Applicable plans:
The free plan | The complete plan | On-demand plan |
---|---|---|
The "consent" is an activation in your O365 tenant, to specify that "Waldo is an application and will need to authenticate to the office server with a user account". Waldo employees CANNOT, in any way, identify your data. |
1 - Principles:
The Waldo app uses OpenID authentication to get access to Office 365 resources. Authentication principles are detailed here: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols.
These permissions are OAuth standard permissions (based on Azure AD Application specifications). The Waldo App needs to access your Microsoft Teams instance to read user profiles as a normal user would do (with the same "level" permissions as a normal user). The "consent" is an activation in your O365 tenant, to specify that "Waldo is an application and will need to authenticate to the office server with a user account". In addition, the Waldo app will always need a user account to authenticate to the online server. So there are two security levels: application-level AND user-level. Without a user account, Waldo cannot access the online server, even if you have provided consent.
Thanks to the consent process, your data are secured. Waldo employees CANNOT, in any way, identify your data.
2 - Default consent permissions.
By default, Waldo requires the following read-only permissions from you or your organization:
- Maintain access to data you have given it acccess to.
- Sign-in and read user profile.
- Read all users' basic profiles.
- Read names and members of user chat threads.
When you use the minimal consent only, Waldo has some limitations:
- Waldo won't be able to display users' avatars in the notifications.
- Waldo can't get users' managers so users' teammates identification is less accurate.
- In the management portal, you can't filter users based on their license and their Azure properties (groups, email, user IDs).
- Waldo can't synchronize with Outlook.
That's why we recommend to extend the consent as explained below.
3 - Admin consent permissions.
When you extend the consent, Waldo requires the following read-only permissions from you or your organization:
When you enable the "default features":
- User.Read: Used to retrieve user information.
- User.ReadBasic.All: Used to retrieve all users' basic information.
- Chat.ReadBasic: Used to define teammates during onboarding.
When you enable the "user management features":
- User.Read.All: Used to retrieve all users' information.
- Place.Read.All: Used to remove meeting rooms from the user list.
When you enable "synchronize from Outlook calendar to Waldo calendar":
- Calendars.Read: Used to synchronize Outlook calendar to Waldo calendar.
When you enable "synchronize from Waldo calendar to Outlook calendar":
- Calendars.ReadWrite: Used to synchronize Waldo calendar to Outlook calendar.
When you enable "add emergency skills to users":
- Chat.Create: Used to message contacts with emergency skills via Teams.
- ChatMessage.Send: Used to message contacts with emergency skills via Teams.
When you enable "allow Teams Group Chat with Calendar Messages":
- Chat.Read: Used to sync day messages with Teams
When you enable "filter users based on their license or their Azure Groups"
- Directory.Read.All: Used to filter users in admin portal with Azure Groups.
More details at https://admin.hellowaldo.app/consent
4 - How to grant consent.
You can refer to this article: https://customer.hellowaldo.app/en/support/solutions/articles/8000096278-need-admin-approval-grant-admin-consent