Introduction
Powell Governance uses the authentication provided by your Azure Active Directory.
Single sign-on applies immediately to all users in your company. There is no need to sign in to the product separately: it automatically uses the account each employee is signed in with in the Microsoft Teams desktop app.
However, to allow Powell Governance to read and display your company's teams information, you will need to consent to two Azure applications.
Administrator consent
To allow Powell Governance users to access their Microsoft Teams data in your Office 365 environment, you need to enable the connection to the Microsoft Graph API. An Office 365 global administrator must consent to the Azure Active Directory app and its permissions. Without consent, the application will not work.
Learn more about Azure Active Directory app consent (Microsoft)
Note: The consent status reported by Graph can take up to 5 minutes to update.
Powell Governance offers two different types of permissions in order to provide its services.
- Delegated (default) permissions: use the delegated rights of the signed-in user to perform actions in Powell Governance on their behalf. Some actions can be done only on behalf of the user and not with application permissions.
- Application (advanced) permissions: give the Powell Governance application permissions to perform actions on its own.
Delegated permissions
Main purpose: Allow user authentication
Application name: Powell 365 - Teams
Application ID: 086ae3fb-fdf0-4c49-8c38-57d082b00dc4
Permission | Purpose | Explanation(s) |
Place.Read.All | Read all company places | To be able to have access to the calendar of your company meeting rooms. |
Offline_access, Profile, Openid, Email | Maintain access to data you have given access to | To be able to manage authentication of the users. |
Notes.ReadWrite.All | Read and write all OneNote notebooks that users can access | To be able to manage OneNote creation, duplication within Powell Governance templates. |
Notes.Read.All | Read all OneNote notebooks that users can access | To be able to manage OneNote creation, duplication within Powell Governance templates. |
User.Invite.All | Invite guest users to the organization | To be able to invite guests during workspace creation or editing when the template allows it. |
User.Read | Sign in and read user's full profiles | To be able to manage authentication of the users. And get their Microsoft Teams configuration (language, theme). It is also needed to synchronize the team list on user dashboard. |
User.Read.All | Read all user's full profiles | To be able to get Microsoft Teams users configuration (language, theme). It is also needed to synchronize the team list on user dashboard. |
Group.ReadWrite.All | Read and write all groups | To synchronize the team list on the back office and user dashboard. Write to create teams. |
Directory.AccessAsUser.All | Access directory as the signed-in user | To be able to invite colleagues from your company during team creation, and to be able to manage authentication of the users. |
Files.ReadWrite.All | Access files as the signed-in user | To be able to import documents within templates and private channels. |
Sites.Read.All | Read items in all site collections | To be able to synchronize the SharePoint site collections on the back office and user dashboard. |
Mail.Send | Send email | To send emails to workspace owners within Powell Governance campaigns. |
Application permissions
Main purpose: Allow Powell Governance to analyse your environment
Application name: Powell Governance
Application ID: 3a70d144-a78b-4aa1-9b76-3199ee7832cd
Permission | Purpose | Explanation(s) |
Sites.Read.All | Read items in all site collections | To be able to synchronize the SharePoint site collections on the back office and user dashboard. |
User.Invite.All | Invite guest users to the organization | To be able to invite guests during team creations when the template allows it. |
Files.ReadWrite.All | Read and write in all site collections files | To be able to import documents within templates and private channels. |
User.Read.All | Sign in and read all user's full profiles | To be able to get users Microsoft Teams configuration (language, theme). It is also needed to synchronize the team list on user dashboard. |
Reports.Read.All | Read all usage reports | To generate Powell Governance prebuilt and custom reports. And to synchronize the team list on the back office, user dashboard, and reports. |
ChannelMessage.Read.All | Channel message read all | To be able to be notified in case of a new message, reply, reaction in a team channel to build prebuilt and custom reports around inactivity. |
Group.ReadWrite.All | Read and write all groups | Read to allow us to build activity reports. Write to create teams. And to synchronize the workspace list on the back office, user dashboard, and reports. |
Group.Read.All | Read all groups | Read to allow us to build activity reports. Write to create teams. And to synchronize the workspace list on the back office, user dashboard, and reports. |
Directory.ReadWrite.All | Read and write directory data | To synchronize the team list on the back office, user dashboard, and reports. |
Notes.ReadWrite.All | Read and write all OneNote notebooks that users can access | To be able to manage OneNote creation, duplication within Powell Governance templates. |
Team.ReadBasic.All | Get a list of all teams & read all teams setting | To create prebuilt and custom reports, display "all Teams" page and display team settings in team edition wizard. |
TeamSettings.Read.All | Get a list of all teams & read all teams setting | To create workspaces prebuilt and custom reports, display "all Teams" page and display team settings in team edition wizard. |
ChannelMember.Read.All | Read the members of all channels | To generate workspaces prebuilt and custom reports and synchronize the team list on the back office, user dashboard, and reports. |
ReportSettings.ReadWrite.All | Read and write all admin report settings | To generate quickly a first Powell Governance health check of the tenant with Microsoft Teams data (only Ids are used). |
Sites.FullControl.All (SharePoint) | Have complete control of all site collections (SharePoint API) | To deploy Site Design during workspaces creations and create / update / synchronize SharePoint Site collections. |
Mail.Send | Send email | To send emails to workspace owners within Powell Governance campaigns. |
InformationProtectionPolicy.Read.All | Manage sensitivity labels | To manage governance by applying specific rules and policies to documents, SharePoint sites, and teams. |
ChannelSettings.ReadWrite.All | Manage channels actions in team edition | To edit channel name, description, recommendation settings in channels. |
ChannelMember.ReadWrite.All | Manage members in channel edition | To add or remove users from private channels in team edition. |
Team creations & updates
Team creation is done with the Powell Governance application's rights instead of the connected user's rights.
Using Powell Governance application permissions to create your teams will add the Powell Governance application as team creator in the group. It's not a user and it's not visible in the teams or anywhere else.
It allows you to lock the self-service team creation in Microsoft Teams and to force users to use the Powell Governance app and its templates to create a new team.
How to configure the admin consent
To configure the admin consent, follow the steps described below:
Go to the administration menu in the global administration section and click on "Application configuration".
On the page, there are 2 different types of permissions you can consent to:
- Delegated permissions - Allow user authentication
- Application permissions - Allow Powell Governance to analyse your environment
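To check after consent that each application holds only the permissions listed on this page, the following added example (not Powell's own code) compares grants in the shape Microsoft Graph returns them with the two tables above. The sample records, their ids and the function names are constructed for illustration; names are compared case-insensitively.

```python
# Permission names copied from the two tables on this page, keyed by Application ID.
DOCUMENTED = {
    "086ae3fb-fdf0-4c49-8c38-57d082b00dc4": (  # Powell 365 - Teams (delegated)
        "Place.Read.All offline_access profile openid email Notes.ReadWrite.All "
        "Notes.Read.All User.Invite.All User.Read User.Read.All Group.ReadWrite.All "
        "Directory.AccessAsUser.All Files.ReadWrite.All Sites.Read.All Mail.Send").split(),
    "3a70d144-a78b-4aa1-9b76-3199ee7832cd": (  # Powell Governance (application)
        "Sites.Read.All User.Invite.All Files.ReadWrite.All User.Read.All "
        "Reports.Read.All ChannelMessage.Read.All Group.ReadWrite.All Group.Read.All "
        "Directory.ReadWrite.All Notes.ReadWrite.All Team.ReadBasic.All "
        "TeamSettings.Read.All ChannelMember.Read.All ReportSettings.ReadWrite.All "
        "Sites.FullControl.All Mail.Send InformationProtectionPolicy.Read.All "
        "ChannelSettings.ReadWrite.All ChannelMember.ReadWrite.All").split(),
}
# Constructed sample records shaped like Microsoft Graph objects; all ids are made up.
GRANTS = [  # oauth2PermissionGrant objects (delegated consent)
    {"clientId": "sp-1", "scope": "openid profile email offline_access User.Read Mail.Send"},
    {"clientId": "sp-1", "scope": "Mail.ReadWrite"},
    {"clientId": "sp-9", "scope": "User.Read"},
]
ROLES = [  # appRoles published by the resource service principal
    {"id": "r-1", "value": "Reports.Read.All"},
    {"id": "r-2", "value": "RoleManagement.ReadWrite.Directory"}]
ASSIGNMENTS = [  # appRoleAssignment objects (application consent)
    {"principalId": "sp-2", "appRoleId": "r-1"},
    {"principalId": "sp-2", "appRoleId": "r-2"}]

def delegated_scopes(grants, sp_id):
    """Union of the space-separated scope strings granted to one client."""
    return {s for g in grants if g["clientId"] == sp_id for s in g["scope"].split()}

def application_roles(assignments, roles, sp_id):
    """Resolve appRoleId values to permission names; unknown ids stay visible."""
    names = {r["id"]: r["value"] for r in roles}
    return {names.get(a["appRoleId"], a["appRoleId"])
            for a in assignments if a["principalId"] == sp_id}

def audit(app_id, granted):
    """Compare granted names with the documented list for one Application ID."""
    expected = {p.lower() for p in DOCUMENTED[app_id]}
    have = {p.lower() for p in granted}
    return {"undocumented": sorted(p for p in granted if p.lower() not in expected),
            "not_granted": sorted(p for p in DOCUMENTED[app_id] if p.lower() not in have)}

if __name__ == "__main__":
    print(audit("086ae3fb-fdf0-4c49-8c38-57d082b00dc4", delegated_scopes(GRANTS, "sp-1")))
    print(audit("3a70d144-a78b-4aa1-9b76-3199ee7832cd",
                application_roles(ASSIGNMENTS, ROLES, "sp-2")))
```

An entry under "undocumented" is a permission the application holds that this page does not list and is worth reviewing; "not_granted" shows where consent is incomplete.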