Application Consent During Teams Cloud Voice Onboarding

This document outlines the permissions requested during the onboarding process for UniVoIP's service management application, Service Control.

Service Control is a comprehensive service management platform developed by UniVoIP. It is designed to streamline the user experience with a modern and responsive interface. The platform includes several key applets that handle tasks like procuring, activating, and assigning telephone numbers to Teams users. UniVoIP Service Control also includes a number management tool for efficient onboarding and service management.

UniVoIP Service Control offers various access levels and permission capabilities to ensure secure and efficient service management. It provides different access levels based on user roles, allowing administrators full access while regular users have limited access. The platform includes granular permission settings, enabling control over viewing, editing, and managing services.

Below are details corresponding to each of the three applications involved in the onboarding workflow:

  • Cloud Voice for Teams Sign In Application
  • Cloud Voice for Teams Management Application
  • Cloud Voice for Teams Onboarding Application

All onboarding and management actions within a customer's Microsoft tenant are completed using one or more of these applications. All such actions are recorded in the tenant's Microsoft Entra audit log, where customers can review them at any time.
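One way for a tenant administrator to review those recorded actions is to pull the Entra directory audit entries whose initiator is one of the three applications. The script below is an added example, not part of the UniVoIP documentation or the Service Control product; it assumes the Microsoft.Graph PowerShell SDK is installed, that the caller holds the AuditLog.Read.All permission, and that the three enterprise applications are named with the prefix "Cloud Voice for Teams" (confirm the actual display names under Entra > Enterprise applications). The list of activity names flagged as sensitive is illustrative and should be adjusted to the tenant.

```powershell
# Added example (not part of the UniVoIP document): list the Entra directory audit
# entries initiated by the Cloud Voice for Teams applications in the last $Days days.
# Assumes the Microsoft.Graph PowerShell SDK and the AuditLog.Read.All permission.
# The display-name prefix is an assumption; confirm it in Entra > Enterprise applications.
param([int]$Days = 30, [string]$AppNamePrefix = 'Cloud Voice for Teams')

Connect-MgGraph -Scopes 'AuditLog.Read.All'

# Graph accepts an unquoted ISO-8601 timestamp in datetime filters.
$since   = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
$entries = Get-MgAuditLogDirectoryAudit -Filter "activityDateTime ge $since" -All

# Keep only entries whose initiator is an application (not a user) with the expected name.
$appEntries = $entries | Where-Object {
    $_.InitiatedBy.App -and $_.InitiatedBy.App.DisplayName -like "$AppNamePrefix*"
}

# Activities worth a second look because they change permissions, roles, domains or apps.
# Illustrative list of activity names as Entra records them; extend it to suit the tenant.
$sensitive = @(
    'Add app role assignment to service principal',
    'Remove app role assignment from service principal',
    'Add member to role',
    'Add unverified domain',
    'Add verified domain',
    'Delete application',
    'Update user'
)

$report = foreach ($e in $appEntries) {
    [pscustomobject]@{
        Time      = $e.ActivityDateTime
        App       = $e.InitiatedBy.App.DisplayName
        Activity  = $e.ActivityDisplayName
        Result    = $e.Result
        Sensitive = $sensitive -contains $e.ActivityDisplayName
        Targets   = ($e.TargetResources | ForEach-Object { "$($_.Type): $($_.DisplayName)" }) -join '; '
    }
}

# Newest first, then a count of each activity per application.
$report | Sort-Object Time -Descending | Format-Table -AutoSize
'--- activity counts per application ---'
$report | Group-Object App, Activity | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it as `.\Get-CloudVoiceAudit.ps1 -Days 7` (file name is hypothetical) shortly after onboarding: the Sensitive column should light up only for the expected events, such as the Onboarding Application adding domains and the Management Application deleting the Onboarding Application at the end of the workflow.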

Cloud Voice for Teams Sign In Application

The Sign In Application is the first of the three applications installed during the onboarding workflow. This Application is responsible for ensuring that users can sign in to UniVoIP Service Control seamlessly using their Microsoft credentials. This Application requires read permissions to access user profiles and validate users. Once consent is provided, the Sign In Application facilitates the single sign-on process, making it easier for users to access various services without needing to log in multiple times. The permissions requested are presented as shown below before consent is provided.

Below are the permissions to be granted to the Sign In App:

  • Maintain access to data you have given it access to

Allows the Application to see and update the data you gave it access to, even when users are not currently using the app. This does not give the Application any additional permissions.

Note: Used to maintain the session of the logged-in user by means of refresh tokens.

  • Sign in and read user profile

Allows users to sign in to the Application, and allows the Application to read the profile of signed-in users. It also allows the Application to read basic company information of signed-in users.

Note: Used to validate user and tenant details for the trial landing page, and to allow single sign-on for tenant users.

Cloud Voice for Teams Management Application

The Management Application is the second of three applications required for the onboarding process. It is responsible for assigning telephone numbers to users and managing other administrative tasks during onboarding and after the onboarding is completed.

The Management App is essential for tasks like managing and assigning telephone numbers to Teams resources. It ensures that these tasks are carried out efficiently and securely. The permission requested is presented as shown below before consent is provided.

Below are the permissions to be granted to the Management App:

  • Read and write all applications

Allows the Application to create, read, update and delete applications and service principals without a signed-in user. Does not allow management of consent grants.

Note: Used to remove the Onboarding Application when the initial integration is completed; it has no other use. After onboarding, the tenant admin can revoke this specific permission from the enterprise application definition without affecting day-2 management.

  • Read all call records

Allows the application to read call records for all calls and online meetings without a signed-in user.

Note: Call records are not currently accessed; the permission is included for planned future functionality. The tenant admin can revoke this specific permission from the enterprise application definition without affecting day-2 management.

  • Read organization information

Allows the application to read the organization and related resources, without a signed-in user. Related resources include things like subscribed SKUs and tenant branding information.

Note: Required to confirm licensing as part of the checks performed before onboarding starts, for domain setup, and for basic tenant troubleshooting when required. This permission is also required for Teams PowerShell Module application-based access to function: https://learn.microsoft.com/en-us/microsoftteams/teams-powershell-application-authentication#setup-application-based-authentication

  • Read and write all users' full profiles

Allows the application to read and update user profiles without a signed-in user.

Note: Required to read and update users' outbound calling and dialing policies, which is needed for phone number assignment and outbound routing.

  • Sign in and read user profile

Allows users to sign in to the application, and allows the application to read the profile of signed-in users. It also allows the application to read basic company information of signed-in users.

Note: Default application permission included by Microsoft; not stated in the application manifest.

  • application_access

Grant appId full permission

Note: Allows the application to access the Teams PowerShell module and Graph resources, so that it can function independently of individual users or 'service accounts'. Such accounts are prone to being disabled or deleted when a person leaves the company.
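The notes above say that two of the Management App permissions (Read and write all applications, Read all call records) can be revoked by the tenant admin after onboarding without affecting day-2 management. The script below is an added example, not UniVoIP's code: it lists the application permissions (app role assignments) and directory roles held by each Cloud Voice for Teams service principal, flags the two removable permissions, and revokes them only when run with `-Revoke`. It assumes the Microsoft.Graph PowerShell SDK, an admin holding Application.Read.All, AppRoleAssignment.ReadWrite.All and Directory.Read.All, and the display-name prefix "Cloud Voice for Teams", which is an assumption to confirm in the tenant. The Microsoft Graph resource appId `00000003-0000-0000-c000-000000000000` is Microsoft's well-known value, used here only to translate role GUIDs into permission names.

```powershell
# Added example (not UniVoIP's code): report, and optionally revoke, the Microsoft Graph
# application permissions the document marks as removable after onboarding, and show the
# directory roles (e.g. Teams Administrator) held by each Cloud Voice for Teams service principal.
# Assumes the Microsoft.Graph PowerShell SDK; the display-name prefix is an assumption.
param(
    [string]$AppNamePrefix = 'Cloud Voice for Teams',
    [switch]$Revoke   # without this switch the script only reports
)

Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All', 'Directory.Read.All'

# Well-known appId of the Microsoft Graph resource; its AppRoles map role GUIDs to names.
$graphSp   = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$removable = @('Application.ReadWrite.All', 'CallRecords.Read.All')   # per the notes above

$targets = Get-MgServicePrincipal -Filter "startswith(displayName,'$AppNamePrefix')" -All
if (-not $targets) { Write-Warning "No service principals starting with '$AppNamePrefix' found"; return }

foreach ($sp in $targets) {
    "== $($sp.DisplayName) (appId $($sp.AppId))"

    # Application permissions are app role assignments on the service principal.
    # Roles on resources other than Graph (e.g. Teams application_access) are shown by resource name and GUID.
    $assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
    foreach ($a in $assignments) {
        $role = $graphSp.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
        $name = if ($a.ResourceId -eq $graphSp.Id -and $role) { $role.Value } else { "$($a.ResourceDisplayName):$($a.AppRoleId)" }
        $flag = if ($removable -contains $name) { '(removable after onboarding)' } else { '' }
        "   permission: $name $flag"

        if ($Revoke -and $removable -contains $name) {
            Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -AppRoleAssignmentId $a.Id
            "   revoked:    $name"
        }
    }

    # Directory roles granted to the service principal (the Onboarding Application grants
    # Teams Administrator to the Management Application; nothing else is expected).
    $roles = Get-MgServicePrincipalMemberOf -ServicePrincipalId $sp.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' }
    foreach ($r in $roles) { "   directory role: $($r.AdditionalProperties['displayName'])" }
}

# The Onboarding Application is supposed to be removed once onboarding completes.
if ($targets.DisplayName -like '*Onboarding*') {
    Write-Warning 'An Onboarding Application service principal is still present; verify that onboarding has completed.'
}
```

Run it once without `-Revoke` to confirm that the reported permissions match the consent screens in this document, then with `-Revoke` after onboarding has finished and the Onboarding Application is gone. Revoking Application.ReadWrite.All before that point would prevent the Management Application from removing the Onboarding Application, as the note under that permission explains.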

Cloud Voice for Teams Onboarding Application

The Onboarding Application is the last of three applications required for the onboarding process. It is used during the onboarding phase only and is removed by the Management Application once the initial onboarding phase is completed.

The Onboarding Application is responsible for creating voice domains, voice paths, a temporary user to enable the voice paths, and other necessary configurations specific to Cloud Voice. After the onboarding process, any permissions granted to the Onboarding Application are removed, as they will no longer be needed.

Below is a detailed list of permissions to be granted to the Onboarding Application:

  • Read and write domains

Allows the Application to read and write all domain properties without a signed-in user. Also allows the Application to add, verify and remove domains.

Note: Required to build and validate voice domains within the tenant during initial onboarding.

  • Read and write all directory RBAC settings

Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships.

Note: Used to grant the Management Application the 'Teams Administrator' role required for Teams PowerShell voice management.

  • Sign in and read user profile

Allows users to sign in to the Application, and allows the Application to read the profile of signed-in users. It also allows the Application to read basic company information of signed-in users.

Note: Default Application permission included by Microsoft; not stated in the Application manifest.