This document will show you which Microsoft Permissions are needed for TeamMate EPP and Connector to work.
Requirements:
- Microsoft Global Admin access for the Enterprise.
Things to keep in mind:
- TeamMate performs certain limited tasks with the Microsoft Global Administrators' consent. These allow for automated provisioning via PowerShell of Direct Routing, User Calling activation, and Teams Application setup in Microsoft.
- TeamMate only requires the Microsoft Global Admin grant the Permissions that are listed below. With these consents, delegated authorities can be granted to the Role of Teams Service Admin and Skype for Business Admin.
- TeamMate does NOT store tokens or the permissions granted beyond the session. Here is a direct link to the Microsoft Permissions Page.
Permission flow is as follows:
- During Enterprise signup Global Admin credentials are required for the first sign in to the EPP (Registration).
- The EPP will ask for the following permissions that require Microsoft Global Admin consent before they can be used by non-Global Admin Users:
| Permissions | Purpose | Global Admin Required |
|---|---|---|
| Access directory as the signed-in user | Allows the app to have the same access to information in the directory as the signed-in user. | Yes |
| Read and write directory data | Allows the app to read and write data in your organization's directory, such as users, and groups. It does not allow the app to delete users or groups, or reset user passwords. | Yes |
| Read organization information | Allows the app to read the organization and related resources, on behalf of the signed-in user. Related resources include things like subscribed SKUs and tenant branding information. | Yes |
| Read and write all users' full profiles | Allows the app to read and write the organization and related resources, on behalf of the signed-in user. Related resources include things like subscribed SKUs and tenant branding information. | Yes |
| Full access to the Skype Remote Powershell | Allow the application full access to the Skype Remote Powershell Azure services to provision Direct Routing and Teams Users on behalf of the signed-in user. | No |
In the TeamMate Enterprise Provisioning Portal, there are certain tasks that can be performed by the Global Admin only and certain that can be performed by the Teams Service Admin/Skype for Business Admin. The table below demonstrates which credentials have what authority:
| Permissions | Microsoft Global Admin | Microsoft Teams Service Admin & Skype Admin (both) |
|---|---|---|
| Initial Enterprise Reg. | YES | NO |
| Setup Direct Routing | YES | NO |
| Setup/Manage PBX | YES | YES |
| Setup/Manage TM Users | YES | YES |
| Add/Delete Teams App | YES | NO |
| Setup/Manage End User Portal | YES | YES |
| Setup/Manage Feature Codes | YES | YES |
Note: Microsoft Global Admin must consent to the permissions listed at the top of this article to allow TeamMate to execute PowerShell commands on the organization’s behalf. In case Global Admin does not consent on the organization’s behalf, subsequent logins will fail per non-Global Admin Users. Subsequent logins by Teams Service Admin/Skype for Business Admin User to EPP will not be asked to consent to further permissions.