Permissions & Consent
Last updated: January 2026
This page lists the Microsoft Graph and SharePoint permissions required by Seamless. Seamless requests only the permissions necessary to operate its governance and collaboration features in Microsoft 365. All access is granted via Microsoft’s standard consent model and follows the principle of least privilege.
Seamless does not access customer data beyond the approved scopes, does not persist content unnecessarily, and does not use customer data for training or secondary purposes.
Seamless Admin Center
The Microsoft Graph and SharePoint permissions required for the Seamless Admin Center are listed below.
Microsoft Graph Scopes
| Scope | Type | Description |
|---|---|---|
| AuditLog.Read.All | delegated | Allows the app to read and query your audit log activities, on behalf of the signed-in user. |
| | delegated | Allows the app to read your users' primary email address |
| Group.Read.All | delegated | Allows the app to list groups, and to read their properties and all group memberships on behalf of the signed-in user. Also allows the app to read calendar, conversations, files, and other group content for all groups the signed-in user can access. |
| offline_access | delegated | Allows the app to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions. |
| openid | delegated | Allows users to sign in to the app with their work or school accounts and allows the app to see basic user profile information. |
| profile | delegated | Allows the app to see your users' basic profile (e.g., name, picture, user name, email address) |
| User.Read | delegated | Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. |
| User.Read.All | delegated | Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. |
| AppRoleAssignment.ReadWrite.All | application | Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, without a signed-in user. |
| AuditLog.Read.All | application | Allows the app to read and query your audit log activities, without a signed-in user. |
| Directory.ReadWrite.All | application | Allows the app to read and write data in your organization's directory, such as users and groups, without a signed-in user. Does not allow user or group deletion. |
| Group.ReadWrite.All | application | Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write conversations. |
| GroupMember.ReadWrite.All | application | Allows the app to list groups, read basic properties, and read and update group memberships without a signed-in user. |
| Mail.Send | application | Allows the app to send mail as any user without a signed-in user. |
| Notes.Read.All | application | Allows the app to read all the OneNote notebooks in your organization, without a signed-in user. |
| RoleManagement.ReadWrite.Directory | application | Allows the app to read and manage the role-based access control (RBAC) settings for your directory, without a signed-in user. |
| Tasks.ReadWrite.All | application | Allows the app to create, read, update and delete all users’ tasks and task lists in your organization, without a signed-in user. |
| Team.ReadBasic.All | application | Get a list of all teams, without a signed-in user. |
| TeamMember.ReadWrite.All | application | Add and remove members from all teams, and change team member roles, without a signed-in user. |
| User.ReadWrite.All | application | Allows the app to read and update user profiles without a signed-in user. |
SharePoint Scopes
| Scope | Type | Description |
|---|---|---|
| AllSites.FullControl | delegated | Allows the app to have full control of all site collections on behalf of the signed-in user. |
| Sites.FullControl.All | application | Allows the app to have full control of all site collections without a signed-in user. |
| User.Read.All | application | Allows the app to read user profiles without a signed-in user. |
Seamless Teams App
The Microsoft Graph and SharePoint permissions required for the Seamless Teams App are listed below.
Microsoft Graph Scopes
| Scope | Type | Description |
|---|---|---|
| AuditLog.Read.All | delegated | Allows the app to read and query your audit log activities, on behalf of the signed-in user. |
| ChannelMember.ReadWrite.All | delegated | Add and remove members from channels, on behalf of the signed-in user. Also allows changing a member's role, for example from owner to non-owner. |
| Group.Read.All | delegated | Allows the app to list groups, and to read their properties and all group memberships on behalf of the signed-in user. Also allows the app to read calendar, conversations, files, and other group content for all groups the signed-in user can access. |
| Group.ReadWrite.All | delegated | Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Additionally allows group owners to manage their groups and allows group members to update group content. |
| Notes.Read.All | delegated | Allows the app to read OneNote notebooks that the signed-in user has access to in the organization. |
| Sites.Read.All | delegated | Allows the application to read documents and list items in all site collections on behalf of the signed-in user. |
| Team.ReadBasic.All | delegated | Read the names and descriptions of teams, on behalf of the signed-in user. |
| TeamMember.ReadWrite.All | delegated | Add and remove members from teams, on behalf of the signed-in user. Also allows changing a member's role, for example from owner to non-owner. |
| User.Invite.All | delegated | Allows the app to invite guest users to the organization, on behalf of the signed-in user. |
| User.Read | delegated | Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. |
| User.Read.All | delegated | Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. |
| AuditLog.Read.All | application | Allows the app to read and query your audit log activities, without a signed-in user. |
| Group.ReadWrite.All | application | Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write conversations. |
| TeamMember.ReadWriteNonOwnerRole.All | application | Add and remove members from all teams, without a signed-in user. Does not allow adding or removing a member with the owner role or elevating members to owners. |
| User.ReadWrite.All | application | Allows the app to read and update user profiles without a signed-in user. |
SharePoint Scopes
| Scope | Type | Description |
|---|---|---|
| AllSites.FullControl | delegated | Allows the app to have full control of all site collections on behalf of the signed-in user. |
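
To check a tenant's actual grants against the lists on this page, the following added example (not Seamless's or Microsoft's code) compares the Microsoft Graph permissions granted to an app's service principal with the Seamless Teams App Graph table above. The input is a constructed export in the shape of Graph's oauth2PermissionGrant, appRoleAssignment and servicePrincipal.appRoles objects; every id in it is a made-up placeholder.

```python
# Documented Microsoft Graph baseline for the Seamless Teams App (from the tables above).
DOCUMENTED = {
    "delegated": {
        "AuditLog.Read.All", "ChannelMember.ReadWrite.All", "Group.Read.All",
        "Group.ReadWrite.All", "Notes.Read.All", "Sites.Read.All", "Team.ReadBasic.All",
        "TeamMember.ReadWrite.All", "User.Invite.All", "User.Read", "User.Read.All"},
    "application": {
        "AuditLog.Read.All", "Group.ReadWrite.All",
        "TeamMember.ReadWriteNonOwnerRole.All", "User.ReadWrite.All"},
}

# Constructed sample export; every id below is a made-up placeholder, not a real Graph id.
GRAPH_SP = {  # the Microsoft Graph resource service principal in the tenant
    "id": "graph-sp-placeholder",
    "appRoles": [
        {"id": "role-0001", "value": "AuditLog.Read.All"},
        {"id": "role-0002", "value": "Group.ReadWrite.All"},
        {"id": "role-0003", "value": "Directory.ReadWrite.All"},
    ],
}
OAUTH2_GRANTS = [  # delegated grants: one object per resource, scopes space-separated
    {"resourceId": "graph-sp-placeholder", "consentType": "AllPrincipals",
     "scope": "User.Read Group.Read.All  Sites.Read.All"},
    {"resourceId": "sharepoint-sp-placeholder", "consentType": "AllPrincipals",
     "scope": "AllSites.FullControl"},
]
APP_ROLE_ASSIGNMENTS = [  # application grants: the permission appears only as a role id
    {"resourceId": "graph-sp-placeholder", "appRoleId": "role-0001"},
    {"resourceId": "graph-sp-placeholder", "appRoleId": "role-0003"},
    {"resourceId": "graph-sp-placeholder", "appRoleId": "role-9999"},
]

def granted_permissions(resource_sp, grants, assignments):
    """Collect what is granted against one resource, split by permission type."""
    role_names = {r["id"]: r["value"] for r in resource_sp["appRoles"]}
    rid = resource_sp["id"]
    delegated = {s for g in grants if g["resourceId"] == rid for s in g["scope"].split()}
    # Role ids that cannot be resolved are reported, not silently dropped.
    application = {role_names.get(a["appRoleId"], "unresolved:" + a["appRoleId"])
                   for a in assignments if a["resourceId"] == rid}
    return {"delegated": delegated, "application": application}

def drift(granted, documented):
    """Per type: grants absent from the documented list, and documented scopes not granted."""
    return {kind: {"undocumented": sorted(granted[kind] - documented[kind]),
                   "not_granted": sorted(documented[kind] - granted[kind])}
            for kind in documented}

REPORT = drift(granted_permissions(GRAPH_SP, OAUTH2_GRANTS, APP_ROLE_ASSIGNMENTS), DOCUMENTED)
```

In the sample, `Directory.ReadWrite.All` is reported as undocumented because this page lists it for the Admin Center only, and the SharePoint grant is excluded because it belongs to a different resource.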