The ZIRO Platform uses a combination of Microsoft’s Graph API and the Microsoft Teams PowerShell Module to perform actions within the Microsoft tenant, following the principle of least privilege.
Below is a list of use cases and the least-privileged permissions required to perform those actions via the Graph API.
Microsoft Teams Administrator Role - Required
The ZIRO Platform requires the Teams Administrator role to programmatically access your Microsoft Teams tenant through the Microsoft Teams PowerShell Module (TPM).
Transactions such as:
- Assigning Teams Policies
- Assigning Phone Number / LineURI
- Building Custom Reports about Teams Configurations
- Managing Devices
are only available through PowerShell and are not yet available through Microsoft’s Graph API.
IMPORTANT: The Microsoft Teams PowerShell Module only supports Entra built-in roles. Microsoft does not support custom roles or Graph API roles for it.
Graph API Roles
In addition to the Teams Administrator role, the ZIRO Platform requires specific Graph roles to perform certain actions against your Microsoft tenant. Some are required, while others are optional, depending on the features you want to enable in ZPM.
Graph permissions need to be assigned as Application Permissions (not Delegated).
Why are Application Permissions Required?
- ZPM is an enterprise application that runs numerous background tasks and jobs that cannot be scoped to a single user with delegated access.
- ZPM offers the ability to integrate with third-party tools (e.g., ServiceNow) using RESTful API integrations and zero-touch automation in cases where interactive browser-based authentication with delegated access is not feasible.
- ZPM requires all users to sign in using Single Sign-On (SSO), where Two-Factor Authentication (2FA) is highly recommended. The application authorizes users based on their security group or direct role assignment in the app, providing a more comprehensive Role-Based Access Control (RBAC) than Microsoft’s current Entra ID roles and administrative unit assignments.
Summary of Roles and Use Cases
The following table provides the required and optional roles with their associated functional use cases in ZPM.
Use Case | Required | Least Permission | Higher Privileged Permissions
---|---|---|---
Managing Teams Voice & Device Settings | Required | Teams Administrator | 
Searching and Displaying User Details in 360 View | Required | User.Read.All | User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All
Search and View Licenses | Required | Organization.Read.All | Directory.Read.All, Directory.ReadWrite.All, Organization.ReadWrite.All
Read Teams User Configuration | Required in future | TeamsUserConfiguration.Read.All | 
Direct License Assignment | Optional | LicenseAssignment.ReadWrite.All | User.ReadWrite.All, Directory.ReadWrite.All
Update Usage Location | Optional | LicenseAssignment.ReadWrite.All | User.ReadWrite.All, Directory.ReadWrite.All
Edit Group Membership | Optional | GroupMember.ReadWrite.All | 
Managing Teams Devices | Optional | TeamworkDevice.ReadWrite.All | 
PSTN Call Records | Optional | CallRecords.Read.All | 
The Teams Administrator is not a Graph role; it is an Entra ID role that must be assigned via PIM.
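As an added example (not ZIRO's code), the following Python script decodes a Graph access token's claims and checks them against the table above. An app-only token obtained with client credentials carries its application permissions in the `roles` claim, whereas a delegated token carries its scopes in `scp`; that distinction is what "Application Permissions (not Delegated)" means in practice. The two tokens in the script are constructed and unsigned, and the decoder does not verify signatures; it is an inspection aid for confirming that the ZPM app registration was granted the least-privilege set rather than the broader alternatives.

```python
import base64
import json

# Least-privilege application permissions from the table on this page.
LEAST_PRIVILEGE = {
    "User.Read.All",
    "Organization.Read.All",
    "TeamsUserConfiguration.Read.All",
    "LicenseAssignment.ReadWrite.All",
    "GroupMember.ReadWrite.All",
    "TeamworkDevice.ReadWrite.All",
    "CallRecords.Read.All",
}

# Broader alternatives the table lists under "Higher Privileged Permissions".
HIGHER_PRIVILEGED = {
    "User.ReadWrite.All",
    "Directory.Read.All",
    "Directory.ReadWrite.All",
    "Organization.ReadWrite.All",
}

# Graph permissions the page describes as required (the others are optional or future).
REQUIRED = {"User.Read.All", "Organization.Read.All"}


def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Return a JWT's payload claims. Inspection only: the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT")
    return json.loads(_b64url_decode(parts[1]))


def audit_token(token):
    """Compare a Graph token's permissions with the least-privilege table."""
    claims = decode_claims(token)
    roles = set(claims.get("roles", []))          # application permissions (app-only token)
    scopes = set(claims.get("scp", "").split())   # delegated permissions (user token)
    return {
        "app_only": bool(roles) and not scopes,
        "delegated_scopes": sorted(scopes),
        "over_privileged": sorted(roles & HIGHER_PRIVILEGED),
        "unexpected": sorted(roles - LEAST_PRIVILEGE - HIGHER_PRIVILEGED),
        "missing_required": sorted(REQUIRED - roles),
    }


def make_unsigned_token(claims):
    """Build a constructed, unsigned JWT for this offline demo (real tokens are signed by Entra ID)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "none", "typ": "JWT"}
    return enc(header) + "." + enc(claims) + "."


# Constructed sample tokens: an app-only token that was granted a broader
# alternative, and a delegated token that should not be used for ZPM at all.
SAMPLE_APP_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "roles": ["User.Read.All", "Organization.Read.All", "Directory.ReadWrite.All"],
})
SAMPLE_DELEGATED_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "scp": "User.Read.All Organization.Read.All",
})

if __name__ == "__main__":
    for name, tok in [("app-only", SAMPLE_APP_TOKEN), ("delegated", SAMPLE_DELEGATED_TOKEN)]:
        print(name, json.dumps(audit_token(tok), indent=2))
```

Run `audit_token()` on a token the ZPM service principal actually received: a non-empty `over_privileged` list means a "Higher Privileged Permissions" alternative was consented to where the "Least Permission" column would do, and `app_only` being false means the token was issued for a signed-in user rather than the application.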
Search and Displaying User Details in 360 View
Function Name: user: Get a user
ZIRO requires the ability to search for users and display their details in the 360 view (name, e-mail, picture, etc.).
Search and View Licenses
Function Name List subscribedSkus
ZIRO requires the ability to view license details to correctly enable PSTN voice for users and assign numbers. For example, feedback is provided when a user is not licensed for voice and therefore cannot be assigned a number.
Read Teams User Configuration [ Future Requirement ]
We have noticed a new role being introduced in the Microsoft Graph API, allowing the application to read your tenant’s Microsoft Teams User configurations such as telephone number, assigned policies, etc.
Although this functionality is not available in Graph today, we ask that you enable the role in preparation for its eventual use.
Read more: Microsoft Graph permissions reference - Microsoft Graph | Microsoft Learn
Direct License Assignment
Function Name: user: assignLicense
Ref. user: assignLicense - Microsoft Graph v1.0 | Microsoft Learn
Users requiring a license with a Phone System Service Plan (e.g., Phone System, E5) can be licensed directly with ZPM.
Update Usage Location
Function Name: user: update
Ref. Update user - Microsoft Graph v1.0 | Microsoft Learn
Updates a user’s usage location. This matters for both licensing and calling functionality (e.g., dial plan normalization rules; see What are dial plans? - Microsoft Teams | Microsoft Learn).
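As an added example (not ZIRO's code), the following Python shows the pre-flight checks that the three license-related use cases above imply (Search and View Licenses, Direct License Assignment, Update Usage Location). It reads data shaped like Graph's List subscribedSkus and Get a user responses, decides whether a user is actually licensed for voice (the Phone System service plan, which Microsoft names MCOEV in SKU data, present and not disabled), and only then builds the assignLicense request body, refusing when usageLocation is unset. All SKU, plan and user identifiers are constructed placeholders, and the requests are built but not sent.

```python
# Service plan name Microsoft uses for Teams Phone System inside a SKU.
PHONE_SYSTEM_PLAN = "MCOEV"


def phone_system_plan_ids(subscribed_skus, plan_name=PHONE_SYSTEM_PLAN):
    """Map skuId -> servicePlanId of the Phone System plan, for every SKU that contains it."""
    found = {}
    for sku in subscribed_skus:
        for plan in sku["servicePlans"]:
            if plan["servicePlanName"] == plan_name:
                found[sku["skuId"]] = plan["servicePlanId"]
    return found


def user_has_phone_system(user, subscribed_skus):
    """Voice readiness: the user holds a SKU containing Phone System and has not disabled that plan."""
    plans = phone_system_plan_ids(subscribed_skus)
    for lic in user.get("assignedLicenses", []):
        plan_id = plans.get(lic["skuId"])
        if plan_id and plan_id not in lic.get("disabledPlans", []):
            return True
    return False


def build_usage_location_update(user_id, country_code):
    """Return (path, body) for PATCH /users/{id}; usageLocation is a two-letter ISO 3166-1 code."""
    code = country_code.strip().upper()
    if len(code) != 2 or not code.isalpha():
        raise ValueError(f"invalid usageLocation {country_code!r}")
    return f"/users/{user_id}", {"usageLocation": code}


def build_assign_license_request(user, sku_id, subscribed_skus):
    """Return (path, body) for POST /users/{id}/assignLicense, after checking the conditions
    that would otherwise make the call fail: usageLocation set, SKU subscribed, a unit free."""
    if not user.get("usageLocation"):
        raise ValueError("usageLocation must be set before a license can be assigned")
    by_id = {s["skuId"]: s for s in subscribed_skus}
    if sku_id not in by_id:
        raise ValueError(f"SKU {sku_id} is not subscribed in this tenant")
    sku = by_id[sku_id]
    if sku["prepaidUnits"]["enabled"] - sku["consumedUnits"] <= 0:
        raise ValueError(f"no free units left on {sku['skuPartNumber']}")
    body = {"addLicenses": [{"skuId": sku_id, "disabledPlans": []}], "removeLicenses": []}
    return f"/users/{user['id']}/assignLicense", body


# Constructed sample data shaped like 'List subscribedSkus' and 'Get a user' responses.
SUBSCRIBED_SKUS = [
    {
        "skuId": "sku-e5-constructed", "skuPartNumber": "CONSTRUCTED_E5",
        "prepaidUnits": {"enabled": 10, "suspended": 0, "warning": 0}, "consumedUnits": 9,
        "servicePlans": [
            {"servicePlanId": "plan-mcoev-constructed", "servicePlanName": "MCOEV"},
            {"servicePlanId": "plan-teams1-constructed", "servicePlanName": "TEAMS1"},
        ],
    },
    {
        "skuId": "sku-e3-constructed", "skuPartNumber": "CONSTRUCTED_E3",
        "prepaidUnits": {"enabled": 50, "suspended": 0, "warning": 0}, "consumedUnits": 10,
        "servicePlans": [{"servicePlanId": "plan-teams1-constructed", "servicePlanName": "TEAMS1"}],
    },
]
USER_NO_LOCATION = {"id": "user-1-constructed", "usageLocation": None, "assignedLicenses": []}
USER_E3 = {"id": "user-2-constructed", "usageLocation": "US",
           "assignedLicenses": [{"skuId": "sku-e3-constructed", "disabledPlans": []}]}
USER_E5 = {"id": "user-3-constructed", "usageLocation": "CA",
           "assignedLicenses": [{"skuId": "sku-e5-constructed", "disabledPlans": []}]}

if __name__ == "__main__":
    for u in (USER_E3, USER_E5):
        print(u["id"], "voice-ready:", user_has_phone_system(u, SUBSCRIBED_SKUS))
    print(build_usage_location_update(USER_NO_LOCATION["id"], "us"))
    print(build_assign_license_request(USER_E3, "sku-e5-constructed", SUBSCRIBED_SKUS))
```

The order of the checks mirrors the order of the use cases: read the SKUs first, set the usage location if it is missing, and only then assign the license, so that the "not licensed for voice" feedback mentioned above can be given before a number assignment is attempted.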
Edit Group Membership
Function Name: Add/Remove members
Ref. Add members - Microsoft Graph v1.0 | Microsoft Learn
License and policy assignment can also be achieved through group membership. ZPM uses the Graph group-membership functions to add users to, and remove them from, groups.
Managing Teams Devices
Function Name: Get/List/Restart Teamwork Devices
Ref. teamworkDevice: restart - Microsoft Graph beta | Microsoft Learn
List and view individual Microsoft Teams devices. Restarting devices requires “Read” and “Write” permissions.
Call Records
Function Name: callRecord: getPstnCalls
Ref. callRecord: getPstnCalls - Microsoft Graph v1.0 | Microsoft Learn
COMING SOON - Call Record Reports in ZPM provide valuable insights regarding:
• PSTN Call Utilization: Understand how many PSTN calls are made and received by certain users.
• Teams Phone System Usage: Identify who uses the Teams Phone System for PSTN calls.