Applicable plans: ❎ Free Plan ❎ Complete Plan
When setting up Waldo with Microsoft 365, you'll be asked to grant admin consent in your Microsoft 365 tenant.
This often sounds more complex than it really is.
In simple terms, consent means:
“Waldo is an application that needs permission to interact with Microsoft 365 on behalf of authenticated users.”
Importantly, Waldo employees cannot access, identify, or view your organisational data.
🔐 1. How Waldo Accesses Microsoft 365
Waldo uses OpenID Connect (OIDC) and OAuth 2.0, Microsoft's standard and secure authentication protocols.
If you'd like to learn more about the underlying technology, see Microsoft's official documentation on OpenID Connect and OAuth.
To access Microsoft 365 resources, Waldo requires two independent conditions:
- Application permission (Admin Consent) – granted once by a Microsoft 365 administrator.
- User authentication – each user must sign in with their Microsoft account.
Both are mandatory.
✅ Consent without a user login provides no access.
✅ A user login without granted consent provides no access.
❌ There are no backdoors, shared credentials, or alternate access methods.
Waldo accesses Microsoft 365 exactly as an authenticated user would, using Microsoft's security framework.
📋 2. Default Consent Permissions
By default, Waldo requires a small set of read-only permissions to operate.
| Permission | Purpose |
|---|---|
| Maintain access to previously granted data | Allows Microsoft 365 authentication to continue working |
| Sign in and read user profile | Identifies the authenticated user |
| Read all users' basic profiles | Displays basic user information |
| Read names and members of chat threads | Supports teammate discovery during onboarding |
Limitations of Minimal Consent
If you only grant the minimum permissions, some Waldo features will be unavailable:
- User avatars won't appear in notifications
- Manager-based teammate discovery won't work
- User filtering by Azure attributes won't be available in the Admin Portal
- Outlook calendar synchronisation won't function
👉 For the best experience, we recommend granting the extended consent permissions described below.
⚙️ 3. Additional Admin Consent Permissions
Depending on the features you enable, Waldo may request additional permissions.
Default Features and User Management
| Permission | Purpose |
|---|---|
| User.Read | Read user information |
| User.ReadBasic.All | Read basic information for all users |
| Chat.ReadBasic | Identify teammates during onboarding |
| User.Read.All | Access extended user directory information |
| Place.Read.All | Improve management of meeting room resources |
| Directory.Read.All | Filter users by Azure AD groups, licences, and directory attributes |
Outlook Calendar Synchronisation
Outlook ➜ Waldo
| Permission | Purpose |
|---|---|
| Calendars.Read | Read Outlook calendar events |
Waldo ➜ Outlook
| Permission | Purpose |
|---|---|
| Calendars.ReadWrite | Create and update calendar events in Outlook |
Emergency Skills Messaging
| Permission | Purpose |
|---|---|
| Chat.Create | Create Microsoft Teams chats |
| ChatMessage.Send | Send Teams messages |
Teams Group Chat Calendar Messages
| Permission | Purpose |
|---|---|
| Chat.Read | Read Teams group chat information required for messaging features |
Filter User Based on Azure Groups
| Permission | Purpose |
|---|---|
| Directory.ReadAll | Used to filter users in the admin portal using Azure Groups |
Rooms
| Permission | Purpose |
|---|---|
| Calendar.ReadWrite | Used to sync Waldo calendar with Outlook calendar |
Guest Booking Notifications
When communicating with internal guests who do not use Waldo:
| Permission | Purpose |
|---|---|
| Chat.Create | Create chat conversations |
| ChatMessage.Send | Send booking-related notifications |
For a complete and always up-to-date list of permissions, please refer to the Consent documentation.
📅 4. Consent Permissions for the Meeting Room Check-in Feature
The meeting room check-in feature is unique in that it requires application consent, unlike other features that only need delegated consent.
| Permission | Purpose |
|---|---|
| Calendars.Readwrite | Create and update calendar events in Outlook |
To grant consent for the Meeting room checkin feature, go to the Policies page > Check-in > Rooms
🛡️ 5. Data Security and Privacy
Waldo is designed around a simple principle:
Your data remains yours.
Granting consent does not mean Waldo employees can browse, identify, or access your Microsoft 365 data.
All permissions are handled through Microsoft's secure identity platform and are only used to provide the features you explicitly enable.
No authenticated user means no access.
No granted permission means no access.
✅ 6. How to Grant Consent
- Go to the consent page: https://admin.hellowaldo.app/consent
- Sign in with your Microsoft 365 account.
- Review the requested permissions (these allow Waldo to read your organization’s data like users, teams, and rooms).
- Click Accept to approve access.
- Once completed, users in your organization will be able to sign in to Waldo normally.
✅ 7. How to Grant Consent for the meeting room check-in feature
Granting consent for the meeting room feature is a straightforward process. To authorize the Waldo app to confirm or cancel a meeting when the user checks in:
- Go to the Policies page > Check-in > Rooms
- Click "grant admin consent"
- Authenticate with an M365 admin account.
Note: The meeting room check-in feature needs application consent, unlike the other features that require delegated consent.
Comments
0 comments
Please sign in to leave a comment.