Permissions

When granting permission for the Meeting Canary Azure AD enterprise application, you will be presented with a set of Microsoft Graph permissions you must approve.

Microsoft Graph has two categories of permissions: application permissions and delegated permissions. Application permissions allow an app to act without a signed-in user, while delegated permissions allow the app to act only on behalf of a signed-in user.

The majority of permissions requested by Meeting Canary are delegated permissions. Meeting Canary runs as a single page application (SPA) in a browser sandbox on the end-user device. The permissions for the user of the app are limited by both Meeting Canary's Microsoft Graph permissions and the end user’s Microsoft 365 permissions.

By using delegated permissions, users of Meeting Canary will never get access to any resources they do not already have in your organization’s Microsoft 365 tenant. For example, if a user does not have access to a Microsoft 365 group in your tenant, they will not get access to that through Meeting Canary either — because Meeting Canary uses those delegated permissions.

Microsoft Graph Permissions

The following sections detail each Microsoft Graph permission scope and how Meeting Canary uses it.

Type: Application

These application permissions allow the Meeting Canary Bot to join a meeting and to send and receive audio/video streams. They also enable the bot to receive updates when participants come and go during a meeting.

| Permission Name | Description | Notes |
|---|---|---|
| Calls.AccessMedia.All | Access media streams in a call as an app | Required for Meeting and Calls Bot functionality. |
| Calls.Initiate.All | Initiate outgoing 1 to 1 calls from the app | Required for Meeting and Calls Bot functionality. |
| Calls.InitiateGroupCall.All | Initiate outgoing group calls from the app | Required for Meeting and Calls Bot functionality. |
| Calls.JoinGroupCall.All | Join group calls and meetings as an app | Required for Meeting and Calls Bot functionality. |
| Calls.JoinGroupCallAsGuest.All | Join group calls and meetings as a guest | Required for Meeting and Calls Bot functionality. |

Type: Delegated

These delegated permissions are required to enable Meeting Canary to authenticate users and also to display user names and photos.

| Permission Name | Description | Notes |
|---|---|---|
| openid | Sign users in | Required for the OAuth flow when using the Teams app. |
| profile | View users’ basic profile | Required for the OAuth flow when using the Teams app. |
| User.ReadBasic.All | Read all users’ basic profiles | Required to display profile names and pictures in the Tab interface. |
| Chat.ReadBasic | Read names and members of user chat threads | Allows the app to identify the organizer of the meeting. |
| Directory.Read.All | Read directory data | Allows the app to read data in your organization’s directory, such as users, groups and apps. (Allows checking if the user is a Global Administrator.) |
| OnlineMeetings.Read | Read user’s online meetings | Allows the app to display meeting titles in the meeting history. |

Learn about Azure AD Microsoft Graph Permissions

Approving Meeting Canary

When approving permissions for yourself or your organization through the web, you will be presented with a dialogue similar to this:

Please refer to the Microsoft Graph Permissions reference for full details on what each permission scope grants access to, as well as a full explainer from Microsoft on app permissions and admin consent.

To grant permission, you must be a Global Administrator or Privileged Role Administrator. For details, see Grant tenant-wide admin consent to an application.
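
Once consent has been granted, the grants recorded in the tenant can be compared against the two permission lists on this page. The following is an added example, not code from Meeting Canary or Microsoft: it assumes you have exported the app's oauth2PermissionGrant and appRoleAssignment objects, and the appRoles of the Microsoft Graph service principal, from Microsoft Graph as JSON. The sample records, the placeholder GUIDs and the extra `Mail.Read` scope are constructed for illustration and do not describe the real app.

```python
# Scope names copied from the two tables on this page.
DOCUMENTED_APPLICATION = {
    "Calls.AccessMedia.All", "Calls.Initiate.All", "Calls.InitiateGroupCall.All",
    "Calls.JoinGroupCall.All", "Calls.JoinGroupCallAsGuest.All",
}
DOCUMENTED_DELEGATED = {
    "openid", "profile", "User.ReadBasic.All", "Chat.ReadBasic",
    "Directory.Read.All", "OnlineMeetings.Read",
}

def audit_grants(oauth2_grants, app_role_assignments, resource_app_roles):
    """Diff exported Graph grant objects against the documented scope lists."""
    # Delegated consent: each oauth2PermissionGrant has a space-delimited 'scope'.
    delegated = set()
    for grant in oauth2_grants:
        delegated.update((grant.get("scope") or "").split())
    # Application permissions: an appRoleAssignment stores only a role GUID,
    # which is resolved through the resource service principal's appRoles.
    names = {role["id"]: role["value"] for role in resource_app_roles}
    application, unresolved = set(), []
    for assignment in app_role_assignments:
        name = names.get(assignment["appRoleId"])
        if name is None:
            unresolved.append(assignment["appRoleId"])
        else:
            application.add(name)
    return {
        "delegated_undocumented": sorted(delegated - DOCUMENTED_DELEGATED),
        "delegated_missing": sorted(DOCUMENTED_DELEGATED - delegated),
        "application_undocumented": sorted(application - DOCUMENTED_APPLICATION),
        "application_missing": sorted(DOCUMENTED_APPLICATION - application),
        "unresolved_app_role_ids": unresolved,
    }

# Constructed sample export; the GUIDs are placeholders, not real Graph role IDs.
def placeholder_guid(n):
    return f"00000000-0000-0000-0000-{n:012d}"

SAMPLE_ROLES = [{"id": placeholder_guid(i), "value": v}
                for i, v in enumerate(sorted(DOCUMENTED_APPLICATION))]
SAMPLE_ASSIGNMENTS = [{"appRoleId": placeholder_guid(i)} for i in (0, 1, 2, 3, 9)]
SAMPLE_GRANTS = [
    {"consentType": "AllPrincipals", "scope": " ".join(sorted(DOCUMENTED_DELEGATED))},
    {"consentType": "Principal", "scope": "Mail.Read"},  # constructed extra scope
]

if __name__ == "__main__":
    for key, value in audit_grants(SAMPLE_GRANTS, SAMPLE_ASSIGNMENTS, SAMPLE_ROLES).items():
        print(f"{key}: {value}")
```

Any entry under an "undocumented" key is a grant that goes beyond what this page lists and should be reviewed. An unresolved role ID means the assignment targets a resource other than the one whose appRoles were exported.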