'Microsoft Teams' data source of the Data lookup control |
| Microsoft Graph | ExternalConnection.Read.All | Allows the app to read all external connections on behalf of a signed-in user. The signed-in user must be an administrator. | 'Microsoft Graph Connector' data source in the Data lookup control |
| Microsoft Graph | ExternalItem.Read.All | Allows the app to read external datasets and content, on behalf of the signed-in user. | 'Microsoft Graph Connector' data source in the Data lookup control |
| Microsoft Graph | Mail.Send | Allows the app/solution to send mail as users in the organization. | |
| Microsoft Graph | Mail.ReadWrite | Allows the app to create, read, update, and delete email in user mailboxes. Does not include permission to send mail. | Sending attachments with a total size of more than 3 MB in the Send email action (Microsoft Graph requires such attachments to be uploaded to a draft message through an upload session, which needs Mail.ReadWrite) |
| Microsoft Graph | Team.ReadBasic.All | Read the names and descriptions of teams, on behalf of the signed-in user. | 'Microsoft Teams' data source in the Data lookup control |
| Microsoft Graph | TermStore.ReadWrite.All | Allows the app to read or modify data that the signed-in user has access to. This includes all sets, groups and terms in the term store. | Managed metadata taxonomy picker (allows adding new terms) |
| Microsoft Flow Service | User | Access Microsoft Flow as the signed-in user | 'Microsoft Flow Service' authorization option in the Start Power Automate / Azure Function action |
| Microsoft Graph | User.Invite.All | Allows the app to create an invitation for external users. The invitation is used to add external users to the organization. On invitation creation, the invited user is added as an external user to Microsoft Entra ID. To access any resources the invited user has to go through the redemption process. | |
| Microsoft Graph | User.Read.All | Allows the app to read all users' full profiles | |