Table of contents
- Microsoft Graph application permissions - skybow M365 Connectors
- Microsoft Graph delegated permissions - Azure AD-secured APIs from SharePoint Framework components and scripts
Additional permissions may be required for specific functions or action types to work. Which ones they are and where they are used is described further in this article.
Microsoft Graph application permissions - skybow M365 Connectors
Microsoft Graph application permissions are used to run some Scheduled and Triggered actions in the background, i.e. under the connector's own identity rather than a signed-in user. When an M365 action is added for the first time, a link to approve it is shown:
The skybow M365 Connectors must be approved per tenant and per solution by a global administrator. As an additional safeguard, the sites where the configured actions may be used must also be approved:
There are currently 7 connectors, which split the requested permissions by Microsoft Graph API area. Each connector must be consented to with all of its permission levels; consent cannot be granted more granularly.
skybow Exchange Connector
Used in actions: Send email

| API / Permission level | Description |
|---|---|
| Mail.Send | Allows the app to send emails from a mailbox specified by the administrator. |

After approving this connector, a global administrator must also provide the sender mailbox that the background (Scheduled and Triggered) actions use to send emails.
skybow Compliance Connector
Used in actions: Apply retention label, Create retention label

| API / Permission level | Description |
|---|---|
| RecordsManagement.ReadWrite.All | Allows the application to create, update and delete any data from Records Management, such as configuration, labels, and policies on behalf of the signed-in user. |
skybow Groups Connector
Used in actions: Add group to lifecycle policy, Create group, Delete group, Get group activity, Set group lifecycle policy, Update group

| API / Permission level | Description |
|---|---|
| Contacts.ReadWrite | Allows the app to create, read, update, and delete user contacts. |
| Directory.ReadWrite.All | Allows the app to read and write data in your organization's directory, such as users and groups. It does not allow the app to delete users or groups, or reset user passwords. |
| Group.Create | Allows the app to create groups without a signed-in user. |
| Group.ReadWrite.All | Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Additionally allows group owners to manage their groups and allows group members to update group content. |
| GroupMember.ReadWrite.All | Allows the app to list groups, read basic properties, and read and update the membership of the groups the signed-in user has access to. Group properties and owners cannot be updated and groups cannot be deleted. |
| Reports.Read.All | Allows an app to read all service usage reports on behalf of the signed-in user. Services that provide usage reports include Office 365 and Azure Active Directory. |
| User.Read.All | Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. |
skybow Teams Connector
Used in actions: Add members to tag, Add members to team, Clone channel, Clone team, Create channel, Create invite, Create meeting, Create tab, Create tag, Create team, Create team from existing group, Delete meeting, Get channel, Get meetings, Get team, Remove members from channel, Remove members from tag, Remove members from team, Send message, Update channel, Update meeting, Update tab, Update tag, Update team

| API / Permission level | Description |
|---|---|
| AppCatalog.Read.All | Allows the app to read the apps in the app catalogs. |
| Calendars.ReadWrite | Allows the app to create, read, update, and delete events in user calendars. |
| Channel.Create | Create channels in any team, on behalf of the signed-in user. |
| ChannelMember.ReadWrite.All | Add and remove members from channels, on behalf of the signed-in user. Also allows changing a member's role, for example from owner to non-owner. |
| ChannelSettings.ReadWrite.All | Read and write the names, descriptions, and settings of all channels, on behalf of the signed-in user. |
| Directory.Read.All | Allows the app to read data in your organization's directory, such as users, groups and apps. |
| Group.ReadWrite.All | Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Additionally allows group owners to manage their groups and allows group members to update group content. |
| Notes.Read.All | Allows the app to read OneNote notebooks that the signed-in user has access to in the organization. |
| Notes.ReadWrite.All | Allows the app to read, share, and modify OneNote notebooks that the signed-in user has access to in the organization. |
| OnlineMeetings.ReadWrite.All | Allows the app to read and create online meetings as an application in your organization. |
| Sites.Read.All | Allows the application to read documents and list items in all site collections on behalf of the signed-in user. |
| Sites.ReadWrite.All | Allows the application to edit or delete documents and list items in all site collections on behalf of the signed-in user. |
| Tasks.ReadWrite.All | Allows the app to create, read, update and delete all users' tasks and task lists in your organization, without a signed-in user. |
| Team.Create | Allows the app to create teams on behalf of the signed-in user. |
| TeamMember.ReadWrite.All | Add and remove members from teams, on behalf of the signed-in user. Also allows changing a member's role, for example from owner to non-owner. |
| TeamsAppInstallation.ReadForTeam.All | Allows the app to read the Teams apps that are installed in any team, without a signed-in user. Does not give the ability to read application-specific settings. |
| TeamsAppInstallation.ReadForUser.All | Allows the app to read the Teams apps that are installed for any user, without a signed-in user. Does not give the ability to read application-specific settings. |
| TeamsAppInstallation.ReadWriteForUser.All | Allows the app to read, install, upgrade, and uninstall Teams apps for any user, without a signed-in user. Does not give the ability to read application-specific settings. |
| TeamSettings.ReadWrite.All | Read and change all teams' settings, on behalf of the signed-in user. |
| TeamsTab.ReadWrite.All | Read and write tabs in any team in Microsoft Teams, on behalf of the signed-in user. This does not give access to the content inside the tabs. |
| Teamwork.Migrate.All | Allows the app to create chat and channel messages, without a signed-in user. The app specifies which user appears as the sender, and can backdate the message to appear as if it was sent long ago. The messages can be sent to any chat or channel in the organization. |
| TeamworkTag.ReadWrite.All | Allows the app to read and write tags in Teams without a signed-in user. |
| User.Invite.All | Allows the app to invite guest users to the organization, on behalf of the signed-in user. |
| User.Read.All | Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. |
skybow OneNote Connector
Used in actions: Clone note

| API / Permission level | Description |
|---|---|
| Group.Read.All | Allows the app to list groups, and to read their properties and all group memberships on behalf of the signed-in user. Also allows the app to read calendar, conversations, files, and other group content for all groups the signed-in user can access. |
| Notes.ReadWrite.All | Allows the app to read, share, and modify OneNote notebooks that the signed-in user has access to in the organization. |
skybow Planner Connector
Used in actions: Clone plan, Create bucket, Create plan, Create task, Delete task, Update task

| API / Permission level | Description |
|---|---|
| Directory.ReadWrite.All | Allows the app to read and write data in your organization's directory, such as users and groups. It does not allow the app to delete users or groups, or reset user passwords. |
| Group.ReadWrite.All | Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Additionally allows group owners to manage their groups and allows group members to update group content. |
| Tasks.ReadWrite.All | Allows the app to create, read, update and delete all users' tasks and task lists in your organization, without a signed-in user. |
| User.Read.All | Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. |
skybow Users connector
Used in actions: Get user profile, Invite guest user

| API / Permission level | Description |
|---|---|
| User.Invite.All | Allows the app to invite guest users to the organization/tenant. |
| User.Read.All | Allows the app to read all users' full profiles. |
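As an added example that is not part of skybow's documentation or code, the following Python helper compares the application permissions granted to one connector's service principal with the permission sets in the tables above and flags the grants this page describes as highest impact. The connector name and the list of granted permission values are assumed inputs (a constructed sample is embedded); in practice they would be read from the service principal's appRoleAssignments.

```python
# Added audit helper (not skybow's code): compare the application permissions
# actually granted to a connector's service principal with the set documented
# above, and flag grants whose description on this page calls for extra review.

DOCUMENTED = {  # application permissions per connector, from the tables above
    "skybow Exchange Connector": {"Mail.Send"},
    "skybow Compliance Connector": {"RecordsManagement.ReadWrite.All"},
    "skybow Groups Connector": {
        "Contacts.ReadWrite", "Directory.ReadWrite.All", "Group.Create", "Group.ReadWrite.All",
        "GroupMember.ReadWrite.All", "Reports.Read.All", "User.Read.All"},
    "skybow Teams Connector": {
        "AppCatalog.Read.All", "Calendars.ReadWrite", "Channel.Create", "ChannelMember.ReadWrite.All",
        "ChannelSettings.ReadWrite.All", "Directory.Read.All", "Group.ReadWrite.All", "Notes.Read.All",
        "Notes.ReadWrite.All", "OnlineMeetings.ReadWrite.All", "Sites.Read.All", "Sites.ReadWrite.All",
        "Tasks.ReadWrite.All", "Team.Create", "TeamMember.ReadWrite.All",
        "TeamsAppInstallation.ReadForTeam.All", "TeamsAppInstallation.ReadForUser.All",
        "TeamsAppInstallation.ReadWriteForUser.All", "TeamSettings.ReadWrite.All",
        "TeamsTab.ReadWrite.All", "Teamwork.Migrate.All", "TeamworkTag.ReadWrite.All",
        "User.Invite.All", "User.Read.All"},
    "skybow OneNote Connector": {"Group.Read.All", "Notes.ReadWrite.All"},
    "skybow Planner Connector": {
        "Directory.ReadWrite.All", "Group.ReadWrite.All", "Tasks.ReadWrite.All", "User.Read.All"},
    "skybow Users connector": {"User.Invite.All", "User.Read.All"},
}

# Grants to look at twice during consent review, with the reason given on this page.
HIGH_IMPACT = {
    "Teamwork.Migrate.All": "posts to any chat or channel, chooses the displayed sender, can backdate",
    "Directory.ReadWrite.All": "writes users and groups in the directory",
    "Tasks.ReadWrite.All": "reads and writes every user's tasks without a signed-in user",
    "Mail.Send": "sends mail from the admin-configured sender mailbox in background actions",
}


def audit(connector, granted):
    """Return documented permissions that are missing (the connector's actions will
    fail), grants not documented for this connector (consent drift, or a different
    app using a similar display name), and the high-impact grants present."""
    expected, granted = DOCUMENTED[connector], set(granted)
    return {
        "missing": sorted(expected - granted),
        "unexpected": sorted(granted - expected),
        "high_impact": {p: HIGH_IMPACT[p] for p in sorted(granted & HIGH_IMPACT.keys())},
    }


# Constructed sample: a Planner connector grant carrying one undocumented extra permission.
SAMPLE_GRANTS = ["Directory.ReadWrite.All", "Group.ReadWrite.All", "Tasks.ReadWrite.All",
                 "User.Read.All", "Mail.ReadWrite"]
print(audit("skybow Planner Connector", SAMPLE_GRANTS))
```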
Microsoft Graph delegated permissions - Azure AD-secured APIs from SharePoint Framework components and scripts
Microsoft Graph delegated permissions can be used in client-side features like Modern Forms, List Actions, Automation actions or function placeholders.
Delegated means that the call runs as the signed-in user and is subject to that user's permissions on the requested resource. For example, a user can only send emails from their own mailbox or from mailboxes for which they hold "send as" permissions in Exchange; sending email as an arbitrary user is not possible.
API access requests can be approved in the SharePoint Admin Center under Advanced -> API access, or directly via this link:
https://[yourtenant]-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/webApiPermissionManagement
All API access requests needed by skybow Solution Studio become available for approval once the first solution has been added to a tenant.
Each access request can be approved separately and is optional: none of them is required for Solution Studio to run in general, only for the specific functionality that uses it.
The following table describes which access rights are used for certain functionalities:
| Microsoft Graph permission | Description | Used in |
|---|---|---|
| Directory.Read.All | Allows the app/solution to read data in your organization's directory, such as users, groups, and apps. | Function placeholder [[@User.IsMemberOfAADGroup('Type existing Azure AD group name')]] |
| Mail.Send | Allows the app/solution to send mail as users in the organization. | |
| Mail.ReadWrite | Allows the app to create, read, update, and delete email in user mailboxes. Does not include permission to send mail. | Allows sending attachments with a total size of more than 3 MB in the Send email action |
| Team.ReadBasic.All | Read the names and descriptions of teams, on behalf of the signed-in user. | 'Teams' data source in the Data lookup control |
| TermStore.ReadWrite.All | Allows the app to read or modify data that the signed-in user has access to. This includes all sets, groups and terms in the term store. | Managed metadata taxonomy picker (allows adding new terms) |
| User.Invite.All | Allows the app to create an invitation for external users. The invitation is used to add external users to the organization. On invitation creation, the invited user is added as an external user to Microsoft Entra ID. To access any resources, the invited user has to go through the redemption process. | |