When configuring the digital signage apps on Airtame Cloud that require Google or Microsoft authentication, you might be asked to grant permissions to a specific app. These app permissions are granted per Airtame Cloud user and are not shared across the Airtame Cloud account, except for the global calendar.
Read more about the global calendar here
Airtame Cloud apps require user permissions to function; only read permissions are requested and used. Here is an overview of which permissions each Airtame Cloud app or integration requires and what each one means:
Google Authentication
Room Overview & Room Calendar
- calendar.readonly - Permission used to read the organization's calendars (meeting rooms). Used in the Cloud Frontend to display the meeting rooms in the select window. Works together with the admin scope below; both are required.
- admin.directory.resource.calendar.readonly - Permission used to read the organization's calendar resources (meeting rooms). Used in the Cloud Frontend to display the meeting rooms in the select window. The admin part is required to access the entire organization's room calendars, not only the authenticated user's own.
- email - Used as a unique identifier: the Airtame Cloud apps look up the access token stored for this email when querying for events.
Google Slides
- drive.readonly - Gives the Airtame Cloud app read access to the user's Drive files in order to display the presentations.
Microsoft Authentication
Room Overview & Room Calendar
- offline_access - Used to obtain a refresh token (valid for 90 days), from which the app can obtain 1-hour access tokens without the user signing in again. Microsoft's standard wording for this scope is that it allows the app to read and update user data even when they are not using it; by itself it grants no data access, and what the app can actually reach is bounded by the read-only scopes listed alongside it.
- user.readbasic.all - Used to obtain the user's email, which is stored in the database with the refresh token and sent as app configuration, together with the user's name, to show who is signed in on the Settings page. Allows the Airtame Cloud app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user: display name, first and last name, email address, open extensions, and photo. Also allows the Airtame Cloud app to read the full profile of the signed-in user.
- calendars.read - Needed to query the meeting rooms' events. Allows the Airtame Cloud app to read events in user calendars.
- place.read.all - Needed to query all of the organization's meeting rooms (places in the Microsoft Graph API). This scope requires admin consent. Allows the app to read company places (conference rooms and room lists) set up in Exchange Online for the tenant.
OneDrive Gallery & OneDrive Video
- offline_access - Used to obtain a refresh token (valid for 90 days), from which the app can obtain 1-hour access tokens without the user signing in again. Microsoft's standard wording for this scope is that it allows the app to read and update user data even when they are not using it; by itself it grants no data access, and what the app can actually reach is bounded by the read-only scopes listed alongside it.
- files.read - Allows the Airtame Cloud app to read the signed-in user's files.
- files.read.all - Used for files of the "shared with me" type. Allows the app to read all files the signed-in user can access.
- user.readbasic.all - Used to obtain the user's email, which is stored in the database with the refresh token and sent as app configuration, together with the user's name, to show who is signed in on the Settings page. Allows the Airtame Cloud app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user: display name, first and last name, email address, open extensions, and photo. Also allows the Airtame Cloud app to read the full profile of the signed-in user.
PowerBI
Microsoft Graph API:
- offline_access: Used to obtain a refresh token (valid for 90 days), from which the app can obtain 1-hour access tokens without the user signing in again. Microsoft's standard wording for this scope is that it allows the app to read and update user data even when they are not using it; by itself it grants no data access, and what the app can actually reach is bounded by the read-only PowerBI scopes below.
PowerBI Service:
- Report.Read.All: Allows the Airtame Cloud app to read the signed-in user's reports. This scope is necessary because Dashboard tiles can be added from report visualizations.
- App.Read.All: Allows the Airtame Cloud app to read the signed-in user's PowerBI apps. This scope is necessary because Dashboard tiles can be based on data coming from PowerBI apps.
- Dashboard.Read.All: Allows the Airtame Cloud app to read the signed-in user's dashboards.
- Dataset.Read.All: Allows the Airtame Cloud app to read the signed-in user's datasets. This scope is necessary because Dashboard tiles built on Reports need to access the data to be able to render the visualization.
- Workspace.Read.All: Allows the Airtame Cloud app to read the signed-in user's workspaces.
PowerPoint
- offline_access - Used to obtain a refresh token (valid for 90 days), from which the app can obtain 1-hour access tokens without the user signing in again. Microsoft's standard wording for this scope is that it allows the app to read and update user data even when they are not using it; by itself it grants no data access, and what the app can actually reach is bounded by the read-only scopes listed alongside it.
- user.readbasic.all - Used to obtain the user's email, which is stored in the database with the refresh token and sent as app configuration, together with the user's name, to show who is signed in on the Settings page. Allows the Airtame Cloud app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user: display name, first and last name, email address, open extensions, and photo. Also allows the Airtame Cloud app to read the full profile of the signed-in user.
- files.read - Allows the Airtame Cloud app to read the signed-in user's files.
- files.read.all - Used for files of the "shared with me" type. Allows the app to read all files the signed-in user can access.
- sites.read.all - Allows the app to read documents and list items in all site collections on behalf of the signed-in user.
For Microsoft, only delegated permissions are used (the app acts on behalf of the signed-in user); no application permissions are requested.
Reference page for Microsoft permissions:
https://docs.microsoft.com/en-us/graph/permissions-reference
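The scope lists above are easiest to verify against what a tenant actually issued. The following is an added example, not Airtame's code: it decodes the scp claim of a Microsoft access token (without verifying the signature, so for inspection only) and compares it with the per-app lists on this page, flagging anything missing, anything extra, anything that is not a Read or ReadBasic scope, and which granted scopes need admin consent. It also handles one detail the lists do not show: offline_access is honoured by issuing a refresh token and never appears in the scp claim. The tokens, claim values and app names in the block are constructed for the example; real tokens are signed and carry many more claims.

```python
import base64
import json

# Delegated Microsoft Graph scopes this page lists per app (Power BI is left
# out: its scopes are on the Power BI service, not Graph).
EXPECTED_SCOPES = {
    "Room Overview & Room Calendar": {
        "offline_access", "user.readbasic.all", "calendars.read", "place.read.all"},
    "OneDrive Gallery & OneDrive Video": {
        "offline_access", "files.read", "files.read.all", "user.readbasic.all"},
    "PowerPoint": {
        "offline_access", "user.readbasic.all", "files.read", "files.read.all",
        "sites.read.all"},
}
# The one scope the page says needs tenant-wide admin consent.
ADMIN_CONSENT_SCOPES = {"place.read.all"}
# offline_access is honoured by issuing a refresh token; it never appears in an
# access token's scp claim, so it must not be reported as missing.
NOT_IN_SCP = {"offline_access"}


def b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt):
    """Return a JWT's payload claims WITHOUT checking the signature.
    Inspection only: never use this to decide whether a token is trusted."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWS")
    return json.loads(b64url_decode(parts[1]))


def is_read_only(scope):
    """Graph delegated scopes are Resource.Access[.Qualifier]; only the Read
    and ReadBasic access levels count as read-only."""
    parts = scope.lower().split(".")
    return len(parts) > 1 and parts[1] in {"read", "readbasic"}


def audit_scopes(app, granted):
    """Compare granted scope names (any case) with what the page lists."""
    expected = EXPECTED_SCOPES[app]
    granted = {s.lower() for s in granted}
    return {
        "missing": sorted((expected - NOT_IN_SCP) - granted),
        "unexpected": sorted(granted - expected),
        "write": sorted(s for s in granted
                        if s not in NOT_IN_SCP and not is_read_only(s)),
        "admin_consent": sorted(granted & ADMIN_CONSENT_SCOPES),
    }


def audit_token(app, jwt):
    """Audit the space-separated scp claim of a Microsoft access token."""
    claims = token_claims(jwt)
    return audit_scopes(app, set(claims.get("scp", "").split()))


def make_sample_token(scp):
    """Build an UNSIGNED sample token (constructed for this example only;
    real tokens from Entra ID are RS256-signed)."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": "https://graph.microsoft.com", "scp": scp,
               "upn": "someone@example.com"}  # constructed claims
    return f"{enc(header)}.{enc(payload)}."


if __name__ == "__main__":
    app = "Room Overview & Room Calendar"
    ok = make_sample_token("Calendars.Read Place.Read.All User.ReadBasic.All")
    over = make_sample_token("Calendars.ReadWrite Place.Read.All "
                             "User.ReadBasic.All Mail.Send")
    print("expected grant:", audit_token(app, ok))
    print("over-scoped grant:", audit_token(app, over))
```

Scope names are compared case-insensitively because this page writes them in lower case while the token carries them as Calendars.Read, Place.Read.All and so on. If the "write" or "unexpected" lists are non-empty for a token the app obtained, the consent prompt asked for more than this page documents and is worth questioning before granting it.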
Admin consent
Some scopes require admin consent, meaning an Admin must consent on behalf of the entire organization. This can be done in two ways:
- When the Airtame Cloud app is being configured for the first time and the Grant permissions dialog is shown, an Admin can tick the "Consent on behalf of your organization" checkbox. Note that an Admin who signs in and consents without ticking that box only consents for their own account, which does not unblock other users.
- From the Azure portal (Microsoft Entra admin center): Enterprise applications ⇒ search for the Airtame Cloud app ⇒ Permissions ⇒ Grant admin consent.
Until admin consent has been granted, a regular user cannot authenticate to use the specific Airtame Cloud app. In organizations with strict consent rules, regular users will therefore be unable to configure the Airtame Cloud app until an Admin consents.
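An Admin can confirm whether the tenant-wide consent described above is actually in place rather than relying on the prompt. The following is an added example, not Airtame's code: it takes the Microsoft Graph listing of oauth2PermissionGrants for the app's service principal (the real call is GET /v1.0/oauth2PermissionGrants filtered on clientId; the response below is a constructed sample with placeholder object IDs) and separates tenant-wide grants (consentType "AllPrincipals") from per-user grants (consentType "Principal"). It treats an admin-consent scope that appears only in a per-user grant, including an Admin's own, as still pending, because that is exactly the case where regular users remain blocked.

```python
import copy

# The one delegated scope this page says needs tenant-wide admin consent.
ADMIN_CONSENT_SCOPES = {"place.read.all"}

# Constructed sample (placeholder object IDs, not real tenant values) of the
# response to
#   GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants
#       ?$filter=clientId eq '<object ID of the Airtame Cloud service principal>'
# consentType is "Principal" for a grant by one user (principalId set) and
# "AllPrincipals" for a tenant-wide grant by an admin (principalId null).
AIRTAME_SP = "11111111-1111-1111-1111-111111111111"
GRAPH_SP = "22222222-2222-2222-2222-222222222222"
ADMIN_USER = "33333333-3333-3333-3333-333333333333"

SAMPLE_GRANTS_BEFORE = {
    "value": [
        {
            # An Admin signed in and consented WITHOUT ticking "Consent on
            # behalf of your organization": the grant covers that one account.
            "clientId": AIRTAME_SP,
            "consentType": "Principal",
            "principalId": ADMIN_USER,
            "resourceId": GRAPH_SP,
            "scope": "offline_access User.ReadBasic.All Calendars.Read Place.Read.All",
        },
    ]
}

# The same tenant after "Grant admin consent" in the Azure portal.
SAMPLE_GRANTS_AFTER = copy.deepcopy(SAMPLE_GRANTS_BEFORE)
SAMPLE_GRANTS_AFTER["value"].append({
    "clientId": AIRTAME_SP,
    "consentType": "AllPrincipals",
    "principalId": None,
    "resourceId": GRAPH_SP,
    "scope": "User.ReadBasic.All Calendars.Read Place.Read.All",
})


def summarize_grants(grants, client_id):
    """Split grants for client_id into tenant-wide scopes and per-user scopes."""
    tenant_wide, per_user = set(), {}
    for g in grants.get("value", []):
        if g.get("clientId") != client_id:
            continue  # ignore grants that belong to other apps
        scopes = {s.lower() for s in g.get("scope", "").split()}
        if g.get("consentType") == "AllPrincipals":
            tenant_wide |= scopes
        else:
            per_user.setdefault(g.get("principalId"), set()).update(scopes)
    return tenant_wide, per_user


def admin_consent_status(grants, client_id, required=ADMIN_CONSENT_SCOPES):
    """Report whether every admin-consent scope is granted tenant-wide.
    A scope present only in a Principal grant (even the Admin's own) does
    not unblock other users, so it still counts as pending."""
    tenant_wide, per_user = summarize_grants(grants, client_id)
    pending = sorted(s for s in required if s not in tenant_wide)
    return {
        "regular_users_can_authenticate": not pending,
        "pending_admin_consent": pending,
        "tenant_wide_scopes": sorted(tenant_wide),
        "per_user_consents": {u: sorted(s) for u, s in per_user.items()},
    }


if __name__ == "__main__":
    for label, grants in (("before", SAMPLE_GRANTS_BEFORE),
                          ("after", SAMPLE_GRANTS_AFTER)):
        print(label, admin_consent_status(grants, AIRTAME_SP))
```

The per_user_consents map also shows which individual users have consented, which matches the statement at the top of this page that app permissions are per Airtame Cloud user rather than per account.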
Licenses
Some Airtame Cloud applications require Microsoft licenses:
- OneDrive apps (Video, PowerPoint, Gallery) require a OneDrive license.
- Calendar apps (Room Overview and Homescreen) require an Exchange Online license.