# Microsoft Graph Permissions

# What is Microsoft Graph?

Microsoft Graph is a RESTful web API that enables applications to access digital work and digital life data across the Microsoft 365 cloud ecosystem. It acts as a unified endpoint (https://graph.microsoft.com), allowing for a streamlined way to access data across various Microsoft services, including Office 365, Windows 10, and Enterprise Mobility + Security.

Key Characteristics:

  • Unified API Endpoint: Microsoft Graph consolidates various Microsoft cloud services' APIs under a single RESTful API endpoint.
  • Rich Data Access: It provides access to a wealth of resources such as user profiles, emails, calendars, documents, directory, devices, and more.
  • Cross-Platform Nature: Designed to work across platforms and devices, enhancing interoperability.
  • Real-Time Updates: Offers capabilities like webhooks for real-time notifications on data changes.

# Integrating with Microsoft Graph

Integration with Microsoft Graph typically involves:

  • Authentication: Leveraging Azure Active Directory for OAuth 2.0 authentication to ensure secure access.
  • API Queries: Making HTTP requests to the Graph endpoint to retrieve or manipulate data.
  • Permissions: Managing application permissions and consent levels to comply with organizational and security policies.

# Security Implications

Understanding the security implications of Microsoft Graph is crucial:

  • Authentication and Authorization: Utilizes Azure AD for robust authentication and OAuth 2.0 for authorization, ensuring secure access patterns.
  • Data Access Control: Implement fine-grained control over data access with extensive permission scopes.
  • Compliance and Privacy: Adherence to global compliance standards and privacy laws, making it suitable for various industries.
  • Audit and Monitoring: Capabilities to monitor and audit activity, ensuring transparency and aiding in anomaly detection.

# Admin-restricted permissions

Depending on the permission type (Delegated or Application), some high-privilege permissions in the Microsoft ecosystem are admin-restricted.
Examples of these kinds of permissions include the following:

  • Read all users' full profiles by using User.Read.All
  • Write data to an organization's directory by using Directory.ReadWrite.All
  • Read all groups in an organization's directory by using Group.Read.All

For Witivio solutions to access data in Microsoft Graph, your administrator must grant them the correct permissions via a consent process.

# Required Permissions

For Witivio solutions to work properly and perform some administrative operations, they require the following permissions.

# OpenId standard scopes

The OpenID scopes represent the basics required for any OAuth authentication:

| Scope | Description | Justification | Admin Consent Required |
|---|---|---|---|
| email | View users' email address. | Microsoft Teams SSO. | No |
| offline_access | Maintain access to data you have given it access to. | Microsoft Teams SSO. | No |
| openid | Sign users in. | Microsoft Teams SSO. | No |
| profile | View users' basic profile. | Microsoft Teams SSO. | No |
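An added example (not Witivio's or Microsoft's code) showing how the two permission types named above surface in a Graph access token, delegated scopes in the `scp` claim and application permissions in the `roles` claim, and how to audit a token against the required scopes from the table plus the admin-restricted examples. The token is a constructed, unsigned fixture and the helper names are assumptions of this example.

```python
import base64
import json

# Delegated scopes the page's table lists as required (admin consent: No).
OPENID_SCOPES = {"email", "offline_access", "openid", "profile"}
# Admin-restricted permissions the page names as examples (admin consent: Yes).
ADMIN_RESTRICTED = {"User.Read.All", "Directory.ReadWrite.All", "Group.Read.All"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_permissions(token: str) -> dict:
    """Return the permissions carried in a Graph access token payload.

    Delegated permissions arrive in the space-separated 'scp' claim,
    application permissions in the 'roles' array. Only the payload is
    decoded (no signature check), so use this for inspection, not authz.
    """
    _header, payload, _signature = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    return {
        "delegated": set(claims.get("scp", "").split()),
        "application": set(claims.get("roles", [])),
    }


def audit_token(token: str, expected: set) -> dict:
    """Diff the token's granted permissions against the allowlist it should hold."""
    perms = token_permissions(token)
    granted = perms["delegated"] | perms["application"]
    return {
        "missing": expected - granted,           # required but not granted
        "unexpected": granted - expected,        # granted beyond the allowlist
        "admin_restricted": granted & ADMIN_RESTRICTED,
    }


def _unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned token used only as an offline test fixture."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample: the four OpenID scopes plus two over-privileged grants.
SAMPLE_TOKEN = _unsigned_token({
    "aud": "https://graph.microsoft.com",
    "scp": "email offline_access openid profile Directory.ReadWrite.All",
    "roles": ["Group.Read.All"],
})
```

Running `audit_token(SAMPLE_TOKEN, OPENID_SCOPES)` reports no missing scopes but flags both extra grants as unexpected and admin-restricted, which is the condition a consent review should catch.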

# Microsoft Graph Scopes

The Microsoft Graph scopes are specific to the Microsoft platform:

Learn more with the Microsoft Graph permissions reference.

Learn more about authentication and authorization basics for Microsoft Graph.

