Introduction
Powell Teams uses the authentication provided by your Azure Active Directory.
Single sign-on takes effect immediately for all users in your company. There is no need to sign in to the product: it automatically uses the account already signed in to the Microsoft Teams desktop app for each of your employees.
However, to allow Powell Teams to read and display your company's teams information, you will need to consent to two Azure applications.
Admin consent
To allow Powell Teams users to access their Microsoft Teams data in your Office 365 environment, you need to enable the connection to the Microsoft Graph API. An Office 365 global administrator must consent to the Azure Active Directory app and its permissions. Without consent, the application will not work.
Learn more about Azure Active Directory App consent (Microsoft)
Note: The status of the consent by Graph can take up to 1 minute to be updated.
Powell Teams offers two permission levels: a default one (mandatory), which uses the delegated rights of the connected user to perform actions in Powell Teams, and an advanced one, which gives the Powell Teams application some permissions to perform actions on its own.
We recommend consenting to the advanced one to be able to benefit from all the Powell Teams features and improve your experience.
Here are the required rights needed for the default permission:
- Read all company places: To be able to have access to the calendar of your company meeting rooms.
- Maintain access to data you have given access to: To be able to manage authentication of the users.
- Read and write all OneNote notebooks that users can access: To manage OneNote content in team templates.
- Invite guest users to the organization: To be able to invite guests during team creations when the template allows it.
- Read and write in all users' calendars and shared calendars: To check users' availability and create online meetings sent by Coffee machine invitations. And to manage desk booking with Flexdesk Powell Teams tab.
- Sign in and read all user's full profiles: To be able to manage authentication of the users. And get their Microsoft Teams configuration (language, theme). It is also needed to synchronize the team list on the back office and user dashboard.
- Read and write all groups: To synchronize the team list on the back office and user dashboard. Write to create teams.
- Access directory as the signed-in user: To be able to invite colleagues from your company during team creations. And to be able to manage authentication of the users.
- Access to files as the signed-in user: To be able to import documents into private channels.
- Read items in all site collections: To be able to generate Together portals and also to synchronize the team list on the back office and user dashboard.
Here are the required rights needed for the advanced permission (recommended):
- Read all app catalogs: To be able to generate Together portal.
- Read items in all site collections: To retrieve content associated with the connected user rights and also to synchronize the team list on the back office, user dashboard, and reports.
- Invite guest users to the organization: To be able to invite guests during team creations when the template allows it.
- Read and write in all site collections files: To be able to import documents into private channels.
- Sign in and read all user's full profiles: To get the user's Microsoft Teams configuration (language, theme). It is also needed to synchronize the team list on the back office, user dashboard, and reports.
- Read all usage reports: To generate Powell Teams reports. And to synchronize the team list on the back office, user dashboard, and reports.
- Channel message read all: To be able to be notified in case of a new message, reply, reaction in a team channel to build the inactive team report.
- Read and write all groups: Read to allow us to build activity reports. Write to create teams. And to synchronize the team list on the back office, user dashboard, and reports.
- Read and write directory data: To synchronize the team list on the back office, user dashboard, and reports.
- Read and write calendars in all mailboxes: To check users' availability and create online meetings sent by Coffee machine invitations. Manage desk booking with Flexdesk Powell Teams tab.
- Read and create online meetings: To send Coffee machine invitations.
- Read and write all OneNote Notebooks: To manage OneNote content in team templates.
- Get a list of all teams & read all teams setting: To create reports and "all Teams" page and display team settings in team edition wizard.
- Read the members of all channels: To generate team reports and synchronize the team list on the back office, user dashboard, and reports.
- Read and write all admin report settings: To quickly generate a first Powell Teams health check of the tenant with Microsoft Teams data (only Ids are used).
- Have complete control of all site collections (SharePoint API): To deploy Site Design in team creations.
Some of the permissions are needed for both default and advanced permissions, as actions can be performed by the connected user or by the application (only in advanced).
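To verify what each of the two applications actually holds after consent, the following added example (not Powell Teams or Microsoft code) separates delegated scopes from application roles in data exported from Microsoft Graph and flags tenant-wide write or full-control rights. The service principal ids, role ids and sample records are constructed, and the mapping from the rights listed above to permission values such as Group.ReadWrite.All and Sites.FullControl.All is an assumption.

```python
# Added example: classify what an app was granted, from Microsoft Graph JSON.
# All ids and sample records are constructed; permission values are assumed mappings.
HIGH_IMPACT = {"Sites.FullControl.All", "Directory.ReadWrite.All", "Group.ReadWrite.All"}

def audit_consent(sp_id, delegated_grants, app_role_assignments, resources):
    """delegated_grants: items of /oauth2PermissionGrants;
    app_role_assignments: items of /servicePrincipals/{id}/appRoleAssignments;
    resources: resource service principals keyed by id, each with its appRoles."""
    delegated, application, findings = set(), set(), []
    for g in delegated_grants:
        if g["clientId"] != sp_id:
            continue
        scopes = set(g.get("scope", "").split())
        delegated |= scopes
        # AllPrincipals means an admin consented on behalf of every user.
        if g["consentType"] == "AllPrincipals":
            findings += [("delegated/all-users", s) for s in sorted(scopes & HIGH_IMPACT)]
    for a in app_role_assignments:
        if a["principalId"] != sp_id:
            continue
        app_roles = resources.get(a["resourceId"], {}).get("appRoles", [])
        roles = {r["id"]: r["value"] for r in app_roles}
        # A role id that cannot be resolved is reported, never silently dropped.
        value = roles.get(a["appRoleId"], "UNRESOLVED:" + a["appRoleId"])
        application.add(value)
        if value in HIGH_IMPACT or value.startswith("UNRESOLVED:"):
            findings.append(("application", value))
    return {"delegated": delegated, "application": application, "findings": findings}

GRAPH, SPO = "res-graph", "res-sharepoint"  # constructed resource ids
RESOURCES = {
    GRAPH: {"appRoles": [{"id": "role-1", "value": "Group.ReadWrite.All"},
                         {"id": "role-2", "value": "Reports.Read.All"}]},
    SPO: {"appRoles": [{"id": "role-3", "value": "Sites.FullControl.All"}]},
}
DELEGATED = [{"clientId": "sp-default", "consentType": "AllPrincipals", "resourceId": GRAPH,
              "scope": "User.Read.All Group.ReadWrite.All offline_access"}]
APP_ROLES = [
    {"principalId": "sp-advanced", "resourceId": GRAPH, "appRoleId": "role-1"},
    {"principalId": "sp-advanced", "resourceId": GRAPH, "appRoleId": "role-2"},
    {"principalId": "sp-advanced", "resourceId": SPO, "appRoleId": "role-3"},
    {"principalId": "sp-advanced", "resourceId": GRAPH, "appRoleId": "role-9"},
]

if __name__ == "__main__":
    for sp in ("sp-default", "sp-advanced"):
        print(sp, audit_consent(sp, DELEGATED, APP_ROLES, RESOURCES)["findings"])
```

Delegated findings are bounded by what the signed-in user can already do, while application findings apply across the tenant regardless of who is connected.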
After consenting to the "Advanced permission" based on the application permission, you can still choose whether or not to activate some additional features.
Team creations & updates with advanced permissions
Team creations are made with the Powell Teams application rights instead of using the connected user's rights.
Using Powell Teams application permissions to create your teams will add the Powell Teams - Advanced Permissions application as team creator in the group. It's not a user and it's not visible in the teams or anywhere else.
It allows you to lock the self-service team creation in Microsoft Teams and to force users to use the Powell Teams app and its templates to create a new team.
How to configure the admin consent
To configure the admin consent, follow the steps described below:
Step 1: Go to the administration menu in the global administration section and click on "Authentication".
Default permissions are set by default after your first administrator consent.
Step 2: Choose between "Advanced" and "Enterprise", depending on your requirements.
ADVANCED: You need to click on the additional admin consent button and validate the app with an O365 global admin account.
ENTERPRISE: You need to create your own AAD app in Azure with the required rights first, then enter your client ID and client secret in the form.
For more information go to the following page: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#add-credentials
User access rights
A default user will always use the "delegated permission" access. This means that the user can only interact with functionalities if he has the rights for them in Microsoft 365. For example, if the user is a member of a team, he cannot access functionalities reserved for the owners.
Powell Teams Administrator access rights
When a user is set as a Powell Teams administrator, "delegated permission" access is still used. But for specific features, such as the governance reports and facilitating governance actions, the Powell Teams application will show him all the teams in your environment, even the ones he can't access by default, if you are in "advanced authentication".
Note: The administrator who makes the first admin consent will be the first Powell Teams administrator in the application. With this account you will be able to add additional administrators.