Teammate - Microsoft Teams Direct Routing
      Back to home
      1. Luminate Knowledge Base
      2. ADD ONS
      3. Teammate - Microsoft Teams Direct Routing

      Microsoft Permissioned Required for Teammate

      This article goes over the permissions that are required to setup the teammate connector.

      Teammate performs certain limited tasks with the Microsoft Global Administrators' consent. These allow for automated provisioning via PowerShell of Direct Routing, User Calling activation and Teams Application setup in Microsoft.

      The initial request when the Microsoft Enterprise Global Administrator is asked for permission looks like this:

      Teammate requires the Microsoft Global Admin to grant the Permissions that are shown above and explained below.  With the Consent selected delegated authorization can be granted to other Microsoft users in the tenant.  Specifically, to users that have the role of Teams Service Admin and Skype for Business Admin.

      Permission flow is as follows:

      • During Enterprise signup Global Admin credentials are required for the first sign in to the EPP (Registration - pictured above).
      • The EPP will ask for the following permissions that require Microsoft Global Admin consent before they can be used by non-Global Admin Users:

      Permissions

      Purpose
      Access Microsoft Teams and Skype for Business data as the signed in user Allows the app to have the same access to information in the directory as the signed-in user.
      Read and write directory data Allows the app to read and write data in your organization's directory, such as users, and groups. It does not allow the app to delete users or groups, or reset user passwords.
      Access the directory as you Allows the app to read the organization and related resources, on behalf of the signed-in user. Related resources include things like subscribed SKUs and tenant branding information.
      Manage your installed Teams apps Allow the app to install and delete the Teams Application (Azure Enterprise Application) you build to extend the PBX into Teams.
      Read organization information Allows the app to read the organization and related resources, on behalf of the signed-in user. related resources include things like subscribed SKUs and tenant branding information
      Read and write all users' full profiles Allows the app to read and write the organization and related resources, on behalf of the signed-in user. Related resources include things like subscribed SKUs and tenant branding information.
      Maintain access to data you have given it access to Allows the permission to access data to persist beyond the current login session.
      Full access to the Skype Remote Powershell Allow the application full access to the Skype Remote Powershell Azure services to provision Direct Routing and Teams Users on behalf of the signed-in user.

       

      After this initial set of permissions is granted the Microsoft Global Admin will be prompted to log in again.  A second set of application Permissions will appear:

      Read all users' full profiles Allows the app to read user profiles without a signed in user.
      Sign in and read user profile Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.

       

      Additional Permissions

      1. Contact Service

      This is optional. This will sync Outlook and Microsoft Organization contacts with mobile numbers to a Teams user with SMS integration.

      2. Presence Sync Permissions

      If the enterprise plans on using the presence sync option they will also need to grant the optional permission described here.

      In the ConnecttoTeams portal, certain tasks can be performed by the Microsoft Global Admin only and certain that can be performed by the delegated Teams Service Admin/Skype for Business Admin. The table below demonstrates which credentials have what authority:

        Microsoft Global Admin Microsoft Teams Service Admin & Skype Admin (both)
      Initial Enterprise Reg. YES NO
      Setup Direct Routing YES NO
      Setup/Manage PBX YES YES
      Setup/Manage TM Users YES YES
      Add/Delete Teams App YES NO
      Setup/Manage End User Portal YES YES
      Setup/Manage Feature Codes YES YES
      • Microsoft Global Admin must consent to the permissions listed at the top of this article to allow Teammate to execute PowerShell commands on the organization’s behalf.

      In case Global Admin does not consent on the organization’s behalf, subsequent logins will fail for non-Global Admin Users.

      Once Microsoft Global Admin has granted consent logins by Teams Service Admin/Skype for Business Admin User to EPP will not be required to consent to further permissions.

      3. Consent to Allow Management by Service Provider

      The Enterprise Admin can grant consent for the Reseller to perform Enterprise Provisioning actions.

      Teammate requires the Microsoft Global Admin to grant the Permissions shown and explained below.

      Permissions

      Purpose

      Allow the Teams app to manage only its own tabs for all users

      Allows a Teams app to read, install, upgrade, and uninstall its own tabs for any user, without a signed-in user.

      Allow the Teams app to manage only its own tabs for all teams

      Allows a Teams app to read, install, upgrade, and uninstall its own tabs in any team, without a signed-in user.

      Read and write to all app catalogs

      Allows the app to create, read, update, and delete apps in the app catalogs without a signed-in user.

      Send a teamwork activity to any user

      Allows the app to create new notifications in users' teamwork activity feeds without a signed in user. These notifications may not be discoverable or be held or governed by compliance policies.

      Read and write organization information

      Allows the app to read and write the organization and related resources, without a signed-in user. Related resources include things like subscribed skus and tenant branding information.

      Read and write all users' full profiles

      Allows the app to read and update user profiles without a signed in user.

      Read and write domains

      Allows the app to read and write all domain properties without a signed in user.  Also allows the app to add,  verify and remove domains.

      Read all users' teamwork activity feed

      Allows the app to read all users' teamwork activity feed, without a signed-in user.

      Deliver and manage all user's notifications

      Allows the app to send, read, update and delete user’s notifications, without a signed-in user.

      Create channels

      Create channels in any team, without a signed-in user.

      Delete channels

      Delete channels in any team, without a signed-in user.

      Read and write the names, descriptions, and settings of all channels

      Read and write the names, descriptions, and settings of all channels, without a signed-in user.

      Get a list of all teams

      Get a list of all teams, without a signed-in user.

      Read and change all teams' settings

      Read and change all teams' settings, without a signed-in user.

      Add and remove members from all channels

      Add and remove members from all channels, without a signed-in user. Also allows changing a member's role, for example from owner to non-owner.

      Manage Teams apps for all teams

      Allows the app to read, install, upgrade, and uninstall Teams apps in any team, without a signed-in user. Does not give the ability to read application-specific settings.

      Manage Teams apps for all users

      Allows the app to read, install, upgrade, and uninstall Teams apps for any user, without a signed-in user. Does not give the ability to read application-specific settings.

      Allow the Teams app to manage itself for all teams

      Allows a Teams app to read, install, upgrade, and uninstall itself in any team, without a signed-in user.

      Allow the app to manage itself for all users

      Allows a Teams app to read, install, upgrade, and uninstall itself to any user, without a signed-in user.

      Create teams

      Allows the app to create teams without a signed-in user. 

      Add and remove members with non-owner role for all teams

      Add and remove members from all teams, without a signed-in user. Does not allow adding or removing a member with the owner role. Additionally, does not allow the app to elevate an existing member to the owner role.

      Sign in and read user profile

      Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.

      In the second step, Enterprise Admin needs to grant consent to the Teammate RBAC Management App.  The permissions consented below are only used by the logged-in Enterprise Admin to set up the grants for the Enterprise Management which are requested in the first step. 

      4. Debug Call Consent

      Additional permission will be requested from the Enterprise Admin for the Teammate CDR Application on the enterprise dashboard, as well as when the Partner/Master Reseller/Reseller clicks "Debug Call" from the dashboard.