When you connect BindTuning to your Microsoft 365 tenant, understanding the necessary permissions is key. This article details the roles required for initial setup and ongoing operations.
Connecting to your Microsoft 365 tenant
For the first-time connection to your Microsoft 365 tenant, you must use a Global Administrator account.
Why is a Global Administrator required for the initial setup?
During this initial connection, you will be prompted to consent to a specific set of permissions that BindTuning requires to function correctly within your Microsoft 365 environment. This consent process can only be performed by a Global Administrator.
Microsoft 365 Global Administrator credentials are only required during this initial connection. Subsequent logins or daily operations do not necessitate Global Administrator privileges.
Future permission prompts
Occasionally, when installing a newer version of our products, you might encounter additional permission prompts. This occurs if new functionalities have been introduced that require updated or additional permissions to ensure BindTuning products operate as expected.
BindTuning App Permissions
When you connect BindTuning to your Microsoft 365 tenant, the necessary permissions are automatically granted through your consent during the initial connection process.
BindTuning operates as an Enterprise Application within your Azure Portal. This standard setup allows us to securely interact with Microsoft's APIs and leverage modern authentication features, such as Multi-Factor Authentication. We use the Microsoft Graph API to perform these operations.
BindTuning requires two types of permissions to function correctly:
Application Permissions: what we can do independently, without a signed-in user.
Delegated Permissions: what we can do on behalf of the signed-in user.
BindTuning Provisioning
The following Microsoft Graph permissions are required for the BindTuning Enterprise Application:
Permission | Type | Why do we need it |
Sign users in (openid) | Delegated | Enables BindTuning to sign you in and scan your environment on your behalf. |
View users' basic profile (profile) | Delegated | Allows the BindTuning App to see your users' basic profile (name, picture, user name). |
View users' email address (email) | Delegated | Allows the BindTuning App to read your users' primary email address. |
Maintain access to data you have given it access to (offline_access) | Delegated | Allows the BindTuning App to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions. |
Read items in all site collections (Sites.Read.All) | Delegated | Allows the BindTuning App to read documents and list items in all site collections on behalf of the signed-in user. |
Edit or delete items in all site collections (Sites.ReadWrite.All) | Delegated | Allows the BindTuning App to edit or delete documents and list items in all site collections on behalf of the signed-in user. |
Read and write to all app catalogs (AppCatalog.ReadWrite.All) | Delegated | Allows the BindTuning App to create, read, update, and delete apps in the app catalogs. |
Read and write all groups (Group.ReadWrite.All) | Delegated | Allows the BindTuning App to create groups and read all group properties and memberships on behalf of the signed-in user. Additionally allows group owners to manage their groups and allows group members to update group content. |
Read and write all users' full profiles (User.ReadWrite.All) | Delegated | Allows the BindTuning App to read and write the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. |
The following SharePoint permissions are required for the BindTuning Enterprise Application:
Permission | Type | Why do we need it |
Have full control of all site collections (AllSites.FullControl) | Delegated | Grants the BindTuning App full control over all site collections in SharePoint Online, allowing it to read, create, update, and delete content and configurations across the entire tenant. |
BindTuning Provisioning (EDU)
This enterprise application is specific to Office 365 Education tenants.
In Education tenants, we also require the following Microsoft Graph permissions:
Permission | Type | Why do we need it |
Add and remove members from all channels (ChannelMember.ReadWrite.All) | Application | Add and remove members from channels, on behalf of the signed-in user. Also allows changing a member's role, e.g. from owner to non-owner. |
Read and write the organization's roster (EduRoster.ReadWrite.All) | Application | Allows the BindTuning App to read and write the structure of schools and classes in the organization's roster, and education-specific information about all users to be read and written. |
Read and write all groups (Group.ReadWrite.All) | Application | Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Additionally allows group owners to manage their groups and allows group members to update group content. |
Add and remove members from all teams (TeamMember.ReadWrite.All) | Application | Add and remove members from teams, on behalf of the signed-in user. Also allows changing a member's role, for example from owner to non-owner. |
Read and write all users' full profiles (User.ReadWrite.All) | Application | Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. |
BindTuning Provisioning (Compliance Administration)
This enterprise application (optional) is responsible for retrieving Retention Labels for SharePoint sites, from the Microsoft Purview Compliance Center, enabling automated classification and governance of SharePoint content.
The following Microsoft Graph permissions are required for this enterprise application:
Permission | Type | Why do we need it |
Read and write all directory RBAC settings (Exchange.ManageAsApp) | Application | Allows the BindTuning App to read and manage the role-based access control (RBAC) settings for your company's directory, on behalf of the signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships. |
The following Office 365 Exchange Online permission is also required:
Permission | Type | Why do we need it |
Manage Exchange As Application (Exchange.ManageAsApp) | Application | Allows the BindTuning App the ability to manage Exchange Online mailboxes and settings on behalf of the organization, allowing background services to perform operations without user interaction. |
BindTuning SharePoint Connection
The following Microsoft Graph permissions are required for the BindTuning Enterprise Application:
Permission | Type | Why do we need it |
Sign users in (openid) | Delegated | Enables BindTuning to sign you in and scan your environment on your behalf. |
View users' basic profile (profile) | Delegated | Allows the BindTuning App to see your users' basic profile (name, picture, user name). |
View users' email address (email) | Delegated | Allows the BindTuning App to read your users' primary email address. |
Maintain access to data you have given it access to (offline_access) | Delegated | Allows the BindTuning App to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions. |
Read items in all site collections (Sites.Read.All) | Delegated | Allows the BindTuning App to read documents and list items in all site collections on behalf of the signed-in user. |
Read and write all users' full profiles (User.Read) | Delegated | Allows the BindTuning App to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. |
The following SharePoint permissions are required for the BindTuning Enterprise Application:
Permission | Type | Why do we need it |
Have full control of all site collections (AllSites.Read) | Delegated | Grants the BindTuning App read access to all site collections that the signed-in user has access to. |
Read user profiles (User.Read.All) | Delegated | Allows the BindTuning App to read the full profiles of all users in the organization on behalf of the signed-in user. |
BindTuning Analyzer
The following Microsoft Graph permissions are required for the BindTuning Enterprise Application:
Permission | Type | Why do we need it |
Read all applications (Application.Read.All) | Application | Allows the BindTuning App to read applications and service principals on behalf of the signed-in user. |
Allows the app to read and query your audit log activities, without a signed-in user (AuditLog.Read.All) | Application | Allows the BindTuning App to read and query your audit log activities, on behalf of the signed-in user. |
Read the members of all channels, without a signed-in user (ChannelMember.Read.All) | Application | Read the members of channels, on behalf of the BindTuning App. |
Read the names, descriptions, and settings of all channels (ChannelSettings.Read.All) | Application | Read all channel names, channel descriptions, and channel settings, on behalf of the BindTuning App. |
Read directory data (Directory.Read.All) | Application | Allows the BindTuning App to read data in your organization's directory, such as users, groups and apps. |
Read files in all site collections (Files.Read.All) | Application | Allows the BindTuning App to read all files the signed-in user can access. |
Read organization information (Organization.Read.All) | Application | Allows the BindTuning App to read the organization and related resources, on behalf of the signed-in user. Related resources include things like subscribed skus and tenant branding information. |
Read all security alerts (SecurityAlert.Read.All) | Application | Allows the BindTuning App to read all security alerts. |
Read your organization’s security events (SecurityEvents.Read.All) | Application | Allows the BindTuning App to read your organization’s security events on behalf of the signed-in user. |
Read all security incidents (SecurityIncident.Read.All) | Application | Allows the BindTuning App to read security incidents. |
Read and write items in all site collections (Sites.ReadWrite.All) | Application | Allows the BindTuning App to edit or delete documents and list items in all site collections. |
Get a list of all teams (Team.ReadBasic.All) | Application | Allows the BindTuning App to read the names and descriptions of teams. |
Read the members of all teams (TeamMember.Read.All) | Application | Allows the BindTuning App to read the members of teams. |
Read installed Teams apps for all installation scopes (TeamsAppInstallation.Read.All) | Application | Allows the BindTuning App to read the Teams apps that are installed in any scope, without a signed-in user. Does not give the ability to read application-specific settings. |
Read all teams' settings (TeamSettings.Read.All) | Application | Allows the BindTuning App to read all teams' settings. |
Read tabs in Microsoft Teams (TeamsTab.Read.All) | Application | Read the names and settings of tabs inside any team in Microsoft Teams, on behalf of the signed-in user. This does not give access to the content inside the tabs. |
Read all users' full profiles (User.Read.All) | Application | Allows the BindTuning App to read the full set of profile properties, reports, and managers of other users in your organization. |
The following SharePoint permissions are required for the BindTuning Enterprise Application:
Permission | Type | Why do we need it |
Read items in all site collections (Sites.Read.All) | Application | Allows the BindTuning App to read documents and list items in all site collections. |
Read user profiles (User.Read.All) | Application | Allows the BindTuning App to read the full set of profile properties, reports, and managers of other users in your organization. |
BindTuning.com
The following Microsoft Graph permissions are required for the BindTuning Enterprise Application:
Permission | Type | Why do we need it |
Sign you in and read your profile (User.Read) | Delegated | Allows the BindTuning App to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. |
Sign users in (openid) | Delegated | Enables BindTuning to sign you in and scan your environment on your behalf. |
View users' basic profile (profile) | Delegated | Allows the BindTuning App to see your users' basic profile (name, picture, user name). |
Maintain access to data you have given it access to (offline_access) | Delegated | Allows the BindTuning App to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions. |
What data does BindTuning store?
To interact with Microsoft Graph and manage resources on your behalf, the BindTuning App obtains an access token from the Microsoft identity platform. This token is attached to requests sent to Microsoft Graph.
After a user authenticates, a refresh token is securely stored in Microsoft Azure Key Vault. This refresh token allows BindTuning to request new access tokens when needed (e.g., when you reinstall a product), without requiring you to re-authenticate or re-consent to permissions every time.
Review App permissions in your tenant
You can review and manage the permissions granted to the BindTuning application directly within your Azure Portal.
To do so:
1. Go to the Azure Portal.
2. In the search bar, type "Enterprise applications" and select it from the results.
3. In the list of enterprise applications, search for "BindTuning Provisioning" and select the application.
4. Under the "Security" section in the left-hand menu, select "Permissions." Here you will see the full list of permissions granted to BindTuning.
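The same review can be scripted so that it can be repeated after each product upgrade (the "Future permission prompts" section above explains why the consented set can grow). The script below is an added example, not BindTuning's own code: it uses the Microsoft Graph PowerShell SDK to list the delegated and application permissions actually consented to the enterprise application and compares them with the set this article documents for "BindTuning Provisioning". The display name and the expected permission lists are assumptions taken from the tables above; adjust them for the EDU, Compliance Administration, SharePoint Connection or Analyzer applications.

```powershell
# Added example (not BindTuning's code): compare the permissions consented to a
# BindTuning enterprise application with the list documented in this article.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "Application.Read.All", "DelegatedPermissionGrant.Read.All" -NoWelcome

# Assumption: the enterprise application is named as shown in this article.
$AppDisplayName = "BindTuning Provisioning"

# Delegated scopes (Microsoft Graph + SharePoint) listed above for BindTuning Provisioning.
$ExpectedDelegated = @(
    "openid", "profile", "email", "offline_access",
    "Sites.Read.All", "Sites.ReadWrite.All", "AppCatalog.ReadWrite.All",
    "Group.ReadWrite.All", "User.ReadWrite.All", "AllSites.FullControl"
)
# The non-EDU Provisioning application documents no application (app-only) permissions.
$ExpectedApplication = @()

$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "No enterprise application named '$AppDisplayName' found in this tenant." }

# Delegated permissions are oauth2PermissionGrant objects; Scope is a space-separated list.
# ConsentType 'AllPrincipals' is tenant-wide admin consent, 'Principal' is a per-user grant.
$grants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All
$grantedDelegated = foreach ($g in $grants) {
    foreach ($scope in ($g.Scope -split ' ' | Where-Object { $_ })) {
        [pscustomobject]@{ Permission = $scope; Type = "Delegated"; Consent = $g.ConsentType; ResourceId = $g.ResourceId }
    }
}

# Application permissions are appRoleAssignments; each AppRoleId is resolved to its
# value (for example "User.Read.All") through the resource service principal's appRoles.
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
$grantedApplication = foreach ($a in $assignments) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    $role = $resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
    [pscustomobject]@{ Permission = $role.Value; Type = "Application"; Consent = "Admin"; ResourceId = $a.ResourceId }
}

$granted = @(@($grantedDelegated) + @($grantedApplication) | Where-Object { $null -ne $_ })
$granted | Sort-Object Type, Permission | Format-Table -AutoSize

# Anything granted that this article does not list deserves a second look; anything
# listed but not granted explains a product that fails to install or run.
$expected   = $ExpectedDelegated + $ExpectedApplication
$unexpected = $granted  | Where-Object { $expected -notcontains $_.Permission }
$missing    = $expected | Where-Object { $granted.Permission -notcontains $_ }
"Granted but not documented : $($unexpected.Permission -join ', ')"
"Documented but not granted : $($missing -join ', ')"
```

Run it with an account that holds a directory reader role (Global Administrator is not needed for reading grants). A per-user grant (ConsentType "Principal") alongside the tenant-wide one means an individual user consented separately; the Permissions blade in the portal shows those under "User consent".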
Revoking consents
There are two main scenarios where you might need to revoke the permissions granted to BindTuning: for troubleshooting purposes or if you no longer wish to use BindTuning products.
For troubleshooting issues: If you're experiencing problems installing or using a product, it might be due to an issue with your current refresh token. Revoking the consent can often resolve this by prompting a fresh token request upon your next installation attempt.
When no longer using BindTuning: If you decide to stop using BindTuning products, revoking consent ensures that BindTuning no longer has access to your Microsoft 365 tenant data.
For detailed instructions on how to revoke consent, please refer to our article: How to revoke BindTuning tenant-wide consent.
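For administrators who prefer to script the revocation, the following is an added example rather than BindTuning's documented procedure. It removes every delegated permission grant (tenant-wide and per-user) and every application role assignment of the named enterprise application through the Microsoft Graph PowerShell SDK. It runs in preview mode (-WhatIf) unless -Commit is passed, so the grants to be removed can be reviewed before anything changes. The application display name is an assumption taken from this article; run it once per BindTuning application you want to disconnect.

```powershell
# Added example (not BindTuning's code): revoke the consent granted to a BindTuning
# enterprise application. Nothing is removed unless the script is run with -Commit.
param(
    [string]$AppDisplayName = "BindTuning Provisioning",   # assumption: name from this article
    [switch]$Commit
)

Connect-MgGraph -Scopes "Application.Read.All", "DelegatedPermissionGrant.ReadWrite.All", "AppRoleAssignment.ReadWrite.All" -NoWelcome

$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "No enterprise application named '$AppDisplayName' found in this tenant." }

# -WhatIf:$true only reports what would be removed; -Commit turns it off.
$preview = -not $Commit

# Delegated permissions: one oauth2PermissionGrant per (resource, consent type, user).
$grants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All
foreach ($g in $grants) {
    Write-Host "Delegated grant $($g.Id) [$($g.ConsentType)]: $($g.Scope)"
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id -WhatIf:$preview
}

# Application permissions: one appRoleAssignment per granted app role.
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
foreach ($a in $assignments) {
    Write-Host "App role assignment $($a.Id) on $($a.ResourceDisplayName)"
    Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -AppRoleAssignmentId $a.Id -WhatIf:$preview
}

if ($preview) {
    Write-Host "Preview only. Re-run with -Commit to revoke the grants listed above."
} else {
    Write-Host "Consent revoked for '$AppDisplayName'. Reconnecting will prompt for consent again."
}
```

After the grants are gone, the refresh token this article describes can no longer be exchanged for new access tokens, which is what makes this the right step both for the troubleshooting scenario (a fresh consent on the next installation attempt) and for disconnecting BindTuning entirely. The enterprise application object itself remains in the tenant; delete it from the Enterprise applications blade if you no longer want it listed.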