Victor Chen
ServiceNow Employee

The following are the API permissions requested by the ServiceNow integration with Microsoft Teams. They are organized per app, as listed on the "Install Azure Apps" page available with the Microsoft Teams integration. For more information on delegated versus application permissions, see Microsoft's documentation.

 

Virtual Agent for Microsoft Teams

A pop-up explaining the necessary permissions will appear during installation. 

1) offline_access (Delegated) - Maintain access to data you have given it access to. 

2) User.Read (Delegated) - Sign in and read user profile

3) openid (Delegated) - Sign users in

4) email (Delegated) - View users' email address

5) profile (Delegated) - View users' basic profile

 

Notify for Microsoft Teams

Calling capabilities are done on behalf of a bot, rather than an individual. All the permissions are Application permissions, allowing our bot the necessary permissions to create meetings, add participants, and read call details.

1) User.Read.All (Application) This allows the app to get the details of users, such as their Azure ID, which is required to start the meeting.

2) OnlineMeetings.ReadWrite.All (Application) This permission is required to initiate an online meeting.

3) Calls.InitiateGroupCall.All (Application) This permission is required to invite multiple participants to a call on behalf of a Bot.

4) Calls.JoinGroupCall.All (Application) This permission allows the bot to join the meeting as a participant. In order to read call details, the bot must first be a meeting participant.

5) TeamsAppInstallation.ReadWriteForChat.All (Application) This permission is required to add our app to an online meeting, as part of Meeting Extensibility.

6) TeamsTab.ReadWriteForChat.All (Application) This permission allows our app to open a tab with incident details within a meeting, as part of Meeting Extensibility.

 

Request Based Chat

1) offline_access (delegated) ServiceNow stores an access token for each user, which allows them to re-authenticate with ServiceNow, within Microsoft Teams, without having to go through a login prompt. Offline access allows us to automatically refresh the access token.

2) Chat.ReadWrite (delegated) The Read part of the Chat.ReadWrite permission allows us to import request-based chats from Microsoft Teams. The Write part of the Chat.ReadWrite permission is used in the “Start Chat” screen, where an opening message is provided on behalf of the agent.

3) User.Read (delegated) This permission is automatically added whenever an app is created, to read the basic information of the user, such as name and email ID.

4) User.ReadBasic.All (delegated) This permission is required to obtain the names and Azure IDs of users. ServiceNow stores the Azure ID in order to create chats on behalf of users and import chats on their behalf.

5) Files.Read.All (delegated) This permission is used when importing request-based chats from Microsoft Teams. It allows attachments to be imported, as part of the Teams chat.

6) ChatMember.ReadWrite (delegated) When a request with a Teams chat is set to inactive, participants are automatically removed from the corresponding chat. This permission is required to remove the chat participants.

7) Chat.Create (delegated) This permission is used in the creation of request-based chats.

8) Chat.ReadBasic (delegated) This permission is used when importing request-based chats. It allows us to display which participant sent each message in the chat.

 

Additional note regarding Files.Read.All (delegated) - The integration doesn't have access to any files that an Agent doesn't already have access to in the Teams client (hence them only being able to import chats that they're a part of). We also disable the Import capability if someone is impersonating within ServiceNow so that they can't do something nefarious like impersonating an admin to gain access to other files.

 

  

Tab SSO

1) User.Read (delegated) This permission enables the user to authenticate into a ServiceNow Portal embedded in Microsoft Teams.

2) offline_access (delegated) This permission is required for the use of Tab SSO, to enable user authentication with a Microsoft Teams tab.

For more information, see Microsoft's Tab SSO Documentation.
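
One way to check a tenant for consent drift against the lists above, as an added example that is not part of the original article or ServiceNow's own code. The `audit` function, the `EXPECTED` table and the sample grants are hypothetical and constructed here; `scope` and `consentType` are fields of Microsoft Graph's oauth2PermissionGrant resource, and the application permission names are assumed to be already resolved from the app role assignments.

```python
# Added example; the sample grants below are constructed, not real tenant data.
# Allow-list transcribed from the article, one space-separated string per type.
EXPECTED = {
    "Virtual Agent for Microsoft Teams": {
        "delegated": "offline_access User.Read openid email profile",
        "application": ""},
    "Notify for Microsoft Teams": {
        "delegated": "",
        "application": "User.Read.All OnlineMeetings.ReadWrite.All "
                       "Calls.InitiateGroupCall.All Calls.JoinGroupCall.All "
                       "TeamsAppInstallation.ReadWriteForChat.All "
                       "TeamsTab.ReadWriteForChat.All"},
    "Request Based Chat": {
        "delegated": "offline_access Chat.ReadWrite User.Read User.ReadBasic.All "
                     "Files.Read.All ChatMember.ReadWrite Chat.Create Chat.ReadBasic",
        "application": ""},
    "Tab SSO": {"delegated": "User.Read offline_access", "application": ""},
}


def _names(text):
    """Split a space-separated scope string into a lower-cased set."""
    return {s.lower() for s in (text or "").split()}


def audit(app, delegated_grants, app_role_names):
    """Diff granted permissions against the documented list for one app.
    delegated_grants: oauth2PermissionGrant-style dicts ('scope' is a
    space-separated string); app_role_names: application permission names,
    assumed already resolved from the app role assignments."""
    have = {"delegated": set(), "application": _names(" ".join(app_role_names))}
    for grant in delegated_grants:          # several grants may exist per app
        have["delegated"] |= _names(grant.get("scope"))
    report = {}
    for kind, granted in have.items():
        want = _names(EXPECTED[app][kind])
        report[kind] = {"unexpected": sorted(granted - want),
                        "missing": sorted(want - granted)}
    return report


# Constructed sample: an over-consented "Request Based Chat" registration.
SAMPLE_GRANTS = [
    {"consentType": "AllPrincipals", "scope": " Chat.ReadWrite User.Read offline_access Chat.Create"},
    {"consentType": "AllPrincipals", "scope": "User.ReadBasic.All Files.Read.All Chat.ReadBasic Mail.Read"},
]
SAMPLE_REPORT = audit("Request Based Chat", SAMPLE_GRANTS, ["Chat.Read.All"])
print(SAMPLE_REPORT)
```

Names are compared case-insensitively, and an application permission on an app documented as delegated-only is reported as unexpected, which is the drift most worth reviewing.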

Comments
Niclas
Mega Guru

Hi Victor, this is very helpful.

 

Can you please update the official Rome documentation with this information? We followed the Single Tenant docs, and starting a Group Chat from Major Incident Workbench was not working, because those permissions you are mentioning here in this blog article are not covered in the official docs* - obviously we are not the only ones, see this Community Question


*Documentation I refer to: Authenticate users to access Employee Center tab in Microsoft Teams (servicenow.com)

Version history
Last update:
‎03-14-2023 01:20 PM