Microsoft 365 Access Requirements


You will need an Azure app (Microsoft Entra ID) to assign these permissions. How you create one depends on your deployment method:

| Method | Use When | Limitations | Guide |
| --- | --- | --- | --- |
| App Store | US commercial tenant with a single Moveworks deployment. If you plan to add additional environments (e.g. a sandbox) in the future, use the Non-App Store method instead — the App Store can only be used once per tenant. | US commercial data centers only. One bot per Microsoft tenant. | AI Assistant in Microsoft 365 (MS Teams + MS Graph) Access Requirements |
| Non-App Store (Custom App) | Multiple Moveworks deployments on one tenant, non-US regions, or GCC High | Requires manual app registration and more configuration steps | AI Assistant in Microsoft Teams (Non-App Store) Setup Guide |
| App Registration Only | Configuring Microsoft Graph access for Groups, InTune, or SharePoint — without a Teams bot deployment | Not for Teams bot setup | Creating a Microsoft App Registration for Moveworks |

All permissions on this page must be configured as Application Permissions.

To Identify and Talk to Users (mandatory when deploying Microsoft Teams Bot)

Moveworks creates an offline index of all users so that we can message end users proactively. We use the Microsoft Graph API to get this information. If you are using Microsoft Teams as the chat platform, the same app ID can be used for all the permissions listed below.

Microsoft Graph API Scopes for Teams

  • User.Read.All — Allows Moveworks to read all user attributes such as email and Microsoft Entra ID
  • TeamsAppInstallation.ReadWriteSelfForUser.All — Allows Moveworks to install itself for all users

To Manage Groups (mandatory when deploying Access Groups functionality)

If you use Microsoft 365 to manage email groups, Moveworks creates an offline index of all groups using the Microsoft Graph API so that all “Add users to distribution list” operations are done instantaneously. If a user creates a distribution list in the bot, Moveworks creates that list and immediately appends it to the day’s index, so users can add members to it right away.

Microsoft Graph API Scopes for Groups

  • Group.ReadWrite.All — Allows Moveworks to add users to existing Microsoft 365 groups and create new groups
  • User.Read.All — Allows Moveworks to read all user attributes such as email and Microsoft Entra ID

To Manage Devices and Apps (optional)

If you have an InTune company portal where users can access endpoints to push applications to their devices, Moveworks can serve these links.

Microsoft Graph API Scopes for InTune

  • DeviceManagementApps.Read.All — Allows Moveworks to read application data for InTune apps

To Read SharePoint Online Sites (optional)

  • Sites.Read.All — Allows Moveworks to read pages from SharePoint Online sites
  • Sites.Selected — Allows Moveworks to read pages from selected SharePoint Online sites. See here for more details on how to grant access using Sites.Selected.
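
One way to check that the app registration carries exactly the application permissions listed above for the features you enabled, and nothing broader. This is an added example, not Moveworks or Microsoft code: the feature keys, function names and sample token are constructed, and it assumes Sites.Read.All and Sites.Selected are alternatives. It relies on app-only Microsoft Entra ID tokens listing application permissions in the `roles` claim and delegated ones in `scp`.

```python
import base64
import json

# Any-of groups of Graph application permissions per feature, from the lists on this page.
# Assumption: Sites.Read.All and Sites.Selected are alternatives for SharePoint.
FEATURE_SCOPES = {
    "teams": [{"User.Read.All"}, {"TeamsAppInstallation.ReadWriteSelfForUser.All"}],
    "groups": [{"Group.ReadWrite.All"}, {"User.Read.All"}],
    "intune": [{"DeviceManagementApps.Read.All"}],
    "sharepoint": [{"Sites.Read.All", "Sites.Selected"}],
}

def _b64url(data):
    """Encode a dict as an unpadded base64url JWT segment (used to build the sample)."""
    return base64.urlsafe_b64encode(json.dumps(data).encode()).rstrip(b"=").decode()

def token_claims(jwt):
    """Decode the JWT payload WITHOUT verifying the signature (audit use only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit(jwt, features):
    """Compare an app-only Graph token's permissions with the enabled features."""
    claims = token_claims(jwt)
    roles = set(claims.get("roles", []))
    groups = [g for f in features for g in FEATURE_SCOPES[f]]
    allowed = set().union(*groups)
    return {
        # An scp claim means delegated permissions, not Application Permissions.
        "delegated": "scp" in claims,
        "missing": sorted({" or ".join(sorted(g)) for g in groups if not g & roles}),
        "excess": sorted(roles - allowed),
    }

# Constructed sample: Teams and SharePoint are enabled, but the app was granted
# Groups access and a directory-wide write permission it does not need.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"roles": ["User.Read.All", "Group.ReadWrite.All", "Directory.ReadWrite.All",
                       "TeamsAppInstallation.ReadWriteSelfForUser.All"]}),
    "constructed-signature",
])

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_TOKEN, ["teams", "sharepoint"]), indent=2))
```

Anything reported under `excess` is a permission to remove from the app registration, or a feature to add to the list if it is in fact enabled.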