Objective
1. Delegated permissions (Microsoft Graph)
Usage: SSO sign-in + MCP connector + Office add-ins.
App registrations > Manage > API permissions > + Add a permission > Microsoft Graph > Delegated permissions.
Identity / sign-in (SSO)
- openid
- profile
- email
- User.Read
- User.ReadBasic.All
Mail (Outlook)
- Mail.Read
- Mail.ReadWrite.Shared
- Mail.Send.Shared
- MailboxSettings.Read
Calendar
- Calendars.ReadWrite.Shared
Files / SharePoint
- Files.Read
- Files.Read.All
- Sites.Read.All
Contacts / people
- Contacts.ReadWrite.Shared
- People.Read.All
- Presence.Read
Tasks / notes
- Tasks.ReadWrite
- Tasks.ReadWrite.Shared
- Notes.Read.All
- Notes.ReadWrite
Teams (chats / channels / meetings)
- Team.ReadBasic.All
- Channel.ReadBasic.All
- ChannelMessage.Send
- Chat.Create
- Chat.ReadWrite
- ChatMessage.Send
- OnlineMeetings.ReadWrite
Groups
- GroupMember.Read.All
2. Application permissions (Microsoft Graph)
Usage: Teams meeting bot + automatic mailbox/site discovery. App-only, admin consent required.
+ Add a permission > Microsoft Graph > Application permissions.
Discovery (back end)
- User.Read.All
- MailboxSettings.Read
- Reports.Read.All
Teams meeting bot (teamsbot)
- Calls.AccessMedia.All
- Calls.JoinGroupCall.All ← singular (JoinGroupCall), not JoinGroupCalls
- Calls.JoinGroupCallAsGuest.All
- Calls.Initiate.All
- OnlineMeetings.Read.All ← as an application permission (the bot runs without a signed-in user)
- Chat.Read.All
- Chat.Read.WhereInstalled
- Chat.ReadWrite.All
- Chat.ReadWrite.WhereInstalled
- ChatMessage.Read.All
- GroupMember.Read.All
- Calendars.Read
3. Resource-specific consent (RSC)
To be declared in the Teams app manifest (authorization.permissions.resourceSpecific), not in Entra.
- Calls.AccessMedia.Chat
- Calls.JoinGroupCalls.Chat ← plural (JoinGroupCalls) for RSC
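An added example, not part of the original page: a Python check that compares a Teams manifest's RSC entries and the app's granted application permissions with the lists in sections 2 and 3. It flags near-miss names such as the singular/plural `JoinGroupCall(s)` mix-up, anything granted beyond the baseline, and anything missing. It assumes the caller has already resolved the granted app roles to their names; the sample inputs are constructed.

```python
import difflib
import json

# Baselines copied from sections 2 (Entra application permissions) and 3 (RSC).
APP_ROLES = {
    "User.Read.All", "MailboxSettings.Read", "Reports.Read.All",
    "Calls.AccessMedia.All", "Calls.JoinGroupCall.All",
    "Calls.JoinGroupCallAsGuest.All", "Calls.Initiate.All",
    "OnlineMeetings.Read.All", "Chat.Read.All", "Chat.Read.WhereInstalled",
    "Chat.ReadWrite.All", "Chat.ReadWrite.WhereInstalled",
    "ChatMessage.Read.All", "GroupMember.Read.All", "Calendars.Read",
}
RSC = {"Calls.AccessMedia.Chat", "Calls.JoinGroupCalls.Chat"}


def diff(surface, expected, actual):
    """Return (surface, kind, name, suggestion) tuples for one permission surface."""
    actual, findings = set(actual), []
    for name in sorted(actual - expected):
        # A near-identical name is almost certainly a typo (JoinGroupCall vs JoinGroupCalls).
        near = difflib.get_close_matches(name, sorted(expected), n=1, cutoff=0.9)
        kind = "misspelled" if near else "extra"  # "extra" = beyond the baseline
        findings.append((surface, kind, name, near[0] if near else None))
    for name in sorted(expected - actual):
        findings.append((surface, "missing", name, None))
    return findings


def audit(manifest_json, granted_app_roles):
    """Check a Teams manifest and the granted Entra app roles against the baselines."""
    perms = json.loads(manifest_json).get("authorization", {}).get("permissions", {})
    declared = [p["name"] for p in perms.get("resourceSpecific", [])]
    return diff("rsc", RSC, declared) + diff("entra-app", APP_ROLES, granted_app_roles)


# Constructed sample: singular typo in the manifest, one extra and one missing app role.
SAMPLE_MANIFEST = json.dumps({"authorization": {"permissions": {"resourceSpecific": [
    {"name": "Calls.AccessMedia.Chat", "type": "Application"},
    {"name": "Calls.JoinGroupCall.Chat", "type": "Application"},
]}}})
SAMPLE_ROLES = (APP_ROLES - {"Calendars.Read"}) | {"Mail.ReadWrite"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFEST, SAMPLE_ROLES):
        print(*finding)
```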
4. Office add-ins
Two settings on the registration, required for Nested App Authentication (NAA) of the Office add-ins.
4.1 Authentication — Single-page application (SPA)
Authentication tab > + Add a platform > Single-page application. Redirect URI in the format brk-multihub://<domain> (origin only, no sub-path):
4.2 Expose an API
Expose an API tab:
- Exposed scope: access_as_user (api://<clientId>/access_as_user)
- Who can consent: Admins and users
5. Additional Teams bot configuration (beyond permissions)
Already in place if the current teamsbot works — reuse as is.
- Azure Bot Service: bot registration linked to the App ID, Teams channel, Calling enabled, notification webhook.
- Compliance recording — this is what makes the bot automatically join all meetings/calls (all/all-except modes):

    # Create the application instance for the bot's App ID; note the ObjectId it returns
    New-CsOnlineApplicationInstance -UserPrincipalName <upn> -DisplayName <name> -ApplicationId <App ID>
    # Create the recording policy
    New-CsTeamsComplianceRecordingPolicy -Enabled $true -Identity <policy>
    # -Id is the ObjectId of the application instance created above, not the Entra App ID
    Set-CsTeamsComplianceRecordingPolicy -Identity <policy> -ComplianceRecordingApplications @(New-CsTeamsComplianceRecordingApplication -Parent <policy> -Id <application instance ObjectId>)
    # Assign the policy to each user whose meetings/calls the bot must join
    Grant-CsTeamsComplianceRecordingPolicy -Identity <user> -PolicyName <policy>
6. Grant admin consent
App registrations > API permissions > Grant admin consent for your tenant.
Sources for the bot permissions: Microsoft Learn — "Register Calls & Meetings Bot" and the official PolicyRecordingBot sample (microsoft-graph-comms-samples). Delegated permissions: the AI platform's M365 connector.