Approve Microsoft 365 access

Why is an approval needed?

Using our app requires delegated access to Microsoft 365, via the Microsoft Graph API. We use the most common form of delegated authentication flow, the authentication code flow via an Enterprise application. In many cases, access to Microsoft Graph resources is restricted by default. If you can’t login from Jira or Microsoft Teams, your Microsoft 365 or Azure administrator might need to consent to the app for you.

In case you are interested in the exact permissions and why we need them, please check out this dedicated permissions article.

Technical ids & scopes

Below you can find a list of necessary client ids and scopes. You only need to allow the Enterprise apps in case the feature should be used. Depending on the feature, there are also optional scopes which enhance the basic functionality, but are considered optional by us and can be omitted if not required - the app will gracefully handle the missing scopes.

The following base scopes are required for all features:

email offline_access profile openid

App feature

Enterprise app client id

Scopes

App feature

Enterprise app client id

Scopes

Email

e7185a25-9df9-4d05-b779-76b04bf46424

 

 

Mail.ReadWrite.Shared Mail.Send.Shared People.Read User.Read User.ReadBasic.All

Approve for all users

Meetings

e7185a25-9df9-4d05-b779-76b04bf46424

 

Calendars.ReadWrite Calendars.ReadWrite.Shared MailboxSettings.Read OnlineMeetings.ReadWrite People.Read User.Read User.ReadBasic.All

Approve for all users

optional

Necessary for certain features to work, e.g. searching for rooms

 

Approve for all users (incl. optional)

Calendar

e7185a25-9df9-4d05-b779-76b04bf46424

 

Approve for all users

optional

Necessary for certain features to work, e.g. searching for rooms & embedding Teams channel calendars

Approve for all users

To Do

32d752a1-8945-4600-97c9-73ed32c3627a

Approve for all users

Teams

89d5ca9f-d63b-4885-bd30-6e7433c1540c

Approve for all users

Teams JSM portal

a47ed889-74d6-4acf-b5c8-b1172696eb70

Approve for all users

Teams JSM portal notifications

89d5ca9f-d63b-4885-bd30-6e7433c1540c

Since the portal link is an individual link we can’t provide a direct link to approve for all users. Feel free to see our docs to get the direct link: Approve for all users

Approving access for all users for our apps

To approve access for all users for the relevant apps, please send your Office 365 administrator the following links or use the links above. In this case your admin has to approve for every app separately.

App feature

Approval link

App feature

Approval link

Email

https://login.microsoftonline.com/organizations/v2.0/adminconsent?client_id=e7185a25-9df9-4d05-b779-76b04bf46424&state=no&redirect_uri=https%3a%2f%2fatlassianconnect.yasoon.com%2fauth-success.html&scope=email%20offline_access%20profile%20openid%20Mail.ReadWrite.Shared%20Mail.Send.Shared%20People.Read%20User.Read%20User.ReadBasic.All

Meetings

https://login.microsoftonline.com/organizations/v2.0/adminconsent?client_id=e7185a25-9df9-4d05-b779-76b04bf46424&state=no&redirect_uri=https%3A%2F%2Fatlassianconnect.yasoon.com%2Fauth-success.html&scope=email offline_access profile openid Calendars.ReadWrite Calendars.ReadWrite.Shared MailboxSettings.Read OnlineMeetings.ReadWrite People.Read User.Read User.ReadBasic.All

With room support

https://login.microsoftonline.com/organizations/v2.0/adminconsent?client_id=e7185a25-9df9-4d05-b779-76b04bf46424&state=no&redirect_uri=https%3A%2F%2Fatlassianconnect.yasoon.com%2Fauth-success.html&scope=email offline_access profile openid Calendars.ReadWrite Calendars.ReadWrite.Shared MailboxSettings.Read OnlineMeetings.ReadWrite People.Read User.Read User.ReadBasic.All Place.Read.All

Calendar

Only mandatory scopes:

https://login.microsoftonline.com/organizations/v2.0/adminconsent?client_id=e7185a25-9df9-4d05-b779-76b04bf46424&state=no&redirect_uri=https%3A%2F%2Fatlassianconnect.yasoon.com%2Fauth-success.html&scope=email offline_access profile openid Calendars.ReadWrite Calendars.ReadWrite.Shared MailboxSettings.Read OnlineMeetings.ReadWrite People.Read User.Read User.ReadBasic.All

With Teams channel calendar, group & room support

https://login.microsoftonline.com/organizations/v2.0/adminconsent?client_id=e7185a25-9df9-4d05-b779-76b04bf46424&state=no&redirect_uri=https%3A%2F%2Fatlassianconnect.yasoon.com%2Fauth-success.html&scope=email offline_access profile openid Calendars.ReadWrite Calendars.ReadWrite.Shared MailboxSettings.Read OnlineMeetings.ReadWrite People.Read User.Read User.ReadBasic.All Place.Read.All Group.ReadWrite.All Team.ReadBasic.All

To Do

https://login.microsoftonline.com/organizations/v2.0/adminconsent?client_id=32d752a1-8945-4600-97c9-73ed32c3627a&state=no&redirect_uri=https%3a%2f%2fatlassianconnect.yasoon.com%2fauth-success.html&scope=email%20offline_access%20profile%20openid%20Tasks.Read%20Tasks.ReadWrite%20Tasks.ReadWrite.Shared%20User.Read

Teams

https://login.microsoftonline.com/organizations/v2.0/adminconsent?client_id=89d5ca9f-d63b-4885-bd30-6e7433c1540c&state=no&redirect_uri=https%3a%2f%2fatlassianconnect.yasoon.com%2fauth-success.html&scope=email%20offline_access%20profile%20openid%20Channel.ReadBasic.All%20ChannelMessage.Send%20Chat.ReadWrite%20Team.ReadBasic.All%20User.Read%20User.ReadBasic.All

Teams JSM portal

https://login.microsoftonline.com/organizations/v2.0/adminconsent?client_id=a47ed889-74d6-4acf-b5c8-b1172696eb70&state=no&redirect_uri=https%3a%2f%2fatlassianconnect.yasoon.com%2fauth-success.html&scope=email%20offline_access%20profile%20openid%20User.Read

Your admin will see the following screen, where the permissions can be confirmed.

Please note, that despite what the screen says in the subtext, we won’t get access to all user resources automatically after approving this. Before we can get access to any Office data, the users will need to log in with their own account as well from Jira.

Approving access for a limited set of users

In case you only want to approve the access for a limited set of users, e.g. you already have a dedicated AzureAD group for Jira users, you’ll need to do this via a Powershell script. The easiest way is to create a new .ps1 file on your computer and paste the following code. Make sure to adjust the client ids and scopes according to the table above.

Creating the Enterprise application only for review purposes

In case you want to inspect the app first before approving is, you can just add the service principal to AzureAD.

Do do this, you’ll need to use Powershell to create it manually. For the “AppId” parameter, use one of the client ids listed in the table above, in this case the one for Teams.

Afterwards, you should be able to find the enterprise app in the UI linked above, where you can restrict the application to certain users or groups, or, using the “Properties” page, allow users to self-approve the app:

References

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent?tabs=azure-portal

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent