
Microsoft Entra ID permissions overview

This page gives an overview of all Microsoft Entra ID permissions you may need when setting up various Alvao components.

Feature | API | Permissions

ALVAO for Outlook

Microsoft APIs / Microsoft Graph

Delegated:

  • User.Read
  • Mail.Read
  • Mail.Read.Shared

Attachments from Microsoft SharePoint and OneDrive

Microsoft APIs / Microsoft Graph

Delegated:

  • User.Read
  • Files.Read.All
  • MyFiles.ReadWrite.All
  • Sites.Read.All
  • Sites.ReadWrite.All

Microsoft APIs / SharePoint

Delegated:

  • AllSites.Read
  • AllSites.Write
  • MyFiles.Read
  • MyFiles.Write

Import license assignments from Microsoft 365

Microsoft APIs / Microsoft Graph

Application:

  • Organization.Read.All
  • User.Read.All

Knowledge from Microsoft SharePoint

Microsoft APIs / Microsoft Graph

Delegated:

  • Files.Read.All
  • Sites.Read.All
  • User.Read
  • AllSites.Read
  • MyFiles.Read

Loading messages (OAuth 2.0)

APIs my organization uses / Office 365 Exchange Online

Application:

  • full_access_as_app

Microsoft Entra ID user authentication

APIs my organization uses / ALVAO

Application:

  • Internal.Access

Delegated:

  • user_impersonation

Microsoft APIs / Microsoft Graph

Delegated:

  • User.Read

Microsoft Intune Connector

Microsoft APIs / Microsoft Graph

Application:

  • Device.Read.All
  • DeviceManagementApps.Read.All
  • DeviceManagementManagedDevices.Read.All
  • DeviceManagementConfiguration.Read.All
  • User.Read.All

Delegated:

  • User.Read

Microsoft To-Do

Microsoft APIs / Microsoft Graph

Delegated:

  • Tasks.ReadWrite

MS Teams add-in notifications

Microsoft APIs / Microsoft Graph

Application:

  • AppCatalog.Read.All
  • TeamsAppInstallation.ReadForUser.All

Sending messages (OAuth 2.0)

APIs my organization uses / Office 365 Exchange Online

Application:

  • SMTP.SendAsApp

User portraits from Microsoft Entra ID

Microsoft APIs / Microsoft Graph

Application:

  • User.Read.All

User presence

Microsoft APIs / Microsoft Graph

Application:

  • Presence.Read.All

Note

To grant the Internal.Access permission, follow these steps:

  1. Go to Microsoft Azure - Microsoft Entra ID - App registrations - select the Alvao application - App roles - Create app role and use these parameters:

    • Display name: Internal Access
    • Allowed member types: Applications
    • Value: Internal.Access
    • Description: e.g., Alvao role
    • Do you want to enable this app role: On
  2. In the Alvao application, choose API permissions - Add a permission - APIs my organization uses tab - find the Alvao app - Delegated permissions, and select Internal.Access.