
AI Connection to Microsoft 365

Add the required Microsoft Graph permissions to the SSO enterprise application — M365 connector, Office add-ins, and Teams meeting bot.

Updated June 27, 2026 (3 min read)

Objective


1. Delegated permissions (Microsoft Graph)

Usage: SSO sign-in + MCP connector + Office add-ins.

App registrations > Manage > API permissions > + Add a permission > Microsoft Graph > Delegated permissions.

Identity / sign-in (SSO)

  • openid
  • profile
  • email
  • User.Read
  • User.ReadBasic.All

Mail (Outlook)

  • Mail.Read
  • Mail.ReadWrite.Shared
  • Mail.Send.Shared
  • MailboxSettings.Read

Calendar

  • Calendars.ReadWrite.Shared

Files / SharePoint

  • Files.Read
  • Files.Read.All
  • Sites.Read.All

Contacts / people

  • Contacts.ReadWrite.Shared
  • People.Read.All
  • Presence.Read

Tasks / notes

  • Tasks.ReadWrite
  • Tasks.ReadWrite.Shared
  • Notes.Read.All
  • Notes.ReadWrite

Teams (chats / channels / meetings)

  • Team.ReadBasic.All
  • Channel.ReadBasic.All
  • ChannelMessage.Send
  • Chat.Create
  • Chat.ReadWrite
  • ChatMessage.Send
  • OnlineMeetings.ReadWrite

Groups

  • GroupMember.Read.All

2. Application permissions (Microsoft Graph)

Usage: Teams meeting bot + automatic mailbox/site discovery. App-only, admin consent required.

+ Add a permission > Microsoft Graph > Application permissions.

Discovery (back end)

  • User.Read.All
  • MailboxSettings.Read
  • Reports.Read.All

Teams meeting bot (teamsbot)

  • Calls.AccessMedia.All
  • Calls.JoinGroupCall.All (singular JoinGroupCall, not JoinGroupCalls)
  • Calls.JoinGroupCallAsGuest.All
  • Calls.Initiate.All
  • OnlineMeetings.Read.All (as an application permission; the bot runs without a signed-in user)
  • Chat.Read.All
  • Chat.Read.WhereInstalled
  • Chat.ReadWrite.All
  • Chat.ReadWrite.WhereInstalled
  • ChatMessage.Read.All
  • GroupMember.Read.All
  • Calendars.Read

3. Resource-specific consent (RSC) permissions

To be declared in the Teams app manifest (authorization.permissions.resourceSpecific), not in Entra.

  • Calls.AccessMedia.Chat
  • Calls.JoinGroupCalls.Chat (plural JoinGroupCalls for RSC)

4. Office add-ins

Two settings on the registration, required for Nested App Authentication (NAA) of the Office add-ins.

4.1 Authentication — Single-page application (SPA)

Authentication tab > + Add a platform > Single-page application. Redirect URI in the format brk-multihub://<domain> (origin only, no sub-path and no trailing slash).

4.2 Expose an API

Expose an API tab:

  • Exposed scope: access_as_user (api://<clientId>/access_as_user)
  • Who can consent: Admins and users
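As an added example (not part of this guide and not the platform's own tooling), the following Microsoft Graph PowerShell SDK script applies both NAA settings from section 4 to an existing registration: it validates that the broker redirect URI is an origin with no path before adding it to the SPA platform, and exposes the access_as_user scope under api://<clientId> with Type = User so that admins and users can consent. It assumes the Microsoft.Graph module is installed and that the signed-in account can write application objects; $AppId and $AddInDomain are placeholders.

```powershell
# Added example (not from the original guide): apply the two NAA settings from section 4
# to an existing registration with the Microsoft Graph PowerShell SDK.
# $AppId and $AddInDomain are placeholders for your Application (client) ID and the
# domain the add-in is served from.
param(
    [string]$AppId = "<App ID>",
    [string]$AddInDomain = "addin.example.com"
)

Connect-MgGraph -Scopes 'Application.ReadWrite.All' -NoWelcome
$app = Get-MgApplication -Filter "appId eq '$AppId'"
if (-not $app) { throw "No app registration found for appId $AppId" }

# 4.1 SPA platform: the broker redirect URI is the origin only (host, optional port), no path.
$redirectUri = "brk-multihub://$AddInDomain"
if ($redirectUri -notmatch '^brk-multihub://[A-Za-z0-9.-]+(:\d+)?$') {
    throw "Redirect URI must be origin only, e.g. brk-multihub://<domain>: $redirectUri"
}
$spaUris = @(@($app.Spa.RedirectUris) + $redirectUri | Select-Object -Unique)
Update-MgApplication -ApplicationId $app.Id -Spa @{ RedirectUris = $spaUris }

# 4.2 Expose an API: scope access_as_user under api://<clientId>, consentable by admins and users.
$existingScopes = @($app.Api.Oauth2PermissionScopes)
if (-not ($existingScopes | Where-Object Value -eq 'access_as_user')) {
    $newScope = @{
        Id                      = [guid]::NewGuid().ToString()
        Value                   = 'access_as_user'
        Type                    = 'User'    # 'User' = admins and users can consent; 'Admin' = admins only
        IsEnabled               = $true
        AdminConsentDisplayName = 'Access the API as the signed-in user'
        AdminConsentDescription = 'Allows the Office add-in to call the API on behalf of the signed-in user.'
        UserConsentDisplayName  = 'Access the API on your behalf'
        UserConsentDescription  = 'Allows the Office add-in to call the API on your behalf.'
    }
    # Keep any identifier URIs and scopes that already exist; Update-MgApplication replaces the whole property.
    $identifierUris = @(@($app.IdentifierUris) + "api://$($app.AppId)" | Select-Object -Unique)
    Update-MgApplication -ApplicationId $app.Id `
        -IdentifierUris $identifierUris `
        -Api @{ Oauth2PermissionScopes = @($existingScopes + $newScope) }
}

# Read back and show both settings
$app = Get-MgApplication -ApplicationId $app.Id
"SPA redirect URIs : $($app.Spa.RedirectUris -join ', ')"
"Identifier URIs   : $($app.IdentifierUris -join ', ')"
$app.Api.Oauth2PermissionScopes | Select-Object Value, Type, IsEnabled
```

The regex check is the important part for NAA: a redirect URI with a path or trailing slash does not match what the Office host broker sends, and the sign-in silently fails rather than producing a clear error. Because Update-MgApplication replaces the SPA and API collections wholesale, the script merges with whatever is already on the registration instead of overwriting it.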

5. Additional Teams bot configuration (beyond permissions)

Already in place if the current teamsbot works — reuse as is.

  1. Azure Bot Service: bot registration linked to the App ID, Teams channel, Calling enabled, notification webhook.

  2. Compliance recording — this is what makes the bot automatically join all meetings/calls (all / all-except modes):

    # Create the application instance (resource account) for the bot; note the ObjectId it returns
    New-CsOnlineApplicationInstance -UserPrincipalName <upn> -DisplayName <name> -ApplicationId <App ID>
    # Microsoft's guide also runs Sync-CsOnlineApplicationInstance on the new instance before the policy steps
    # Create the recording policy and attach the application instance by its ObjectId (not the App ID)
    New-CsTeamsComplianceRecordingPolicy -Enabled $true -Identity <policy>
    Set-CsTeamsComplianceRecordingPolicy -Identity <policy> -ComplianceRecordingApplications @(New-CsTeamsComplianceRecordingApplication -Parent <policy> -Id <ObjectId of application instance>)
    # Assign the policy; the bot auto-joins the meetings and calls of every assigned user
    Grant-CsTeamsComplianceRecordingPolicy -Identity <user> -PolicyName <policy>
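Because a compliance recording policy makes the bot join every meeting and call of the users it is assigned to, it is worth confirming exactly what the policy covers after running the steps above. The following check is an added example (not from the original guide or the bot sample) using the MicrosoftTeams module; $PolicyName and $AppId are placeholders.

```powershell
# Added example (not from the original guide): verify what the compliance recording policy
# from section 5 actually covers. Requires the MicrosoftTeams PowerShell module.
# $PolicyName and $AppId are placeholders for the policy name and the bot's Application (client) ID.
param(
    [string]$PolicyName = "<policy>",
    [string]$AppId = "<App ID>"
)

Connect-MicrosoftTeams

# 1. The application instance the policy points at must be backed by the bot's App ID
$instance = Get-CsOnlineApplicationInstance | Where-Object ApplicationId -eq $AppId
if (-not $instance) { throw "No application instance for $AppId; run New-CsOnlineApplicationInstance first" }
"Application instance : $($instance.UserPrincipalName) (ObjectId $($instance.ObjectId))"

# 2. The policy is enabled and references that instance's ObjectId (not the App ID)
$policy = Get-CsTeamsComplianceRecordingPolicy -Identity $PolicyName
"Policy enabled       : $($policy.Enabled)"
$linked = @($policy.ComplianceRecordingApplications | Where-Object { $_.Id -like "*$($instance.ObjectId)*" })
"Policy linked to bot : $($linked.Count -gt 0)"

# 3. Who is in scope: every user listed here has the bot join all their meetings and calls.
#    Get-CsOnlineUser enumerates the whole tenant, so this can take a while on large tenants.
$inScope = @(Get-CsOnlineUser | Where-Object { $_.TeamsComplianceRecordingPolicy -like "*$PolicyName*" })
"Users in scope       : $($inScope.Count)"
$inScope | Select-Object UserPrincipalName, TeamsComplianceRecordingPolicy
```

Review the third list against what was intended: an unexpected user here means the bot will be silently present in that person's calls, and an empty list means the policy exists but the bot will never be invited.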

App registrations > API permissions > Grant admin consent for your tenant.
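Once consent has been granted, an audit of what the registration actually requests and what the tenant has actually consented to is a useful check, both to catch a permission that was skipped and to catch extras that widen the blast radius beyond the lists in sections 1 and 2. The script below is an added example (not from this guide or the platform's connector) using the Microsoft Graph PowerShell SDK; it assumes the Microsoft.Graph module is installed and that the signed-in account can read applications and directory objects. The App ID is a placeholder, and the expected lists are copied from sections 1 and 2.

```powershell
# Added example (not from the original guide): audit an app registration against the
# delegated and application permission lists above and report consent gaps.
# Requires the Microsoft Graph PowerShell SDK (Microsoft.Graph module).
param([string]$AppId = "<App ID>")   # placeholder: the registration's Application (client) ID

$GraphResourceAppId = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph

# Expected lists, copied from sections 1 and 2 of the guide
$ExpectedDelegated = @(
    'openid', 'profile', 'email', 'User.Read', 'User.ReadBasic.All',
    'Mail.Read', 'Mail.ReadWrite.Shared', 'Mail.Send.Shared', 'MailboxSettings.Read',
    'Calendars.ReadWrite.Shared', 'Files.Read', 'Files.Read.All', 'Sites.Read.All',
    'Contacts.ReadWrite.Shared', 'People.Read.All', 'Presence.Read',
    'Tasks.ReadWrite', 'Tasks.ReadWrite.Shared', 'Notes.Read.All', 'Notes.ReadWrite',
    'Team.ReadBasic.All', 'Channel.ReadBasic.All', 'ChannelMessage.Send', 'Chat.Create',
    'Chat.ReadWrite', 'ChatMessage.Send', 'OnlineMeetings.ReadWrite', 'GroupMember.Read.All'
)
$ExpectedApplication = @(
    'User.Read.All', 'MailboxSettings.Read', 'Reports.Read.All',
    'Calls.AccessMedia.All', 'Calls.JoinGroupCall.All', 'Calls.JoinGroupCallAsGuest.All',
    'Calls.Initiate.All', 'OnlineMeetings.Read.All', 'Chat.Read.All', 'Chat.Read.WhereInstalled',
    'Chat.ReadWrite.All', 'Chat.ReadWrite.WhereInstalled', 'ChatMessage.Read.All',
    'GroupMember.Read.All', 'Calendars.Read'
)

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

$app = Get-MgApplication -Filter "appId eq '$AppId'"
if (-not $app) { throw "No app registration found for appId $AppId" }
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphResourceAppId'"

# The Graph service principal is the source of truth for permission GUID -> name
$scopeNames = @{}; foreach ($s in $graphSp.Oauth2PermissionScopes) { $scopeNames[$s.Id] = $s.Value }
$roleNames  = @{}; foreach ($r in $graphSp.AppRoles)               { $roleNames[$r.Id]  = $r.Value }

# What the registration requests from Graph (Type 'Scope' = delegated, 'Role' = application)
$graphAccess = $app.RequiredResourceAccess | Where-Object ResourceAppId -eq $GraphResourceAppId
$requestedDelegated   = @($graphAccess.ResourceAccess | Where-Object Type -eq 'Scope' | ForEach-Object { $scopeNames[$_.Id] })
$requestedApplication = @($graphAccess.ResourceAccess | Where-Object Type -eq 'Role'  | ForEach-Object { $roleNames[$_.Id] })

function Compare-PermissionSet([string]$Label, [string[]]$Expected, [string[]]$Requested) {
    $missing = @($Expected  | Where-Object { $_ -notin $Requested })
    $extra   = @($Requested | Where-Object { $_ -notin $Expected })
    "[$Label] missing from the registration : $($missing -join ', ')"
    "[$Label] requested but not in the guide : $($extra -join ', ')   <- review for least privilege"
}
Compare-PermissionSet 'Delegated'   $ExpectedDelegated   $requestedDelegated
Compare-PermissionSet 'Application' $ExpectedApplication $requestedApplication

# Consent is recorded on the service principal, not the registration: delegated permissions
# as OAuth2 permission grants, application permissions as app role assignments.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { "No service principal yet: admin consent has never been granted in this tenant"; return }

$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)' and resourceId eq '$($graphSp.Id)'"
$tenantWideScopes = @(($grants | Where-Object ConsentType -eq 'AllPrincipals').Scope -split ' ' | Where-Object { $_ })
$assignedRoles = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    Where-Object ResourceId -eq $graphSp.Id | ForEach-Object { $roleNames[$_.AppRoleId] })

"Delegated permissions without tenant-wide admin consent : $(@($requestedDelegated | Where-Object { $_ -notin $tenantWideScopes }) -join ', ')"
"Application permissions not yet granted                 : $(@($requestedApplication | Where-Object { $_ -notin $assignedRoles }) -join ', ')"
```

Two details matter for reading the output. Permission names are resolved through the Microsoft Graph service principal rather than a hard-coded GUID table, so the script stays correct as Graph adds permissions. And "requested" and "consented" are different objects in Entra: the registration only declares what the app would like, while the grants and role assignments on the service principal are what the tenant has actually approved, so a permission can appear in the first report as present and still show up in the last two lines as unconsented.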


Sources for the bot permissions: Microsoft Learn — "Register Calls & Meetings Bot" and the official PolicyRecordingBot sample (microsoft-graph-comms-samples). Delegated permissions: the AI platform's M365 connector.

Need a hand?

Our team can walk through these steps with you in a meeting with screen sharing.

Contact Hilo Tech
