Permissions used and required when connecting AskCody with MS Graph and Entra ID

Learn about the permissions required to connect AskCody to Microsoft Graph, Microsoft Exchange, and Microsoft Entra ID

In this document, you will find information about which Microsoft Graph permissions we require for the AskCody app registration, why we need them, and in which applications we use them.

| Permission | Admin consent required | Exact permission name | Microsoft description | Why do we need it? |
|---|---|---|---|---|
| Calendars.Read (D) | No | Read user calendars | Allows the app to read events in user calendars. | To show events in the signed-in user's calendar (and in rooms accessible to the user) in the AskCody Mobile App. |
| Calendars.Read (A) | Yes | Read calendars in all mailboxes | Allows the app to read events of all calendars without a signed-in user. | In Workplace Central, to update/show events in all of the organization's mailbox calendars, if a user chooses so. This permission is of Application type since the actions go through a separate service. |
| Calendars.ReadWrite (A) | Yes | Read and write calendars in all mailboxes | Allows the app to create, read, update, and delete events of all calendars without a signed-in user. | In Workplace Central, to update/show events in all of the organization's mailbox calendars, if a user chooses so. This permission is of Application type since the actions go through a separate service. |
| Group.Read.All (D) | Yes | Read all groups | Allows the app to list groups, and to read their properties and all group memberships on behalf of the signed-in user. Also allows the app to read calendar, conversations, files, and other group content for all groups the signed-in user can access. | List groups in the Azure AD (Entra ID) Integration Portal that the signed-in user has access to in the organization's Entra ID. |
| Group.Read.All (A) | Yes | Read all groups | Allows the app to read group properties and memberships, and read conversations for all groups, without a signed-in user. | For syncing groups and group members for the configured AADI-Sync in the background, without needing a signed-in user. |
| GroupMember.Read.All (A) | Yes | Read all group memberships | Allows the app to read memberships and basic group properties for all groups without a signed-in user. | For syncing users from Entra ID we need to periodically query Microsoft Graph for changes in group memberships and reflect them in AskCody. This is done with a delta token, which requires this permission. |
| offline_access (D) | No | Maintain access to data you have given it access to | Allows the app to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions. | To use short-lived access tokens without having to collect credentials every time one expires. |
| openid (D) | No | Sign users in using the OpenID auth flow. | By using this permission, an app can receive a unique identifier for the user in the form of the sub claim. The permission also gives the app access to the UserInfo endpoint. The openid scope can be used at the Microsoft identity platform token endpoint to acquire ID tokens. The app can use these tokens for authentication. | Authenticate users across the platform (SSO + credentials login). Depends on the profile scope described below. |
| profile (D) | No | View users' basic profile | Allows the app to see your users' basic profile (name, picture, user name). Also part of the OpenID Connect (OIDC) permission set. | When using the openid scope, we include the profile scope in cases where we need claims for authentication. This lets us get the ObjectID (external identifier) of the user logging in. For SSO in the Management portal we also get the email. |
| User.Read (D) | No | Sign in and read user profile | Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | Information about the logged-in user and performing actions on behalf of that user. Much of the user information displayed across the platform relies on this permission. |
| User.Read.All (D) | Yes | Read all users' full profiles | Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. | Information about the logged-in user. It also allows the logged-in user to see information they already have access to about all other users in the organization, and which groups/security groups they are members of. This is needed for the Azure AD (Entra ID) Integration Portal to function. |
| User.Read.All (A) | Yes | Read all users' full profiles | Allows the app to read the full set of profile properties, group membership, reports and managers of other users in your organization, without a signed-in user. | For the Azure AD (Entra ID) Integration Portal to sync users into AskCody, it must be allowed (without a signed-in user) to read the full profiles of the users within the organization, so that when a user is added to a Sync group, it can be synced in from Entra ID. |
| User.ReadBasic.All (D) | No | Read all users' basic profiles | Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes only the users' display name, first and last name, email address, userPrincipalName, open extensions and photo. Note: Also allows the app to read the full profile of the signed-in user. | For the Azure AD (Entra ID) Integration to sync users into AskCody, it must be allowed (without a signed-in user) to read the basic user profile properties within the organization, so that when a user is added to a group within the scope of the sync, it can be synced in from Entra ID. |

(A) - Application type permission, i.e. "on behalf of the application."
(D) - Delegated type permission, i.e. "on behalf of the logged-in user."
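The GroupMember.Read.All row above says membership changes are picked up with a delta token. The following is an added example of that delta flow (not AskCody's own sync code): it walks `@odata.nextLink` pages until a `@odata.deltaLink` arrives, applies each `members@delta` entry (additions and `@removed` entries) to a local membership map, and falls back to a full resync when the saved delta token is rejected. The HTTP call is replaced by a lookup into constructed sample pages shaped like `GET /groups/delta?$select=members` responses, so it runs offline; every group id, user id and token value is a placeholder.

```python
"""Added example: apply Microsoft Graph group-membership delta pages to a local
membership map and hand back the deltaLink to persist for the next run.

Not AskCody code. The HTTP layer is a lookup into constructed sample pages so
the example runs offline; all ids, tokens and URLs below are placeholders."""
from typing import Callable, Dict, Optional, Set


class DeltaTokenExpired(Exception):
    """Raised by the fetcher when Graph answers 410 Gone for a stale deltaLink."""


# Constructed sample pages shaped like GET /groups/delta?$select=members responses.
INITIAL_URL = "https://graph.microsoft.com/v1.0/groups/delta?$select=members"
SAMPLE_PAGES: Dict[str, dict] = {
    INITIAL_URL: {
        "value": [
            {"id": "group-0001", "members@delta": [
                {"@odata.type": "#microsoft.graph.user", "id": "user-a"},
                {"@odata.type": "#microsoft.graph.user", "id": "user-b"},
            ]},
            # A group with no membership change carries no members@delta array.
            {"id": "group-0003"},
        ],
        "@odata.nextLink": "https://graph.microsoft.com/v1.0/groups/delta?$skiptoken=page2",
    },
    "https://graph.microsoft.com/v1.0/groups/delta?$skiptoken=page2": {
        "value": [
            {"id": "group-0002", "members@delta": [
                {"@odata.type": "#microsoft.graph.user", "id": "user-c"},
            ]},
        ],
        "@odata.deltaLink": "https://graph.microsoft.com/v1.0/groups/delta?$deltatoken=round1",
    },
    "https://graph.microsoft.com/v1.0/groups/delta?$deltatoken=round1": {
        "value": [
            {"id": "group-0001", "members@delta": [
                {"@odata.type": "#microsoft.graph.user", "id": "user-b",
                 "@removed": {"reason": "deleted"}},
                {"@odata.type": "#microsoft.graph.user", "id": "user-d"},
            ]},
            # The group itself was deleted: drop it and everyone in it.
            {"id": "group-0002", "@removed": {"reason": "deleted"}},
        ],
        "@odata.deltaLink": "https://graph.microsoft.com/v1.0/groups/delta?$deltatoken=round2",
    },
}


def fetch_sample(url: str) -> dict:
    """Stand-in for an authenticated GET. A URL missing from the sample set is
    treated as an expired delta token, which is what a real 410 Gone signals."""
    try:
        return SAMPLE_PAGES[url]
    except KeyError:
        raise DeltaTokenExpired(url) from None


def apply_delta(memberships: Dict[str, Set[str]], start_url: str,
                fetch: Callable[[str], dict]) -> str:
    """Follow nextLink pages until a deltaLink arrives, applying every
    members@delta entry to `memberships`. Returns the deltaLink to persist."""
    url = start_url
    while True:
        page = fetch(url)
        for group in page.get("value", []):
            if "@removed" in group:
                memberships.pop(group["id"], None)
                continue
            members = memberships.setdefault(group["id"], set())
            for member in group.get("members@delta", []):
                if "@removed" in member:
                    members.discard(member["id"])
                else:
                    members.add(member["id"])
        if "@odata.nextLink" in page:
            url = page["@odata.nextLink"]
            continue
        return page["@odata.deltaLink"]


def sync_round(memberships: Dict[str, Set[str]], saved_delta_link: Optional[str],
               fetch: Callable[[str], dict]) -> str:
    """One scheduled run: resume from the saved deltaLink, or rebuild the map
    from INITIAL_URL when the token is rejected so no removal is ever missed."""
    try:
        return apply_delta(memberships, saved_delta_link or INITIAL_URL, fetch)
    except DeltaTokenExpired:
        memberships.clear()
        return apply_delta(memberships, INITIAL_URL, fetch)


if __name__ == "__main__":
    state: Dict[str, Set[str]] = {}
    link = sync_round(state, None, fetch_sample)      # full sync
    link = sync_round(state, link, fetch_sample)      # incremental round
    print(link, {g: sorted(m) for g, m in state.items()})
```

Only the returned deltaLink needs to be persisted between runs; the membership map can always be rebuilt from a full sync, which is also why the expired-token path clears it instead of trying to patch it.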
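A tenant admin who has consented to the table above can verify that what is actually granted to the app's service principal still matches it. The following added example (not AskCody's code) does that comparison offline: it reads the two shapes Microsoft Graph returns for `GET /servicePrincipals/{id}/oauth2PermissionGrants` (delegated scopes, a space-separated `scope` string) and `GET /servicePrincipals/{id}/appRoleAssignments` (application permissions, referenced by `appRoleId`), resolves role ids through the Graph service principal's `appRoles`, and reports drift in both directions. The service-principal ids, role ids and the extra `Mail.Read` scope in the sample are constructed to show the report working, not taken from any real tenant.

```python
"""Added example: compare the permissions actually granted to an app's service
principal with the documented expected set and report drift.

Not AskCody code. The two Graph responses are constructed samples shaped like
GET /servicePrincipals/{id}/oauth2PermissionGrants and
GET /servicePrincipals/{id}/appRoleAssignments; all ids are placeholders."""
from typing import Dict, Iterable, List, Set

# Expected sets, transcribed from the permission table.
DOCUMENTED_DELEGATED: Set[str] = {
    "Calendars.Read", "Group.Read.All", "offline_access", "openid", "profile",
    "User.Read", "User.Read.All", "User.ReadBasic.All",
}
DOCUMENTED_APPLICATION: Set[str] = {
    "Calendars.Read", "Calendars.ReadWrite", "Group.Read.All",
    "GroupMember.Read.All", "User.Read.All",
}

# Placeholder for the object id of the Microsoft Graph service principal in the tenant.
GRAPH_SP_ID = "sp-graph-placeholder"

# Subset of the Graph service principal's appRoles with constructed ids; in a
# tenant these come from GET /servicePrincipals/{GRAPH_SP_ID}?$select=appRoles.
GRAPH_APP_ROLES: List[dict] = [
    {"id": "role-0001", "value": "Calendars.Read"},
    {"id": "role-0002", "value": "Calendars.ReadWrite"},
    {"id": "role-0003", "value": "Group.Read.All"},
    {"id": "role-0004", "value": "GroupMember.Read.All"},
    {"id": "role-0005", "value": "User.Read.All"},
]

# Constructed tenant state: the delegated grant carries one scope outside the
# table, the application side lacks GroupMember.Read.All and has an
# unrecognised role id. A grant against another resource is ignored.
SAMPLE_OAUTH2_GRANTS = {"value": [
    {"clientId": "sp-askcody", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": GRAPH_SP_ID,
     "scope": "Calendars.Read Group.Read.All offline_access openid profile "
              "User.Read User.Read.All User.ReadBasic.All Mail.Read"},
    {"clientId": "sp-askcody", "consentType": "Principal", "principalId": "user-0001",
     "resourceId": "sp-other-api", "scope": "access_as_user"},
]}
SAMPLE_APP_ROLE_ASSIGNMENTS = {"value": [
    {"appRoleId": "role-0001", "resourceId": GRAPH_SP_ID},
    {"appRoleId": "role-0002", "resourceId": GRAPH_SP_ID},
    {"appRoleId": "role-0003", "resourceId": GRAPH_SP_ID},
    {"appRoleId": "role-0005", "resourceId": GRAPH_SP_ID},
    {"appRoleId": "role-9999", "resourceId": GRAPH_SP_ID},
]}


def granted_delegated(grants: dict, resource_id: str) -> Set[str]:
    """Delegated scopes consented for one resource. `scope` is a single
    space-separated string; tenant-wide admin consent shows as AllPrincipals."""
    scopes: Set[str] = set()
    for grant in grants.get("value", []):
        if grant.get("resourceId") == resource_id:
            scopes.update(grant.get("scope", "").split())
    return scopes


def granted_application(assignments: dict, app_roles: Iterable[dict],
                        resource_id: str) -> Set[str]:
    """Application permissions, resolved from appRoleId to the role's value.
    An id that cannot be resolved is kept verbatim so it still shows up."""
    by_id = {role["id"]: role["value"] for role in app_roles}
    return {by_id.get(a["appRoleId"], "unknown-role:" + a["appRoleId"])
            for a in assignments.get("value", [])
            if a.get("resourceId") == resource_id}


def audit(delegated: Set[str], application: Set[str]) -> Dict[str, Set[str]]:
    """Drift in both directions: extra grants are the review finding, missing
    ones explain a broken integration."""
    return {
        "unexpected_delegated": delegated - DOCUMENTED_DELEGATED,
        "missing_delegated": DOCUMENTED_DELEGATED - delegated,
        "unexpected_application": application - DOCUMENTED_APPLICATION,
        "missing_application": DOCUMENTED_APPLICATION - application,
    }


def audit_sample() -> Dict[str, Set[str]]:
    """Run the audit over the constructed tenant state."""
    return audit(
        granted_delegated(SAMPLE_OAUTH2_GRANTS, GRAPH_SP_ID),
        granted_application(SAMPLE_APP_ROLE_ASSIGNMENTS, GRAPH_APP_ROLES, GRAPH_SP_ID),
    )


if __name__ == "__main__":
    for finding, names in audit_sample().items():
        print(f"{finding}: {sorted(names) or '-'}")
```

Keeping the check keyed on the Graph service principal's object id rather than on display names avoids counting grants made to other APIs, and surfacing unresolved `appRoleId` values verbatim means a role the script's table does not know about is never silently dropped from the report.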