Microsoft 365 Permissions Requested by Webex
Webex Scheduler Authorization Permissions for Tenant Administrators
When you add an authorization for Webex to a Microsoft tenant, we request the following permissions:
The following table describes each permission and why it's required.
Permission name | Claim value | Permission type | What information does this give Webex access to? | How is this permission used for Webex Meetings? |
---|---|---|---|---|
Read and write calendars in all mailboxes. | Calendars.ReadWrite | Application | Microsoft 365 add-in to schedule a meeting, Webex app scheduling/list meeting, Microsoft Teams integration, and Calendar Services scheduling (@webex). | |
Read directory data. | Directory.Read.All | Application | Required for the People Insights feature and Microsoft Teams integration. | |
Sign in and read user profile. | openid | Delegated | Automatically included permission required for the Webex Meetings integration to function properly. | |
View users' basic profile | profile | Delegated | Automatically included permission required for the Webex Meetings integration to function properly. | |
Read all users’ full profiles. | User.Read.All | Application | Required for the People Insights feature and Microsoft Teams integration. | |
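To check a tenant against the table above, the following added example (not Cisco's or Microsoft's code) compares the permissions granted to the Webex service principal with the documented set and reports anything extra, missing, or granted under a different permission type. The function name `audit_grants`, the input shapes, and the sample grants are assumptions constructed for illustration.

```python
"""Audit granted Microsoft Graph permissions against the documented Webex baseline."""

# Baseline copied from the tenant-administrator table on this page:
# claim value -> permission type.
DOCUMENTED = {
    "Calendars.ReadWrite": "Application",
    "Directory.Read.All": "Application",
    "User.Read.All": "Application",
    "openid": "Delegated",
    "profile": "Delegated",
}


def audit_grants(app_role_names, delegated_grants, baseline=DOCUMENTED):
    """Return deviations between what is granted and what the page documents.

    app_role_names: application permission names, already resolved from the
        service principal's app role assignments (assumed input shape).
    delegated_grants: dicts with a space-separated "scope" string, as in
        Microsoft Graph oauth2PermissionGrant objects.
    """
    granted = {(name, "Application") for name in app_role_names}
    for grant in delegated_grants:
        for scope in (grant.get("scope") or "").split():
            granted.add((scope, "Delegated"))

    unexpected, wrong_type = [], []
    for claim, ptype in sorted(granted):
        if claim not in baseline:
            unexpected.append((claim, ptype))      # not documented at all
        elif baseline[claim] != ptype:
            wrong_type.append((claim, ptype))      # documented, other type
    granted_ok = {c for c, t in granted if baseline.get(c) == t}
    missing = sorted(set(baseline) - granted_ok)   # documented, not granted
    return {"unexpected": unexpected, "wrong_type": wrong_type, "missing": missing}


# Constructed sample data, not taken from a real tenant.
SAMPLE_APP_ROLES = ["Calendars.ReadWrite", "Directory.Read.All", "Mail.ReadWrite"]
SAMPLE_DELEGATED = [
    {"consentType": "AllPrincipals", "scope": "openid profile Calendars.ReadWrite"},
]

if __name__ == "__main__":
    for kind, items in audit_grants(SAMPLE_APP_ROLES, SAMPLE_DELEGATED).items():
        print(f"{kind}: {items}")
```

An `unexpected` entry is the finding to review first, since it is access beyond what this page says the integration requests.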
Webex Scheduler Authorization Permissions for Individual Microsoft 365 Accounts
When you authorize Webex for an individual Microsoft 365 account, we request the following permissions:
The following table describes each permission and why it's required.
Permission | Claim value | What information does this give Webex access to? | How is this permission used for Webex Meetings? |
---|---|---|---|
Maintain access to data you have given it access to. | offline_access | Allows Webex to access users' information in Microsoft without asking for the same permission each time a user performs an action with the Webex Meetings integration in Microsoft. | |
Have full access to your calendars. | Calendars.ReadWrite | Read events in user calendars. | Read calendar events associated with Webex Meetings, as well as the event properties, like time, attendees, subject, and Webex meeting options. |
Sign you in and read your profile. | User.Read | Automatically included permission required for the Webex Meetings integration to function properly. | |
Webex Scheduler Architecture Overview
The above diagram shows the site admin and individual authorization scenarios for Webex Meetings from Microsoft 365.
- The site administrator authorizes Webex to access Microsoft 365 administrator tenant data from Cisco Webex Site Administration or Control Hub (optional).
- An individual authorizes permission for Webex (if the admin doesn’t authorize) and connects their Microsoft account with their Webex account.
- Webex subscribes to calendar changes from Microsoft.
- A user adds a Webex meeting to a Microsoft Calendar event, updates the time or topic, or copies an event to another date and time.
- The Webex add-in service receives Microsoft Calendar notifications and syncs data with Webex.
APIs Used by the Webex Scheduler
The list below provides information on the source file and URL for some of the APIs used by the Webex Scheduler.
Graph Operation | Usage |
---|---|
Create subscription for a specific user to listen and receive change notifications when a calendar resource is changed in Microsoft Graph. | |
Delete a subscription when the user signs out or exceeds the expiry time. | |
Get access token of specific tenant ID with Add-in certificate as a credential (in admin authorization mode). | |
Get access token of a specific user with refresh token (in admin authorization mode). | |
Get graph event properties by event ID. | |
Get occurrence/exception instances by event ID with given time range. | |
Get proxy email address for a specific user. | |
Get subscription properties by ID. | |
Get user's proxy address (in individual authorization mode). | |
List events of a specific user. | |
Renew subscription for a specific user by extending their expiry time. | |
Retrieve the Microsoft UPN to maintain user mapping in Webex. | |
Identify whether the current user's email address from the client belongs to the authorized organization. | |