Microsoft Integration Permissions


To enable seamless integration between Hub and Microsoft services like Outlook and Teams, specific permissions must be configured in your Microsoft Entra (formerly Azure AD) environment.

Requested Permissions

The following permissions are required for the Outlook and Teams widgets to function correctly:

Outlook (Mail and Calendar)

  • Calendars.Read: Allows the app to read user calendars.

  • Calendars.ReadWrite: Allows the app to read and write to user calendars.

  • Mail.Read: Allows the app to read user mail.

  • Mail.ReadBasic: Allows the app to read basic mail metadata.

  • Mail.ReadWrite: Allows the app to read and write user mail.

  • Mail.Send: Allows the app to send mail as the signed-in user.

Microsoft Teams

  • Team.ReadBasic.All: Allows the app to read names and descriptions of teams.

  • Channel.ReadBasic.All: Allows the app to read names and descriptions of channels.

  • ChannelMessage.Read.All: Allows the app to read channel messages (Requires Admin Consent).

  • Chat.Read: Allows the app to read user chat messages.

  • ChatMessage.Read: Allows the app to read user chat messages.

Files, SharePoint and Directory

  • Files.Read.All: Allows the app to read files the user has access to.

  • Sites.Read.All: Allows the app to read items in site collections the user has access to.

  • User.Read: Allows sign-in and reading of basic user profiles.

  • User.Read.All: Allows reading of all users’ full profiles (Requires Admin Consent).

  • Directory.Read.All: Allows reading of directory data (Requires Admin Consent).

Identity and Sign-in

  • openid: Sign users in.

  • profile: Read basic profile information.

  • email: Read user email addresses.

  • offline_access: Maintain access via refresh tokens.

Permission Type: Delegated

All permissions listed above are delegated. This means the app acts on behalf of the signed-in user and only accesses data the user is already permitted to see. No application-level (app-only) permissions are required, and there is no tenant-wide background access to all mailboxes.
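An administrator can check a tenant against this list by comparing what was actually consented with what is documented above. The following is an added example, not code from Hub or Microsoft. It assumes the app's delegated grants were exported from Microsoft Graph as `oauth2PermissionGrant` records (fields `consentType` and `scope`) and its application permissions as `appRoleAssignment` records. The sample records are constructed.

```python
# Added example: audit one app's consented permissions against the list on this page.
# Scope names are copied from the page; the sample grant records below are constructed.
DOCUMENTED = {
    "Calendars.Read", "Calendars.ReadWrite", "Mail.Read", "Mail.ReadBasic",
    "Mail.ReadWrite", "Mail.Send", "Team.ReadBasic.All", "Channel.ReadBasic.All",
    "ChannelMessage.Read.All", "Chat.Read", "ChatMessage.Read", "Files.Read.All",
    "Sites.Read.All", "User.Read", "User.Read.All", "Directory.Read.All",
    "openid", "profile", "email", "offline_access",
}
# Scopes this page marks "Requires Admin Consent".
ADMIN_CONSENT = {"ChannelMessage.Read.All", "User.Read.All", "Directory.Read.All"}

# Constructed sample in the shape of Graph oauth2PermissionGrant records.
SAMPLE_GRANTS = [
    {"consentType": "AllPrincipals", "principalId": None,
     "scope": " openid profile email offline_access User.Read Mail.Read Mail.Send Calendars.Read"},
    {"consentType": "Principal", "principalId": "00000000-0000-0000-0000-000000000001",
     "scope": "Chat.Read Files.ReadWrite.All"},
]


def audit_grants(grants, app_role_assignments=()):
    """Return drift between consented permissions and the documented delegated list."""
    granted, tenant_wide = set(), set()
    for g in grants:
        scopes = set((g.get("scope") or "").split())  # scope is space-separated
        granted |= scopes
        if g.get("consentType") == "AllPrincipals":   # consented for every user
            tenant_wide |= scopes
    return {
        "unexpected": sorted(granted - DOCUMENTED),        # broader than documented
        "missing": sorted(DOCUMENTED - granted),           # widgets may fail to load
        "admin_consent_pending": sorted(ADMIN_CONSENT - granted),
        "tenant_wide": sorted(tenant_wide),
        # Any application permission contradicts "delegated only".
        "app_only_present": len(app_role_assignments) > 0,
    }


if __name__ == "__main__":
    for key, value in audit_grants(SAMPLE_GRANTS).items():
        print(f"{key}: {value}")
```

A non-empty `unexpected` list or `app_only_present` being true means the app holds more access than this page describes and should be reviewed before rollout.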

Scoping and Testing

If you wish to test these integrations with a small group of users before a full rollout, you can manage this via your Microsoft environment:

  • Azure App Assignment: On the Thrive Hub side, widgets cannot currently be restricted to specific groups. However, your IT team can limit access by configuring App Assignment in Azure.

  • User Experience: With this configuration, all users may see the widget, but only those assigned in Azure will be able to successfully sign in and use it.