Office 365 Permissions and Explanations
Place.Read.All
Read all company places Place.Read.All.
What access does it grant to Lens?
This permission allows Lens to query the list of Room Calendars you’ve defined in your Office 365 Account. See additional information on Office 365 room mailboxes.
What information does this allow Lens to view?
Lens views the display name of the room and the email address of the calendar assigned to the room that was configured in the Office 365 account.
- Permission scope: all room properties this grant exposes are listed here.
- Lens usage scope: only the [id, emailAddress, displayName] properties are requested by Lens.
Why does Lens request this permission?
Lens makes this request to Office 365 to populate a dropdown list of room calendars so the Lens user can select the appropriate calendar when associating it with a Lens Room.
- Lens persistence: this data is not stored in Lens.
Can I revoke this permission?
Yes.
-
Impact: if revoked, the dropdown list will not be populated by available room calendars in the Lens interface. A user must manually enter a calendar address in the Lens interface to associate a calendar to a Lens room and Lens will not be able to verify the address entered by the user is valid.
Calendars.Read
Read calendars in all mailboxes Calendars.Read.
What access does it grant to Lens?
This permission allows Lens to read all details of calendar events for calendars in your organization.
- Lens will NEVER attempt to view any calendar in your Office 365 account that you have not explicitly associated to a room in your Lens account.
- This permission can be further restricted using additional controls to limit the specific calendars that Lens can access (see below).
What information does this allow Lens to view?
- Permission scope: all calendar event properties this grant exposes are listed here.
- Lens usage scope: only the [id,uid,start,end,body,createdDateTime,lastModifiedDateTime,changeKey,transactionId,originalStartTimeZone,originalEndTimeZone,isCancelled,subject,bodyPreview,isAllDay,seriesMasterId,type,webLink,onlineMeetingUrl,isOnlineMeeting,onlineMeetingProvider,onlineMeeting,occurrenceId,recurrence,exceptionOccurrences,cancelledOccurrences,instances,attendees,organizer,extensions] properties are requested by Lens.
- Lens requests the event body to scan for online meeting providers such as Microsoft Teams or Zoom by detecting meeting invitations to provide provider usage insights to the customer. The content of the body is not stored and is discarded immediately.
- Lens uses requests the event organizer and attendees to make a participant count for room usage insights and attendance meeting rates for the Lens customer. The participant’s names and email addresses are not stored and are discarded immediately. The organizer (name and email) is retained to be displayed on the Lens interface so the meeting owner can be ascertained by the Lens user.
Why does Lens request this permission?
Lens uses this permission to generate powerful insights on average meeting headcounts, meeting run time, meetings that started late, statistics on rooms hosting unscheduled meetings, statistics on no-show meetings, room utilization and capacity analysis, and online meeting provider usage. Additional insights will be added in the future.
- Lens persistence: sensitive data [body, subject, meeting attendees] is discarded immediately and not stored in Lens. Only non-sensitive data [id,type,start,end,recurrence,instances,headcounts] are stored for insight generation. The organizer is retained to be displayed on the Lens interface so the meeting owner can be ascertained by the Lens user.
Can I revoke this permission?
Yes, but only if Calendar.ReadBasic.All is not revoked.
- Impact: if revoked, room insights that Lens generates will be reduced. No insights for meeting headcounts, meeting participant headcounts in relation to room capacity, or meeting provider usage will be available.
Calendars.ReadBasic.All
Read basic details of calendars in all mailboxes Calendars.ReadBasic.All.
What access does it grant to Lens?
This permission allows Lens to read basic details of calendar events for calendars in your organization. It exposes only a subset of properties that the Calendars.Read permission exposes.
What information does this allow Lens to view?
- Permission scope: the calendar event properties listed here, excluding [body,bodyPreview,subject,webLink,onlineMeetingUrl,onlineMeetingProvider,onlineMeeting,attendees,organizer, extensions]
- Lens usage scope: only the [id,uid,start,end,createdDateTime,lastModifiedDateTime,changeKey,transactionId,originalStartTimeZone,originalEndTimeZone,isCancelled,isAllDay,seriesMasterId,type,occurrenceId,recurrence,exceptionOccurrences,cancelledOccurrences,instances] properties are requested by Lens.
Why does Lens request this permission?
Lens uses this permission to generate basic insights on meeting run time, meetings that started late, statistics on rooms hosting unscheduled meetings, statistics on no-show meetings and basic room utilization analysis. More advanced insights will be generated through the Calendars.Read permission.
- Lens persistence: only non-sensitive data [id,type,start,end,recurrence,instances] are stored for insight generation.
Can I revoke this permission?
No.
User.Read
Sign in and read user profile User.Read.
What access does it grant to Lens?
This permission is required by Microsoft to perform the initial integration.
What information does this allow Lens to view?
Used by Microsoft and Lens to determine whether or not the Office 365 account used to perform the initial integration is a global admin or not. If not a global admin it will be automatically rejected by Microsoft.
Why does Lens request this permission?
Lens does not request this permission. It is automatically appended by Microsoft and provides Lens with no information.
Can I revoke this permission?
No.
Additional Controls
Revoking Lens Permissions After Initial Integration
Note: this will cause side effects or completely break the integration based on which permissions get revoked
Limiting Lens Access to Specific Mailboxes
Note: Lens will not attempt to access any mailbox that was not explicitly associated to a Room by the customer