Microsoft Entra Permissions and Consent Explained

Microsoft Entra Authentication

YakChat leverages the simplicity, security and control provided by Microsoft Entra ID (Azure Active Directory). A Microsoft Entra ID user profile is required to access YakChat, so that the user is authenticated using the organization's sign-in and security policies, and Microsoft Azure Enterprise Application permissions are used to control and consent to the permissions YakChat needs to connect to your Azure tenant. This article explains each consent required to access and use YakChat in your Microsoft environment.

YakChat Messaging App

Microsoft 365 consent is required for a user to sign in to the YakChat messaging app; this consent can be provided by the user without administrative permissions. A user cannot provide consent for access to Microsoft 365 contacts (Outlook, SharePoint and Active Directory). You will need your Microsoft Azure Global Administrator to provide consent to enable access to Microsoft 365 contacts.

A Microsoft consent window will be displayed the first time you sign in to YakChat unless your Microsoft Administrator has granted consent on your behalf. An explanation of each part of the scope that the user needs to approve is provided in the table below.
When adding YakChat using the Microsoft Teams Admin Portal, the Administrator does not need to grant consent for users to be able to access the messaging app. However, if consent is not granted, each user will need to provide their own consent when they first sign in to the YakChat messaging app.

Type | Azure Claim | Microsoft Consent Window | Description | Reason
User | openid* | Sign you in and read your profile | Allows users to sign in to the app with their work or school accounts and allows the app to see basic user profile information. | Enables the user to sign in using SSO.
User | User.Read* | Sign you in and read your profile | Allows users to sign in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | Required to enable the user to sign in using SSO if User.Read has not been delegated by an admin.
User | user_Impersonation | Not displayed | Allows access to the YakChat API. | Provides permission for the YakChat app to access the YakChat API.
Application | TeamsActivity.Send | Send a teamwork activity to any user | Allows the app to create new notifications in users' teamwork activity feeds on behalf of the signed-in user. | Enables the YakChat app to send Teams Activity notifications if selected.


A Microsoft Administrator can grant consent on behalf of their organization. This eliminates the need for each user to provide consent when they first use the YakChat messaging app (the permission is delegated) and allows users to access the Microsoft 365 contacts they have permission to access, as controlled by their Microsoft user profile.

Permission can be granted when the Administrator first signs in to the YakChat messaging app, or through the Microsoft Teams or Azure Administration Portal. An explanation of each part of the scope that the user needs to approve is provided in the table below.


Type | Azure Claim | Microsoft Consent Window | Description | Reason
Delegated | user_Impersonation* | Not displayed | Allows access to the YakChat API. | Provides permission for the YakChat app to access the YakChat API.
Application | TeamsActivity.Send | Send a teamwork activity to any user | Allows the app to create new notifications in users' teamwork activity feeds on behalf of the signed-in user. | Enables the YakChat app to send Teams Activity notifications if selected.
Delegated | Directory.Read.All | Read directory data | Allows the app to read data in your organization's directory, such as users, groups and apps. | Only required if access to Active Directory contacts is required.
Delegated | User.Read | Sign in and read user profile | Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. | Enables users to sign in to the app without individually providing their permission (User.Read).
Delegated | Contacts.Read | Read user contacts | Allows the app to read the user's contacts. | Only required to access Outlook contacts.
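As an added example (not YakChat's or Microsoft's code), the check below applies the distinction made above between an Administrator granting consent for the whole organization and a user consenting only for themselves: it takes consent grant records in the shape Microsoft Graph returns and reports which of the documented permissions still lack tenant-wide admin consent, so users would still be prompted. The service principal IDs and grant records are constructed placeholders, not values from a real tenant.

```python
"""Audit Microsoft Entra consent grants for an app such as YakChat.

Added example, not YakChat's own code. The records mirror the shape Microsoft
Graph returns for /oauth2PermissionGrants (delegated permissions) and, already
resolved to the role's value, for appRoleAssignments (application permissions).
All IDs and grant data below are constructed sample data, not a real tenant.
"""

# Delegated permissions the admin-consent table above lists for the Messaging App.
EXPECTED_DELEGATED = {"User.Read", "Directory.Read.All", "Contacts.Read"}
# The one application permission the table lists.
EXPECTED_APPLICATION = {"TeamsActivity.Send"}

GRAPH_SP_ID = "graph-sp-placeholder"  # constructed; stands in for the Microsoft Graph service principal
# Constructed sample: one tenant-wide admin grant plus one user's own consent grant.
SAMPLE_GRANTS = [
    {"clientId": "yakchat-sp", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": GRAPH_SP_ID, "scope": "User.Read Directory.Read.All"},
    {"clientId": "yakchat-sp", "consentType": "Principal", "principalId": "user-1",
     "resourceId": GRAPH_SP_ID, "scope": "openid User.Read"},
]
# Constructed sample application permission, resolved from appRoleId to its value.
SAMPLE_APP_ROLES = [{"resourceId": GRAPH_SP_ID, "appRoleValue": "TeamsActivity.Send"}]


def audit_consent(grants, app_roles, expected_delegated, expected_application,
                  resource_id=GRAPH_SP_ID):
    """Split delegated grants into admin (tenant-wide) and per-user consent and
    report documented permissions that still lack admin consent."""
    tenant_wide, per_user = set(), {}
    for g in grants:
        if g["resourceId"] != resource_id:
            continue  # grant targets another resource, e.g. the YakChat API itself
        scopes = set(g["scope"].split())  # Graph stores scopes space-separated
        if g["consentType"] == "AllPrincipals":  # admin consented for the whole org
            tenant_wide |= scopes
        else:  # "Principal": a single user consented only for themselves
            per_user.setdefault(g["principalId"], set()).update(scopes)
    granted_app = {r["appRoleValue"] for r in app_roles if r["resourceId"] == resource_id}
    return {
        "tenant_wide": tenant_wide,
        "per_user": per_user,
        # Users are still prompted for these until an Administrator grants them.
        "missing_admin_consent": expected_delegated - tenant_wide,
        "missing_application": expected_application - granted_app,
        # Anything consented beyond the documented list deserves a second look.
        "unexpected": (tenant_wide | granted_app) - expected_delegated - expected_application,
    }


if __name__ == "__main__":
    for key, value in audit_consent(SAMPLE_GRANTS, SAMPLE_APP_ROLES,
                                    EXPECTED_DELEGATED, EXPECTED_APPLICATION).items():
        print(f"{key}: {value}")
```

With the sample data, Contacts.Read is reported as missing admin consent: the Administrator granted User.Read and Directory.Read.All tenant-wide, but only one user has consented for themselves beyond that.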



YakChat Admin Portal

Users assigned a YakChat Admin role can access the YakChat Admin Portal. The Admin Portal uses Microsoft authentication and therefore requires user consent to be provided when signing in to the Admin Portal for the first time. An explanation of each part of the scope that the user needs to approve is provided in the table below.

Type | Azure Claim | Microsoft Consent Window | Description | Reason
User | User.Read* | Sign you in and read user profile | Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. | Enables the user to sign in. When a Microsoft Administrator provides consent, this is delegated so that permission is not requested when other users sign in.


 


Text 365 Mobile App

A user cannot provide consent because the Text365 app accesses Microsoft 365 contacts by default. A Microsoft Administrator needs to grant consent for the YakChat Text365 mobile app on behalf of their organization. The consent required is the same as for the YakChat Messaging App, with the addition of offline_access. An explanation of each part of the scope that needs to be approved is provided in the table below.


Type | Azure Claim | Microsoft Consent Window | Description | Reason
Delegated | user_Impersonation* | Not displayed | Allows access to the YakChat API. | Provides permission for the YakChat app to access the YakChat API.
Application | TeamsActivity.Send | Send a teamwork activity to any user | Allows the app to create new notifications in users' teamwork activity feeds on behalf of the signed-in user. | Enables the YakChat app to send Teams Activity notifications if selected.
Delegated | Directory.Read.All | Read directory data | Allows the app to read data in your organization's directory, such as users, groups and apps. | Only required if access to Active Directory contacts is required.
Delegated | User.Read | Sign in and read user profile | Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. | Enables users to sign in to the app without individually providing their permission (User.Read).
Delegated | Contacts.Read | Read user contacts | Allows the app to read the user's contacts. | Only required to access Outlook contacts.
Delegated | offline_access | Maintain access to data you have given it access to | Allows the app to read and update user data, even when they are not currently using the app. | Enables the mobile app to maintain access while not in focus.