Microsoft 365 API Scopes

Details around each of the Microsoft Graph API scopes required by Fellow

Written by Amin Mirzaee

If you or your IT team are looking for more information about the Microsoft 365 API scopes required by Fellow, this article lists each scope and why Fellow asks for it.

Microsoft 365 Permissions

Fellow uses the OAuth 2.0 protocol to connect to Microsoft systems on behalf of users and access the necessary data. OAuth 2.0 limits what Fellow can access to the resources covered by the "scopes" it has been authorized for: a token issued for one set of scopes cannot be used to reach data outside them.

There are two sets of scopes that Fellow can use, depending on which integrations you have enabled. The scopes in the categories below must be authorized by each individual user when they sign in to the Fellow application (these are "delegated" scopes).

  • Base scopes are required in order to log into Fellow and to use Fellow with a Microsoft 365 calendar.

  • [optional] Microsoft Teams scopes are required in order to use Fellow with Microsoft Teams. If you do not use Microsoft Teams, or choose not to install the Fellow app inside your Teams instance, you do not need to authorize these scopes.

Additionally, Microsoft has the concept of "application" permissions (as opposed to delegated scopes). An admin can grant these to Fellow for the whole Microsoft Entra ID (Azure AD) tenant through admin consent, so that Fellow can access data for all users in the tenant without each user signing in and authorizing it individually.
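The practical difference between the two kinds of grant shows up in the access token Microsoft issues: a delegated token carries a space-separated scp claim plus the signed-in user's identity, while an application token carries a roles list and no user. The following script, added here as an example and not part of Fellow's own code or this article, inspects a Microsoft Graph token's claims, tells the two kinds apart, and reports any Graph permission beyond the base delegated scopes or application permissions listed on this page. The sample tokens are constructed and unsigned; the script only decodes claims and does not validate a signature.

```python
import base64
import json

# Delegated "base" scopes listed in this article.
FELLOW_BASE_SCOPES = {"Calendars.ReadWrite", "User.Read", "People.Read", "offline_access"}
# Application permissions listed in this article for a tenant-wide install.
FELLOW_APP_PERMISSIONS = {
    "Calendars.ReadWrite", "User.Read.All", "People.Read.All",
    "Directory.Read.All", "Group.Read.All",
}
# Microsoft Graph tokens carry one of these two audience values.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    This does NOT verify the signature; it is an inspection aid for a token
    you already obtained from Microsoft, not a validator.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(claims: dict) -> dict:
    """Tell a delegated token (scp) from an application token (roles) and
    list any Graph permission not covered by this article."""
    if claims.get("aud") not in GRAPH_AUDIENCES:
        raise ValueError(f"not a Microsoft Graph token: aud={claims.get('aud')!r}")
    if "scp" in claims:
        # Delegated: scp is a space-separated string; upn/oid name the user.
        granted = set(claims["scp"].split())
        kind, expected = "delegated", FELLOW_BASE_SCOPES
    elif "roles" in claims:
        # Application: roles is a JSON list; no user claims, since nobody signed in.
        granted = set(claims["roles"])
        kind, expected = "application", FELLOW_APP_PERMISSIONS
    else:
        raise ValueError("token carries neither scp nor roles")
    return {"kind": kind, "granted": granted, "unexpected": granted - expected}


def _fake_jwt(payload: dict) -> str:
    """Build an UNSIGNED constructed token for the demo; real tokens are RS256-signed."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample tokens (placeholder values, not issued by Microsoft).
DELEGATED_SAMPLE = _fake_jwt({
    "aud": "https://graph.microsoft.com",
    "upn": "alice@contoso.example",
    "scp": "Calendars.ReadWrite User.Read People.Read Mail.Read",
})
APPLICATION_SAMPLE = _fake_jwt({
    "aud": "00000003-0000-0000-c000-000000000000",
    "roles": ["Calendars.ReadWrite", "Directory.Read.All"],
})

if __name__ == "__main__":
    for name, tok in (("delegated", DELEGATED_SAMPLE), ("application", APPLICATION_SAMPLE)):
        print(name, classify_token(token_claims(tok)))
```

The check reports only excess permissions: offline_access is not itself a Graph permission (consenting to it yields a refresh token rather than an entry in scp), so a delegated token that omits it is not a problem, whereas a scope such as Mail.Read that this article never lists is.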

Delegated Scopes

Below is a list of all of the scopes that Fellow requires, along with the reasons behind each.

Base scopes

The following scopes govern what data Fellow can access from each user's Microsoft 365 account.

  • Calendars.ReadWrite

    Description: Have full access to user calendars.

    Request Reason: Core functionality for Fellow. This permission allows Fellow to create, read, update, and delete events in user calendars. As a Calendar-based tool, this permission is required for Fellow to perform its primary function.
    Note: while Fellow can see any attachment links attached to a calendar invite, we cannot access the contents of said links.

  • User.Read

    Description: Sign-in and read user profile

    Request Reason: Allows users to sign in to the app, and allows the app to read the profile of signed-in users (e.g. name, email). It also allows the app to read basic company information of signed-in users (e.g. company name).
    Note: This scope includes the following OpenID Connect (OIDC) scopes: email, openid, profile.

  • People.Read

    Description: Read users' relevant people lists

    Request Reason: Allows the app to read a scored list of people relevant to the signed-in user. This is used in order to facilitate sending notes to other users, allowing Fellow to make relevant suggestions.

  • offline_access

    Description: Access authorized data anytime

    Request Reason: Allows Fellow to access the required data at any time, without the user needing to actively be inside the Fellow app. Fellow requires "offline" access to calendar data for background syncing. This is required in order to keep calendars in sync and provide timely notifications.

[Optional] Microsoft Teams scopes

Scopes that Fellow only requires if it is to be used in conjunction with Microsoft Teams. These scopes will be incrementally requested when a user signs into the Fellow for Teams app.

  • Team.ReadBasic.All

    Description: Read the names and descriptions of teams

    Request Reason: Allows Fellow to get basic information about Teams, in order to be able to send notes and add the Fellow tab.
    Note: this does not provide the ability to read messages.

  • Channel.ReadBasic.All

    Description: Read the names and descriptions of channels.

    Request Reason: Allows users to post meeting notes to a given channel, which is listed in Fellow.
    Note that this only allows us to see what channels exist. It does not provide the ability to read messages.

  • [Optional] To auto-add a Fellow tab to all meetings in Microsoft Teams, the following additional permissions are required. To enable this feature, a Fellow Admin must go to the workspace settings and connect this additional integration.

    • AppCatalog.Read.All
      Description: Read all app catalogs
      Request Reason: Allows the app to read apps in the app catalogs. As a delegated scope this is done on behalf of the signed-in user, not without one.

    • OnlineMeetings.Read
      Description: Read Online Meeting details from the app
      Request Reason: Allows an app to read online meeting details on behalf of the signed-in user.

    • TeamsAppInstallation.ReadWriteForChat
      Description: Manage installed Teams apps in chats
      Request Reason: Allows Fellow to read a list of apps available in a chat, and to install Fellow if it is not already installed. Does not give the ability to read application-specific settings.

    • TeamsTab.ReadWriteForChat
      Description: Allow the Teams app to manage all tabs in chats
      Request Reason: Allows Fellow to read a list of tabs available in a chat, and to add a Fellow tab if it is not already installed.

Scopes for Application Grants

The following application permissions can be granted to Fellow when a Microsoft Entra ID (Azure AD) admin performs a tenant-wide install for all users in the tenant. If you are not sure what a tenant-wide install or an application permission is, these scopes do not apply to you.

  • Calendars.ReadWrite

    Description: Read and write calendars for all users in the tenant

    Request Reason: This permission allows Fellow to create, read, update, and delete events in user calendars. As a Calendar-based tool, this permission is required for Fellow to perform its primary function.
    Note: while Fellow can see any attachment links attached to a calendar invite, we cannot access the contents of said links.

  • User.Read.All

    Description: Read all users' full profiles in the tenant

    Request Reason: Allows the app to read the full set of profile properties, group membership, reports and managers of other users in your organization, without a signed-in user. This allows Fellow to keep the list of users in sync, including names, emails, and hierarchy information. This is also used to deprovision users when they are no longer active on the tenant.

  • People.Read.All

    Description: Read all users' relevant people lists

    Request Reason: Allows Fellow to search the entire directory of the organization without a signed-in user. This is used in order to get a full list of users, and to facilitate making suggestions.

  • Directory.Read.All

    Description: Read directory data

    Request Reason: Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user. This allows Fellow to keep the list of users in sync.

  • Group.Read.All

    Description: Read all groups

    Request Reason: Allows the app to list groups for all users, and to read their properties and all group memberships for all users. This also allows Fellow to read calendar, conversations, files, and other group content for all groups.
    Note: Fellow does not use this permission for anything other than to access group calendars to which it has been given explicit access.
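An IT team reviewing this install will usually want to confirm that the tenant's consent records match the lists above (both the delegated scopes and the application permissions) and nothing more. The script below is an added example, not Fellow's code or Microsoft's, that audits the two kinds of consent record Microsoft Graph exposes for an app's service principal: oauth2PermissionGrant objects (delegated consent; consentType "AllPrincipals" for admin consent or "Principal" for a single user) and appRoleAssignment objects (application permissions, identified by appRoleId and resolved through the Microsoft Graph service principal's appRoles). The sample records and their IDs are constructed placeholders shaped like the Graph responses.

```python
# Delegated scopes listed in this article: base, Teams, and the optional auto-tab set.
FELLOW_DELEGATED = {
    "Calendars.ReadWrite", "User.Read", "People.Read", "offline_access",
    "Team.ReadBasic.All", "Channel.ReadBasic.All",
    "AppCatalog.Read.All", "OnlineMeetings.Read",
    "TeamsAppInstallation.ReadWriteForChat", "TeamsTab.ReadWriteForChat",
}
# Application permissions listed for a tenant-wide install.
FELLOW_APPLICATION = {
    "Calendars.ReadWrite", "User.Read.All", "People.Read.All",
    "Directory.Read.All", "Group.Read.All",
}


def audit_consent(grants, role_assignments, resource_app_roles,
                  expected_delegated=FELLOW_DELEGATED,
                  expected_application=FELLOW_APPLICATION):
    """Compare a tenant's consent records for Fellow with the expected lists.

    grants: oauth2PermissionGrant records (delegated consent). 'scope' is a
            space-separated string; 'principalId' is None for AllPrincipals.
    role_assignments: appRoleAssignment records (application permissions).
    resource_app_roles: the resource (Microsoft Graph) service principal's
            appRoles, used to map appRoleId -> permission name.
    """
    role_names = {r["id"]: r["value"] for r in resource_app_roles}
    findings = []
    for g in grants:
        granted = set(g["scope"].split())
        findings.append({
            "type": "delegated",
            "consent": g["consentType"],
            "principal": g.get("principalId"),
            "unexpected": granted - expected_delegated,
        })
    # Unknown role IDs are kept verbatim so they still surface as unexpected.
    app_granted = {role_names.get(a["appRoleId"], a["appRoleId"]) for a in role_assignments}
    findings.append({
        "type": "application",
        "granted": app_granted,
        "unexpected": app_granted - expected_application,
        "missing": expected_application - app_granted,
    })
    return findings


def unexpected_permissions(findings):
    """Flatten findings into the set of permissions that need an explanation."""
    out = set()
    for f in findings:
        out |= f["unexpected"]
    return out


# Constructed sample records (placeholder IDs), shaped like
# /servicePrincipals/{id}/oauth2PermissionGrants, /servicePrincipals/{id}/appRoleAssignments
# and the Microsoft Graph service principal's appRoles.
SAMPLE_GRANTS = [
    {"clientId": "sp-fellow", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "sp-graph", "scope": "Calendars.ReadWrite User.Read People.Read offline_access"},
    {"clientId": "sp-fellow", "consentType": "Principal", "principalId": "user-bob",
     "resourceId": "sp-graph", "scope": "Calendars.ReadWrite User.Read Mail.ReadWrite"},
]
SAMPLE_ROLE_ASSIGNMENTS = [
    {"appRoleId": "role-1", "principalId": "sp-fellow", "resourceId": "sp-graph"},
    {"appRoleId": "role-2", "principalId": "sp-fellow", "resourceId": "sp-graph"},
    {"appRoleId": "role-3", "principalId": "sp-fellow", "resourceId": "sp-graph"},
]
SAMPLE_GRAPH_APP_ROLES = [
    {"id": "role-1", "value": "Calendars.ReadWrite"},
    {"id": "role-2", "value": "User.Read.All"},
    {"id": "role-3", "value": "Mail.Read"},
]

if __name__ == "__main__":
    for f in audit_consent(SAMPLE_GRANTS, SAMPLE_ROLE_ASSIGNMENTS, SAMPLE_GRAPH_APP_ROLES):
        print(f)
```

For a real audit, fetch the three inputs with GET /servicePrincipals/{fellowSpId}/oauth2PermissionGrants, GET /servicePrincipals/{fellowSpId}/appRoleAssignments and GET /servicePrincipals/{graphSpId}?$select=appRoles (the Microsoft Graph service principal has appId 00000003-0000-0000-c000-000000000000), or the equivalent Get-MgServicePrincipalOauth2PermissionGrant and Get-MgServicePrincipalAppRoleAssignment cmdlets. A per-user "Principal" grant carrying a scope outside the list, like the constructed Mail.ReadWrite entry, is the kind of record worth following up on.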
