Technical Specifications for Microsoft Graph API Permissions
Problem Description
When implementing enterprise add-ins, IT Security and Network departments require precise technical specifications to assess security posture and grant approval. Enterprise architects need to confirm whether the integration utilizes Delegated or Application permissions, as well as the exact list of Microsoft Graph API scopes requested.
Root Cause
Inquiries regarding API permissions stem from standard enterprise security compliance. Understanding that permissions are constrained to user interactions helps security teams properly configure Microsoft Entra ID (formerly Azure AD) policies.
Solution
The Procore for Outlook integration is built to operate under a strict security model using the following specifications:
Permission Type: Delegated Permissions
The integration uses Delegated permissions exclusively. It does not use Application permissions.
This means the application can only access data belonging to the signed-in user and cannot access any data without a user present and authenticated.
Consent and Scopes:
While the permissions are delegated, it is recommended that a Microsoft Tenant Administrator grant tenant-wide consent. This pre-approves the app so individual users are not each prompted to consent on their own.
Required Scopes: The primary scopes used include Mail.Read and User.Read. For the full list of these scopes and the technical definitions of why they are required, please visit the Outlook Permissions Documentation.
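A security team can confirm these specifications against its own tenant after consent is granted. The following is an added example, not Procore's code: it audits JSON exported from the Microsoft Graph endpoints `GET /servicePrincipals/{id}/oauth2PermissionGrants` (delegated grants) and `GET /servicePrincipals/{id}/appRoleAssignments` (application permissions). The sample data and IDs are constructed placeholders, and the expected-scope set holds only the two scopes named above, so extend it from the full list in the Outlook Permissions Documentation.

```python
import json

# Constructed sample data shaped like Microsoft Graph responses; IDs are placeholders.
GRANTS_JSON = """{"value": [
  {"clientId": "sp-object-id-placeholder", "consentType": "AllPrincipals",
   "principalId": null, "resourceId": "graph-sp-id-placeholder",
   "scope": "Mail.Read User.Read"}
]}"""
APP_ROLES_JSON = '{"value": []}'

# Assumption: only the two scopes this article names; add the rest of the vendor's list.
EXPECTED_SCOPES = {"Mail.Read", "User.Read"}


def audit(grants_json, app_roles_json, expected=EXPECTED_SCOPES):
    """Return a list of findings; an empty list means the stated model holds."""
    findings = []
    grants = json.loads(grants_json)["value"]
    app_roles = json.loads(app_roles_json)["value"]

    # Application permissions appear as app role assignments on the service principal.
    for role in app_roles:
        findings.append(f"application permission present: appRoleId={role.get('appRoleId')}")

    if not grants:
        findings.append("no delegated grant found")

    for grant in grants:
        # Delegated scopes are stored as one space-separated string.
        scopes = set((grant.get("scope") or "").split())
        extra = scopes - expected
        if extra:
            findings.append("unexpected delegated scopes: " + " ".join(sorted(extra)))
        # "AllPrincipals" is tenant-wide admin consent; "Principal" is one user's consent.
        if grant.get("consentType") != "AllPrincipals":
            findings.append(f"per-user consent for principal {grant.get('principalId')}")
    return findings


if __name__ == "__main__":
    for line in audit(GRANTS_JSON, APP_ROLES_JSON) or ["OK: delegated-only, expected scopes"]:
        print(line)
```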