The ZIRO Platform uses a combination of Microsoft's Graph API and the Teams PowerShell Module to perform actions within the Microsoft tenant, following the principle of least privilege.
Below is a list of use cases and the least privileges required to perform those actions via the Graph API.
Microsoft Teams Communications Administrator Role - Required
The ZIRO Platform requires the Teams Communications Administrator role to programmatically access your Microsoft Teams tenant through the Microsoft Teams PowerShell Module (TPM).
Transactions such as:
- Assigning Teams Policies
- Assigning Phone Number / LineURI
- Building Custom Reports about Teams Configurations
- Managing Devices
are only available through PowerShell and are not yet available through Microsoft's Graph API.
IMPORTANT: The Microsoft Teams PowerShell Module only supports Entra built-in roles. Microsoft does not support custom roles or Graph API roles for this purpose.
See Setting up App Registration for ZPM in Entra ID for how to assign the role to your App Registration.
Implicit Microsoft Graph Access via the Teams Communications Administrator Role
Assigning the Teams Communications Administrator role to a user or service principal does not explicitly grant Microsoft Graph permissions (such as Group.Read.All or Directory.Read.All). Instead, the role provides directory-level RBAC privileges within Microsoft Entra ID, which Microsoft Graph recognizes during authorization checks.
As a result, certain Graph endpoints—such as listing users or groups—may succeed even though the application does not show those Graph permissions in its API permission list. This occurs because directory roles can implicitly allow operations on directory objects when Graph evaluates the caller’s Entra role assignments.
Note: Because this access is implicit and tied to directory role privileges rather than explicit API consent, our application still requests the specific Microsoft Graph permissions required for its functionality. This ensures that required capabilities are explicitly granted, transparent, and least-privileged, rather than relying on implicit access derived from directory role assignments.
Graph API Roles
In addition to the Teams Communications Administrator Role, the ZIRO Platform requires specific graph roles to perform certain actions against your Microsoft Tenant. Some are required, while others are optional, depending on the features you want to enable in the ZIRO Platform.
Graph permissions need to be assigned as Application Permissions (Not Delegated)
Why are Application Permissions Required?
- ZPM is an enterprise application that runs numerous background tasks and jobs that cannot be scoped to a single user with delegate access.
- ZPM offers the ability to integrate with third-party tools (e.g., ServiceNow) using RESTful API integrations and zero-touch automation, in cases where interactive browser-based authentication using delegated access is not feasible.
- ZPM requires all users to sign in using Single Sign-On (SSO), where Two-Factor Authentication (2FA) is highly recommended. The application authorizes users based on their security group or direct role assignment in the app, providing a more comprehensive Role-Based Access Control (RBAC) than Microsoft’s current Entra ID roles and administrative unit assignments.
Summary of Roles and Use Cases
The following table provides the required and optional roles with their associated functional use cases in ZPM.
| Use Case | Required | Least Permission | Higher Privileged Permissions | Microsoft API Doc |
|---|---|---|---|---|
| Teams PowerShell Module - Managing Teams Voice & Device Settings | | Teams Communications Administrator | Teams Administrator | Microsoft Teams PowerShell Overview - Microsoft Teams (Microsoft Learn) |
| Searching and Displaying User Details in 360 View | | User.Read.All | User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All | Get user - Microsoft Graph v1.0 (Microsoft Learn) |
| Assign Teams Phone Number | | TeamsTelephoneNumber.ReadWrite.All | | numberAssignment: assignNumber - Microsoft Graph v1.0 (Microsoft Learn) |
| Read/Write Teams User Configuration & Policies | | TeamsUserConfiguration.Read.All | | Get teamsUserConfiguration - Microsoft Graph v1.0 (Microsoft Learn) |
| Read/Write Teams User Policies | | TeamsPolicyUserAssign.ReadWrite.All | | teamsPolicyUserAssignment: assign - Microsoft Graph v1.0 (Microsoft Learn) |
| Search and View Licenses | | LicenseAssignment.Read.All | Organization.Read.All, Directory.Read.All, Directory.ReadWrite.All, Organization.ReadWrite.All, LicenseAssignment.ReadWrite.All | List subscribedSkus - Microsoft Graph v1.0 (Microsoft Learn) |
| Direct License Assignment | optional | LicenseAssignment.ReadWrite.All | User.ReadWrite.All, Directory.ReadWrite.All | user: assignLicense - Microsoft Graph v1.0 (Microsoft Learn) |
| List Groups and Members | optional | GroupMember.Read.All | GroupMember.ReadWrite.All | List groups - Microsoft Graph v1.0 (Microsoft Learn) |
| Edit Group Members | optional | | GroupMember.ReadWrite.All | Add members - Microsoft Graph v1.0 (Microsoft Learn) |
| Update Usage Location | optional | LicenseAssignment.ReadWrite.All | User.ReadWrite.All, Directory.ReadWrite.All | Update user - Microsoft Graph v1.0 (Microsoft Learn) |
| Managing Teams Devices | optional | TeamworkDevice.ReadWrite.All | | List teamworkDevices - Microsoft Graph beta (Microsoft Learn) |
| Reading PSTN Records for Utilization Reports & Call Record Finder | optional | CallRecords.Read.All | | List callRecords - Microsoft Graph v1.0 (Microsoft Learn) |
| Create Users and Resource Accounts | optional | User.ReadWrite.All | | New-CsOnlineApplicationInstance (MicrosoftTeams) (Microsoft Learn) |
The Teams Communications Administrator is not a Graph role; it is an Entra ID role that must be assigned via PIM.
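The following is an added example, not ZIRO's own code: it audits the Microsoft Graph grants on an app registration against the least-privilege matrix in the table above, flagging permissions from the "Higher Privileged Permissions" column, permissions not in the table at all, and any delegated consent (ZPM's background jobs need application permissions only). It assumes the input has already been resolved to permission names (the `value` of each granted appRole and the `scope` strings of any oauth2PermissionGrants on the service principal); the sample grant export is constructed.

```python
# Least permission per use case, taken from the "Least Permission" column above.
LEAST_PERMISSIONS = {
    "User.Read.All": "Searching and Displaying User Details in 360 View",
    "TeamsTelephoneNumber.ReadWrite.All": "Assign Teams Phone Number",
    "TeamsUserConfiguration.Read.All": "Read/Write Teams User Configuration & Policies",
    "TeamsPolicyUserAssign.ReadWrite.All": "Read/Write Teams User Policies",
    "LicenseAssignment.Read.All": "Search and View Licenses",
    "LicenseAssignment.ReadWrite.All": "Direct License Assignment / Update Usage Location",
    "GroupMember.Read.All": "List Groups and Members",
    "GroupMember.ReadWrite.All": "Edit Group Members",
    "TeamworkDevice.ReadWrite.All": "Managing Teams Devices",
    "CallRecords.Read.All": "Reading PSTN Records",
    "User.ReadWrite.All": "Create Users and Resource Accounts",
}
# Broader alternatives from the "Higher Privileged Permissions" column that
# are never the least permission for any ZPM use case.
HIGHER_PRIVILEGED = {
    "Directory.Read.All", "Directory.ReadWrite.All",
    "Organization.Read.All", "Organization.ReadWrite.All",
}


def audit_grants(app_role_values, delegated_scopes):
    """Bucket each granted application permission as least, over_privileged
    or unknown, and list every delegated scope found (any delegated grant is
    a finding, since ZPM authenticates as an application, not a user)."""
    report = {"least": [], "over_privileged": [], "unknown": [], "delegated": []}
    for value in sorted(set(app_role_values)):
        if value in LEAST_PERMISSIONS:
            report["least"].append(value)
        elif value in HIGHER_PRIVILEGED:
            report["over_privileged"].append(value)
        else:
            report["unknown"].append(value)  # not in the table: review it
    # oauth2PermissionGrant.scope is a space-separated string of scopes.
    report["delegated"] = sorted({s for scope in delegated_scopes for s in scope.split()})
    return report


def run_sample():
    # Constructed sample export for one service principal (assumption, not real data).
    granted = ["User.Read.All", "TeamsTelephoneNumber.ReadWrite.All",
               "Directory.ReadWrite.All", "CallRecords.Read.All", "Mail.Read"]
    delegated = ["User.Read openid profile"]
    return audit_grants(granted, delegated)
```

Feeding it a real export flags the Directory.ReadWrite.All grant and the delegated consent as deviations from the least-privilege matrix.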

