Permissions used and required when connecting AskCody with Microsoft Graph and Entra ID

Learn about the permissions required when connecting AskCody to Microsoft Graph, Microsoft Exchange, and Microsoft Entra ID

In this document, you will find information about which Microsoft Graph permissions we require for the AskCody app registration, why we need them, and in which applications we use them.

| Permission | Admin consent required | Exact permission name | Microsoft description | Why do we need it? |
|---|---|---|---|---|
| Calendars.Read (D) | No | Read user calendars | Allows the app to read events in user calendars. | To show events in the signed-in user's calendar (and rooms accessible to the user) in the AskCody Mobile App. |
| Calendars.Read (A) | Yes | Read calendars in all mailboxes | Allows the app to read events of all calendars without a signed-in user. | In Workplace Central, to update/show events in all of the organization's mailbox calendars, if a user chooses so. This permission is of Application type since the actions go through a separate service. |
| Calendars.ReadWrite (A) | Yes | Read and write calendars in all mailboxes | Allows the app to create, read, update, and delete events of all calendars without a signed-in user. | In Workplace Central, to update/show events in all of the organization's mailbox calendars, if a user chooses so. This permission is of Application type since the actions go through a separate service. |
| GroupMember.Read.All (A) | Yes | Read all groups and group memberships | Allows the app to read memberships and basic group properties for all groups without a signed-in user. | Required to list groups in the Azure AD (Entra ID) Integration Portal that the signed-in user has access to within the organization's Entra ID, and to sync groups and group members for the configured AADI-Sync in the background without needing a signed-in user. Additionally, to ensure accurate user synchronization from Entra ID, AskCody periodically queries Microsoft Graph for changes in group memberships using a delta token, which relies on this permission to reflect updates in AskCody. |
| offline_access (D) | No | Maintain access to data you have given it access to | Allows the app to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions. | To use short-lived access tokens without having to collect credentials every time one expires. |
| openid (D) | No | Sign users in using the OpenID auth flow. | By using this permission, an app can receive a unique identifier for the user in the form of the sub claim. The permission also gives the app access to the UserInfo endpoint. The openid scope can be used at the Microsoft identity platform token endpoint to acquire ID tokens. The app can use these tokens for authentication. | Authenticate users across the platform (SSO + credentials login). Depends on the profile scope described below. |
| profile (D) | No | View users' basic profile | Allows the app to see your users' basic profile (name, picture, user name). Also part of the OpenID Connect (OIDC) permission set. | When using the openid scope, we include the profile scope in cases where we need claims for authentication. This enables us to get the ObjectID (external identifier) of the user logging in. For SSO in the Management portal we also get the email. |
| User.Read (D) | No | Sign in and read user profile | Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | Information about the logged-in user and performing actions on behalf of that user. Much of the user information displayed across the platform uses this permission. |
| User.Read.All (D) | Yes | Read all users' full profiles | Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. | Information about the logged-in user. It also allows the logged-in user to see information that they already have access to about all other users in the organization and which groups/security groups they are members of. This is needed for the Azure AD (Entra ID) Integration Portal to function. |
| User.Read.All (A) | Yes | Read all users' full profiles | Allows the app to read the full set of profile properties, group membership, reports and managers of other users in your organization, without a signed-in user. | For the Azure AD (Entra ID) Integration Portal to be able to sync users into AskCody, it needs to be allowed (without a signed-in user) to read the full profiles of the users within the organization, so that when a user is added to a Sync group, it can be synced in from Entra ID. |
| User.ReadBasic.All (D) | No | Read all users' basic profiles | Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes only the users' display name, first and last name, email address, userPrincipalName, open extensions and photo. Note: Also allows the app to read the full profile of the signed-in user. | For the Azure AD (Entra ID) Integration to be able to sync users into AskCody, it needs to be allowed (without a signed-in user) to read the basic user profile properties within the organization, so that when a user is added to a group within the scope of the sync, it can be synced in from Entra ID. |

(A) - Application type permission, i.e. "on behalf of the application."
(D) - Delegated type permission, i.e. "on behalf of the logged-in user."

Note: To update your Enterprise Application's permissions to the latest permission set, follow the steps in this guide to regrant permissions in Azure: https://help.askcody.com/updating-permissions-enterprise-application
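As an added example (not AskCody's code), the script below checks the consent actually granted to the enterprise application in a tenant against the permission set in the table above, so an admin can spot missing grants or excess permissions beyond the documented baseline. The JSON is constructed sample data in the shape Microsoft Graph returns for tenant-wide oauth2PermissionGrants (delegated) and appRoleAssignments (application); the role IDs are placeholders, not real Graph app role IDs.

```python
"""Audit granted Graph consent against the documented AskCody permission set.
Added example; constructed sample data, placeholder role IDs (not real Graph IDs)."""
import json

# Baseline from the table: (D) = delegated scopes, (A) = application roles.
REQUIRED_DELEGATED = {"Calendars.Read", "offline_access", "openid", "profile",
                      "User.Read", "User.Read.All", "User.ReadBasic.All"}
REQUIRED_APPLICATION = {"Calendars.Read", "Calendars.ReadWrite",
                        "GroupMember.Read.All", "User.Read.All"}

# Constructed sample: tenant-wide delegated grant that lacks User.ReadBasic.All,
# and an application role (Mail.Read) that the documentation does not list.
SAMPLE_GRANTS = json.loads("""{
 "oauth2PermissionGrants": [
  {"consentType": "AllPrincipals",
   "scope": "Calendars.Read offline_access openid profile User.Read User.Read.All"}
 ],
 "appRoleAssignments": [
  {"appRoleId": "00000000-0000-0000-0000-000000000001"},
  {"appRoleId": "00000000-0000-0000-0000-000000000002"},
  {"appRoleId": "00000000-0000-0000-0000-000000000003"},
  {"appRoleId": "00000000-0000-0000-0000-000000000004"},
  {"appRoleId": "00000000-0000-0000-0000-000000000005"}
 ],
 "graphAppRoles": [
  {"id": "00000000-0000-0000-0000-000000000001", "value": "Calendars.Read"},
  {"id": "00000000-0000-0000-0000-000000000002", "value": "Calendars.ReadWrite"},
  {"id": "00000000-0000-0000-0000-000000000003", "value": "GroupMember.Read.All"},
  {"id": "00000000-0000-0000-0000-000000000004", "value": "User.Read.All"},
  {"id": "00000000-0000-0000-0000-000000000005", "value": "Mail.Read"}
 ]}""")

def audit(data):
    """Return {'delegated': (missing, excess), 'application': (missing, excess)}.
    Delegated scopes are the space-separated 'scope' of AllPrincipals grants;
    application roles are resolved from appRoleId via the resource's appRoles."""
    delegated = set()
    for g in data["oauth2PermissionGrants"]:
        if g.get("consentType") == "AllPrincipals":
            delegated |= set(g["scope"].split())
    role_names = {r["id"]: r["value"] for r in data["graphAppRoles"]}
    application = {role_names.get(a["appRoleId"], a["appRoleId"])
                   for a in data["appRoleAssignments"]}
    return {"delegated": (REQUIRED_DELEGATED - delegated, delegated - REQUIRED_DELEGATED),
            "application": (REQUIRED_APPLICATION - application, application - REQUIRED_APPLICATION)}

if __name__ == "__main__":
    for kind, (missing, excess) in audit(SAMPLE_GRANTS).items():
        print(f"{kind}: missing={sorted(missing)} excess={sorted(excess)}")
```

With real data, fetch the grants and Graph app roles through the Microsoft Graph API and pass them in the same structure; an unresolved appRoleId is reported as-is so it is never silently ignored.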