Pairing and Permissions for Microsoft
The administrator of the Microsoft organization where the Microsoft Teams meeting is hosted must first pair the Epiphan Edge Team that you will be using with Epiphan Connect. Microsoft describes an organization as follows: "A tenant represents an organization. It's a dedicated instance of Azure AD that an organization receives at the beginning of a relationship with Microsoft. That relationship could start with signing up for Microsoft Teams or Microsoft 365, for example". During the pairing process, Microsoft will inform the administrator that Epiphan Connect needs permission to perform the following activities:
Sign in and read user profile (User.Read): This is a basic permission for most applications in Microsoft’s ecosystem. It allows an application to obtain the basic information of the user who is signed in. Epiphan Connect uses this permission only during the initial connection process between Epiphan Cloud and the Microsoft Teams organization, and it does so to validate that the user is the administrator of the organization to which they are connecting. That user's information is not saved in our systems.
Microsoft describes this permission as follows: “Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.”
Access media streams in a call as an app (Calls.AccessMedia.All): While joined to a meeting, this permission allows the bot to receive the audio and video of the participants who are sharing their camera, microphone, and/or screen in the call.
Microsoft describes this permission as follows: “Allows the app to get direct access to media streams in a call, without a signed-in user.”
Join group calls and meetings as a guest (Calls.JoinGroupCallAsGuest.All): This permission is required for the bot to join group meetings in your organization.
Microsoft describes this permission as follows: “Allows the app to anonymously join group calls and scheduled meetings in your organization, without a signed-in user. The app will be joined as a guest to meetings in your organization.”
Join group calls and meetings as an app (Calls.JoinGroupCall.All): This permission is also required for the bot to join group meetings in your organization.
Microsoft describes this permission as follows: “Allows the app to join group calls and scheduled meetings in your organization, without a signed-in user. The app will be joined with the privileges of a directory user to meetings in your organization”.
Read names and members of all chat threads (Chat.ReadBasic.All): The application only uses this permission to obtain the name or title of the meeting. When a meeting is created and it is not associated with a Microsoft Teams channel, Microsoft creates a chat thread for the meeting. This chat thread has the same title as the name of the meeting. This allows Epiphan Connect to obtain the name of the meeting without requesting access to sensitive resources like the calendar of the meeting organizer. It’s important to note that this permission does NOT grant access to any message or shared content in the chat. Although the permission does grant access to the list of people involved in the chat, Epiphan Connect does not request this information.
Microsoft describes this permission as follows: “Read names and members of all one-to-one and group chats in Microsoft Teams, without a signed-in user.”
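After pairing, a tenant administrator can check that what was actually granted matches the five permissions listed above. The following is an added example, not Epiphan's or Microsoft's code: it assumes you have already exported the service principal's `appRoleAssignments`, the Microsoft Graph service principal's `appRoles`, and the `oauth2PermissionGrants` as JSON, and the function name and all sample IDs are constructed.

```python
# Added example; all IDs below are constructed placeholders.
# Per Microsoft's descriptions quoted on this page, User.Read acts for a
# signed-in user (delegated); the others work "without a signed-in user".
DOCUMENTED_DELEGATED = {"User.Read"}
DOCUMENTED_APPLICATION = {
    "Calls.AccessMedia.All",
    "Calls.JoinGroupCallAsGuest.All",
    "Calls.JoinGroupCall.All",
    "Chat.ReadBasic.All",
}


def audit_grants(app_role_assignments, graph_app_roles, oauth2_grants):
    """Return missing/unexpected permissions for one service principal."""
    # Application permissions are reported by appRoleId only; resolve them to
    # names through the appRoles list of the Microsoft Graph service principal.
    id_to_name = {r["id"]: r["value"] for r in graph_app_roles}
    granted_app, unresolved = set(), []
    for a in app_role_assignments:
        name = id_to_name.get(a["appRoleId"])
        if name is None:
            unresolved.append(a["appRoleId"])  # cannot be named: review by hand
        else:
            granted_app.add(name)
    # Delegated grants carry a space-separated "scope" string.
    granted_del = set()
    for g in oauth2_grants:
        granted_del.update(g.get("scope", "").split())
    return {
        "missing": sorted((DOCUMENTED_APPLICATION - granted_app)
                          | (DOCUMENTED_DELEGATED - granted_del)),
        "unexpected": sorted((granted_app - DOCUMENTED_APPLICATION)
                             | (granted_del - DOCUMENTED_DELEGATED)),
        "unresolved_role_ids": unresolved,
    }


# Constructed sample data (placeholder IDs, not real Graph role IDs).
GRAPH_ROLES = [{"id": f"role-{i}", "value": v} for i, v in enumerate(
    sorted(DOCUMENTED_APPLICATION) + ["Chat.Read.All"])]
ASSIGNMENTS = [{"appRoleId": r["id"]} for r in GRAPH_ROLES
               if r["value"] != "Calls.AccessMedia.All"
               ] + [{"appRoleId": "role-x"}]
GRANTS = [{"scope": "User.Read Mail.Read"}]

if __name__ == "__main__":
    print(audit_grants(ASSIGNMENTS, GRAPH_ROLES, GRANTS))
```

Anything reported under `unexpected` or `unresolved_role_ids` is a grant this page does not document and should be reviewed before the pairing is left in place.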
