Data Access (Application and Delegated Permissions)
To work properly, the EUM app requires access to users' data. The EUM app will request permission to access this data. Consent is granted by admins or non-admin users, depending on the consent type required.
NOTE: EUM uses the Admin consent and Dynamic user consent types.
- For Admin consent, a Microsoft 365 global admin is asked to approve the Application permissions and a set of the Delegated permissions on behalf of all users in the organization. This type of consent is available during the EUM installation.
- For Dynamic user consent, a Microsoft 365 global admin is asked to approve the set of permissions on behalf of a single user. These permissions are requested dynamically during the creation of Meetings. For example, EUM requests OnlineMeetings.ReadWrite so that, once the user consents to it, EUM holds the permission needed to create a meeting for that user.
Dynamic user consent can also be granted using Microsoft Graph PowerShell. This is helpful, for example, when user consent is disabled or restricted by the organization's policies, or when the organization's security policy allows user consent to be granted only by a specifically designated user (account). For detailed information, see Microsoft's documentation.
The permissions used by EUM are Application and Delegated:
- The Application permissions are used by the app to run without a present, signed-in user, for example, to run as background services. Only a Microsoft 365 global admin can consent to Application permissions.
- The Delegated permissions are used by the app to run with a present, signed-in user. The app is delegated the permission to act as the signed-in user when it makes calls to the target resource. In this case, either user or admin consent is required for the permissions that the app requests.
Data access doesn't enable an EUM employee to access your data.
The EUM app uses the same authentication infrastructure used by Microsoft 365. Your data is protected by the Microsoft 365 security framework, including multi-factor authentication. The actual sign-in screen is provided and hosted by Microsoft. The EUM sign-in process displays identical sign-in screens, and the flow is the same as if you were to sign in to Microsoft 365.
In other words, users can access data within EUM based on their existing access rights in Office 365, and can't access data of another user via EUM. This means that the scope list in the next section won't allow users to see more data than what they're allowed to see in Microsoft 365. For instance, the SharePoint Sites.Read.All scope will allow users to see only the SharePoint data they have access to in SharePoint. It won't allow users to see all data in all sites in SharePoint because the data remains governed by SharePoint.
Regardless of the user interface (the screens provided by SharePoint or the screens provided by the EUM app), users will be able to access only the data they have access to within SharePoint. SharePoint is governed by the Microsoft 365 sign-in infrastructure so the data can't be accessed by users other than those who have access to your Microsoft 365 tenant.
The EUM app uses access scopes provided by the data providers. In the following sections, you'll find the scope list that EUM may use.
Admin Consent Permissions
The Users Page in the EUM Admin is where detailed information on each user, together with role memberships and permissions, is presented and managed. To provide this level of detail, EUM regularly checks Microsoft Graph and synchronizes this data with the EUM application.
To read Microsoft Graph, EUM uses the following Application-scoped permissions:
- Read all group memberships (claim value=GroupMember.Read.All): allows the EUM app to expand Microsoft Entra ID group members and Office 365 groups, which is necessary to display the membership and owners of groups.
- Read all users' full profile (claim value=User.Read.All): EUM synchronizes Account Name, Display Name, Email, Department, Job Title, Office, Country, City, Manager ID/Email. This permission allows the EUM app to read the full user profile, to determine users' managers in order to build the hierarchy reports, and to search and filter users' data on the Users Page.
- Invite guest users to the organization (claim value=User.Invite.All): allows EUM to invite external users and is needed to allow a business user to invite guest users to applications secured by Microsoft Entra ID (EUM Portal, SharePoint Online, EUM Admin etc.).
- Have full control of all site collections (claim value=Sites.ReadWrite.All): allows significantly improved tenant provisioning. The global app catalog is used to automate the upload of SPFX and the EUM add-in during the tenant provisioning. This permission enables a Microsoft 365 global admin to create EUM SharePoint site collections (Documents, Data Portal, Data Room etc.) from the Group creation area of the EUM Admin.
To act on behalf of the signed-in user, EUM uses the following Delegated permissions, which the global admin consents to on behalf of all users as part of Admin consent:
- Read all users' full profile (claim value=User.Read.All): allows the EUM app to read the full profile of currently logged-in users.
- Sign in and read user profile (claim value=User.Read): allows users to sign in to the EUM app using the customer's Microsoft Entra ID. It also allows the app to read the profile and basic company information of the signed-in user.
- Have full control of all site collections (claim value=AllSites.Read): this permission enables EUM users to retrieve the security-trimmed contents stored in SharePoint.
- Read group memberships (claim value=GroupMember.Read.All): this permission enables EUM users to access the properties of the groups they are members of.
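A tenant admin will want to confirm that what the EUM service principal actually holds in the tenant matches the Application and Delegated scopes listed above. The following Microsoft Graph PowerShell script is an added example, not EUM's own tooling; the app display name is an assumed placeholder, and it only reads the directory.

```powershell
# Added example (not EUM's script): compare the EUM service principal's real grants
# against the claim values documented on this page. Requires the Microsoft.Graph module.
$AppDisplayName = "EUM"   # ASSUMPTION: replace with the display name of the EUM enterprise app

# Claim values documented above. Application permissions appear as app role assignments,
# Delegated permissions as OAuth2 permission grants.
$ExpectedAppRoles  = @("GroupMember.Read.All", "User.Read.All", "User.Invite.All", "Sites.ReadWrite.All")
$ExpectedDelegated = @("User.Read.All", "User.Read", "AllSites.Read", "GroupMember.Read.All", "OnlineMeetings.ReadWrite")

Connect-MgGraph -Scopes "Directory.Read.All" -NoWelcome

$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "Service principal '$AppDisplayName' not found in this tenant" }

# Application permissions: each assignment carries an appRoleId that must be resolved
# to its claim value through the resource service principal's appRoles collection.
$actualAppRoles = foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    $role = $resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
    [pscustomobject]@{ Resource = $resource.DisplayName; Claim = $role.Value }
}

# Delegated permissions: one grant per (resource, consentType, principal); Scope is a
# space-separated string, so split it to get individual claim values.
$actualDelegated = foreach ($g in Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId
    foreach ($claim in ($g.Scope -split ' ' | Where-Object { $_ })) {
        [pscustomobject]@{
            Resource    = $resource.DisplayName
            Claim       = $claim
            ConsentType = $g.ConsentType      # "AllPrincipals" (admin) or "Principal" (single user)
            PrincipalId = $g.PrincipalId      # empty for AllPrincipals grants
        }
    }
}

"Application permissions held:"; $actualAppRoles | Format-Table -AutoSize
"Delegated permissions held:";   $actualDelegated | Format-Table -AutoSize

# Anything granted beyond the documented list deserves review before it stays in place.
$unexpectedAppRoles  = $actualAppRoles  | Where-Object { $_.Claim -notin $ExpectedAppRoles }
$unexpectedDelegated = $actualDelegated | Where-Object { $_.Claim -notin $ExpectedDelegated }
if ($unexpectedAppRoles)  { "UNDOCUMENTED application permissions:"; $unexpectedAppRoles  | Format-Table -AutoSize }
if ($unexpectedDelegated) { "UNDOCUMENTED delegated permissions:";   $unexpectedDelegated | Format-Table -AutoSize }
if (-not $unexpectedAppRoles -and -not $unexpectedDelegated) { "All grants match the documented scope list." }
```

Per-user grants for OnlineMeetings.ReadWrite show up here with ConsentType "Principal", so the script also lists which users have completed dynamic consent.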
IMPORTANT: Guest (external) user access only works within the EUM application when Microsoft Entra ID external collaboration is enabled by the customer's Microsoft 365 global admin. Follow these steps to configure external collaboration settings:
- Enable B2B external collaboration settings: https://learn.microsoft.com/en-us/entra/external-id/external-collaboration-settings-configure
- Collaborate with guests in SharePoint Online: https://learn.microsoft.com/en-us/microsoft-365/solutions/collaborate-in-site?view=o365-worldwide
- Ensure that the SharePoint tenant external sharing settings and the site collection external sharing settings are enabled on the site collection(s) hosting content for the EUM Portal.
Dynamic User Consent Permissions
Read and create users' online meetings (claim value=OnlineMeetings.ReadWrite) — allows the EUM app to create, read, update, and delete online meeting events. This permission is requested dynamically when a new meeting is created. It is requested for a single user and should be accepted by a regular, non-admin user.
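Both the Dynamic user consent description above and the earlier note that such consent can be performed with Microsoft Graph PowerShell describe the same per-user grant. The script below is an added example (not EUM's own) of an admin granting exactly that one scope to exactly one user, for tenants where user consent is disabled by policy; the app display name and user principal name are assumed placeholders.

```powershell
# Added example (not EUM's script): grant the delegated OnlineMeetings.ReadWrite scope
# to the EUM app for ONE user via Microsoft Graph PowerShell, creating a grant with
# consentType "Principal" so no other user is affected. Requires the Microsoft.Graph module.
param(
    [string]$AppDisplayName    = "EUM",                  # ASSUMPTION: display name of the EUM enterprise app
    [string]$UserPrincipalName = "user@contoso.example"  # ASSUMPTION: the single user consent is granted for
)
$Scope      = "OnlineMeetings.ReadWrite"                 # the dynamic-consent scope documented on this page
$GraphAppId = "00000003-0000-0000-c000-000000000000"     # well-known appId of the Microsoft Graph resource

Connect-MgGraph -Scopes "Application.Read.All", "DelegatedPermissionGrant.ReadWrite.All", "User.Read.All" -NoWelcome

$client   = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
$resource = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
$user     = Get-MgUser -UserId $UserPrincipalName
if (-not ($client -and $resource -and $user)) { throw "Client app, Microsoft Graph resource or user not found" }

# Is there already a per-user grant from this client to Microsoft Graph for this user?
$filter = "clientId eq '$($client.Id)' and consentType eq 'Principal' " +
          "and principalId eq '$($user.Id)' and resourceId eq '$($resource.Id)'"
$grant = Get-MgOauth2PermissionGrant -Filter $filter

if (-not $grant) {
    # No grant yet: create one limited to this principal and to this single scope.
    New-MgOauth2PermissionGrant -ClientId $client.Id -ConsentType "Principal" `
        -PrincipalId $user.Id -ResourceId $resource.Id -Scope $Scope | Out-Null
    "Created grant of '$Scope' for $UserPrincipalName"
}
elseif (($grant.Scope -split ' ') -notcontains $Scope) {
    # A grant exists with other scopes: append rather than overwrite, so nothing
    # the user already consented to is silently removed.
    $newScope = ((($grant.Scope -split ' ') + $Scope) | Where-Object { $_ }) -join ' '
    Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id -Scope $newScope
    "Added '$Scope' to the existing grant for $UserPrincipalName"
}
else {
    "Grant of '$Scope' for $UserPrincipalName already exists; nothing to do"
}
```

Because the grant is scoped to a single principalId, revoking it later (Remove-MgOauth2PermissionGrant on that grant's Id) affects only that user.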