SimpleVoIP Connector performs a limited set of tasks with the Microsoft Global Administrator's consent. These tasks allow automated provisioning, via PowerShell, of Direct Routing, User Calling activation and Teams Application setup in Microsoft.
The initial request when the Microsoft Enterprise Global Administrator is asked for permission looks like this:
SimpleVoIP requires the Microsoft Global Admin to grant the permissions that are shown above and explained below. With consent selected, delegated authorization can be granted to other Microsoft users in the tenant, specifically to users that have the role of Teams Service Admin and Skype for Business Admin.
Permission flow is as follows:
- During Enterprise signup Global Admin credentials are required for the first sign in to the EPP (Registration - pictured above).
- The EPP will ask for the following permissions that require Microsoft Global Admin consent before they can be used by non-Global Admin Users:
Permissions | Purpose |
---|---|
Access Microsoft Teams and Skype for Business data as the signed in user | Allows the app to have the same access to information in the directory as the signed-in user. |
Read and write directory data | Allows the app to read and write data in your organization's directory, such as users, and groups. It does not allow the app to delete users or groups, or reset user passwords. |
Access the directory as you | Allows the app to read the organization and related resources, on behalf of the signed-in user. Related resources include things like subscribed SKUs and tenant branding information. |
Manage your installed Teams apps | Allows the app to install and delete the Teams Application (Azure Enterprise Application) you build to extend the PBX into Teams. |
Read organization information | Allows the app to read the organization and related resources, on behalf of the signed-in user. Related resources include things like subscribed SKUs and tenant branding information. |
Read and write all users' full profiles | Allows the app to read and write the organization and related resources, on behalf of the signed-in user. Related resources include things like subscribed SKUs and tenant branding information. |
Maintain access to data you have given it access to | Allows the permission to access data to persist beyond the current login session. |
Full access to the Skype Remote Powershell | Allows the application full access to the Skype Remote Powershell Azure services to provision Direct Routing and Teams Users on behalf of the signed-in user. |
After this initial set of permissions is granted, the Microsoft Global Admin will be prompted to log in again. A second set of application Permissions will appear:
Permissions | Purpose |
---|---|
Read all users' full profiles | Allows the app to read user profiles without a signed in user. |
Sign in and read user profile | Allows users to sign-in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. |
Once you grant these Permissions you will be logged into the SimpleVoIP Connector portal.
Debug Call Consent
Additional permissions will be requested from the Enterprise Admin for the SimpleVoIP Connector CDR Application as soon as the user clicks "Debug Call" from the dashboard.
Permissions | Purpose |
---|---|
Read all call records | Allows the app to read call records for all calls and online meetings without a signed-in user. |
Read PSTN and direct routing call log data | Allows the app to read all PSTN and direct routing call log data without a signed-in user. |
In the SimpleVoIP Connector portal, some tasks can be performed only by the Microsoft Global Admin, and others can also be performed by the delegated Teams Service Admin/Skype for Business Admin. The table below shows which credentials have what authority:
Task | Microsoft Global Admin | Microsoft Teams Service Admin & Skype Admin (both) |
---|---|---|
Initial Enterprise Reg. | YES | NO |
Setup Direct Routing | YES | NO |
Setup/Manage PBX | YES | YES |
Setup/Manage TM Users | YES | YES |
Add/Delete Teams App | YES | NO |
Setup/Manage End User Portal | YES | YES |
Setup/Manage Feature Codes | YES | YES |
The Microsoft Global Admin must consent to the permissions listed at the top of this article to allow SimpleVoIP to execute PowerShell commands on the organization’s behalf.
If the Global Admin does not consent on the organization’s behalf, subsequent logins will fail for non-Global Admin users.
Once the Microsoft Global Admin has granted consent, Teams Service Admin/Skype for Business Admin users logging in to the EPP will not be required to consent to further permissions.
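To review what was actually consented to, the delegated grants (first table) and the application permissions that work without a signed-in user (second set and Debug Call) can be checked against an approved baseline. This is an added example, not SimpleVoIP or Microsoft code: the record shapes follow Microsoft Graph's oauth2PermissionGrant and appRoleAssignment resources, the scope names are assumed Graph equivalents of some consent lines above, and all IDs and sample records are constructed.

```python
# Added example. Record shapes follow Microsoft Graph oauth2PermissionGrant
# (delegated) and appRoleAssignment (application); every value is constructed.

# Assumed Microsoft Graph scope names for some consent lines in this article.
APPROVED_DELEGATED = {"Directory.ReadWrite.All", "Directory.AccessAsUser.All",
                      "Organization.Read.All", "User.ReadWrite.All",
                      "offline_access", "User.Read"}
APPROVED_APPLICATION = {"User.Read.All", "CallRecords.Read.All"}
# Scopes that allow writes or keep access alive after the session ends.
HIGH_IMPACT = {"Directory.ReadWrite.All", "Directory.AccessAsUser.All",
               "User.ReadWrite.All", "offline_access"}


def review_grants(delegated, app_roles, role_names):
    """Return (kind, permission, finding) tuples for a consent review."""
    findings = []
    for grant in delegated:
        # AllPrincipals = an admin consented for every user in the tenant.
        tenant_wide = grant.get("consentType") == "AllPrincipals"
        for scope in grant.get("scope", "").split():
            if scope not in APPROVED_DELEGATED:
                findings.append(("delegated", scope, "not in approved baseline"))
            elif tenant_wide and scope in HIGH_IMPACT:
                findings.append(("delegated", scope, "high impact, tenant-wide"))
    for assignment in app_roles:
        # Application permissions are usable without a signed-in user.
        name = role_names.get(assignment["appRoleId"], assignment["appRoleId"])
        status = "approved" if name in APPROVED_APPLICATION else "not in approved baseline"
        findings.append(("application", name, status + ", no signed-in user"))
    return findings


# Constructed sample export for one service principal (hypothetical IDs).
SAMPLE_DELEGATED = [
    {"clientId": "sp-0001", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read offline_access Directory.ReadWrite.All Mail.Read"},
    {"clientId": "sp-0001", "consentType": "Principal", "principalId": "user-42",
     "scope": "Directory.AccessAsUser.All"},
]
SAMPLE_APP_ROLES = [{"appRoleId": "role-aaaa"}, {"appRoleId": "role-bbbb"}]
SAMPLE_ROLE_NAMES = {"role-aaaa": "CallRecords.Read.All",
                     "role-bbbb": "Directory.ReadWrite.All"}

if __name__ == "__main__":
    for finding in review_grants(SAMPLE_DELEGATED, SAMPLE_APP_ROLES, SAMPLE_ROLE_NAMES):
        print(*finding, sep=" | ")
```

Replace the baseline sets with the scope values your tenant shows for this application before relying on the output.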