Authentication & Security access

We're thrilled to share that Powell Teams is now Powell Governance, marking our expanded focus on Microsoft 365 governance.

Expect documentation updates to reflect this change in the coming days. For more information, please have a look at this article.

Introduction

Powell Governance uses the authentication provided by your Azure Active Directory.

Single sign-on happens immediately for all users in the company. There is no need to sign in to the product separately: it automatically uses the account already signed in to the Microsoft Teams desktop app for all your employees.

However, to allow Powell Governance to read and display your company's Teams information, you will need to consent to two Azure applications.

 

Administrator consent

To allow Powell Governance users to access their Microsoft Teams data in your Office 365 environment, you need to enable the connection to the Microsoft Graph API. An Office 365 global administrator must consent to the Azure Active Directory app and its permissions. Without consent, the application will not work.

Learn more about Azure Active Directory app consent (Microsoft)

Note: The consent status reported by Graph can take up to 5 minutes to update.

Powell Governance offers two different types of permission to provide its services.

  • Delegated (default) permissions: use the delegated rights of the signed-in user to perform actions in Powell Governance on their behalf. Some actions can only be done on behalf of the user and not with application permissions.
  • Application (advanced) permissions: grant the Powell Governance application permissions to perform actions on its own.

 

Delegated permissions 

Main purpose: Allow user authentication

Application name: Powell 365 - Teams

Application ID: 086ae3fb-fdf0-4c49-8c38-57d082b00dc4


| Permission | Purpose | Explanation |
| --- | --- | --- |
| Place.Read.All | Read all company places | To be able to access the calendars of your company's meeting rooms. |
| Offline_access, Profile, Openid, Email | Maintain access to data you have given access to | To be able to manage user authentication. |
| Notes.ReadWrite.All | Read and write all OneNote notebooks that users can access | To be able to manage OneNote creation and duplication within Powell Governance templates. |
| Notes.Read.All | Read all OneNote notebooks that users can access | To be able to manage OneNote creation and duplication within Powell Governance templates. |
| User.Invite.All | Invite guest users to the organization | To be able to invite guests during workspace creation or edition when the template allows it. |
| Calendars.ReadWrite.Shared | Read and write in all users' calendars and shared calendars | To check users' availability and create online meetings for coffee machine. |
| Calendars.Read.Shared | Read in all users' shared calendars | To check users' availability and create online meetings for coffee machine. |
| Calendars.ReadWrite | Read and write in all users' calendars | To check users' availability and create online meetings for coffee machine. |
| User.Read | Sign in and read users' full profiles | To be able to manage user authentication and get their Microsoft Teams configuration (language, theme). It is also needed to synchronize the team list on the user dashboard. |
| User.Read.All | Read all users' full profiles | To be able to get users' Microsoft Teams configuration (language, theme). It is also needed to synchronize the team list on the user dashboard. |
| Group.ReadWrite.All | Read and write all groups | Read to synchronize the team list on the back office and user dashboard. Write to create teams. |
| Directory.AccessAsUser.All | Access directory as the signed-in user | To be able to invite colleagues of your company during team creation, and to manage user authentication. |
| Files.ReadWrite.All | Access files as the signed-in user | To be able to import documents within templates and private channels. |
| Sites.Read.All | Read items in all site collections | To be able to synchronize the SharePoint site collections on the back office and user dashboard. |

 

Application permissions 

Main purpose: Allow Powell Governance to analyse your environment

Application name: Powell Governance

Application ID: 3a70d144-a78b-4aa1-9b76-3199ee7832cd


| Permission | Purpose | Explanation |
| --- | --- | --- |
| Sites.Read.All | Read items in all site collections | To be able to synchronize the SharePoint site collections on the back office and user dashboard. |
| User.Invite.All | Invite guest users to the organization | To be able to invite guests during team creation when the template allows it. |
| Files.ReadWrite.All | Read and write in all site collections' files | To be able to import documents within templates and private channels. |
| User.Read.All | Sign in and read all users' full profiles | To be able to get users' Microsoft Teams configuration (language, theme). It is also needed to synchronize the team list on the user dashboard. |
| Reports.Read.All | Read all usage reports | To generate Powell Governance prebuilt and custom reports, and to synchronize the team list on the back office, user dashboard, and reports. |
| ChannelMessage.Read.All | Read all channel messages | To be notified of a new message, reply or reaction in a team channel, in order to build prebuilt and custom reports around inactivity. |
| Group.ReadWrite.All | Read and write all groups | Read to allow us to build activity reports. Write to create teams. Also used to synchronize the workspace list on the back office, user dashboard, and reports. |
| Group.Read.All | Read all groups | Read to allow us to build activity reports. Write to create teams. Also used to synchronize the workspace list on the back office, user dashboard, and reports. |
| Directory.ReadWrite.All | Read and write directory data | To synchronize the team list on the back office, user dashboard, and reports. |
| Calendars.ReadWrite | Read and write calendars in all mailboxes | Manage online meetings for coffee machine. |
| OnlineMeetings.ReadWrite.All | Read and write calendars in all mailboxes | Manage online meetings for coffee machine. |
| Notes.ReadWrite.All | Read and write all OneNote notebooks that users can access | To be able to manage OneNote creation and duplication within Powell Governance templates. |
| Team.ReadBasic.All | Get a list of all teams and read all teams' settings | To create prebuilt and custom reports, display the "all Teams" page and display team settings in the team edition wizard. |
| TeamSettings.Read.All | Get a list of all teams and read all teams' settings | To create workspace prebuilt and custom reports, display the "all Teams" page and display team settings in the team edition wizard. |
| ChannelMember.Read.All | Read the members of all channels | To generate workspace prebuilt and custom reports and synchronize the team list on the back office, user dashboard, and reports. |
| ReportSettings.ReadWrite.All | Read and write all admin report settings | To quickly generate a first Powell Governance health check of the tenant with Microsoft Teams data (only IDs are used). |
| Sites.FullControl.All (SharePoint) | Have complete control of all site collections (SharePoint API) | To deploy Site Designs during workspace creation and to create, update and synchronize SharePoint site collections. |
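As an added example (not Powell's documentation or code), the following Python script checks a tenant's actual consent state against the two permission tables above, the way an identity admin would review least privilege after consenting: anything documented but not granted will break a feature, and anything granted but not documented deserves a look before it is kept. It runs offline on a constructed snapshot. The `scope` string and `consentType` value mirror the shape of Graph's oauth2PermissionGrant records; the `clientAppId` and `permission` fields, and the assumption that appRoleId GUIDs and service-principal object ids have already been resolved to app ids and permission names, are assumptions made here to keep the sample self-contained.

```python
"""Compare the Graph permissions granted to the two Powell Governance service
principals with the lists documented in the article (added example, not Powell
code). Runs on a constructed snapshot; see the assumptions in the comments."""
from dataclasses import dataclass

DELEGATED_APP_ID = "086ae3fb-fdf0-4c49-8c38-57d082b00dc4"    # Powell 365 - Teams
APPLICATION_APP_ID = "3a70d144-a78b-4aa1-9b76-3199ee7832cd"  # Powell Governance

# Permission lists transcribed from the two tables in the article. Comparison
# is case-insensitive because Graph reports the OpenID scopes in lowercase.
DOCUMENTED_DELEGATED = {
    "Place.Read.All", "offline_access", "profile", "openid", "email",
    "Notes.ReadWrite.All", "Notes.Read.All", "User.Invite.All",
    "Calendars.ReadWrite.Shared", "Calendars.Read.Shared", "Calendars.ReadWrite",
    "User.Read", "User.Read.All", "Group.ReadWrite.All", "Directory.AccessAsUser.All",
    "Files.ReadWrite.All", "Sites.Read.All",
}
DOCUMENTED_APPLICATION = {
    "Sites.Read.All", "User.Invite.All", "Files.ReadWrite.All", "User.Read.All",
    "Reports.Read.All", "ChannelMessage.Read.All", "Group.ReadWrite.All", "Group.Read.All",
    "Directory.ReadWrite.All", "Calendars.ReadWrite", "OnlineMeetings.ReadWrite.All",
    "Notes.ReadWrite.All", "Team.ReadBasic.All", "TeamSettings.Read.All",
    "ChannelMember.Read.All", "ReportSettings.ReadWrite.All", "Sites.FullControl.All",
}


@dataclass
class AuditResult:
    app_id: str
    missing: set       # documented but not granted: a feature will fail
    unexpected: set    # granted but not documented: review before keeping
    tenant_wide: bool  # True when consent covers all users (admin consent)


def _compare(app_id, granted, documented, tenant_wide):
    doc = {n.lower(): n for n in documented}
    got = {n.lower(): n for n in granted}
    return AuditResult(
        app_id=app_id,
        missing={doc[k] for k in doc.keys() - got.keys()},
        unexpected={got[k] for k in got.keys() - doc.keys()},
        tenant_wide=tenant_wide,
    )


def audit_delegated(grants, app_id=DELEGATED_APP_ID, documented=DOCUMENTED_DELEGATED):
    """Union every scope string granted to the client app and note whether any
    grant is tenant-wide (consentType AllPrincipals) rather than per user.
    Assumption: `clientAppId` holds the app id (real records carry the service
    principal object id, which has to be resolved first)."""
    granted, tenant_wide = set(), False
    for g in grants:
        if g["clientAppId"] != app_id:
            continue
        granted |= set(g["scope"].split())
        tenant_wide = tenant_wide or g.get("consentType") == "AllPrincipals"
    return _compare(app_id, granted, documented, tenant_wide)


def audit_application(assignments, app_id=APPLICATION_APP_ID, documented=DOCUMENTED_APPLICATION):
    """Application permissions are app role assignments; they always apply
    tenant-wide. Assumption: `permission` already holds the resolved role name."""
    granted = {a["permission"] for a in assignments if a["clientAppId"] == app_id}
    return _compare(app_id, granted, documented, tenant_wide=True)


# Constructed snapshot, not real tenant data: the delegated grant lacks
# Place.Read.All and carries Mail.Read, which the article does not list.
SAMPLE_DELEGATED_GRANTS = [{
    "clientAppId": DELEGATED_APP_ID, "consentType": "AllPrincipals",
    "resourceDisplayName": "Microsoft Graph",
    "scope": "openid profile email offline_access User.Read User.Read.All "
             "Group.ReadWrite.All Directory.AccessAsUser.All Files.ReadWrite.All "
             "Sites.Read.All Notes.Read.All Notes.ReadWrite.All User.Invite.All "
             "Calendars.ReadWrite Calendars.Read.Shared Calendars.ReadWrite.Shared Mail.Read",
}]

# Constructed: every documented app role except ReportSettings.ReadWrite.All,
# plus Mail.ReadWrite, which is not documented. Sites.FullControl.All sits on
# the SharePoint resource rather than Graph, as the table notes.
SAMPLE_APP_ROLE_ASSIGNMENTS = [
    {"clientAppId": APPLICATION_APP_ID, "resource": "Microsoft Graph", "permission": p}
    for p in (DOCUMENTED_APPLICATION - {"ReportSettings.ReadWrite.All", "Sites.FullControl.All"})
    | {"Mail.ReadWrite"}
] + [{"clientAppId": APPLICATION_APP_ID, "resource": "Office 365 SharePoint Online",
      "permission": "Sites.FullControl.All"}]

if __name__ == "__main__":
    for r in (audit_delegated(SAMPLE_DELEGATED_GRANTS),
              audit_application(SAMPLE_APP_ROLE_ASSIGNMENTS)):
        print(f"{r.app_id}: tenant-wide={r.tenant_wide}")
        print(f"  missing:    {sorted(r.missing) or '-'}")
        print(f"  unexpected: {sorted(r.unexpected) or '-'}")
```

On a real tenant the snapshot would come from the oauth2PermissionGrants and appRoleAssignments of the two service principals; a delegated grant whose `consentType` is not `AllPrincipals` means only individual users consented, which is the state the article's admin consent step is meant to replace.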

 

Team creations & updates

Teams are created with the Powell Governance application's rights instead of the connected user's rights.

Using Powell Governance application permissions to create your teams adds the Powell Governance application as team creator in the group. It is not a user and is not visible in Teams or anywhere else.


This allows you to lock down self-service team creation in Microsoft Teams and force users to go through the Powell Governance app and its templates to create a new team.

 

To configure the admin consent, follow the steps described below:

 

Step 1: Go to the administration menu in the global administration section and click on "Authentication". 


 

Step 2: Choose "Advanced" 

 

ADVANCED: You need to click on the additional admin consent button and validate the app with an Office 365 global admin account.

 

User access rights

A default user will always use the "delegated permission" access. That means the user can only interact with functionalities for which they have the rights in Microsoft 365. For example, if the user is a member of a team, they cannot access functionalities reserved for owners.

 

Powell Governance administrator access rights

When a user is set as a Powell Governance administrator, "delegated permission" access is still used. But for specific features, like the governance reports, and to facilitate governance actions, the Powell Governance application will show them all the teams in your environment, even the ones they cannot access by default, if you are in "advanced authentication".

Note: the administrator who performs the first admin consent will be the first Powell Governance administrator in the application. With this account you will be able to add additional administrators.

 
