Permissions
The following enterprise applications are used to grant permissions for Poly Services to access various portions of an Office 365 tenant. There are currently two applications specific to the Poly RealConnect Service which are used to onboard/manage the service and to allow the service access to Microsoft Teams meetings. There are two additional applications for the Poly One Touch Dial Service which allow for management of the service and access to Microsoft Exchange Online.
| Name | Application ID |
|---|---|
| Polycom RealConnect for Office 365 | d46cf366-f046-4291-9ecb-a00b8dc39a83 |
| Polycom RealConnect for Microsoft Teams | a39192d4-7b9b-4c07-87d7-cbcd3fd97af7 |
| Polycom One Touch Dial Portal | 825e7785-63db-4551-8241-316dad7cf464 |
| Polycom One Touch Dial Service | 500e702f-0145-4462-b2a6-d00e35b92d45 |
Some or all of these apps may need to be approved, depending on which functionality is required.
The approval process for each app is covered in detail under the Enable Services section of the documentation; the additional details here are provided so that a tenant can review the permission requests before starting the actual configuration process.
Once approved, each application can be reviewed and managed in the Enterprise applications section of the Azure Active Directory admin center.
If, after deployment, the RealConnect Service and/or the One Touch Dial Service is no longer needed, the corresponding Poly apps can be removed from the tenant using the Azure portal.
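The same review and removal can be scripted rather than clicked through in the portal. The following is an added example, not part of the Poly documentation: it uses the Microsoft Graph PowerShell SDK (assumed installed, `Install-Module Microsoft.Graph`) to check which of the four Poly applications above have been consented in the tenant, list exactly which delegated scopes and application roles each one holds, and, optionally, remove one that is no longer needed. Consent creates a service principal in the tenant, so an application with no service principal has not been approved.

```powershell
# Added example (not Poly's code). Application IDs are the ones from the table above;
# the scopes requested from Graph are an assumption sufficient for reading service
# principals and grants and for deleting a service principal.
$polyApps = @{
    'Polycom RealConnect for Office 365'      = 'd46cf366-f046-4291-9ecb-a00b8dc39a83'
    'Polycom RealConnect for Microsoft Teams' = 'a39192d4-7b9b-4c07-87d7-cbcd3fd97af7'
    'Polycom One Touch Dial Portal'           = '825e7785-63db-4551-8241-316dad7cf464'
    'Polycom One Touch Dial Service'          = '500e702f-0145-4462-b2a6-d00e35b92d45'
}

Connect-MgGraph -Scopes 'Directory.Read.All', 'Application.ReadWrite.All'

foreach ($name in $polyApps.Keys) {
    $appId = $polyApps[$name]

    # The service principal is what consent creates; none present means not approved.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
    if (-not $sp) {
        Write-Host "$name ($appId): not present in this tenant"
        continue
    }
    Write-Host "$name ($appId): service principal $($sp.Id)"

    # Delegated scopes granted to the app (e.g. User.Read, Calendars.Read.Shared, offline_access).
    # ConsentType 'AllPrincipals' means admin consent on behalf of the organization;
    # 'Principal' means a single user consented for themselves.
    Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" | ForEach-Object {
        Write-Host "  delegated [$($_.ConsentType)]: $($_.Scope)"
    }

    # Application (app-only) roles, which run without a signed-in user
    # (e.g. Calendars.Read, OnlineMeetings.Read.All). AppRoleId is a GUID that must be
    # resolved against the resource service principal's AppRoles to get a readable name.
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id | ForEach-Object {
        $assignment = $_
        $resource = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
        $role = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
        Write-Host "  application: $($role.Value) on $($resource.DisplayName)"
    }
}

# Removing an app that is no longer needed (for instance RealConnect for Office 365 once
# onboarding is complete) deletes its service principal and, with it, every grant and
# role assignment listed above. Uncomment to actually remove:
# $sp = Get-MgServicePrincipal -Filter "appId eq '$($polyApps['Polycom RealConnect for Office 365'])'"
# Remove-MgServicePrincipal -ServicePrincipalId $sp.Id
```

Run it before and after each approval step: the output should show only the scopes listed in the corresponding Required Permissions section of this page, and a `Principal` consent type where the page says organization-wide consent was not needed.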
Polycom RealConnect for Office 365
This application is used to initially provision a Microsoft tenant for the RealConnect Service, and to allow a user in that tenant who is assigned the Global Admin role to access the RealConnect Service management portal (https://webapp.plcm.vc). The following request will appear automatically after signing into the administration portal.
Required Permissions
- View your basic profile: Allows the app to see your basic profile (name, picture, user name).
- Access the directory as you: Allows the app to have the same access to information in your work or school directory as you do.
- Maintain access to data you have given it access to: Allows the app to see and update the data you gave it access to, even when you are not currently using the app. This does not give the app any additional permissions.
The “Consent on behalf of your organization” option can be left unchecked, as this application can only be approved by a user assigned the Global Admin, Application Admin, or Cloud Application Admin role in the Microsoft tenant in any case. Consent for the signing-in user alone is sufficient both for the tenant onboarding process to complete and to give that same user access to the administration portal. If admin consent on behalf of the organization is granted instead, the only difference is that other Global Admin accounts in the same tenant can sign into the RealConnect Service administration portal without being prompted to approve this application themselves.
Upon approval the app will perform the following actions:
- Read the group membership of the user to validate the Global Administrator role.
- Read the Microsoft Tenant ID, country location, and verified domains to configure the tenant in Poly’s service database.
- Review the tenant’s current Skype for Business Online Plan 2 license count to calculate the required number of Cloud Video Interop add-in licenses to provide.
- Generate a globally unique Cloud Video Interop Tenant Key.
The application must be approved to successfully setup the Microsoft tenant to use the RealConnect Service, but it can be removed from the tenant once the configuration has been completed, as it is not required for ongoing functionality of the service.
If removed, then any future access to the RealConnect administration portal would require the application to be temporarily reapproved. Typically, the administration portal would only need to be accessed again to perform infrequent administrative tasks like activating new Poly licenses, or refreshing the count of Microsoft Office 365 add-in licenses for Skype for Business Online (not applicable to Microsoft Teams).
Polycom RealConnect for Microsoft Teams
This application only needs to be approved if using the RealConnect Service for Microsoft Teams meetings. If the RealConnect Service is only being used with Skype for Business, then this app will not be needed.
The following request will appear when visiting the link to grant consent which is provided under the Teams Configuration section in the RealConnect Service administration portal.
Required Permissions
- Access media streams in a call as an app: Allows the app to get direct access to media streams in a call, without a signed-in user.
- Join group calls and meetings as an app: Allows the app to join group calls and scheduled meetings in your organization, without a signed-in user. The app will be joined with the privileges of a directory user to meetings in your organization.
- Read online meeting details: Allows the app to read online meeting details in your organization, without a signed-in user.
- Sign in and read user profile: Allows users to sign in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.
This app allows the RealConnect Service to function by letting the service locate and connect to Microsoft Teams meetings in the Microsoft tenant. Because the first three permissions above are application permissions that operate without a signed-in user, the request requires admin consent. The app must be approved and cannot be removed from the tenant; otherwise calls into the service will be unable to join any Teams meeting.
Polycom One Touch Dial Portal
This application is simply used for authentication when accessing the administration portal (https://otd.plcm.vc) for the Poly One Touch Dial (OTD) service.
The following request will appear when signing into the OTD portal for the first time and must be approved to access the portal.
Required Permissions
- Sign you in and read your profile: Allows you to sign in to the app with your organizational account and lets the app read your profile. It also allows the app to read basic company information.
- Maintain access to data you have given it access to: Allows the app to see and update the data you gave it access to, even when you are not currently using the app. This does not give the app any additional permissions.
The “Consent on behalf of your organization” option is not required. It is only presented when the approving user is also an administrator in the Microsoft 365 tenant, and admin consent is only needed if other users in the tenant who will also be set up as administrators in the One Touch Dial portal are not permitted to approve application requests themselves.
Polycom One Touch Dial Service
This application is used by the One Touch Dial Service to access calendar data stored in Exchange Online mailboxes. A user account assigned the Global Admin role in the Microsoft 365 tenant will need to be used to approve this application.
There are two different sets of permissions that this application can request, depending on which calendar integration option is selected in the OTD administration portal: either as an Application or with a Service Account. In either approach the application is limited to read access to only the Calendar folder of any mailbox it is permitted to access. The scope of which mailboxes can be accessed can be controlled by the Microsoft tenant.
Either option can be used to limit permissions to the same set of defined mailboxes, but via different steps. The Application model is currently recommended, as its configuration and management are simpler than the Service Account model. The Application model also supports environments where Exchange Online resource mailboxes exist for both accounts that were created directly online and accounts that were originally synchronized from an on-premises Active Directory environment. Note: the Service Account model can only access user mailboxes that were created using the same method as the service account itself.
Connect as Application
With this approach the app will request read access to calendar data in all mailboxes in the entire organization, but the scope of mailboxes the app is allowed to access can manually be limited by use of a custom mail-enabled security group. When using this approach, it is recommended to define a new Application Access Policy in Exchange Online prior to approving the application request to prevent even a brief period of access to all mailboxes in the organization.
The following request will appear after selecting the Connect as Application option under the Office 365 Calendar Integration section of the OTD administration portal.
Required Permissions
- Read calendars in all mailboxes: Allows the app to read events of all calendars without a signed-in user.
- Read directory data: Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user.
- Sign in and read user profile: Allows users to sign in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.
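The Application Access Policy recommended above, as an added example that is not part of the Poly documentation. It uses the Exchange Online PowerShell module (assumed installed, `Install-Module ExchangeOnlineManagement`) to create a mail-enabled security group, scope the One Touch Dial Service's application-level calendar access to that group's members, and then test the policy against a member and a non-member. The group name and mailbox addresses are placeholders; the Application ID is the one from the table above. Do this before approving the consent request, so there is no window in which the app can read every calendar in the organization.

```powershell
# Added example (not Poly's code). Group name, domain and mailbox addresses are assumed.
Connect-ExchangeOnline

$otdAppId   = '500e702f-0145-4462-b2a6-d00e35b92d45'   # Polycom One Touch Dial Service
$scopeGroup = 'OTD-CalendarAccess@contoso.com'        # assumed mail-enabled security group

# The policy scope must be a mail-enabled security group; its members are the only
# mailboxes the app will be allowed to read.
New-DistributionGroup -Name 'OTD-CalendarAccess' -Type Security -PrimarySmtpAddress $scopeGroup
Add-DistributionGroupMember -Identity $scopeGroup -Member 'room-boardroom@contoso.com'
Add-DistributionGroupMember -Identity $scopeGroup -Member 'room-huddle@contoso.com'

# RestrictAccess: the app may access only mailboxes in the scope group. This applies to
# the app's Calendars.Read application permission once it is consented.
New-ApplicationAccessPolicy -AppId $otdAppId -PolicyScopeGroupId $scopeGroup `
    -AccessRight RestrictAccess -Description 'Limit Poly OTD Service to room calendars'

# Verify before and after consent. Expect AccessCheckResult 'Granted' for a member
# and 'Denied' for any other mailbox. Policy changes can take some time to propagate,
# so re-run the test if the result is not yet what you expect.
Test-ApplicationAccessPolicy -Identity 'room-boardroom@contoso.com' -AppId $otdAppId
Test-ApplicationAccessPolicy -Identity 'ceo@contoso.com' -AppId $otdAppId

# Review all policies currently in place, including this one.
Get-ApplicationAccessPolicy | Format-List AppId, ScopeName, AccessRight, Description
```

Adding a mailbox to the OTD service later is then a group membership change, not a policy change, which keeps the policy itself stable and auditable.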
Connect with Service Account
This approach requests read access to only the mailboxes that a single user account has access to. This is done by creating a dedicated service account in the tenant and delegating to it rights on the desired mailboxes. The app uses this service account when connecting to Exchange Online and is therefore limited to reading calendar data in only the mailboxes accessible to that account. The following request will appear after selecting the Connect with Service Account option under the Office 365 Calendar Integration section of the OTD administration portal and providing the credentials of the desired service account.
Required Permissions
- Sign you in and read your profile: Allows you to sign in to the app with your organizational account and lets the app read your profile. It also allows the app to read basic company information.
- Read your calendars: Allows the app to read events in your calendars.
- Read calendars you can access: Allows the app to read events in all calendars that you can access, including delegate and shared calendars.
- Maintain access to data you have given it access to: Allows the app to see and update the data you gave it access to, even when you are not currently using the app. This does not give the app any additional permissions.
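A least-privilege way to delegate the service account's rights, as an added example that is not part of the Poly documentation. Since the page states the app only reads the Calendar folder, the service account is given Reviewer (read-only) permission on each room mailbox's Calendar folder rather than Full Access to the whole mailbox; whether Poly's own guidance specifies a different permission level is not covered here, so treat Reviewer as an assumption to verify. The account and mailbox names are placeholders, and the folder path assumes the default English folder name "Calendar" (it is localized in other languages).

```powershell
# Added example (not Poly's code). Service account and room mailboxes are assumed names.
Connect-ExchangeOnline

$svc   = 'otd-svc@contoso.com'   # assumed: dedicated, licensed cloud account used only by OTD
$rooms = 'room-boardroom@contoso.com', 'room-huddle@contoso.com'

foreach ($room in $rooms) {
    # Folder-level identity: <mailbox>:\<folder>. Braces keep PowerShell from reading
    # "$room:" as a drive or scope qualifier.
    $folder = "${room}:\Calendar"

    # Set rather than Add if an entry already exists, so rights never silently accumulate.
    $existing = Get-MailboxFolderPermission -Identity $folder -User $svc -ErrorAction SilentlyContinue
    if ($existing) {
        Set-MailboxFolderPermission -Identity $folder -User $svc -AccessRights Reviewer
    } else {
        Add-MailboxFolderPermission -Identity $folder -User $svc -AccessRights Reviewer
    }
}

# Audit what the service account can reach. Anything beyond Reviewer on \Calendar,
# or any mailbox outside $rooms, means the account is over-privileged for this purpose.
foreach ($room in $rooms) {
    Get-MailboxFolderPermission -Identity "${room}:\Calendar" -User $svc |
        Select-Object Identity, User, AccessRights
}

# Also confirm no one granted the account mailbox-wide Full Access by another route.
foreach ($room in $rooms) {
    Get-MailboxPermission -Identity $room -User $svc -ErrorAction SilentlyContinue |
        Select-Object Identity, User, AccessRights
}
```

Because this model signs in as the service account and requests the delegated "Read calendars you can access" permission, the set of mailboxes the app sees is exactly the set of Calendar folders the account has been granted; removing a folder permission removes that mailbox from the service without touching the app's consent.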