We are thrilled to share with you that Powell Teams is now Powell Governance, marking our expanded focus on Microsoft 365!
Expect the documentation to reflect this change in the coming days. For more information, please have a look at this article.
Introduction
Powell Governance uses the authentication provided by your Azure Active Directory.
Single sign-on happens immediately for all users in your company. Employees do not need to sign in to the product: it automatically uses the account they are signed in with in the Microsoft Teams desktop app.
However, to allow Powell Governance to read and display your company's teams information, you will need to consent to two Azure applications.
Administrator consent
To allow Powell Governance users to access their Microsoft Teams data in your Office 365 environment, you need to enable the connection to the Microsoft Graph API. An Office 365 global administrator must consent to the Azure Active Directory app and its permissions. Without consent, the application will not work.
Learn more about Azure Active Directory app consent (Microsoft)
Note: The status of the consent by Graph can take up to 5 minutes to be updated.
Powell Governance offers two different types of permission to provide its services.
- Delegated (default) permissions: use the delegated rights of the connected users to perform actions in Powell Governance on their behalf. Some actions can be done only on behalf of the user and not with application permissions.
- Application (advanced) permissions: give the Powell Governance application permissions to perform actions on its own.
Delegated permissions
Main purpose: Allow user authentication
Application name: Powell 365 - Teams
Application ID: 086ae3fb-fdf0-4c49-8c38-57d082b00dc4
Permission | Purpose | Explanation(s) |
Place.Read.All | Read all company places | To be able to have access to the calendar of your company meeting rooms. |
Offline_access, Profile, Openid, Email | Maintain access to data you have given access to | To be able to manage authentication of the users. |
Notes.ReadWrite.All | Read and write all OneNote notebooks that users can access | To be able to manage OneNote creation, duplication within Powell Governance templates. |
Notes.Read.All | Read all OneNote notebooks that users can access | To be able to manage OneNote creation, duplication within Powell Governance templates. |
User.Invite.All | Invite guest users to the organization | To be able to invite guests during workspace creations or editions when the template allows it. |
User.Read | Sign in and read user's full profiles | To be able to manage authentication of the users and get their Microsoft Teams configuration (language, theme). It is also needed to synchronize the team list on user dashboard. |
User.Read.All | Read all user's full profiles | To be able to get Microsoft Teams users configuration (language, theme). It is also needed to synchronize the team list on user dashboard. |
Group.ReadWrite.All | Read and write all groups | To synchronize the team list on the back office and user dashboard. Write to create teams. |
Directory.AccessAsUser.All | Access directory as the signed-in user | To be able to invite colleagues of your company during team creations, and to be able to manage authentication of the users. |
Files.ReadWrite.All | Access files as the signed-in user | To be able to import documents within templates and private channels. |
Sites.Read.All | Read items in all site collections | To be able to synchronize the SharePoint site collections on the back office and user dashboard. |
Mail.Send | Send email | To send emails to workspace owners within Powell Governance campaigns. |
Application permissions
Main purpose: Allow Powell Governance to analyse your environment
Application name: Powell Governance
Application ID: 3a70d144-a78b-4aa1-9b76-3199ee7832cd
Permission | Purpose | Explanation(s) |
Sites.Read.All | Read items in all site collections | To be able to synchronize the SharePoint site collections on the back office and user dashboard. |
User.Invite.All | Invite guest users to the organization | To be able to invite guests during team creations when the template allows it. |
Files.ReadWrite.All | Read and write in all site collections files | To be able to import documents within templates and private channels. |
User.Read.All | Sign in and read all user's full profiles | To be able to get users Microsoft Teams configuration (language, theme). It is also needed to synchronize the team list on user dashboard. |
Reports.Read.All | Read all usage reports | To generate Powell Governance prebuilt and custom reports. And to synchronize the team list on the back office, user dashboard, and reports. |
ChannelMessage.Read.All | Channel message read all | To be able to be notified in case of a new message, reply, reaction in a team channel to build prebuilt and custom reports around inactivity. |
Group.ReadWrite.All | Read and write all groups | Read to allow us to build activity reports. Write to create teams. And to synchronize the workspace list on the back office, user dashboard, and reports. |
Group.Read.All | Read all groups | Read to allow us to build activity reports. Write to create teams. And to synchronize the workspace list on the back office, user dashboard, and reports. |
Directory.ReadWrite.All | Read and write directory data | To synchronize the team list on the back office, user dashboard, and reports. |
Notes.ReadWrite.All | Read and write all OneNote notebooks that users can access | To be able to manage OneNote creation, duplication within Powell Governance templates. |
Team.ReadBasic.All | Get a list of all teams & read all teams setting | To create prebuilt and custom reports, display "all Teams" page and display team settings in team edition wizard. |
TeamSettings.Read.All | Get a list of all teams & read all teams setting | To create workspaces prebuilt and custom reports, display "all Teams" page and display team settings in team edition wizard. |
ChannelMember.Read.All | Read the members of all channels | To generate workspaces prebuilt and custom reports and synchronize the team list on the back office, user dashboard, and reports. |
ReportSettings.ReadWrite.All (this permission is not essential for the operation of the app) | Read and write all admin report settings | To quickly generate a first Powell Governance health check of the tenant with Microsoft Teams data (only IDs are used). |
Sites.FullControl.All (SharePoint) | Have complete control of all site collections (SharePoint API) | To deploy Site Design during workspaces creations and create / update / synchronize SharePoint Site collections. |
Mail.Send | Send email | To send emails to workspace owners within Powell Governance campaigns. |
InformationProtectionPolicy.Read.All | Manage sensitivity labels | To manage governance by applying specific rules and policies to documents, SharePoint sites, and teams. |
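An added example (not Powell's own code): a Python check that compares the permissions actually granted in a tenant with the two tables above, flagging grants the documentation does not list, documented permissions that are absent, and delegated grants consented by a single user rather than tenant-wide. It assumes you have exported the Microsoft Graph oauth2PermissionGrants and appRoleAssignments responses for the two service principals; the sample data and GUIDs in the block are constructed placeholders.

```python
# Added example: compare granted Microsoft Graph permissions with this page's tables.
# SAMPLE_* data is constructed; the GUIDs are placeholders, not real role IDs.
DOC_DELEGATED = set("""place.read.all offline_access profile openid email
notes.readwrite.all notes.read.all user.invite.all user.read user.read.all
group.readwrite.all directory.accessasuser.all files.readwrite.all sites.read.all
mail.send""".split())
DOC_APPLICATION = set("""sites.read.all user.invite.all files.readwrite.all
user.read.all reports.read.all channelmessage.read.all group.readwrite.all
group.read.all directory.readwrite.all notes.readwrite.all team.readbasic.all
teamsettings.read.all channelmember.read.all reportsettings.readwrite.all
sites.fullcontrol.all mail.send informationprotectionpolicy.read.all""".split())

def audit_delegated(grants):
    """grants: 'value' list from GET /oauth2PermissionGrants for the app's service principal."""
    findings, granted = [], set()
    for g in grants:
        scopes = {s.lower() for s in g.get("scope", "").split()}
        granted |= scopes
        findings += [("undocumented", s) for s in sorted(scopes - DOC_DELEGATED)]
        if g.get("consentType") != "AllPrincipals":  # consent given by one user, not tenant-wide
            findings.append(("per-user-consent", g.get("principalId")))
    return findings + [("missing", s) for s in sorted(DOC_DELEGATED - granted)]

def audit_application(assignments, role_names):
    """assignments: 'value' list from GET /servicePrincipals/{id}/appRoleAssignments.
    role_names: appRoleId -> role value, merged from each resource service principal's appRoles."""
    granted = {role_names.get(a["appRoleId"], a["appRoleId"]).lower() for a in assignments}
    return ([("undocumented", r) for r in sorted(granted - DOC_APPLICATION)]
            + [("missing", r) for r in sorted(DOC_APPLICATION - granted)])

SAMPLE_GRANTS = [  # constructed: one extra scope, one grant consented by a single user
    {"consentType": "AllPrincipals", "principalId": None,
     "scope": " ".join(sorted(DOC_DELEGATED - {"mail.send"})) + " Mail.ReadWrite"},
    {"consentType": "Principal", "principalId": "<user-object-id>", "scope": "Mail.Send"},
]
SAMPLE_ROLE_NAMES = {f"00000000-0000-0000-0000-{i:012d}": r  # constructed placeholder IDs
                     for i, r in enumerate(sorted(DOC_APPLICATION) + ["mail.readwrite"])}
SAMPLE_ASSIGNMENTS = [{"appRoleId": rid} for rid, r in SAMPLE_ROLE_NAMES.items()
                      if r != "reports.read.all"]  # constructed: one documented role absent

if __name__ == "__main__":
    for f in (audit_delegated(SAMPLE_GRANTS)
              + audit_application(SAMPLE_ASSIGNMENTS, SAMPLE_ROLE_NAMES)):
        print(f)
```

Run it after each consent change and on a schedule: an "undocumented" finding means the application holds more than this page says it needs, and a "missing" finding explains a feature that stopped working.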
Team creations & updates
Team creations are made with the Powell Governance application rights instead of the connected user's rights.
Using Powell Governance application permissions to create your teams will add the Powell Governance application as team creator in the group. It's not a user and it's not visible in the teams or anywhere else.
It allows you to lock the self-service team creation in Microsoft Teams and to force users to use the Powell Governance app and its templates to create a new team.
How to configure the admin consent
To configure the admin consent, follow the steps described below:
Step 1: Go to the administration menu in the global administration section and click on "Authentication".
Step 2: Choose "Advanced"
ADVANCED: You need to click on the additional admin consent button and validate the app with an Office 365 global admin account
User access rights
A default user will always use the "delegated permission" access. That means that the user can only interact with functionalities if they have the rights for it in Microsoft 365. For example, if the user is a member of a team, they cannot access functionalities reserved for the owners.
Powell Governance Administrator access rights
When a user is set as a Powell Governance administrator, "delegated permission" access is still used. But for specific features, like the governance reports and to facilitate governance actions, the Powell Governance application will show them all the teams in your environment, even the ones they can't access by default, if you are in "advanced authentication".
Note: the administrator who makes the first admin consent will be the first Powell Governance administrator in the application. With this account you will be able to add additional administrators.