Applicable plans:


  • The free plan
  • The complete plan
  • On-demand plan




1 - Principles:


The Waldo app uses OpenID authentication to get access to Office 365 resources. Authentication principles are detailed here: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols.


These permissions are standard OAuth permissions (based on the Azure AD application specifications). The Waldo app needs to access your Microsoft Teams instance to read user profiles as a normal user would (with the same permission "level" as a normal user). The "consent" is an activation in your O365 tenant that specifies that "Waldo is an application and will need to authenticate to the office server with a user account". In addition, the Waldo app always needs a user account to authenticate to the online server. So there are two security levels: application-level AND user-level. Without a user account, Waldo cannot access the online server, even if you have provided consent.


Thanks to the consent process, your data are secured. Waldo employees CANNOT, in any way, identify your data.


2 - Default consent permissions.


By default, Waldo requires the following read-only permissions from you or your organization:

  • Maintain access to data you have given it access to.
  • Sign-in and read user profile.
  • Read all users' basic profiles.
  • Read names and members of user chat threads.


When you use the minimal consent only, Waldo has some limitations:

  • Waldo won't be able to display users' avatars in the notifications.
  • Waldo can't retrieve users' managers, so identification of users' teammates is less accurate.
  • In the management portal, you can't filter users based on their license and their Azure properties (groups, email, user IDs).
  • Waldo can't synchronize with Outlook.


That's why we recommend extending the consent as explained below.


3 - Admin consent permissions.


When you extend the consent, Waldo requires the following read-only permissions from you or your organization:

  • Maintain access to data you have given it access to.
  • Sign-in and read user profile.
  • Read all users' basic profiles.
  • Read all users' full profiles.
  • Read names and members of user chat threads.
  • Access Directory Data.


4 - Outlook sync consent permissions.


If you would like to use the "Outlook Sync" feature, Waldo requires this additional permission:

  • Read and write calendars in all mailboxes.


5 - How to grant consent.


You can refer to this article: https://customer.hellowaldo.app/en/support/solutions/articles/8000096278-need-admin-approval-grant-admin-consent