High level architectural flows and official security statements regarding the MS Teams Calling integration
MS Teams Calling Integration and Security
Deployment
| Number | Description |
|---|---|
| 1 | User Authorization |
| 2 | User Token |
| 3 | User Token |
| 4 | Get Data For Display On Tab (User Token) |
| 5 | Get Data Through Graph APIs (User Token) |
Notes
The MS Teams Client contains the Webex Call Plugin.
The Bot/App Service is a Cisco service that is used exclusively for MS Teams Webex Call Plugin integration.
Before using the integration, every user must authorize the app.
Whenever the user goes to the Call tab, the plugin must call a few Graph APIs (using the back-end service) to show speed dials, etc.
Microsoft Graph APIs called
- https://graph.microsoft.com/v1.0/me/extensions/{extensionId}
- https://graph.microsoft.com/v1.0/me
- https://graph.microsoft.com/v1.0/me/contacts
- https://graph.microsoft.com/v1.0/me/contacts/{contactId}
- https://graph.microsoft.com/v1.0/users/{userId}
- https://graph.microsoft.com/v1.0/users
- https://graph.microsoft.com/beta/me/chats/{chatId}/members
The Graph API Call fails if the user has not authorized, because the back-end service does not have a valid token to call the Graph APIs.
No user data is stored in logs or databases.
The Webex call app in Teams uses HTTPS to communicate with the Cisco Cloud.
Permissions
Permissions requested by Microsoft
The following lists the permissions required by Microsoft:
These permissions correspond to the following API Permission names.
 | For more information on Microsoft Graph permissions, including a
full description of permission strings, see https://docs.microsoft.com/en-us/graph/permissions-reference. |
|
Permission Name |
Reason |
|---|---|
|
ChannelMember.Read.All |
Read the members of channels that are used by 1:1 calling in channel |
|
Chat.ReadBasic |
Read names and members of user chat threads used by 1:1 calling when in a chat with a user |
|
Contacts.Read |
Read user contacts to show user contacts when dialing or adding speed dial |
|
offline_access |
User won't be asked to reauthorize every time they select the tab |
|
User.Read |
Sign in and read user profile to know current user details |
|
User.Read.All |
Read all users' full profiles to fetch different users avatars, details in speed dials |
|
User.ReadWrite |
Read and write access to user profile to save speed dials |
|
Presence.ReadWrite |
Read and write presence information for all users |
|
Presence.Read.All |
Read presence information of all users in your organization |
Permissions requested by Webex
The following lists the permissions required by Webex:
|
Permission Name |
Reason |
|---|---|
|
calls_write |
Allow users to invoke call commands on themselves. |
|
all |
Full access to Webex Teams account |
|
config |
Configuration Management |
|
calls_read |
List all calls for rooms you are part of |
|
xsi |
Access to your Webex Calling resources |
|
organizations_read |
Access to read your user’s organization |
|
User SCIM |
User/Group management |
