When you connect BindTuning to your Microsoft 365 tenant, understanding the necessary permissions is key. This article details the roles required for initial setup and ongoing operations.
Connecting to your Microsoft 365 tenant
For the first-time connection to your Microsoft 365 tenant, you must use a Global Administrator account.
Why is a Global Administrator required for the initial setup?
During this initial connection, you will be prompted to consent to a specific set of permissions that BindTuning requires to function correctly within your Microsoft 365 environment. This consent process can only be performed by a Global Administrator.
Microsoft 365 Global Administrator credentials are only required during this initial connection. Subsequent logins or daily operations do not necessitate Global Administrator privileges.
Future permission prompts
Occasionally, when installing a newer version of our products, you might encounter additional permission prompts. This occurs if new functionalities have been introduced that require updated or additional permissions to ensure BindTuning products operate as expected.
BindTuning App Permissions
When you connect BindTuning to your Microsoft 365 tenant, the necessary permissions are automatically granted through your consent during the initial connection process.
BindTuning operates as an Enterprise Application within your Azure Portal. This standard setup allows us to securely interact with Microsoft's APIs and leverage modern authentication features, such as Multi-Factor Authentication. We use the Microsoft Graph API to perform these operations.
BindTuning requires two types of permissions to function correctly:
Application Permissions: what we can do independently, without a signed-in user.
Delegated Permissions: what we can do on behalf of the signed-in user.
BindTuning Provisioning
The following Microsoft Graph permissions are required for the BindTuning Enterprise Application:
Permission | Type | Why do we need it |
Sign users in (openid) | Delegated | Enables BindTuning to sign you in and scan your environment on your behalf. |
View users' basic profile (profile) | Delegated | Allows the BindTuning App to see your users' basic profile (name, picture, user name). |
View users' email address (email) | Delegated | Allows the BindTuning App to read your users' primary email address. |
Maintain access to data you have given it access to (offline_access) | Delegated | Allows the BindTuning App to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions. |
Read items in all site collections (Sites.Read.All) | Delegated | Allows the BindTuning App to read documents and list items in all site collections on behalf of the signed-in user. |
Edit or delete items in all site collections (Sites.ReadWrite.All) | Delegated | Allows the BindTuning App to edit or delete documents and list items in all site collections on behalf of the signed-in user. |
Read and write to all app catalogs (AppCatalog.ReadWrite.All) | Delegated | Allows the BindTuning App to create, read, update, and delete apps in the app catalogs. |
Read and write all groups (Group.ReadWrite.All) | Delegated | Allows the BindTuning App to create groups and read all group properties and memberships on behalf of the signed-in user. Additionally allows group owners to manage their groups and allows group members to update group content. |
Read and write all users' full profiles (User.ReadWrite.All) | Delegated | Allows the BindTuning App to read and write the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. |
The following SharePoint permissions are required for the BindTuning Enterprise Application:
Permission | Type | Why do we need it |
Have full control of all site collections (AllSites.FullControl) | Delegated | Grants the BindTuning App full control over all site collections in SharePoint Online, allowing it to read, create, update, and delete content and configurations across the entire tenant. |
BindTuning Provisioning (EDU)
This enterprise application is specific to Office 365 Education tenants.
In Education tenants, we also require the following Microsoft Graph permissions:
Permission | Type | Why do we need it |
Add and remove members from all channels (ChannelMember.ReadWrite.All) | Application | Allows the BindTuning App to add and remove members from channels, without a signed-in user. Also allows changing a member's role, for example from owner to non-owner. |
Read and write the organization's roster (EduRoster.ReadWrite.All) | Application | Allows the BindTuning App to read and write the structure of schools and classes in the organization's roster, and to read and write education-specific information about all users, without a signed-in user. |
Read and write all groups (Group.ReadWrite.All) | Application | Allows the BindTuning App to create groups and read all group properties and memberships, without a signed-in user. Additionally allows group owners to manage their groups and allows group members to update group content. |
Add and remove members from all teams (TeamMember.ReadWrite.All) | Application | Allows the BindTuning App to add and remove members from teams, without a signed-in user. Also allows changing a member's role, for example from owner to non-owner. |
Read and write all users' full profiles (User.ReadWrite.All) | Application | Allows the BindTuning App to read and write the full set of profile properties, reports, and managers of other users in your organization, without a signed-in user. |
BindTuning Provisioning (Compliance Administration)
This enterprise application (optional) is responsible for retrieving Retention Labels for SharePoint sites, from the Microsoft Purview Compliance Center, enabling automated classification and governance of SharePoint content.
The following Microsoft Graph permissions are required for this enterprise application:
Permission | Type | Why do we need it |
Read and write all directory RBAC settings (RoleManagement.ReadWrite.Directory) | Application | Allows the BindTuning App to read and manage the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes reading and managing directory role membership. |
The following Office 365 Exchange Online permission is also required:
Permission | Type | Why do we need it |
Manage Exchange As Application (Exchange.ManageAsApp) | Application | Allows the BindTuning App to manage Exchange Online mailboxes and settings on behalf of the organization, so that background services can perform operations without user interaction. |
BindTuning SharePoint Connection
The following Microsoft Graph permissions are required for the BindTuning Enterprise Application:
Permission | Type | Why do we need it |
Sign users in (openid) | Delegated | Enables BindTuning to sign you in and scan your environment on your behalf. |
View users' basic profile (profile) | Delegated | Allows the BindTuning App to see your users' basic profile (name, picture, user name). |
View users' email address (email) | Delegated | Allows the BindTuning App to read your users' primary email address. |
Maintain access to data you have given it access to (offline_access) | Delegated | Allows the BindTuning App to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions. |
Read items in all site collections (Sites.Read.All) | Delegated | Allows the BindTuning App to read documents and list items in all site collections on behalf of the signed-in user. |
Sign you in and read your profile (User.Read) | Delegated | Allows the BindTuning App to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. |
The following SharePoint permissions are required for the BindTuning Enterprise Application:
Permission | Type | Why do we need it |
Read items in all site collections (AllSites.Read) | Delegated | Allows the BindTuning App to read all site collections that the signed-in user has access to. |
Read user profiles (User.Read.All) | Delegated | Allows the BindTuning App to read the full profiles of all users in the organization on behalf of the signed-in user. |
BindTuning Pulse365
The following Microsoft Graph permissions are required for the BindTuning Enterprise Application:
Permission | Type | Why do we need it |
Read all applications (Application.Read.All) | Application | Allows reading all applications in the tenant, necessary to identify or reference apps for configuration or integration validation. |
Read audit logs (AuditLog.Read.All) | Application | Enables reading audit logs across Microsoft 365, required for tracking activities. |
Query audit logs (AuditLogsQuery.Read.All) | Application | Used to query audit logs via Microsoft Graph, essential for fetching specific audit data. |
Read Teams messages (ChannelMessage.Read.All) | Application | Provides access to read Teams channel messages, needed for tracking activities. |
Read Teams channel settings (ChannelSettings.Read.All) | Application | Allows reading Teams channel settings, necessary to audit channel configurations. |
Read communities (Community.Read.All) | Application | Enables reading community information (Yammer/Viva Engage), for reporting on communities. |
Read all groups (Group.Read.All) | Application | Grants read access to all Microsoft 365 Groups, required to list, associate, or sync teams and sites tied to groups. |
Read group settings (GroupSettings.Read.All) | Application | Lets the app read important group-level settings for reporting. |
Read group conversations (Group-Conversation.Read.All) | Application | Allows reading group conversations, needed to capture activities. |
Read all tasks (Tasks.Read.All) | Application | Enables reading all Planner tasks, required for reporting on activities. |
Read basic Teams info (Team.ReadBasic.All) | Application | Allows reading basic information about all Teams, necessary for listing and managing Teams. |
Read Teams members (TeamMember.Read.All) | Application | Grants permission to read team membership details, used to synchronize or audit members. |
Read Teams settings (TeamSettings.Read.All) | Application | Allows reading of Teams settings, critical for validating configurations. |
The following SharePoint permissions are required for the BindTuning Enterprise Application:
Permission | Type | Why do we need it |
Read items in all site collections (Sites.Read.All) | Application | Allows the BindTuning App to read documents and list items in all site collections. |
Full control of all SharePoint site collections (Sites.FullControl.All) | Application | Allows the BindTuning App to have full control of all SharePoint site collections. |
Read user profiles (User.Read.All) | Application | Allows the BindTuning App to read the full set of profile properties, reports, and managers of other users in your organization. |
The following PowerBI permissions are required for the BindTuning Enterprise Application:
Permission | Type | Why do we need it |
Read and write all content in tenant (Tenant.ReadWrite.All) | Delegated | Provides the ability to read and modify tenant-level settings, required for managing the automation API configuration. |
The following Viva Engage (Yammer) permissions are required for the BindTuning Enterprise Application:
Permission | Type | Why do we need it |
Act on behalf of users (user_impersonation) | Delegated | Allows the application to act on behalf of a signed-in user, enabling operations to be executed using that user’s permissions and context. |
BindTuning Intranet
The BindTuning Intranet enterprise application was previously called BindTuning Analyzer.
The following Microsoft Graph permissions are required for the BindTuning Enterprise Application:
Permission | Type | Why do we need it |
Read all applications (Application.Read.All) | Application | Allows the BindTuning App to read applications and service principals, without a signed-in user. |
Read audit logs (AuditLog.Read.All) | Application | Allows the BindTuning App to read and query your audit log activities, without a signed-in user. |
Read all groups (Group.Read.All) | Application | Grants read access to all Microsoft 365 Groups, required to list, associate, or sync teams and sites tied to groups. |
Read group settings (GroupSettings.Read.All) | Application | Lets the app read important group-level settings for reporting. |
Read items in all site collections (Sites.Read.All) | Application | Allows the BindTuning App to read list items in all site collections. |
Get a list of all teams (Team.ReadBasic.All) | Application | Allows the BindTuning App to read the names and descriptions of teams. |
Read all users' full profiles (User.Read.All) | Application | Allows the BindTuning App to read the full set of profile properties, reports, and managers of other users in your organization. |
The following SharePoint permissions are required for the BindTuning Enterprise Application:
Permission | Type | Why do we need it |
Read items in all site collections (Sites.Read.All) | Application | Allows the BindTuning App to read documents and list items in all site collections. |
Read user profiles (User.Read.All) | Application | Allows the BindTuning App to read the full set of profile properties, reports, and managers of other users in your organization. |
BindTuning.com
The following Microsoft Graph permissions are required for the BindTuning Enterprise Application:
Permission | Type | Why do we need it |
Sign you in and read your profile (User.Read) | Delegated | Allows the BindTuning App to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. |
Sign users in (openid) | Delegated | Enables BindTuning to sign you in and scan your environment on your behalf. |
View users' basic profile (profile) | Delegated | Allows the BindTuning App to see your users' basic profile (name, picture, user name). |
Maintain access to data you have given it access to (offline_access) | Delegated | Allows the BindTuning App to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions. |
What data does BindTuning store?
To interact with Microsoft Graph and manage resources on your behalf, the BindTuning App obtains an access token from the Microsoft identity platform. This token is attached to requests sent to Microsoft Graph.
After a user authenticates, a refresh token is securely stored in Microsoft Azure Key Vault. This refresh token allows BindTuning to request new access tokens when needed (e.g., when you reinstall a product), without requiring you to re-authenticate or re-consent to permissions every time.
Review App permissions in your tenant
You can review and manage the permissions granted to the BindTuning application directly within your Azure Portal.
To do so:
Go to the Azure Portal.
In the search bar, type "Enterprise applications" and select it from the results.
In the list of enterprise applications, search for "BindTuning Provisioning" (or any other BindTuning EA), and select the application.
Under the "Security" section in the left-hand menu, select "Permissions." Here you will see the full list of permissions granted to BindTuning.
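The same review can be done from the command line, which makes it repeatable and lets you compare what was actually consented against the tables in this article. The script below is an added example, not BindTuning's own tooling; it assumes the Microsoft Graph PowerShell SDK is installed and that the reviewer's account can read service principals (Application.Read.All and Directory.Read.All are sufficient).

```powershell
# Added example (not a BindTuning script): enumerate every consent granted to the
# BindTuning enterprise applications and flag permissions not documented in this article.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

# Union of the permission names in the tables above (constructed from this article).
$documented = @(
  'openid', 'profile', 'email', 'offline_access', 'User.Read', 'User.Read.All',
  'User.ReadWrite.All', 'Sites.Read.All', 'Sites.ReadWrite.All', 'Sites.FullControl.All',
  'AllSites.Read', 'AllSites.FullControl', 'AppCatalog.ReadWrite.All', 'Group.Read.All',
  'Group.ReadWrite.All', 'GroupSettings.Read.All', 'Group-Conversation.Read.All',
  'ChannelMember.ReadWrite.All', 'ChannelMessage.Read.All', 'ChannelSettings.Read.All',
  'TeamMember.ReadWrite.All', 'TeamMember.Read.All', 'Team.ReadBasic.All',
  'TeamSettings.Read.All', 'EduRoster.ReadWrite.All', 'RoleManagement.ReadWrite.Directory',
  'Exchange.ManageAsApp', 'Application.Read.All', 'AuditLog.Read.All',
  'AuditLogsQuery.Read.All', 'Community.Read.All', 'Tasks.Read.All',
  'Tenant.ReadWrite.All', 'user_impersonation'
)

$results = foreach ($sp in Get-MgServicePrincipal -Filter "startswith(displayName,'BindTuning')" -All) {
  # Delegated permissions live in oauth2PermissionGrants: one grant per resource API,
  # with the consented scopes as a space-separated string. ConsentType 'AllPrincipals'
  # means the grant was made tenant-wide (admin consent), 'Principal' means one user.
  foreach ($grant in Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $grant.ResourceId
    foreach ($scope in ($grant.Scope -split ' ' | Where-Object { $_ })) {
      [pscustomobject]@{ App = $sp.DisplayName; Resource = $resource.DisplayName
                         Type = 'Delegated'; Consent = $grant.ConsentType; Permission = $scope }
    }
  }
  # Application permissions live in appRoleAssignments; the assignment only carries the
  # role GUID, so resolve it to its name through the resource's AppRoles collection.
  foreach ($assignment in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
    $role = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
    [pscustomobject]@{ App = $sp.DisplayName; Resource = $resource.DisplayName
                       Type = 'Application'; Consent = 'AllPrincipals'; Permission = $role.Value }
  }
}

# Full inventory, then only the rows that go beyond what this article documents.
$results | Sort-Object App, Type, Permission | Format-Table -AutoSize
$results | Where-Object { $documented -notcontains $_.Permission } | Format-Table -AutoSize
```

Application-type rows always apply tenant-wide, which is why they are shown as AllPrincipals; any row in the second table was consented beyond the documented set and is worth raising with BindTuning support before the next product upgrade prompts for more.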
Revoking consents
There are two main scenarios where you might need to revoke the permissions granted to BindTuning: for troubleshooting purposes or if you no longer wish to use BindTuning products.
For troubleshooting issues: If you're experiencing problems installing or using a product, it might be due to an issue with your current refresh token. Revoking the consent can often resolve this by prompting a fresh token request upon your next installation attempt.
When no longer using BindTuning: If you decide to stop using BindTuning products, revoking consent ensures that BindTuning no longer has access to your Microsoft 365 tenant data.
For detailed instructions on how to revoke consent, please refer to our article: How to revoke BindTuning tenant-wide consent.