FAQ about permissions to Azure Active Directory


The system requests broad read/write access. What does this allow?

Copious documentation on Directory.ReadWrite.All, including what can (and cannot) be done with it, can be found here: https://learn.microsoft.com/en-us/graph/permissions-reference#remarks-5.

In general, this permission allows creating and modifying user and group information, assigning licenses, and a variety of other things. The Graph permission model is granular enough that the set of permissions needed to perform all the actions required for provisioning and operating our service reduces to Directory.ReadWrite.All.

We also obtain Teams Administrator permissions to make changes specifically in Teams (e.g., creating voice routing policies and assigning them to users).

What is NOT allowed?

The list of things that are not available (or can’t be done) include:

  1. Credentials. Directory.ReadWrite.All does not allow resetting passwords. Furthermore, Microsoft Graph does not expose any password info, hashed or otherwise. We don’t store any Microsoft credentials, ever.

  2. Deleting. Directory.ReadWrite.All does not allow deleting any resources, including Users and Groups.

  3. Security settings. Directory.ReadWrite.All does not permit changes regarding security settings or other permissions, nor does it allow granting of any access to anyone/anything else.

Why does ConnecttoTeams need these permissions?

There are two general areas where these permissions are required: Direct Routing setup and ongoing user phone assignment/management. All these actions require an active Admin Session (authenticated directly with Microsoft) unless a specific additional grant has been made to allow Application permissions.

Direct Routing Setup

  1. We create a domain in Teams (the “direct routing domain”) such as cust1234.sbc.connecttoteams.com and validate this via our DNS to Microsoft’s satisfaction. This is done via Graph API.

  2. We create a user named “Direct Routing User” on that domain with UPN [email protected] and assign Phone System and Teams licenses (also via Graph API). This user does not need login capability. It is only needed to “anchor” the DR domain, and the licensing is required by Microsoft for setting up the rest of the elements. Once Direct Routing setup is complete, the licenses can be reclaimed (but the Direct Routing user must remain).

  3. We then configure voice routes, PSTN Usages, Dial Plan/Rules, and voice routing policy in Teams to complete the necessary voice route setup. These steps are completed using PowerShell, with authentication derived from the Admin User session via delegated authority.

User Phone Management (ongoing)

  1. We assign the phone number, Voice Routing Policy and Dial Plan Policy to a user via PowerShell.

  2. We modify the call answering settings for the user (if the customer chooses to disable Teams Voicemail).

How can we monitor for Abnormal/Bad behavior?

Microsoft Entra logging will show the Initiator of any action, which would be one of the Enterprise Applications with permissions (such as “Connect to Teams Enterprise Provisioning Portal”). These logs can be fed to Microsoft Log Analytics to allow you to alert on any action undertaken by the apps. See https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-analyze-activity-logs-log-analytics. These actions should be infrequent.
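To make the alerting concrete, here is an added Python example (not code from ConnecttoTeams or Microsoft) that applies the kind of rule you would run in Log Analytics to a handful of constructed Entra audit records: any action the provisioning app takes outside the operations this FAQ describes, or any burst of app activity, is flagged. The app display name is the one named above; the operation names, sample records and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

APP = "Connect to Teams Enterprise Provisioning Portal"   # from the FAQ
WATCHED_APPS = {APP}
# Operations the provisioning flow is expected to perform (assumed audit names)
EXPECTED_OPS = {"Add verified domain", "Add user", "Update user", "Change user license"}
RATE_WINDOW = timedelta(hours=1)
RATE_LIMIT = 10          # assumed threshold; provisioning actions should be infrequent


def _app_name(record):
    return (record.get("initiatedBy") or {}).get("app", {}).get("displayName")


def _when(record):
    return datetime.fromisoformat(record["activityDateTime"].replace("Z", "+00:00"))


def detect(records):
    """Return alerts for watched-app actions that are unexpected or bursty."""
    alerts, per_app_times = [], defaultdict(list)
    for rec in sorted(records, key=_when):
        app = _app_name(rec)
        if app not in WATCHED_APPS:
            continue                      # human admins and other apps are out of scope
        op = rec["activityDisplayName"]
        targets = [t.get("userPrincipalName") or t.get("displayName")
                   for t in rec.get("targetResources", [])]
        if op not in EXPECTED_OPS:        # e.g. a deletion or password reset by the app
            alerts.append({"reason": "unexpected_operation", "app": app, "op": op, "targets": targets})
        times = per_app_times[app]
        times.append(_when(rec))
        while times and _when(rec) - times[0] > RATE_WINDOW:   # sliding one-hour window
            times.pop(0)
        if len(times) == RATE_LIMIT + 1:  # fire once when the threshold is first crossed
            alerts.append({"reason": "burst", "app": app, "op": op, "count": len(times)})
    return alerts


def _rec(ts, op, by_app=True, target="drbot@example.com"):
    """Build a constructed record in the shape of an Entra directoryAudit entry."""
    initiator = {"app": {"displayName": APP}} if by_app else {"user": {"userPrincipalName": "admin@example.com"}}
    return {"activityDateTime": ts, "activityDisplayName": op, "result": "success",
            "initiatedBy": initiator, "targetResources": [{"userPrincipalName": target}]}


SAMPLE_LOGS = [  # constructed sample data, not from a real tenant
    _rec("2024-05-01T09:00:00Z", "Add verified domain"),
    _rec("2024-05-01T09:05:00Z", "Add user"),
    _rec("2024-05-01T09:06:00Z", "Change user license"),
    _rec("2024-05-01T09:30:00Z", "Reset user password", by_app=False),   # a human admin: ignored
    _rec("2024-05-01T10:00:00Z", "Delete user"),                          # app should never do this
] + [_rec(f"2024-05-01T13:{m:02d}:00Z", "Update user") for m in range(12)]  # burst of 12 in 12 minutes
```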

Similarly, Teams allows you to enable logging via Microsoft Purview. See https://learn.microsoft.com/en-us/purview/audit-teams-audit-log-events?bc=%2Fmicrosoftteams%2Fbreadcrumb%2Ftoc.json&toc=%2Fmicrosoftteams%2Ftoc.json#turn-on-auditing-in-teams. These actions would be more frequent.