What features require which permission in Teams?
When setting up the Teams integration, you will have two options: TeamsBot Only or All Features.
Each option requires a different set of permissions and enables a different set of features.
Below, we have mapped each permission to the feature it enables in the Teams integration.
If you'd like to see how to enable the Teams integration, please click here to view our guide.
Please note:
- The admin authorising Teams requires a valid Microsoft Teams license to be assigned to them. If they do not have one, the bot will not function correctly.
Teams Lite (TeamsBot only)
The Bot only setting allows you to send notifications to your employees via Teams. It does not enable any message scanning or PII detection features.
| Feature | Bot Scope(s) | User Scope(s) | Permission Description | Requirement |
| --- | --- | --- | --- | --- |
| Teams message delivery | AppCatalog.ReadWrite.All | | Allows the app to create, read, update, and delete apps in the app catalogues without a signed-in user. | To add Security Bot application to the app catalogue |
| Sending messages to channels and directly to users | User.Read.All | | Allows the app to read user profiles without a signed in user. | Read the user profile |
| | TeamsAppInstallation.ReadWriteForUser.All | | Allows the app to read, install, upgrade, and uninstall Teams apps for any user, without a signed-in user. Does not give the ability to read application-specific settings. | To assign the Security Bot application to a user |
| | TeamsAppInstallation.ReadWriteForTeam.All | | Allows the app to read, install, upgrade, and uninstall Teams apps in any team, without a signed-in user. Does not give the ability to read application-specific settings. | To assign the Security Bot application to a team |
| | TeamsAppInstallation.ReadWriteForChat.All | | Allows the app to read, install, upgrade, and uninstall Teams apps in any chat, without a signed-in user. Does not give the ability to read application-specific settings. | To allow Security Bot to send messages in a channel |
| | Chat.Create | | Allows the app to create chats without a signed-in user. | To allow Security Bot to send messages in a direct message |
| | | AppCatalog.ReadWrite.All | Allows the app to create, read, update, and delete apps in the app catalogues. | Delegated admin granted user permission to add Security Bot application |
| | | offline_access | Maintain access to data you have given it access to | Allow use of refresh tokens |
| | | User.Read | Sign in and read user profile | Delegated admin granted user permission to read the user profile |
Enable all Permissions
Full permissions allow you to send messages to employees via Teams, as well as monitor channels for PII and sensitive data being posted.
| Feature | Bot Scope(s) | User Scope(s) | Permission Description | Requirement |
| --- | --- | --- | --- | --- |
| Teams message delivery | AppCatalog.ReadWrite.All | | Allows the app to create, read, update, and delete apps in the app catalogs without a signed-in user. | To add Security Bot application to the app catalog |
| Sending messages to channels and directly to users | User.Read.All | | Allows the app to read user profiles without a signed in user. | Read the user profile |
| | TeamsAppInstallation.ReadWriteForUser.All | | Allows the app to read, install, upgrade, and uninstall Teams apps for any user, without a signed-in user. Does not give the ability to read application-specific settings. | To assign the Security Bot application to a user |
| | TeamsAppInstallation.ReadWriteForTeam.All | | Allows the app to read, install, upgrade, and uninstall Teams apps in any team, without a signed-in user. Does not give the ability to read application-specific settings. | To assign the Security Bot application to a team |
| | TeamsAppInstallation.ReadWriteForChat.All | | Allows the app to read, install, upgrade, and uninstall Teams apps in any chat, without a signed-in user. Does not give the ability to read application-specific settings. | To allow Security Bot to send messages in a channel |
| | Chat.Create | | Allows the app to create chats without a signed-in user. | To allow Security Bot to send messages in a direct message |
| | | AppCatalog.ReadWrite.All | Allows the app to create, read, update, and delete apps in the app catalogs. | Delegated admin granted user permission to add Security Bot application |
| | | offline_access | Maintain access to data you have given it access to | Allow use of refresh tokens |
| | | User.Read | Sign in and read user profile | Delegated admin granted user permission to read the user profile |
| Teams message scanning | Chat.UpdatePolicyViolation.All | | Flag chat messages for violating policy | Allow Microsoft to flag chat messages that violate policy (DLP or similar) for CAI events to be raised |
| Monitoring Teams channels for PII and secure words | ChannelMessage.UpdatePolicyViolation.All | | Flag channel messages for violating policy | Allow Microsoft to flag chat messages that violate policy (DLP or similar) for CAI events to be raised |
| | ChannelSettings.Read.All | | Read the names, descriptions, and settings of all channels | Read channel settings in order to determine the scope of user access |
| | Chat.ReadBasic.All | | Read names and members of all chat threads | Read basic chat data to surface detections in CAI platform. |
| | Channel.ReadBasic.All | | Read the names and descriptions of all channels | Read basic channel data to surface detections in CAI platform. |
| | Directory.Read.All | | Read directory data | Determine which users are inside the organisation |
| | ChatMember.Read.All | | Read the members of all chats | Determine the members of any given chat |
| | ChannelMember.Read.All | | Read the members of all channels | Determine if public channel requirements are met |
| | Chat.Read.All | | Read all chat messages | Analysis of content in all chat messages in order for risks to be surfaced in the platform |
| | ChannelMessage.Read.All | | Read all channel messages | Analysis of content in all channel messages in order for risks to be surfaced in the platform |
| | ChatMessage.Read.All | | Read all chat messages | Analysis of content in all chat messages in order for risks to be surfaced in the platform |
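
A least-privilege check for the consent described in the tables above, added here as an example and not the vendor's own code: it resolves the app role assignments and delegated scope grants on the integration's service principal (in the JSON shape Microsoft Graph returns for `appRoleAssignments` and `oauth2PermissionGrants`) and reports anything granted beyond the chosen mode. The function names, the `bot_only`/`all_features` mode keys, the sample data and its GUIDs are assumptions constructed for illustration.

```python
# Permission names transcribed from the two tables on this page.
BOT_ONLY = {
    "AppCatalog.ReadWrite.All", "User.Read.All", "Chat.Create",
    "TeamsAppInstallation.ReadWriteForUser.All",
    "TeamsAppInstallation.ReadWriteForTeam.All",
    "TeamsAppInstallation.ReadWriteForChat.All",
    "offline_access", "User.Read",
}
SCANNING = {
    "Chat.UpdatePolicyViolation.All", "ChannelMessage.UpdatePolicyViolation.All",
    "ChannelSettings.Read.All", "Chat.ReadBasic.All", "Channel.ReadBasic.All",
    "Directory.Read.All", "ChatMember.Read.All", "ChannelMember.Read.All",
    "Chat.Read.All", "ChannelMessage.Read.All", "ChatMessage.Read.All",
}
EXPECTED = {"bot_only": BOT_ONLY, "all_features": BOT_ONLY | SCANNING}

def granted_permissions(graph_sp, role_assignments, scope_grants):
    """Map each granted permission name to 'application' or 'delegated'."""
    names = {r["id"]: r["value"] for r in graph_sp["appRoles"]}
    granted = {}
    for a in role_assignments["value"]:
        if a["resourceId"] != graph_sp["id"]:
            continue  # role on some other API, not Microsoft Graph
        # An id that does not resolve is kept as-is so it shows up as excess.
        granted[names.get(a["appRoleId"], a["appRoleId"])] = "application"
    for g in scope_grants["value"]:
        for scope in g["scope"].split():  # scopes are space-separated
            granted.setdefault(scope, "delegated")
    return granted

def audit(mode, granted):
    """Compare what is granted with what the chosen mode documents."""
    expected = EXPECTED[mode]
    return {"excess": {p: k for p, k in granted.items() if p not in expected},
            "missing": sorted(expected - set(granted))}

def sample():
    """Constructed data: bot-only roles plus one stray Chat.Read.All grant."""
    roles = sorted(BOT_ONLY - {"offline_access", "User.Read"}) + ["Chat.Read.All"]
    sp = {"id": "graph-sp-placeholder", "appRoles": [
        {"id": f"00000000-0000-0000-0000-{i:012d}", "value": v}
        for i, v in enumerate(roles)]}
    assignments = {"value": [{"resourceId": sp["id"], "appRoleId": r["id"]}
                             for r in sp["appRoles"]]}
    grants = {"value": [{"consentType": "AllPrincipals", "scope": "offline_access User.Read"}]}
    return sp, assignments, grants

if __name__ == "__main__":
    print(audit("bot_only", granted_permissions(*sample())))
```

A tenant set up as TeamsBot Only should report no message-reading permissions under `excess`; any `*.Read.All` chat or channel entry there means the consent is broader than the features in use.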