Microsoft Permissions for the Enterprise Portal


WATCH VIDEO: These instructions are also available in video form here. Once you have seen them presented, the instructions below will feel more intuitive.

ConnecttoTeams performs certain limited tasks with the Microsoft Global Administrator's consent. These tasks allow automated provisioning via PowerShell of Direct Routing, user calling activation and Teams application setup in Microsoft.

The initial request when the Microsoft Enterprise Global Administrator is asked for permission looks like this:

ConnecttoTeams requires the Microsoft Global Admin to grant the permissions that are shown above and explained below. With the consent selected, delegated authorization can be granted to other Microsoft users in the tenant. Specifically, this allows users who hold the Teams Administrator role to act as enterprise admin in the ConnecttoTeams Enterprise Portal.

Permission flow is as follows:

  • During enterprise registration, Global Admin credentials are required for the first sign in to the EPP (Registration - pictured above).

  • The ConnecttoTeams Enterprise Portal will ask for the following permissions, which require Microsoft Global Admin consent before they can be used by non-Global Admin users:

Permission: Access Microsoft Teams and Skype for Business data as the signed in user
Purpose: Allows the app to have the same access to information in the directory as the signed-in user.

Permission: Read and write directory data
Purpose: Allows the app to read and write data in your organization's directory, such as users and groups. It does not allow the app to delete users or groups, or reset user passwords.

Permission: Access the directory as you
Purpose: Allows the app to read the organization and related resources, on behalf of the signed-in user. Related resources include things like subscribed SKUs and tenant branding information.

Permission: Manage your installed Teams apps
Purpose: Allows the app to install and delete the Teams application (Azure Enterprise Application) you build to extend the PBX into Teams.

Permission: Read organization information
Purpose: Allows the app to read the organization and related resources, on behalf of the signed-in user. Related resources include things like subscribed SKUs and tenant branding information.

Permission: Read and write all users' full profiles
Purpose: Allows the app to read and write the organization and related resources, on behalf of the signed-in user. Related resources include things like subscribed SKUs and tenant branding information.

Permission: Maintain access to data you have given it access to
Purpose: Allows the permission to access data to persist beyond the current login session.

Permission: Full access to the Skype Remote PowerShell
Purpose: Allows the application full access to the Skype Remote PowerShell Azure services to provision Direct Routing and Teams users on behalf of the signed-in user.

After this initial set of permissions is granted, the Microsoft Global Admin will be prompted to log in again. A second set of application permissions will appear:

Permission: Read all users' full profiles
Purpose: Allows the app to read user profiles without a signed-in user.

Permission: Sign in and read user profile
Purpose: Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.

Once you grant these permissions, you will be logged into the ConnecttoTeams Enterprise Portal.

Additional Permissions

1. Contact Service

This is optional. It syncs Outlook and Microsoft organization contacts that have mobile numbers to a Teams user. Granting permission to access contacts enables the PBX Connector, CallApp and SMS to show contact names instead of phone numbers when a contact match is found.

2. Presence Sync Permissions

If the enterprise plans on using the presence sync option, they will also need to grant the permission described here.

In the ConnecttoTeams Enterprise Portal, certain tasks can be performed by the Microsoft Global Admin only, and some tasks can be performed by Teams users with the Teams Administrator role.

The table below shows which credentials have what authority:

Task                            Microsoft Global Admin    Microsoft Teams Service Admin & Skype Admin (both)
Initial Enterprise Reg.         YES                       NO
Setup Direct Routing            YES                       NO
Setup/Manage PBX                YES                       YES
Setup/Manage TM Users           YES                       YES
Add/Delete Teams App            YES                       NO
Setup/Manage End User Portal    YES                       YES
Setup/Manage Feature Codes      YES                       YES

  • The Microsoft Global Admin must consent to the permissions listed at the top of this article to allow ConnecttoTeams to execute PowerShell commands on the organization's behalf.

If the Global Admin does not consent on the organization's behalf, subsequent logins will fail for non-Global Admin users.

Once the Microsoft Global Admin has granted consent, Teams Service Admin / Skype for Business Admin users logging in to the Enterprise Portal will not be asked to consent to further permissions.

3. Consent to Allow Management by Service Provider

With the release of ConnecttoTeams 2.6.0, the Enterprise Admin can grant consent for the service provider to perform Enterprise Provisioning actions.

ConnecttoTeams requires the Microsoft Global Admin to grant the permissions shown and explained below.

Permission: Allow the Teams app to manage only its own tabs for all users
Purpose: Allows a Teams app to read, install, upgrade, and uninstall its own tabs for any user, without a signed-in user.

Permission: Allow the Teams app to manage only its own tabs for all teams
Purpose: Allows a Teams app to read, install, upgrade, and uninstall its own tabs in any team, without a signed-in user.

Permission: Read and write to all app catalogs
Purpose: Allows the app to create, read, update, and delete apps in the app catalogs without a signed-in user.

Permission: Send a teamwork activity to any user
Purpose: Allows the app to create new notifications in users' teamwork activity feeds without a signed-in user. These notifications may not be discoverable or be held or governed by compliance policies.

Permission: Read and write organization information
Purpose: Allows the app to read and write the organization and related resources, without a signed-in user. Related resources include things like subscribed SKUs and tenant branding information.

Permission: Read and write all users' full profiles
Purpose: Allows the app to read and update user profiles without a signed-in user.

Permission: Read and write domains
Purpose: Allows the app to read and write all domain properties without a signed-in user. Also allows the app to add, verify and remove domains.

Permission: Read all users' teamwork activity feed
Purpose: Allows the app to read all users' teamwork activity feed, without a signed-in user.

Permission: Deliver and manage all user's notifications
Purpose: Allows the app to send, read, update and delete users' notifications, without a signed-in user.

Permission: Create channels
Purpose: Create channels in any team, without a signed-in user.

Permission: Delete channels
Purpose: Delete channels in any team, without a signed-in user.

Permission: Read and write the names, descriptions, and settings of all channels
Purpose: Read and write the names, descriptions, and settings of all channels, without a signed-in user.

Permission: Get a list of all teams
Purpose: Get a list of all teams, without a signed-in user.

Permission: Read and change all teams' settings
Purpose: Read and change all teams' settings, without a signed-in user.

Permission: Add and remove members from all channels
Purpose: Add and remove members from all channels, without a signed-in user. Also allows changing a member's role, for example from owner to non-owner.

Permission: Manage Teams apps for all teams
Purpose: Allows the app to read, install, upgrade, and uninstall Teams apps in any team, without a signed-in user. Does not give the ability to read application-specific settings.

Permission: Manage Teams apps for all users
Purpose: Allows the app to read, install, upgrade, and uninstall Teams apps for any user, without a signed-in user. Does not give the ability to read application-specific settings.

Permission: Allow the Teams app to manage itself for all teams
Purpose: Allows a Teams app to read, install, upgrade, and uninstall itself in any team, without a signed-in user.

Permission: Allow the app to manage itself for all users
Purpose: Allows a Teams app to read, install, upgrade, and uninstall itself for any user, without a signed-in user.

Permission: Create teams
Purpose: Allows the app to create teams without a signed-in user.

Permission: Add and remove members with non-owner role for all teams
Purpose: Add and remove members from all teams, without a signed-in user. Does not allow adding or removing a member with the owner role. Additionally, does not allow the app to elevate an existing member to the owner role.

Permission: Sign in and read user profile
Purpose: Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.

In the second step, the Enterprise Admin needs to grant consent to the ConnecttoTeams RBAC Management App. The permissions consented to here are used only by the logged-in Enterprise Admin to set up the grants for Enterprise Management that are requested in the first step.
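The two consent screens above grant two different kinds of permission: the delegated ones act "as the signed-in user" and are useful to Teams Administrators only if the Global Admin consented for the whole organization, while the application ones act "without a signed-in user" and run with tenant-wide reach. The following Microsoft Graph PowerShell script is an added example, not code from the ConnecttoTeams documentation or product; an enterprise admin can run it after consenting to confirm exactly which permissions the application holds and whether the delegated ones were admin-consented for all users, then compare the output with the Permission lines in this article. It assumes the Microsoft.Graph PowerShell SDK is installed and that the enterprise application's display name is "ConnecttoTeams"; adjust the name to what your tenant shows under Enterprise applications.

```powershell
# Added example, not part of the ConnecttoTeams documentation or product.
# Lists every delegated and application permission actually consented to for an
# enterprise application, so the result can be compared line by line with the
# permission tables in this article. Requires the Microsoft.Graph PowerShell SDK
# (Install-Module Microsoft.Graph.Applications). Only read-only scopes are used.

function Get-AppConsentReport {
    param(
        # ASSUMPTION: the display name of the enterprise application as shown
        # under Entra ID > Enterprise applications. Adjust to match your tenant.
        [Parameter(Mandatory)]
        [string]$AppDisplayName
    )

    $sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
    if (-not $sp) {
        throw "No service principal named '$AppDisplayName' found in this tenant."
    }

    # Delegated permissions: the "on behalf of the signed-in user" grants from the
    # first consent screen. ConsentType 'AllPrincipals' means a Global Admin
    # consented for the whole organization, which is what lets Teams
    # Administrators sign in later without a further consent prompt;
    # 'Principal' means a single user consented only for themselves.
    foreach ($grant in Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id) {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $grant.ResourceId
        foreach ($scope in ($grant.Scope -split ' ' | Where-Object { $_ })) {
            [pscustomobject]@{
                Type        = 'Delegated'
                Resource    = $resource.DisplayName
                Permission  = $scope
                ConsentType = $grant.ConsentType
            }
        }
    }

    # Application permissions: the "without a signed-in user" grants from the
    # service-provider consent screen. Each one is an app role assignment on the
    # resource service principal (for example Microsoft Graph); the role's Value
    # is the permission name, and these always require admin consent.
    foreach ($assignment in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id) {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
        $role = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
        [pscustomobject]@{
            Type        = 'Application'
            Resource    = $resource.DisplayName
            Permission  = $role.Value
            ConsentType = 'AdminConsent'
        }
    }
}

# Usage: sign in with read-only directory scopes, then review the report.
# 'ConnecttoTeams' is a placeholder display name; see the ASSUMPTION above.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'
Get-AppConsentReport -AppDisplayName 'ConnecttoTeams' |
    Sort-Object Type, Resource, Permission |
    Format-Table -AutoSize
```

Any Delegated row whose ConsentType is not AllPrincipals explains the login failures for non-Global Admin users described earlier in this article, and any Application row that does not correspond to a Permission line on this page is worth raising with the service provider before the grant is left in place.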

4. Debug Call Consent

Additional permissions will be requested from the Enterprise Admin for the ConnecttoTeams CDR Application on the enterprise dashboard, as well as when the service provider clicks "Debug Call" from the Service Portal dashboard. This allows the service provider to help investigate call issues.

Permission: Read all call records
Purpose: Allows the app to read call records for all calls and online meetings without a signed-in user.

Permission: Read PSTN and direct routing call log data
Purpose: Allows the app to read all PSTN and direct routing call log data without a signed-in user.

This permission is optional, but it gives ConnecttoTeams more ability to help with troubleshooting.

Suggested Further Reading

  • For interactive searching of permissions, see Permissions Viewer.

  • To know more about allowing non-Global Admins to be enterprise admins in the ConnecttoTeams Service Portal, click here.