Permissions
When the "LiveTiles Intranet Hub" app is deployed, a set of permission requests is created that must be approved in the "API Management" section of the SharePoint Admin Center.
Please be aware that you might not need all of these permissions if you do not use the functionality that requires them. All of them are delegated permissions: everything is executed under the current user, so users can only load data they are allowed to access anyway. All calls to Microsoft Graph are made directly from the user's browser; the hub's configuration is the only thing we store in our database. Note that a permission approved in the SharePoint Admin Center is granted tenant-wide to the SharePoint Online Client Extensibility service principal, so any SharePoint Framework solution in the tenant can use it, not only this app. Review the list below before approving.
The following list explains which permissions we request and why. You can also consult the Microsoft Graph permissions reference.
MatchPoint Hub (required)
user_impersonation
Allows us to call our configuration API, where the configuration of the intranet as well as user-specific settings are stored. This permission is required.
Microsoft Graph
User.Read
Allows us to read the current user's profile. This is used to load the user's profile information so that the user's properties can be used in conditions.
User.Read.All
Allows us to read the profiles of all users, e.g. to aggregate them in a contacts/people widget or to use Graph for the global search.
https://docs.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0&tabs=http
People.Read
Allows us to retrieve the current user's relevant people list (i.e. "people", not Outlook contacts). This is used in the Communication Widget provided in the default configuration.
Contacts.Read
Allows us to read the current user's Outlook contacts. This is currently not used in the default configuration.
Mail.Read
Allows us to read the current user's mail. This is used, for example, in the Communication Widget provided in the default configuration.
Calendars.Read
Allows us to read the current user's calendar. This is used in the schedule widget in the default configuration.
Calendars.Read.Shared
Allows us to read all calendars the current user has access to, including shared calendars. This functionality is not used in the default configuration.
Sites.Read.All
Allows us to read items in all site collections the current user has access to. This is used, for example, to retrieve the user's trending or recently used documents.
https://docs.microsoft.com/en-us/graph/api/insights-list-trending?view=graph-rest-1.0
https://docs.microsoft.com/en-us/graph/api/insights-list-used?view=graph-rest-1.0
Group.Read.All
Allows us to read groups and their properties. This is used by the TeamsDataProvider and to detect whether a site collection has an associated team, so that a link can be shown in the global search results.
ExternalItem.Read.All
Allows us to query data from Microsoft Search connectors. This can be omitted if the dataProvider_msSearch data provider is not used.
Microsoft 365 Exchange Online
Tasks.Read
Allows us to load the current user's tasks from Outlook/To Do. This is currently not used in the default configuration.
Condense API
user_impersonation
Allows us to perform calls to the LiveTiles Reach API under the current user. This is not required if you do not use LiveTiles Reach.
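Because every approval above applies tenant-wide, a practitioner will usually want to approve only the scopes their configuration actually uses and deny the rest, rather than clicking through the whole batch in the Admin Center. The following PowerShell script is an added example, not part of the LiveTiles/MatchPoint documentation, and uses PnP.PowerShell (Connect-PnPOnline, Get-PnPTenantServicePrincipalPermissionRequests, Approve-/Deny-PnPTenantServicePrincipalPermissionRequest, Get-PnPTenantServicePrincipalPermissionGrants). The admin URL, the package name filter and the contents of the allow-list are assumptions to be adjusted for your tenant; the property names used on the request objects (Id, Resource, Scope, PackageName, PackageVersion) should be checked against your installed module version.

```powershell
# Added example: approve only the permission requests this tenant needs, deny the rest.
# Assumes PnP.PowerShell is installed and the caller is a SharePoint administrator.
Import-Module PnP.PowerShell
Connect-PnPOnline -Url "https://contoso-admin.sharepoint.com" -Interactive   # placeholder tenant

# Placeholder: only touch requests coming from this package, leave other solutions alone.
$packageFilter = 'livetiles-intranet-hub'

# Scopes this tenant needs, in "Resource/Scope" form, derived from the list above.
# Example: Mail.Read and Calendars.Read are kept because the default Communication and
# schedule widgets are used; Contacts.Read, Calendars.Read.Shared, Tasks.Read and
# ExternalItem.Read.All are left out because their widgets/data providers are not used.
$needed = @(
    'MatchPoint Hub/user_impersonation'    # always required (configuration API)
    'Microsoft Graph/User.Read'
    'Microsoft Graph/User.Read.All'
    'Microsoft Graph/People.Read'
    'Microsoft Graph/Mail.Read'
    'Microsoft Graph/Calendars.Read'
    'Microsoft Graph/Sites.Read.All'
    'Microsoft Graph/Group.Read.All'
)

$pending = Get-PnPTenantServicePrincipalPermissionRequests
foreach ($req in $pending) {
    if ($req.PackageName -notlike "*$packageFilter*") {
        Write-Host "Skipping $($req.Resource)/$($req.Scope): requested by $($req.PackageName)"
        continue
    }
    $key = "$($req.Resource)/$($req.Scope)"
    if ($needed -contains $key) {
        Write-Host "Approving $key ($($req.PackageName) $($req.PackageVersion))"
        Approve-PnPTenantServicePrincipalPermissionRequest -RequestId $req.Id -Force
    } else {
        Write-Host "Denying $key: not in the allow-list for this tenant"
        Deny-PnPTenantServicePrincipalPermissionRequest -RequestId $req.Id -Force
    }
}

# Afterwards, review what the SharePoint Online Client Extensibility principal can now do
# on behalf of users; anything listed here is usable by every SPFx solution in the tenant.
Get-PnPTenantServicePrincipalPermissionGrants | Select-Object Resource, Scope | Sort-Object Resource, Scope
```

A denied scope can be requested again by redeploying the package, so the script is safe to rerun after a configuration change; conversely, a widget whose scope was denied will fail its Graph call for that user until the grant is added.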