Microsoft 365 Permissions Requested by Webex

When you add an authorization for Webex to a Microsoft tenant, we request the following permissions:

The following table describes each permission and why it's required.

Permission	Claim value	What information does this give Webex access to?	How is this permission used for Webex Meetings?
Read all users’ full profiles.	User.Read.All	Required for the People Insights feature and Microsoft Teams integration.	Enables People Insights for Webex Meetings and Webex users. Identifies users and their email addresses so we can match users’ Webex accounts in the Cisco Webex Meetings bot and tab integration in Microsoft Teams.
Read directory data.	Directory.Read.All	Required for the People Insights feature and Microsoft Teams integration.	Allows People Insights to populate meeting participants' profiles in Webex Meetings and users' People Insights profiles in Webex from the directory. Allows Microsoft Teams integration to populate look-ahead of invitee emails when scheduling a Webex meeting.
Read and write calendars in all mailboxes.	Calendars.ReadWrite	Microsoft 365 add-in to schedule a meeting, Webex app scheduling/list meeting, Microsoft Teams integration, and Calendar Services scheduling (@webex).	Read and write access to create, update, and delete calendars associated with Webex Meetings. Allows scheduling from Microsoft Teams and add, update, and remove corresponding calendar entries.
Sign in and read user profile.	openid	Automatically included permission required for the Webex Meetings integration to function properly.	Allows Webex to identify users over time and access basic information.

When you authorize Webex for an individual Microsoft 365 account, we request the following permissions:

The following table describes each permission and why it's required.

Permission	Claim value	What information does this give Webex access to?	How is this permission used for Webex Meetings?
Maintain access to data you have given it access to.	offline_access	Allows Webex to access users information in Microsoft without asking for the same permission each time a user performs an action with Webex Meetings integration in Microsoft.	If your app doesn't explicitly request this scope, it won't receive refresh tokens. Maintaining the access is necessary. For example, Webex will call Microsoft APIs to retrieve information such as calendar invites whenever a user is viewing their calendar.
Have full access to your calendars.	Calendars.ReadWrite	Read events in user calendars.	Read calendar events associated with Webex Meetings, as well as the event properties, like time, attendees, subject, and Webex meeting options.
Sign you in and read your profile.	User.Read	Automatically included permission required for the Webex Meetings integration to function properly.	Allows Webex to identify users over time and access basic information.

The above diagram shows the site admin and individual authorization scenarios for Webex Meetings from Microsoft 365.

The site administrator authorizes Webex to access Microsoft 365 administrator tenant data from Cisco Webex Site Administration or Control Hub (optional).
An individual authorizes permission for Webex (if admin doesn’t authorize) and connects their Microsoft account with their Webex account.
Webex subscribes to calendar changes from Microsoft.
A user adds a Webex meeting to a Microsoft Calendar event, updates the time or topic, or copies an event to another date and time.
The Webex add-in service receives Microsoft Calendar notifications and syncs data with Webex.

The list below provides information on the source file and URL for some of the APIs used by the Webex Scheduler.

Graph Operation	Usage
POST /{version}/subscriptions	Create subscription for a specific user to listen and receive change notifications when calendar resource is changed in Microsoft Graph.
DELETE /{version}/subscriptions/{subscriptionId}	Delete a subscription when user signs out or exceeds expiry time.
POST /{tenantId}/oauth2/{version}/token	Get access token of specific tenant ID with Add-in certificate as a credential (in admin authorization mode).
POST /common/oauth2/{version}/token	Get access token of a specific user with refresh token (in admin authorization mode).
GET /{version}/users/{user}/events/{id}	Get graph event properties by event ID.
GET /{version}/users/{user}/events/{id}/instances	Get occurrence/exception instances by event ID with given time range.
GET /{version}/users?$select=email	Get proxy email address for a specific user.
GET /{version}/subscriptions/{subscriptionId}	Get subscription properties by ID.
GET /{version}/me	Get user's proxy address (in individual authorization mode).
GET /{version}/users/{user}/events	List events of a specific user.
PATCH /{version}/subscriptions/{subscriptionId}	Renew subscription for a specific user by extending their expiry time.
GET /{version}/users/{email}	Retrieve the Microsoft UPN to maintain user mapping in Webex.
GET /{version}/organization	To identify if current user's email address from client belongs to the authorized organization.