When you connect BindTuning to your Microsoft 365 tenant, understanding the necessary permissions is key. This article details the roles required for initial setup and ongoing operations.
Connecting to your Microsoft 365 tenant
For the first-time connection to your Microsoft 365 tenant, you must use a Global Administrator account.
Why is a Global Administrator required for the initial setup?
During this initial connection, you will be prompted to consent to a specific set of permissions that BindTuning requires to function correctly within your Microsoft 365 environment. This consent process can only be performed by a Global Administrator.
Microsoft 365 Global Administrator credentials are only required during this initial connection. Subsequent logins or daily operations do not necessitate Global Administrator privileges.
Future permission prompts
Occasionally, when installing a newer version of our products, you might encounter additional permission prompts. This occurs if new functionalities have been introduced that require updated or additional permissions to ensure BindTuning products operate as expected.
BindTuning App Permissions
When you connect BindTuning to your Microsoft 365 tenant, the necessary permissions are automatically granted through your consent during the initial connection process.
BindTuning operates as an Enterprise Application within your Azure Portal. This standard setup allows us to securely interact with Microsoft's APIs and leverage modern authentication features, such as Multi-Factor Authentication. We use the Microsoft Graph API to perform these operations.
BindTuning requires two types of permissions to function correctly:
Application Permissions: what we can do independently, without a signed-in user.
Delegated Permissions: what we can do on behalf of the signed-in user.
BindTuning.com
The following Microsoft Graph permissions are required for the BindTuning Enterprise Application:
Permission | Type | Why do we need it |
Sign you in and read your profile (User.Read) | Delegated | Allows the application to read basic profile information of the signed-in user in Microsoft Entra ID. This permission enables BindTuning to identify the user and personalize its features without accessing additional user data. |
Sign users in (openid) | Delegated | Enables BindTuning to sign you in and scan your environment on your behalf. |
View users' basic profile (profile) | Delegated | Allows the BindTuning App to see your users' basic profile (name, picture, user name). |
Maintain access to data you have given it access to (offline_access) | Delegated | Allows the BindTuning App to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions. |
User.Read | Delegated | Allows the application to read basic profile information of the signed-in user in Microsoft Entra ID. This permission enables BindTuning to identify the user and personalize its features without accessing additional user data. |
Intranet
The following Microsoft Graph permissions are required for the BindTuning Enterprise Application:
Permission | Type | Why do we need it |
View users' email address (email) | Delegated | Allows the BindTuning App to read your users' primary email address. |
AppCatalog.ReadWrite.All | Delegated | Allows the BindTuning App to read and manage the tenant app catalog in Microsoft SharePoint Online. This permission enables BindTuning to deploy and update SharePoint Framework (SPFx) solutions, manage app packages, and ensure solutions are available across site collections for proper operation. |
Application.Read.All | Application | Allows the application to read all app registrations and their configuration in Microsoft Entra ID. This permission enables BindTuning to access existing application settings and configurations needed to ensure proper integration and operation of its features. |
Directory.ReadWrite.All | Delegated | Allows the application to read and manage directory data in Microsoft Entra ID. This permission enables BindTuning to maintain and update directory-related configurations required for its features to operate correctly across the environment. |
Group.Read.All | Application | Allows the application to read all group information in Microsoft Entra ID and across Microsoft 365. This permission enables BindTuning to access group details such as membership, settings, and identifiers to support collaboration features, reporting, and workflows, without making any changes. |
Group.ReadWrite.All | Delegated | Allows the application to read and manage groups in Microsoft Entra ID and across Microsoft 365. This permission enables BindTuning to create, update, and maintain group configurations, ensuring that collaboration structures such as teams and associated resources function properly. |
Sites.Read.All | Application | Allows the application to read all sites and their content in Microsoft SharePoint Online. This permission enables BindTuning to access site content for operations like retrieving configurations, scanning environment structure, or supporting its features without making changes to the sites. |
Sites.ReadWrite.All | Delegated | Allows the application to read and manage all sites and their content in Microsoft SharePoint Online. This permission enables BindTuning to create, update, and manage site content and structure, ensuring that its solutions and features function properly across the tenant. |
TeamsAppInstallation.ReadWriteForUser | Delegated | Allows the application to manage the installation of apps for a user in Microsoft Teams. This permission enables BindTuning to install, update, or remove Teams apps on behalf of users to ensure that its solutions are properly available and functional within their Teams environment. |
User.Read.All | Application | Allows the application to read basic profile information of the signed-in user in Microsoft Entra ID. This permission enables BindTuning to identify the user and personalize its features without accessing additional user data. |
The following SharePoint permissions are required for the BindTuning Enterprise Application:
Permission | Type | Why do we need it |
AllSites.FullControl | Delegated | Allows the application to have full control over all sites and their content in Microsoft SharePoint Online. This permission enables BindTuning to fully manage site content, structure, and configuration, ensuring that its solutions and features function correctly across the tenant. |
Sites.Read.All | Application | Allows the application to read all sites and their content in Microsoft SharePoint Online. This permission enables BindTuning to access site content for operations like retrieving configurations, scanning environment structure, or supporting its features without making changes to the sites. |
User.Read.All | Application | Allows the application to read basic profile information of the signed-in user in Microsoft Entra ID. This permission enables BindTuning to identify the user and personalize its features without accessing additional user data. |
Automate365
The following Microsoft Graph permissions are required for the BindTuning Enterprise Application:
Permission | Type | Why do we need it |
Sign users in (openid) | Delegated | Enables BindTuning to sign you in and scan your environment on your behalf. |
View users' basic profile (profile) | Delegated | Allows the BindTuning App to see your users' basic profile (name, picture, user name). |
View users' email address (email) | Delegated | Allows the BindTuning App to read your users' primary email address. |
Maintain access to data you have given it access to (offline_access) | Delegated | Allows the BindTuning App to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions. |
AppCatalog.ReadWrite.All | Delegated | Allows the BindTuning App to read and manage the tenant app catalog in Microsoft SharePoint Online. This permission enables BindTuning to deploy and update SharePoint Framework (SPFx) solutions, manage app packages, and ensure solutions are available across site collections for proper operation. |
ChannelMember.ReadWrite.All | Delegated | Allows the application to read and manage the membership of channels within Microsoft Teams. This permission enables BindTuning to add or update members in channels as needed, ensuring users have the appropriate access to collaborate within Teams environments. |
Directory.ReadWrite.All | Delegated | Allows the application to read and manage directory data in Microsoft Entra ID. This permission enables BindTuning to maintain and update directory-related configurations required for its features to operate correctly across the environment. |
EduAssignments.ReadWrite | Delegated | Allows the application to read and manage education assignments in Microsoft Teams for Education. This permission enables BindTuning to create and update assignment-related data, supporting scenarios that involve educational content and workflows within Teams. |
Group.ReadWrite.All | Delegated | Allows the application to read and manage groups in Microsoft Entra ID and across Microsoft 365. This permission enables BindTuning to create, update, and maintain group configurations, ensuring that collaboration structures such as teams and associated resources function properly. |
InformationProtectionPolicy.Read | Delegated | Allows the application to read information protection policies in Microsoft Purview. This permission enables BindTuning to access policy configurations and align its features with the organization’s information protection setup. |
Notes.ReadWrite.All | Delegated | Allows the application to read and manage notes in Microsoft OneNote. This permission enables BindTuning to create, update, and organize note content as part of its integrated collaboration scenarios. |
RoleManagement.ReadWrite.Directory | Application | Allows the application to read and manage directory roles in Microsoft Entra ID. This permission enables BindTuning to configure and maintain role assignments required for its features to operate correctly within the tenant. |
Sites.ReadWrite.All | Delegated | Allows the application to read and manage all sites and their content in Microsoft SharePoint Online. This permission enables BindTuning to create, update, and manage site content and structure, ensuring that its solutions and features function properly across the tenant. |
TeamMember.ReadWrite.All | Delegated | Allows the application to read and manage team membership in Microsoft Teams. This permission enables BindTuning to add, update, or remove members in Teams, ensuring proper access and collaboration for its features within the environment. |
TeamsAppInstallation.ReadWriteForUser | Delegated | Allows the application to manage the installation of apps for a user in Microsoft Teams. This permission enables BindTuning to install, update, or remove Teams apps on behalf of users to ensure that its solutions are properly available and functional within their Teams environment. |
TeamSettings.ReadWrite.All | Delegated | Allows the application to read and manage settings for all teams in Microsoft Teams. This permission enables BindTuning to configure team settings, ensuring that features and integrations operate consistently across all teams in the tenant. |
TermStore.ReadWrite.All | Delegated | Allows the application to read and manage the term store in Microsoft SharePoint Online. This permission enables BindTuning to create, update, and organize term sets and terms, supporting taxonomy management and consistent metadata usage across sites and content. |
User.ReadWrite.All | Delegated | Allows the application to read and manage user profiles in Microsoft Entra ID. This permission enables BindTuning to update user information and maintain profile-related settings required for its features to operate smoothly within the tenant. |
The following SharePoint permission is also required:
Permission | Type | Why do we need it |
AllSites.FullControl | Delegated | Allows the application to have full control over all sites and their content in Microsoft SharePoint Online. This permission enables BindTuning to fully manage site content, structure, and configuration, ensuring that its solutions and features function correctly across the tenant. |
The following Office 365 Exchange Online permission is also required:
Permission | Type | Why do we need it |
Exchange.ManageAsApp | Application | Allows the application to manage mailboxes and related settings in Microsoft Exchange Online as an application. This permission enables BindTuning to perform tasks like configuring mailbox settings and managing resources required for its features to operate seamlessly. |
SharePoint Connection
The following Microsoft Graph permissions are required for the BindTuning Enterprise Application:
Permission | Type | Why do we need it |
Sign users in (openid) | Delegated | Enables BindTuning to sign you in and scan your environment on your behalf. |
View users' basic profile (profile) | Delegated | Allows the BindTuning App to see your users' basic profile (name, picture, user name). |
View users' email address (email) | Delegated | Allows the BindTuning App to read your users' primary email address. |
Maintain access to data you have given it access to (offline_access) | Delegated | Allows the BindTuning App to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions. |
Sites.Read.All | Delegated | Allows the application to read all sites and their content in Microsoft SharePoint Online. This permission enables BindTuning to access site content for operations like retrieving configurations, scanning environment structure, or supporting its features without making changes to the sites. |
User.Read | Delegated | Allows the application to read basic profile information of the signed-in user in Microsoft Entra ID. This permission enables BindTuning to identify the user and personalize its features without accessing additional user data. |
The following SharePoint permissions are required for the BindTuning Enterprise Application:
Permission | Type | Why do we need it |
AllSites.Read | Delegated | Allows the BindTuning App to read all site collections that the signed-in user has access to. |
User.Read.All | Delegated | Allows the application to read basic profile information of the signed-in user in Microsoft Entra ID. This permission enables BindTuning to identify the user and personalize its features without accessing additional user data. |
Pulse365
The following Microsoft Graph permissions are required for the BindTuning Enterprise Application:
Permission | Type | Why do we need it |
Sign users in (openid) | Delegated | Enables BindTuning to sign you in and scan your environment on your behalf. |
Maintain access to data you have given it access to (offline_access) | Delegated | Allows the BindTuning App to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions. |
Application.Read.All | Application | Allows the application to read all app registrations and their configuration in Microsoft Entra ID. This permission enables BindTuning to access existing application settings and configurations needed to ensure proper integration and operation of its features. |
AuditLog.Read.All | Application | Allows the application to read audit logs in Microsoft 365. This permission enables BindTuning to access activity and event records for monitoring, reporting, or troubleshooting its operations, without making any changes to the logs. |
AuditLogsQuery.Read.All | Application | Allows the application to read and query audit logs in Microsoft 365. This permission enables BindTuning to analyze activity and events for reporting or troubleshooting purposes without modifying any log data. |
Calendars.Read | Application | Allows the application to read user calendars in Microsoft 365. This permission enables BindTuning to view calendar events to support features such as scheduling, reminders, or coordinating activities, without making any changes to the calendar data. |
ChannelMessage.Read.All | Application | Allows the application to read all channel messages in Microsoft Teams. This permission enables BindTuning to access messages to support features such as message scanning, reporting, or workflow automation, without making any changes to the messages. |
ChannelSettings.Read.All | Application | Allows the application to read the settings of all channels in Microsoft Teams. This permission enables BindTuning to access channel configuration details to ensure its features operate correctly, without modifying any channel settings. |
Community.Read.All | Application | Allows the application to read all community information in Yammer/Viva Engage. This permission enables BindTuning to access community data to support its features without making any changes. |
Directory.Read.All | Application | Allows the application to read directory data in Microsoft Entra ID. This permission enables BindTuning to access user, group, and organizational information needed to support its features, without making any changes to the directory. |
Group-Conversation.Read.All | Application | Allows the application to read all group conversations in Microsoft 365. This permission enables BindTuning to access conversation content for reporting, analysis, or workflow purposes without modifying any messages or data. |
Group.ReadWrite.All | Application | Allows the application to read and manage groups in Microsoft Entra ID and across Microsoft 365. This permission enables BindTuning to create, update, and maintain group configurations, ensuring that collaboration structures such as teams and associated resources function properly. |
Reports.Read.All | Application | Allows the application to read usage and activity reports in Microsoft 365. This permission enables BindTuning to access reporting data to monitor, analyze, and support its features without making any changes to the underlying reports. |
SharePointTenantSettings.Read.All | Application | Allows the application to read tenant-level SharePoint settings in Microsoft SharePoint Online. This permission enables BindTuning to access configuration details necessary to ensure its features operate correctly across the tenant, without modifying any settings. |
Sites.Read.All | Application | Allows the application to read all sites and their content in Microsoft SharePoint Online. This permission enables BindTuning to access site content for operations like retrieving configurations, scanning environment structure, or supporting its features without making changes to the sites. |
Tasks.Read.All | Application | Allows the application to read all tasks in Microsoft 365. This permission enables BindTuning to access task data to support features like task tracking, reporting, or workflow management, without making any changes to the tasks. |
Team.ReadBasic.All | Application | Allows the application to read basic information about all teams in Microsoft Teams. This permission enables BindTuning to access team names, descriptions, and identifiers to support its features without modifying any team settings or memberships. |
TeamMember.Read.All | Application | Allows the application to read membership information of all teams in Microsoft Teams. This permission enables BindTuning to access team member details to support features such as reporting, collaboration insights, or workflow automation, without making any changes to the teams or their memberships. |
TeamSettings.Read.All | Application | Allows the application to read settings for all teams in Microsoft Teams. This permission enables BindTuning to access team configuration details to ensure its features function correctly, without making any changes to the team settings. |
User.Read.All | Application | Allows the application to read basic profile information of the signed-in user in Microsoft Entra ID. This permission enables BindTuning to identify the user and personalize its features without accessing additional user data. |
The following SharePoint permissions are required for the BindTuning Enterprise Application:
Permission | Type | Why do we need it |
Sites.FullControl.All | Application | Allows the application to have full control over all sites and their content in Microsoft SharePoint Online. This permission enables BindTuning to fully manage site content, structure, and configuration, ensuring that its solutions and features operate correctly across the tenant. |
User.Read.All | Application | Allows the application to read basic profile information of the signed-in user in Microsoft Entra ID. This permission enables BindTuning to identify the user and personalize its features without accessing additional user data. |
The following PowerBI permissions are required for the BindTuning Enterprise Application:
Permission | Type | Why do we need it |
Tenant.ReadWrite.All | | Allows the application to read and manage tenant-level settings in Microsoft 365. This permission enables BindTuning to configure and maintain settings required for its features to operate correctly across the organization. |
The following Viva Engage (Yammer) permissions are required for the BindTuning Enterprise Application:
Permission | Type | Why do we need it |
Community.Read.All | Application | Allows the application to read all community information in Yammer/Viva Engage. This permission enables BindTuning to access community data to support its features without making any changes. |
user_impersonation | | Allows the application to act on behalf of the signed-in user in Microsoft 365. This permission enables BindTuning to perform actions and access data as the user, supporting personalized features and workflows without requesting additional administrative privileges. |
Pulse365 Actions
The following Microsoft Graph permissions are required for the BindTuning Enterprise Application:
Permission | Type | Why do we need it |
Directory.Read.All | Application | Allows the application to read directory data in Microsoft Entra ID. This permission enables BindTuning to access user, group, and organizational information needed to support its features, without making any changes to the directory. |
Group.ReadWrite.All | Delegated | Allows the application to read and manage groups in Microsoft Entra ID and across Microsoft 365. This permission enables BindTuning to create, update, and maintain group configurations, ensuring that collaboration structures such as teams and associated resources function properly. |
Group.ReadWrite.All | Application | Allows the application to read and manage groups in Microsoft Entra ID and across Microsoft 365. This permission enables BindTuning to create, update, and maintain group configurations, ensuring that collaboration structures such as teams and associated resources function properly. |
Tasks.ReadWrite.All | Application | Allows the application to read and manage all tasks in Microsoft 365. This permission enables BindTuning to create, update, and organize tasks to support features like task tracking, workflow management, and task-based notifications across the environment. |
User.Read.All | Application | Allows the application to read basic profile information of the signed-in user in Microsoft Entra ID. This permission enables BindTuning to identify the user and personalize its features without accessing additional user data. |
The following SharePoint permissions are required for the BindTuning Enterprise Application:
Permission | Type | Why do we need it |
Sites.FullControl.All | Application | Allows the application to have full control over all sites and their content in Microsoft SharePoint Online. This permission enables BindTuning to fully manage site content, structure, and configuration, ensuring that its solutions and features operate correctly across the tenant. |
The following PowerBI permissions are required for the BindTuning Enterprise Application:
Permission | Type | Why do we need it |
Tenant.ReadWrite.All | | Allows the application to read and manage tenant-level settings in Microsoft 365. This permission enables BindTuning to configure and maintain settings required for its features to operate correctly across the organization. |
Workspace.ReadWrite.All | Delegated | Allows the application to read and manage all workspaces in Microsoft Power BI. This permission enables BindTuning to create, update, and organize workspace content and settings, ensuring its features and integrations function correctly across all workspaces. |
What data does BindTuning store?
To interact with Microsoft Graph and manage resources on your behalf, the BindTuning App obtains an access token from the Microsoft identity platform. This token is attached to requests sent to Microsoft Graph.
After a user authenticates, a refresh token is securely stored in Microsoft Azure Key Vault. This refresh token allows BindTuning to request new access tokens when needed (e.g., when you reinstall a product), without requiring you to re-authenticate or re-consent to permissions every time.
Review App permissions in your tenant
You can review and manage the permissions granted to the BindTuning application directly within your Azure Portal.
To do so:
1. Go to the Azure Portal.
2. In the search bar, type "Enterprise applications" and select it from the results.
3. In the list of enterprise applications, search for any BindTuning Enterprise Application (EA), and select the application.
4. Under the "Security" section in the left-hand menu, select "Permissions." Here you will see the full list of permissions granted to BindTuning.
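The same review can be run against an export instead of the portal view. The following is an added example, not BindTuning's or Microsoft's code: it compares granted permissions with the "SharePoint Connection" tables above and reports anything undocumented or missing. It assumes the export follows the shape of Microsoft Graph's oauth2PermissionGrants and appRoleAssignments resources; the sample data, ids and resource display names are constructed.

```python
"""Audit an enterprise application's granted permissions against a documented baseline."""
import json

# Baseline transcribed from the "SharePoint Connection" tables on this page.
# Resource display names are assumptions; match them to the names in your export.
DOCUMENTED = {
    ("Microsoft Graph", "Delegated"): {
        "openid", "profile", "email", "offline_access", "Sites.Read.All", "User.Read"},
    ("Office 365 SharePoint Online", "Delegated"): {"AllSites.Read", "User.Read.All"},
}

# Constructed sample export (ids are placeholders, not real object ids).
SAMPLE = json.loads("""
{
  "resources": {
    "sp-graph": {"displayName": "Microsoft Graph",
                 "appRoles": [{"id": "role-1", "value": "Group.ReadWrite.All"}]},
    "sp-spo": {"displayName": "Office 365 SharePoint Online", "appRoles": []}
  },
  "oauth2PermissionGrants": [
    {"resourceId": "sp-graph", "consentType": "AllPrincipals",
     "scope": " openid profile email offline_access Sites.Read.All User.Read"},
    {"resourceId": "sp-spo", "consentType": "AllPrincipals",
     "scope": "AllSites.Read AllSites.FullControl"}
  ],
  "appRoleAssignments": [
    {"resourceId": "sp-graph", "appRoleId": "role-1"}
  ]
}
""")


def granted_permissions(export):
    """Return {(resource name, permission type): set of permission names}."""
    resources = export["resources"]
    granted = {}
    # Delegated grants carry their scopes as one space-separated string.
    for grant in export["oauth2PermissionGrants"]:
        name = resources[grant["resourceId"]]["displayName"]
        granted.setdefault((name, "Delegated"), set()).update(grant["scope"].split())
    # Application grants reference an app role id that must be resolved
    # against the appRoles published by the resource's service principal.
    for assignment in export["appRoleAssignments"]:
        resource = resources[assignment["resourceId"]]
        names = {role["id"]: role["value"] for role in resource["appRoles"]}
        # Keep an unresolvable id visible instead of silently dropping it.
        value = names.get(assignment["appRoleId"], "unresolved:" + assignment["appRoleId"])
        granted.setdefault((resource["displayName"], "Application"), set()).add(value)
    return granted


def classify(perm_type, permission):
    """Undocumented application permissions that can write need no signed-in user."""
    writes = "ReadWrite" in permission or "FullControl" in permission
    return "UNDOCUMENTED_HIGH" if perm_type == "Application" and writes else "UNDOCUMENTED"


def audit(export, documented):
    """List (status, resource, type, permission) for every deviation from the baseline."""
    granted = granted_permissions(export)
    findings = []
    for key in sorted(set(granted) | set(documented)):
        have, want = granted.get(key, set()), documented.get(key, set())
        for permission in sorted(have - want):
            findings.append((classify(key[1], permission), key[0], key[1], permission))
        for permission in sorted(want - have):
            findings.append(("NOT_GRANTED", key[0], key[1], permission))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, DOCUMENTED):
        print(*finding, sep=" | ")
```

To audit another product, replace the baseline with the rows from that product's tables on this page.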
Revoking consents
There are two main scenarios where you might need to revoke the permissions granted to BindTuning: for troubleshooting purposes or if you no longer wish to use BindTuning products.
For troubleshooting issues: If you're experiencing problems installing or using a product, it might be due to an issue with your current refresh token. Revoking the consent can often resolve this by prompting a fresh token request upon your next installation attempt.
When no longer using BindTuning: If you decide to stop using BindTuning products, revoking consent ensures that BindTuning no longer has access to your Microsoft 365 tenant data.
For detailed instructions on how to revoke consent, please refer to our article: How to revoke BindTuning tenant-wide consent.


