When configuring Airtame Cloud applications/integrations on Airtame Cloud Plus that require Google or Microsoft authentication, you may be asked to grant permissions to a specific Airtame Cloud app or integration.
Airtame Cloud applications require user permissions in order to function. We only request and use read-only permissions (plus, for Microsoft, the offline_access scope, which only lets the app refresh its token). Below is an overview of which permissions each Airtame Cloud app or integration requires and what each one means.
Homescreen & Room Overview with Google authentication
- calendar.readonly - Permission to read the organization's calendars (meeting rooms). Used in the Cloud Frontend to display the meeting rooms in the select window. Works together with the admin.directory scope below; both are needed.
- admin.directory.resource.calendar.readonly - Permission to read the organization's calendar resources (meeting rooms). Used in the Cloud Frontend to display the meeting rooms in the select window. The admin part is required to access the entire organization's room calendars, not only the authenticated user's own.
- email - The user's email address, used as the unique identifier under which these Airtame Cloud apps store and look up the access token they use to query for events.
Google Slides
- drive.readonly - Gives the Airtame Cloud app read-only access to the user's Drive files in order to display the presentations.
Homescreen and Room Overview with Microsoft authentication
- offline_access - Used to obtain a refresh token, so the app can renew its access token without the user being present.
- user.readbasic.all - Used to obtain the user's email. The email is stored in the database together with the refresh token and sent as app configuration, along with the name, to display the user's name in the Settings page. Allows the Airtame Cloud app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user: display name, first and last name, email address, open extensions and photo. Also allows the Airtame Cloud app to read the full profile of the signed-in user.
- calendars.read - Needed to query for meeting rooms' events. Allows the Airtame Cloud app to read events in user calendars.
- place.read.all - Needed to query for the entire organization's meeting rooms (places in the Microsoft Graph API). This scope requires admin consent. Allows the app to read company places (conference rooms and room lists) set up in Exchange Online for the tenant.
OneDrive Gallery and OneDrive Video with Microsoft authentication
- offline_access - Used to obtain a refresh token. The refresh token expires after 90 days of inactivity; while valid, it lets us obtain a new 1-hour access token for the applications. Allows the Airtame Cloud app to read and update user data even when the user is not currently using the app.
- files.read - Allows the Airtame Cloud app to read the signed-in user's files.
- files.read.all - Used for "Shared with me" files. Allows the app to read all files the signed-in user can access.
- user.readbasic.all - Used to obtain the user's email. The email is stored in the database together with the refresh token and sent as app configuration, along with the name, to display the user's name in the Settings page. Allows the Airtame Cloud app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user: display name, first and last name, email address, open extensions and photo. Also allows the Airtame Cloud app to read the full profile of the signed-in user.
PowerPoint with Microsoft authentication
- offline_access - Used to obtain a refresh token. The refresh token expires after 90 days of inactivity; while valid, it lets us obtain a new 1-hour access token for the applications. Allows the Airtame Cloud app to read and update user data even when the user is not currently using the app.
- user.readbasic.all - Used to obtain the user's email. The email is stored in the database together with the refresh token and sent as app configuration, along with the name, to display the user's name in the Settings page. Allows the Airtame Cloud app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user: display name, first and last name, email address, open extensions and photo. Also allows the Airtame Cloud app to read the full profile of the signed-in user.
- files.read - Allows the Airtame Cloud app to read the signed-in user's files.
- files.read.all - Used for "Shared with me" files. Allows the app to read all files the signed-in user can access.
- sites.read.all - Allows the app to read documents and list items in all site collections on behalf of the signed-in user.
For Microsoft, we only use Delegated permissions (the app acts on behalf of the signed-in user and never with application-level permissions).
Reference page for Microsoft permissions:
https://docs.microsoft.com/en-us/graph/permissions-reference
Admin consent
Some scopes require admin consent. This means an admin has to grant consent on behalf of the entire organization, which can be done in one of two ways:
- When the Airtame Cloud app is configured for the first time and the Grant permissions UI is shown, an admin can tick the checkbox to consent on behalf of the entire organization.
- From the Azure portal, open the Airtame Cloud app under Enterprise applications, then Permissions, then Grant admin consent.
Until an admin has granted consent, a regular user cannot authenticate to use the specific Airtame Cloud app. In organizations with strict security rules, regular users may therefore be unable to configure the Airtame Cloud app until an admin gives consent.
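The scope lists above and the admin consent section describe what a tenant admin should expect to see granted to the app. The following added example (not Airtame code) shows how an admin could audit that: it takes a constructed JSON document shaped like Microsoft Graph oauth2PermissionGrant objects (fields clientId, consentType, principalId, resourceId and the space-separated scope string) and compares each grant against the delegated scopes documented above, flagging any extra or write scope and checking whether a tenant-wide (admin) grant covers the admin-only scope. The client and resource IDs and the grant data are made up for the example; in a real audit you would export the grants from Graph.

```python
"""Audit Microsoft Graph consent grants against the scopes documented above.

Added example, not Airtame code. The grants below are constructed sample data
shaped like oauth2PermissionGrant objects; the IDs are placeholders.
"""
import json

# Delegated scopes the article lists per Microsoft-authenticated app (lowercased;
# Graph scope names are case-insensitive).
DOCUMENTED_SCOPES = {
    "homescreen_room_overview": {
        "offline_access", "user.readbasic.all", "calendars.read", "place.read.all",
    },
    "onedrive_gallery_video": {
        "offline_access", "files.read", "files.read.all", "user.readbasic.all",
    },
    "powerpoint": {
        "offline_access", "user.readbasic.all", "files.read", "files.read.all",
        "sites.read.all",
    },
}

# Scopes the article says require admin (tenant-wide) consent.
ADMIN_CONSENT_SCOPES = {"place.read.all"}

# Constructed sample grants (placeholder IDs, not real tenant data): one tenant-wide
# grant carrying an undocumented write scope, and one per-user grant.
SAMPLE_GRANTS = json.loads("""
[
  {"clientId": "sp-homescreen-0001", "consentType": "AllPrincipals", "principalId": null,
   "resourceId": "graph-sp-0001",
   "scope": "offline_access User.ReadBasic.All Calendars.Read Place.Read.All Calendars.ReadWrite"},
  {"clientId": "sp-homescreen-0001", "consentType": "Principal", "principalId": "user-0042",
   "resourceId": "graph-sp-0001",
   "scope": "offline_access User.ReadBasic.All Calendars.Read"}
]
""")


def parse_scope(scope_field):
    """Graph stores delegated scopes as one space-separated string."""
    return {s.lower() for s in scope_field.split()}


def audit_grant(grant, app):
    """Compare one oauth2PermissionGrant with the documented set for an app."""
    granted = parse_scope(grant["scope"])
    expected = DOCUMENTED_SCOPES[app]
    tenant_wide = grant["consentType"] == "AllPrincipals"
    extra = granted - expected
    missing = expected - granted
    if not tenant_wide:
        # A user cannot consent to admin-only scopes; those are expected to come
        # from the tenant-wide grant, so do not report them on per-user grants.
        missing -= ADMIN_CONSENT_SCOPES
    return {
        "tenant_wide": tenant_wide,
        "extra_scopes": sorted(extra),
        # Anything beyond the read-only set the article promises is a
        # least-privilege violation worth revoking.
        "write_scopes": sorted(s for s in extra if "write" in s or "manage" in s),
        "missing_scopes": sorted(missing),
    }


def audit(grants, app):
    return [audit_grant(g, app) for g in grants]


def admin_consent_in_place(grants, app):
    """True if some tenant-wide grant covers every admin-only scope the app needs.

    Without this, regular users are blocked at sign-in, as the article describes.
    """
    needed = DOCUMENTED_SCOPES[app] & ADMIN_CONSENT_SCOPES
    if not needed:
        return True
    return any(
        g["consentType"] == "AllPrincipals" and needed <= parse_scope(g["scope"])
        for g in grants
    )


if __name__ == "__main__":
    app = "homescreen_room_overview"
    for finding in audit(SAMPLE_GRANTS, app):
        print(finding)
    print("admin consent in place:", admin_consent_in_place(SAMPLE_GRANTS, app))
```

Run against the sample data, the tenant-wide grant is reported with the extra Calendars.ReadWrite scope (a write scope the article does not list, so it should be revoked), the per-user grant is clean, and admin consent is confirmed in place; dropping the tenant-wide grant flips that last check to false.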
Licenses
Some Airtame Cloud applications require Microsoft licenses:
- OneDrive apps (Video, PowerPoint, Gallery) need a OneDrive license.
- Calendar apps (Room Overview and Homescreen) need an Exchange Online license.