Microsoft 365 Teams Presence Permissions

When you enable our Microsoft 365 Teams Presence integration, you must consent to permissions that Microsoft has authorized us to use. Below is a list of permissions and a description of why each one is required by Simple In/Out:

| Permission | Description |
| --- | --- |
| offline_access | Allows the app to read user data, even when they are not currently using the app, without needing the user to reauthorize with Active Directory |
| openid | Allows the app to request a token from the Microsoft Identity Provider which is used for authentication. This permission also gives access to the UserInfo endpoint on Microsoft Graph. Simple In/Out does not use the UserInfo endpoint. |
| email | Allows the app to read the user's primary email address. Simple In/Out does not explicitly request this permission, but it is provided by Microsoft Identity Provider with the openid permission. |
| profile | Allows the app to see the user's basic profile (name, picture and email). Simple In/Out does not explicitly request this permission, but it is provided by Microsoft Identity Provider with the openid permission. |
| Presence.Read.All | Allows the app to read presence information of all users in the directory on behalf of the signed-in user. While we do not use this for all users, this permission is the minimum required by Microsoft Graph in order to receive presence changes from them in the background. |

Microsoft requires that any data included with presence change notifications be encrypted. None of the sensitive data that is sent to Simple In/Out can be read without specific encryption keys. You can read more about Microsoft Graph Notification Subscriptions, including permissions that are required by presence subscriptions.

Pre-Granting Permissions

Microsoft has a complicated system of permissions that extend to Teams. Depending on your setup, your users may be stopped from integrating Teams Presence with Simple In/Out until they ask for permission from an administrator. In some setups, they may even be barred from asking for access to these permissions entirely.

While every setup is different, and we cannot possibly address every unique setup, there are a few steps that may help if you wish to let your users consent, or ask for consent, where that is not currently an option.


Enable the Admin Consent Request workflow process:

  1. Log in to Microsoft Entra.
  2. Navigate to Applications > Enterprise Applications > Consent and permissions > Admin consent settings.
  3. Ensure the setting is "Yes" and at least one user has been selected to receive the request. Do note that this will work even if the User Consent Settings are "do not allow user consent".
  4. Have one of your users head to simpleinout.com. Once logged in, click Settings in the upper-right, followed by Third Party Apps on the left. Click the Sign in with Microsoft button to enable the Microsoft Teams Presence connection.
  5. This will pop up a window where the user can enter a business justification. Once processed, the listed admin will receive the request and can approve or deny it.

Once approved, the Enterprise App permissions will now have Admin consent granted for the permissions listed above. Future requests of this type will NOT require an additional admin request - it just works for all future users (as long as they are listed as users of the Enterprise App).
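
To confirm that the consent recorded for the Enterprise App matches the permission list above and nothing more, an administrator can compare the app's delegated grants against that list. The following is an added example, not code from Simple In/Out or Microsoft: it assumes the grants were exported from Microsoft Graph's oauth2PermissionGrants resource as JSON, and the sample response and every id in it are constructed placeholders.

```python
import json

# Delegated permissions listed on this page for the Teams Presence integration.
EXPECTED_SCOPES = {"offline_access", "openid", "email", "profile", "Presence.Read.All"}

# Constructed sample shaped like a Microsoft Graph oauth2PermissionGrants response
# for one enterprise app; every id below is a placeholder, not a real value.
SAMPLE_GRANTS = json.dumps({"value": [
    {"id": "grant-1", "clientId": "SP-OBJECT-ID-PLACEHOLDER", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "GRAPH-SP-ID-PLACEHOLDER",
     "scope": " openid profile email offline_access Presence.Read.All"},
    {"id": "grant-2", "clientId": "SP-OBJECT-ID-PLACEHOLDER", "consentType": "Principal",
     "principalId": "USER-ID-PLACEHOLDER", "resourceId": "GRAPH-SP-ID-PLACEHOLDER",
     "scope": "openid Presence.Read.All Mail.Read"},
]})


def audit_grants(response_json, expected=EXPECTED_SCOPES):
    """Compare each delegated grant's scopes with the expected set."""
    expected_lc = {s.lower(): s for s in expected}
    findings = []
    for grant in json.loads(response_json).get("value", []):
        # 'scope' is a space-separated string and may carry a leading space.
        granted = set((grant.get("scope") or "").split())
        granted_lc = {s.lower() for s in granted}
        findings.append({
            "id": grant.get("id"),
            # AllPrincipals marks tenant-wide (admin) consent; Principal is one user.
            "admin_consent": grant.get("consentType") == "AllPrincipals",
            "principal": grant.get("principalId"),
            "unexpected": sorted(s for s in granted if s.lower() not in expected_lc),
            "missing": sorted(n for k, n in expected_lc.items() if k not in granted_lc),
        })
    return findings


def tenant_wide_consent_complete(findings):
    """True when one admin-consented grant covers every expected scope and nothing more."""
    return any(f["admin_consent"] and not f["missing"] and not f["unexpected"]
               for f in findings)


if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS):
        print(finding)
```

Any entry with a non-empty "unexpected" list is a grant that carries scopes beyond those described on this page and is worth reviewing in the Enterprise App's permissions.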