Introduction
SphereShield requires you to register an app in Azure AD.
Please note that the application needs to be registered by your Global Administrator.
The registration process is described here.
App Options
There are 3 different types of Standard App:
1. Compliance and Channel management - Sign in, read and write content. Required for compliance deployment (Ethical Wall, DLP) and channel management by API.
2. Sign in And Groups - Sign in and read groups. Required for Portal authentication for Webex/Zoom/Slack and for MS Teams Proxy.
3. Sign in and eDiscovery - Sign in and read content for eDiscovery. Required for MS Teams eDiscovery by API.
Below are the permissions needed for each App.
Compliance and Channel management Permissions
This app would like to:
...
Sign in and read user profile
...
Read and write tabs in any team in Microsoft Teams, without a signed-in user. This does not give access to the content inside the tabs.
...
Sign in And Groups Permissions
This app would like to:
...
Sign in and read user profile
Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.
Create tab in Microsoft Teams
Allows the app to create a new tab, as in the case of Planner.
TeamsTab.Create
...
Tasks.ReadWrite.All
Allows the app to read/write all of the Planner info.
...
Read and write user chat messages
Allows an app to read and write 1 on 1 or group chat threads, on behalf of the signed-in user.
This is a permission requested to access your data in AGAT Software.
...
Read all groups
Allows the app to read group properties and memberships, and read the calendar and conversations for all groups, without a signed-in user.
Create chats
Allows the app to create chats on behalf of the signed-in user.
This is a permission requested to access your data in AGAT Software.
...
Read all users' full profiles
Allows the app to read user profiles without a signed in user.
Sign in And Groups Permissions
This app would like to:
...
Sign in and read user profile
Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.
This is a permission requested to access your data in AGAT Software.
If you accept, this app will get access to the specified resources for all users in your organization. No one else will be prompted to review these permissions.
Accepting these permissions means that you allow this app to use your data as specified in their terms of service and privacy statement. You can change these permissions at https://myapps.microsoft.com.
Sign in and eDiscovery Permissions
This app would like to:
...
Sign in and read user profile
Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.
This is a permission requested to access your data in AGAT Software.
...
Read names and members of all chat threads
...
Read all groups
Allows the app to read group properties and memberships, and read the calendar and conversations for all groups, without a signed-in user.
This is a permission requested to access your data in AGAT Software.
...
Read all users' full profiles
Allows the app to read user profiles without a signed in user.
This is a permission requested to access your data in AGAT Software.
If you accept, this app will get access to the specified resources for all users in your organization. No one else will be prompted to review these permissions.
Accepting these permissions means that you allow this app to use your data as specified in their terms of service and privacy statement. You can change these permissions at https://myapps.microsoft.com.
Sign in and eDiscovery Permissions
This app would like to:
...
Sign in and read user profile
Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.
This is a permission requested to access your data in AGAT Software.
...
Read and write calendars in all mailboxes
Allows the app to create, read, update, and delete events of all calendars.
Read names and members of all chat threads
Read names and members of all one-to-one and group chats in Microsoft Teams, without a signed-in user.
...
Accepting these permissions means that you allow this app to use your data as specified in their terms of service and privacy statement. You can change these permissions at https://myapps.microsoft.com.
Permissions for chat and file control only
If all that is required is to enforce Ethical Wall and DLP policies on chat and files, we can create a custom app with limited permissions.
For chat & file control we will only need the following permissions (and a separate app will be set up like this):
...
Permissions for file control only
If all that is required is to enforce Ethical Wall and DLP policies on files, we can create a custom app with limited permissions.
For file control we will only need the following permissions (and a separate app will be set up like this):
...
...
Permissions for eDiscovery files and chats
If all that is required is to save files and chats in eDiscovery, we can create a custom app with limited permissions.
For this we will only need the following permissions (and a separate app will be set up like this):
...
AGI Deployment options:
Application-Level (Tenant) Deployments
We offer two application-level deployments. Application-level deployments are tenant-wide and apply to every user in the tenant unless configured otherwise after the product is installed.
AGAT CASB API - AGI for Meetings
This application retrieves meeting recordings and transcriptions from users' OneDrive drives.
This application does not apply to chat and channel messages.
API/Permissions Name | Type | Description | Admin Consent required | Explanation |
---|---|---|---|---|
Microsoft Graph | ||||
CallRecords.Read.All | Application | Read all call records | Yes | Allows the app to read call records for all calls and online meetings without a signed-in user. |
TeamsTab.Read.All | Application | Read tabs in Microsoft Teams. | Yes | Read the names and settings of tabs inside any team in Microsoft Teams, without a signed-in user. This does not give access to the content inside the tabs. |
TeamsTab.ReadWrite.All | Application | Read and write tabs in Microsoft Teams. | Yes | Read and write tabs in any team in Microsoft Teams, without a signed-in user. This does not give access to the content inside the tabs. |
TeamsTab.ReadWriteForChat.All | Application | Allow the Teams app to manage all tabs for all chats | Yes | Allows a Teams app to read, install, upgrade, and uninstall all tabs for any chat, without a signed-in user. |
TeamsTab.ReadWriteSelfForChat.All | Application | Allow the Teams app to manage only its own tabs for all chats | Yes | Allows a Teams app to read, install, upgrade, and uninstall its own tabs for any chat, without a signed-in user. |
User.Read | Delegated | Sign in and read user profile | No | Allows you to sign in to the app with your organizational account and let the app read your profile. It also allows the app to read basic company information. |
User.Read.All | Application | Read all users' full profiles | Yes | Allows the app to read user profiles without a signed in user. |
SharePoint | ||||
Sites.Read.All | Application | Read items in all site collections | Yes | Allows the app to read documents and list items in all site collections without a signed in user. |
AGAT CASB API - AGI for Meetings + Chat
This application retrieves meeting recordings and transcriptions from users' OneDrive drives and chat and channel messages.
It can also send notifications when it has user credentials and create an insights tab in meeting chats.
API/Permissions Name | Type | Description | Admin Consent required | Explanation |
---|---|---|---|---|
Microsoft Graph | ||||
CallRecords.Read.All | Application | Read all call records | Yes | Allows the app to read call records for all calls and online meetings without a signed-in user. |
ChannelMessage.Read.All | Application | Read all channel messages | Yes | Allows the app to read all channel messages in Microsoft Teams |
Chat.Create | Application | Create chats | Yes | Allows the app to create chats without a signed-in user. |
Chat.ReadBasic.All | Application | Read names and members of all chat threads | Yes | Read names and members of all one-to-one and group chats in Microsoft Teams, without a signed-in user. |
Chat.ReadWrite.All | Application | Read and write all chat messages | Yes | Allows an app to read and write all chat messages in Microsoft Teams, without a signed-in user. |
ChatMessage.Read.All | Application | Read all chat messages | Yes | Allows the app to read all one-to-one and group chats messages in Microsoft Teams, without a signed-in user. |
Group.Read.All | Application | Read all groups | Yes | Allows the app to read group properties and memberships, and read conversations for all groups, without a signed-in user. |
TeamsTab.Read.All | Application | Read tabs in Microsoft Teams. | Yes | Read the names and settings of tabs inside any team in Microsoft Teams, without a signed-in user. This does not give access to the content inside the tabs. |
TeamsTab.ReadWrite.All | Application | Read and write tabs in Microsoft Teams. | Yes | Read and write tabs in any team in Microsoft Teams, without a signed-in user. This does not give access to the content inside the tabs. |
TeamsTab.ReadWriteForChat.All | Application | Allow the Teams app to manage all tabs for all chats | Yes | Allows a Teams app to read, install, upgrade, and uninstall all tabs for any chat, without a signed-in user. |
TeamsTab.ReadWriteSelfForChat.All | Application | Allow the Teams app to manage only its own tabs for all chats | Yes | Allows a Teams app to read, install, upgrade, and uninstall its own tabs for any chat, without a signed-in user. |
User.Read | Delegated | Sign in and read user profile | No | Allows you to sign in to the app with your organizational account and let the app read your profile. It also allows the app to read basic company information. |
User.Read.All | Application | Read all users' full profiles | Yes | Allows the app to read user profiles without a signed in user. |
SharePoint | ||||
Sites.Read.All | Application | Read items in all site collections | Yes | Allows the app to read documents and list items in all site collections without a signed in user. |
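The tables above list the permissions each deployment is expected to request; in a review, the useful check is whether the registration in your tenant asks for exactly that set and nothing more. The Python below is an added example (not AGAT's code) that resolves an app registration's `requiredResourceAccess` entries to permission names using the resource service principal's `appRoles` (application permissions, manifest type `Role`) and `oauth2PermissionScopes` (delegated permissions, type `Scope`), then diffs them against the "AGI for Meetings" set. The manifest fragment and service-principal objects are constructed samples with placeholder GUIDs; the only real values are the Microsoft Graph and SharePoint Online resource appIds.

```python
"""Audit an Azure AD app registration's requested permissions against the
set documented for "AGAT CASB API - AGI for Meetings".

Added example, not AGAT code. The manifest and service-principal objects
below are constructed samples that mimic the real object shapes
(`requiredResourceAccess` on the application object; `appRoles` and
`oauth2PermissionScopes` on the resource service principal). The permission
GUIDs are placeholders, not real Microsoft Graph permission IDs.
"""

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"       # Microsoft Graph resource appId (real)
SHAREPOINT_APP_ID = "00000003-0000-0ff1-ce00-000000000000"  # SharePoint Online resource appId (real)

# Documented permission set for "AGI for Meetings", taken from the table above.
EXPECTED_AGI_MEETINGS = {
    (GRAPH_APP_ID, "CallRecords.Read.All", "Role"),
    (GRAPH_APP_ID, "TeamsTab.Read.All", "Role"),
    (GRAPH_APP_ID, "TeamsTab.ReadWrite.All", "Role"),
    (GRAPH_APP_ID, "TeamsTab.ReadWriteForChat.All", "Role"),
    (GRAPH_APP_ID, "TeamsTab.ReadWriteSelfForChat.All", "Role"),
    (GRAPH_APP_ID, "User.Read", "Scope"),
    (GRAPH_APP_ID, "User.Read.All", "Role"),
    (SHAREPOINT_APP_ID, "Sites.Read.All", "Role"),
}

# Constructed resource service principals, trimmed to the fields the audit needs.
# In a real tenant these come from GET /servicePrincipals?$filter=appId eq '<resource appId>'.
RESOURCE_SPS = {
    GRAPH_APP_ID: {
        "appRoles": [  # application permissions (manifest type "Role")
            {"id": "11111111-0000-0000-0000-000000000001", "value": "CallRecords.Read.All"},
            {"id": "11111111-0000-0000-0000-000000000002", "value": "TeamsTab.Read.All"},
            {"id": "11111111-0000-0000-0000-000000000003", "value": "TeamsTab.ReadWrite.All"},
            {"id": "11111111-0000-0000-0000-000000000004", "value": "TeamsTab.ReadWriteForChat.All"},
            {"id": "11111111-0000-0000-0000-000000000005", "value": "TeamsTab.ReadWriteSelfForChat.All"},
            {"id": "11111111-0000-0000-0000-000000000006", "value": "User.Read.All"},
            {"id": "11111111-0000-0000-0000-000000000007", "value": "Chat.ReadWrite.All"},
        ],
        "oauth2PermissionScopes": [  # delegated permissions (manifest type "Scope")
            {"id": "22222222-0000-0000-0000-000000000001", "value": "User.Read"},
        ],
    },
    SHAREPOINT_APP_ID: {
        "appRoles": [{"id": "33333333-0000-0000-0000-000000000001", "value": "Sites.Read.All"}],
        "oauth2PermissionScopes": [],
    },
}


def resolve_manifest(required_resource_access, resource_sps):
    """Turn a manifest's requiredResourceAccess list into (resourceAppId, name, type) triples."""
    resolved = set()
    for entry in required_resource_access:
        sp = resource_sps.get(entry["resourceAppId"])
        if sp is None:
            raise ValueError(f"unknown resource appId {entry['resourceAppId']}")
        roles = {r["id"]: r["value"] for r in sp["appRoles"]}
        scopes = {s["id"]: s["value"] for s in sp["oauth2PermissionScopes"]}
        for access in entry["resourceAccess"]:
            table = roles if access["type"] == "Role" else scopes
            name = table.get(access["id"])
            if name is None:
                raise ValueError(f"permission id {access['id']} not found on resource")
            resolved.add((entry["resourceAppId"], name, access["type"]))
    return resolved


def audit(required_resource_access, expected, resource_sps=RESOURCE_SPS):
    """Report what the registration requests beyond `expected` and what it lacks.

    Every excess "Role" entry is an application permission: it works without a
    signed-in user and needs Global Administrator consent, so it is the first
    thing to question in a review.
    """
    actual = resolve_manifest(required_resource_access, resource_sps)
    excess = sorted(actual - expected)
    missing = sorted(expected - actual)
    excess_app_perms = [name for _, name, typ in excess if typ == "Role"]
    return {"excess": excess, "missing": missing, "excess_application_permissions": excess_app_perms}


# Constructed manifest fragment: requests the documented Graph set plus
# Chat.ReadWrite.All, which the "AGI for Meetings" option does not need,
# and omits the SharePoint Sites.Read.All entry so the audit reports it missing.
SAMPLE_MANIFEST = [
    {
        "resourceAppId": GRAPH_APP_ID,
        "resourceAccess": [
            {"id": "11111111-0000-0000-0000-000000000001", "type": "Role"},
            {"id": "11111111-0000-0000-0000-000000000002", "type": "Role"},
            {"id": "11111111-0000-0000-0000-000000000003", "type": "Role"},
            {"id": "11111111-0000-0000-0000-000000000004", "type": "Role"},
            {"id": "11111111-0000-0000-0000-000000000005", "type": "Role"},
            {"id": "11111111-0000-0000-0000-000000000006", "type": "Role"},
            {"id": "11111111-0000-0000-0000-000000000007", "type": "Role"},
            {"id": "22222222-0000-0000-0000-000000000001", "type": "Scope"},
        ],
    },
]

if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST, EXPECTED_AGI_MEETINGS))
```

The diff is done on (resource, name, type) triples rather than names alone because the same name can exist as both a delegated and an application permission, and the application form is the one that runs without a signed-in user. For the "AGI for Meetings + Chat" deployment, build the expected set from its table in the same way.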
Protocol used by Azure app for authentication
The app is a native Microsoft deployment and uses OAuth2 as documented here:
https://docs.microsoft.com/en-us/azure/app-service/overview-authentication-authorization
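Because the application-level deployments authenticate as the app itself, the relevant OAuth2 grant is client credentials, and the access token Azure AD issues lists the granted application permissions in its `roles` claim. The Python below is an added example (not AGAT's code) that builds that token request for Microsoft Graph and decodes the `roles` claim of a token to compare it with the documented "AGI for Meetings" application permissions. The token is a constructed, unsigned sample with placeholder values; decoding here is a local review aid only, since signature validation is the resource's job.

```python
"""Review which application permissions an access token actually carries.

Added example, not AGAT code. The token built below is a constructed sample
(unsigned, placeholder claims); real tokens are signed by Azure AD and must
be validated by the resource that receives them.
"""
import base64
import json
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# Graph application permissions documented for "AGI for Meetings" (table above).
# SharePoint Sites.Read.All is left out: it is issued in a token for a different audience.
AGI_MEETINGS_GRAPH_APP_PERMISSIONS = [
    "CallRecords.Read.All",
    "TeamsTab.Read.All",
    "TeamsTab.ReadWrite.All",
    "TeamsTab.ReadWriteForChat.All",
    "TeamsTab.ReadWriteSelfForChat.All",
    "User.Read.All",
]


def build_client_credentials_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for the client credentials grant against Microsoft Graph.

    The `.default` scope asks for every application permission already consented
    for the app, which is why the granted set is worth reviewing after consent."""
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }
    return TOKEN_ENDPOINT.format(tenant=tenant_id), urlencode(body)


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_roles(access_token):
    """Return the `roles` claim (application permissions) from a compact JWT, unverified."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = json.loads(_b64url_decode(parts[1]))
    return set(payload.get("roles", []))


def unexpected_roles(access_token, documented):
    """Application permissions present in the token but absent from the documented list."""
    return sorted(token_roles(access_token) - set(documented))


def _make_sample_token(claims):
    # Constructed, unsigned sample for offline use only.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


SAMPLE_TOKEN = _make_sample_token({
    "aud": "https://graph.microsoft.com",
    "appid": "00000000-0000-0000-0000-00000000beef",  # placeholder client id
    "roles": ["CallRecords.Read.All", "User.Read.All", "TeamsTab.Read.All", "Chat.ReadWrite.All"],
})

if __name__ == "__main__":
    url, body = build_client_credentials_request("<tenant-id>", "<client-id>", "<client-secret>")
    print(url, body)
    print("unexpected:", unexpected_roles(SAMPLE_TOKEN, AGI_MEETINGS_GRAPH_APP_PERMISSIONS))
```

A `roles` claim that is larger than the documented list means consent was granted for more than the deployment requires; the fix is in the tenant's enterprise application permissions, not in the app's code.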
Option for Private Customer App
In the event that a customer is unhappy with the permissions above, AGAT offers an option for the customer to create the SphereShield app in their own tenant. This means that AGAT won’t have any permissions to the customer tenant, but the customer will be the owner of the app with the permissions required.
...
Manually creating the Azure AD Application Registration required for API connection