Applicable plans:


The free plan, The complete plan, On-demand plan




1 - Principles:


The Waldo app uses OpenID authentication to get access to Office 365 resources. Authentication principles are detailed here: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols.


These permissions are standard OAuth permissions (based on Azure AD Application specifications). The Waldo App needs to access your Microsoft Teams instance to read user profiles as a normal user would (with the same permission level as a normal user). The "consent" is an activation in your O365 tenant, to specify that "Waldo is an application and will need to authenticate to the office server with a user account". In addition, the Waldo app will always need a user account to authenticate to the online server. So there are two security levels: application-level AND user-level. Without a user account, Waldo cannot access the online server, even if you have provided consent.


Thanks to the consent process, your data are secured. Waldo employees CANNOT, in any way, identify your data.


2 - Default consent permissions.


By default, Waldo requires the following read-only permissions from you or your organization:

  • Maintain access to data you have given it access to.
  • Sign-in and read user profile.
  • Read all users' basic profiles.
  • Read names and members of user chat threads.


When you use the minimal consent only, Waldo has some limitations:

  • Waldo won't be able to display users' avatars in the notifications.
  • Waldo can't retrieve users' managers, so the identification of users' teammates is less accurate.
  • In the management portal, you can't filter users based on their license and their Azure properties (groups, email, user IDs).


That's why we recommend extending the consent as explained below.


3 - Admin consent permissions.


When you extend the consent, Waldo requires the following read-only permissions from you or your organization:

  • Maintain access to data you have given it access to.
  • Sign-in and read user profile.
  • Read all users' basic profiles.
  • Read all users' full profiles.
  • Read names and members of user chat threads.
  • Access Directory Data.
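
To check what has actually been granted in your tenant against the two permission lists above, the following added example (not Waldo's or Microsoft's code) audits delegated permission grants as returned by Microsoft Graph's oauth2PermissionGrants resource. Assumptions: the scope identifiers are a hand-made mapping of the display strings on this page to Graph scope names, and the sample data and IDs are constructed placeholders.

```python
import json

# ASSUMPTION: Microsoft Graph delegated scope names mapped by hand from the
# display strings listed above; confirm them on your tenant's consent prompt.
DEFAULT_SCOPES = {"offline_access", "User.Read", "User.ReadBasic.All", "Chat.ReadBasic"}
EXTENDED_SCOPES = DEFAULT_SCOPES | {"User.Read.All", "Directory.Read.All"}

# Constructed sample, shaped like a Graph oauth2PermissionGrants listing for
# one service principal. IDs are placeholders; Mail.Read is deliberately
# outside the page's list so the audit has something to flag.
SAMPLE = json.loads("""
{"value": [
  {"id": "grant-admin", "clientId": "sp-object-id-placeholder",
   "consentType": "AllPrincipals", "principalId": null,
   "scope": " offline_access User.Read User.ReadBasic.All User.Read.All Chat.ReadBasic Directory.Read.All Mail.Read"},
  {"id": "grant-user", "clientId": "sp-object-id-placeholder",
   "consentType": "Principal", "principalId": "user-object-id-placeholder",
   "scope": "offline_access user.read User.ReadBasic.All Chat.ReadBasic"}
]}
""")

def audit_grants(grants, expected):
    """Compare each delegated grant's scopes with the expected set."""
    want = {s.lower() for s in expected}
    findings = []
    for g in grants:
        # 'scope' is one space-separated string; padding is common.
        granted = (g.get("scope") or "").split()
        have = {s.lower() for s in granted}
        findings.append({
            "id": g["id"],
            # AllPrincipals = admin consent for the whole tenant,
            # Principal = consent given by (or for) a single user.
            "tenant_wide": g.get("consentType") == "AllPrincipals",
            "principal": g.get("principalId"),
            "unexpected": sorted(s for s in set(granted) if s.lower() not in want),
            "missing": sorted(s for s in expected if s.lower() not in have),
        })
    return findings

if __name__ == "__main__":
    for f in audit_grants(SAMPLE["value"], EXTENDED_SCOPES):
        print(f)
```

A non-empty "unexpected" list means the app holds a scope that is not in the list you approved; a non-empty "missing" list on a tenant-wide grant means the extended consent has not been applied.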


4 - How to extend the consent.


4.1 - Via the Waldo management platform (recommended)


You will need Microsoft 365 administrative privileges.


  1. Go to the management portal: https://app.hellowaldo.app.

  2. Authenticate using your Microsoft 365 account.

  3. Under Global Settings and then Consent, click on Grant Admin Consent.

  4. Authenticate again using your Microsoft 365 account.
  5. Click on Accept.


4.2 - Via the Teams admin center


When you grant consent via the Teams admin center, the "Grant admin consent" button in the Waldo management portal will remain activated. That's why we recommend you grant consent via the Waldo management portal, rather than the Teams admin center.


To grant permission to Waldo via the Teams admin center:

  1. Open the Microsoft Teams admin center: https://admin.teams.microsoft.com/

  2. Go to Teams apps > Manage apps.

  3. Search for "Waldo".

  4. Click on "Waldo".

  5. Under "Permissions", select Review permissions.
  6. Click on "Consent".