Why AB Projects Requires Microsoft Graph Permissions

Microsoft Graph Permissions Used by AB Projects

AB Projects integrates with Microsoft Teams and Outlook to provide collaborative task management and calendar scheduling. Below are the Microsoft Graph API permissions the app uses and why. The authoritative, current list is always what your Microsoft 365 administrator sees on the consent screen and in Microsoft Entra ID → App registrations → API permissions — if anything here differs, that is the source of truth.

| Permission | Type | Why AB Projects needs this |
| --- | --- | --- |
| Calendars.ReadWrite | Delegated | Lets AB Projects create and update an Outlook calendar event for a task on your behalf when you sync a task to your calendar (time-blocking). Requested at sign-in so no extra consent prompt is needed later. |
| Channel.ReadBasic.All | Delegated | Reads basic Teams channel information so a project can be linked to the correct channel during tab setup and the channel context is shown correctly. |
| ChannelMessage.Read.All | Delegated | Reads messages in a Teams channel the app is used in, to relate channel thread activity to the corresponding task. |
| ChannelMessage.Read.All | Application | Lets the bot read channel thread replies without a signed-in user, so replies in a task's Teams thread can be synced back to the task as comments. |
| ChannelMessage.ReadWrite | Delegated | Allows reading and posting channel messages so task comments and changes can be posted into the task's Teams thread. |
| ChannelMessage.Send | Delegated | Posts the Adaptive Card to the linked channel when a comment is added or a task changes (including @mentions of selected members). |
| email | Delegated | Reads your email address to associate your Microsoft 365 identity with task assignments, comments, and calendar events. |
| Group.Read.All | Delegated | Reads the Microsoft 365 groups / Teams you belong to. Used for project ↔ channel linking and for the automatic channel-roster sync that adds channel members to the project. |
| offline_access | Delegated | Allows refresh tokens so the app can keep working (e.g. calendar sync, background tasks) without prompting you to sign in again each time the access token expires. |
| openid | Delegated | Used for authentication and single sign-on (SSO) via the Microsoft Identity Platform within Teams and on the web. |
| profile | Delegated | Reads basic profile info (name, avatar) to personalize AB Projects and show task ownership clearly. |
| Team.ReadBasic.All | Delegated | Reads basic information about the Teams teams you belong to, so a project can be associated with the correct team/channel. |
| Teamwork.Migrate.All | Application | Supports Teams message import/migration scenarios via background jobs. This is an infrastructure-level capability and may not be exposed as a user-facing feature. |
| User.Read | Delegated | Required for sign-in and reading your Microsoft 365 profile. Essential for any app using Microsoft Identity. |

Why these permissions are needed

AB Projects uses these permissions to deliver its core functionality:

  • Task creation, assignment, and commenting inside Microsoft Teams, with comments and changes posted to (and replies synced back from) the channel thread.
  • Automatic project membership that follows the connected Teams channel roster.
  • Scheduling a task into your Outlook calendar when you choose to.
  • Sign-in and identity via Microsoft SSO (Microsoft Entra ID).

Most access is delegated — it acts as the signed-in user and is limited to what that user can already do. A small number of application permissions are used by the AB Projects bot to post task activity to the channel and to sync thread replies back to tasks without an interactive user. AB Projects does not request access to your mailbox contents or files, and it only writes to your calendar when you explicitly sync a task. Microsoft 365 administrators can review or revoke these permissions at any time in Microsoft Entra ID.
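
As an added example (not AB Projects' own code), the Python below shows how an administrator reviewing these permissions could compare what the tenant has actually granted against the table on this page. It assumes the grant objects were exported from Microsoft Graph (the `oauth2PermissionGrants` and `appRoleAssignments` of the app's service principal); the function names, sample data and placeholder GUIDs are constructed for illustration.

```python
# Baseline transcribed from the permission table on this page: (permission, type).
DOCUMENTED = {
    ("Calendars.ReadWrite", "Delegated"), ("Channel.ReadBasic.All", "Delegated"),
    ("ChannelMessage.Read.All", "Delegated"), ("ChannelMessage.Read.All", "Application"),
    ("ChannelMessage.ReadWrite", "Delegated"), ("ChannelMessage.Send", "Delegated"),
    ("email", "Delegated"), ("Group.Read.All", "Delegated"),
    ("offline_access", "Delegated"), ("openid", "Delegated"),
    ("profile", "Delegated"), ("Team.ReadBasic.All", "Delegated"),
    ("Teamwork.Migrate.All", "Application"), ("User.Read", "Delegated"),
}

def granted_permissions(oauth2_grants, app_role_assignments, role_names):
    """Flatten Graph grant objects into a set of (permission, type) pairs."""
    granted = set()
    for grant in oauth2_grants:
        # oauth2PermissionGrant.scope is a space-separated list of delegated scopes.
        for scope in grant.get("scope", "").split():
            granted.add((scope, "Delegated"))
    for assignment in app_role_assignments:
        # appRoleAssignment carries only a GUID; role_names maps it to the role value.
        role_id = assignment["appRoleId"]
        granted.add((role_names.get(role_id, "unresolved:" + role_id), "Application"))
    return granted

def audit(granted, documented=DOCUMENTED):
    """Report drift between what the tenant granted and what the page documents."""
    return {
        "undocumented": sorted(granted - documented),  # granted but not in the table
        "not_granted": sorted(documented - granted),   # in the table but not consented
    }

# Constructed sample data in the shape Graph returns; the GUIDs are placeholders.
SAMPLE_GRANTS = [{"consentType": "AllPrincipals", "scope":
    "openid profile email offline_access User.Read Calendars.ReadWrite "
    "Channel.ReadBasic.All ChannelMessage.Read.All ChannelMessage.ReadWrite "
    "ChannelMessage.Send Group.Read.All Team.ReadBasic.All Mail.Read"}]
SAMPLE_ROLE_NAMES = {"00000000-0000-0000-0000-00000000000a": "ChannelMessage.Read.All",
                     "00000000-0000-0000-0000-00000000000b": "Teamwork.Migrate.All"}
SAMPLE_ASSIGNMENTS = [{"appRoleId": "00000000-0000-0000-0000-00000000000a"},
                      {"appRoleId": "00000000-0000-0000-0000-00000000000c"}]

if __name__ == "__main__":
    report = audit(granted_permissions(SAMPLE_GRANTS, SAMPLE_ASSIGNMENTS, SAMPLE_ROLE_NAMES))
    for kind, items in report.items():
        for name, ptype in items:
            print(f"{kind}: {name} ({ptype})")
```

An entry under `undocumented` is the case to investigate first: a scope or app role the tenant has granted that the table above does not list, including any app role GUID that could not be resolved to a name.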

Published on 2025-07-14
Last updated on 2026-05-18
Version 4