What is Thread? A Beginner's Guide

Setting Up Your Thread Workspace

Configure Status Mapping in Thread

Pod Configuration in ConnectWise PSA

How to use Thread Pods in ConnectWise PSA

How to Setup ConnectWise PSA Ticketing Integration

Connectwise Permissions Overview

How to Setup Autotask Ticketing Integration

How to Enable Chat and Timepad Insights in Autotask

Setting up an Email Communication Workflow in Autotask

How to Setup HaloPSA Ticketing Integration

Action Mapping Configuration with Thread

Exploring Your Response Options in Halo

Frequently Asked Questions (FAQ)

Auvik

CloudRadial

ConnectWise Automate

ITGlue

TimeZest

Configuring Auto Prioritization

Configuring Auto Categorization

Configuring Ticket Type Categorization

Magic Recap Template Library

Getting Started with Magic Recap

Configuring Magic Title

Magic Title Rule Creation Guide

Flows and Views for Sentiment

Configure Magic Sentiment

Setting up Triage Agent

Introducing Your Service Catalog

Create Your First Intents with Triage Agents

Trigger Powerful Automations with Magic Agents

Intent Creation Assistance

Automate Approvals with Magic Agents

Creating a Workflow to Track Magic Agent Activity

Setting Up Email Support for Magic Agents and Inbox

Getting Started with Triage Agent

Contact Mapping

Voice AI FAQ

How to Set Up and Configure a Voice AI

Configure Reminder Agent

How to use Reminder Agent

Contact Intelligence Overview

Contact Intelligence FAQ

Configure and Personalize Messenger

Create Your Custom Chat App

Deploy and Test Your Custom Chat App

Deploying Messenger

What is the Teams Service App for Customers?

Design a Custom Teams App for Your Customers

How to Deploy the Teams Service App

Embedding CloudRadial in Your Teams App

Cloning a Legacy Teams App

How to Roll Out the Teams Service App to Specific Users

Microsoft Teams 2.0 FAQs

How to Upgrade your Legacy Teams App

How Do I Upload a Teams App Banner?

How to Uninstall the Microsoft Teams Service App

How to Test the Slack Service App in a Sandbox Environment

How to Deploy the Slack Service App to a Customer

Deploying Messenger to Mac

Windows Deploying Messenger via Command Line

How to Deploy Desktop Messenger with SSO

Embedding the Messenger "Chat Bubble" on Your Website

Messenger Portal Auto Authentication

Embedding Messenger on a Landing Page

Standard Chat vs. Chat with SLAs: What's the difference?

How to Override Messenger Branding and Configuration for a Customer

How Configurations and Assets Work in Messenger Chat

Messenger Internationalization (English & French)

Allow New Contacts to Open Chats in Messenger

How to Set Up Support Business Hours in Messenger

How to Disable a Client's Messenger Access

How Do Customers Use Messenger Chat?

Where Can I Find My Thread App ID?

Show all tickets in Chat option plus Excluded Board & Source

How to Add a "Chat Now" Button to Ticket Email Notifications in Your PSA

Create Your First Views

How to Setup Single Sign-on (SSO)

What are Views and Insights?

Avatars

Inbox: Getting Started

Inside Views

Navigating a Thread

Thread Control Panel

Notifications

How to Set Up an On-Call Member to Be Assigned

Creating a Flow to Send a Holiday Out-of-Office Message

How to Setup a SmileBack CSAT Survey

Thread Planner: How-To Guides and FAQs

Save Time Answering Chats with Snippets

How to Create an Email Signature Using Snippets

How to Track Your Time in Inbox

Sending Attachments with Inbox

Accessing & Installing Inbox

Can I Customize the Style of My Messages?

What Shortcuts Can I Use in Inbox?

Managing Members in Thread

Flows

Messenger

Clients

Members

Workspace

Status Automations

Plans & Licenses

Approvals in Inbox

How to Set Up User-Defined Fields (UDFs) in Autotask for Approvals

Inbox Teams

Installing the Internal-Facing Companion App for Teams

Troubleshooting "You Don't Have Permission" Error in Teams

How to Use the Slack Companion App for Service Teams

Installing the Internal-Facing Inbox Companion App for Slack

Craft your White Labeled Thread Customer Rollout Campaign

Can I Get a Custom Teams or Slack Support App?

Multi-Language and Internationalization Support

How Notifications Work for your Customers

How to Manage Your Inbox Notifications

How Notifications Work for your Team

AI Privacy & Security Overview

Data & Encryption

What if my organization has IP or domain restrictions?

List of Sub-Processors

Accessing Thread invoice history and billing information

Microsoft Teams App Permissions

Slack Permissions Guide

All Categories > Security & Billing > Microsoft Teams App Permissions

Microsoft Teams App Permissions

Updated 11 hours ago by Jake Gipson

Microsoft Teams App Permissions

Concept

Thread installs a single enterprise application in Microsoft Entra ID to power all Teams and SSO functionality. Admin consent is required once during onboarding. Thread uses Delegated permissions during initial setup and Application permissions for ongoing operations, ensuring users are never prompted for permissions after the initial configuration.

Overview

Thread integrates deeply with Microsoft 365 through two connected applications that provide a seamless experience between Teams and Thread Inbox:

Service App: Installed in your clients' Teams environment, allowing end-users to chat with your service team and submit tickets.
Companion App: Installed in your internal Teams environment, allowing technicians to receive notifications and manage workflows.

All permissions, sign-in behaviors, and Graph API access flow through one central Entra ID application.

Why Thread Needs Permissions

Thread uses Microsoft Graph to perform secure, automated actions. These permissions are required to:

Install the Thread Teams app for users.
Enable secure Microsoft SSO for technicians and clients.
Power file sharing, message routing, and chat-based workflows.
Ensure the integration stays active without being tied to a specific individual's admin account.

Types of Permissions

Delegated Permissions: Used primarily during onboarding to bootstrap tenant-level setup and upload the app to your catalog. These act "as the admin" during the initial configuration.
Application Permissions: Used for ongoing operations. These allow Thread to run Teams actions and access Microsoft Graph independently, ensuring stability even if the original admin account is deactivated.
Microsoft Single Sign-On (SSO): Thread uses your Microsoft 365 identity for secure login. It only requests permissions already granted to the enterprise app to ensure a seamless experience.

Permissions Reference Table

Each permission below is requested through Microsoft Graph using the principle of least privilege.

Permission	Type	Purpose / What it Allows	Used By
AppCatalog.Read.All	Application	Validates if the Thread Service App is already installed in the organization's catalog.	Service App
AppCatalog.ReadWrite.All	Delegated	Uploads, updates, or removes Thread apps in the Teams catalog.	Service App
Channel.Create	Application	Creates Teams channels for dynamic or automated workflows (e.g., per-ticket flows).	Companion App
Channel.Delete.All	Application	Automatically deletes temporary or dynamic channels when a Thread is closed.	Companion App
Channel.ReadBasic.All	Application	Identifies existing channels and routes messages correctly for workflows.	Companion App
Chat.Create	Application	Starts new 1:1 or group chats between members, contacts, or automations.	Service App
Chat.ReadWrite.All	Application	Enables full chat functionality (sending/editing messages) between Thread and Teams.	Service App
ChatMember.ReadWrite.All	Application	Manages participants by adding or removing the correct users from chats.	Service App
ChatMessage.Read.All	Application	Reads chat messages to detect file attachments (required for display inside Thread).	Service App
Domain.Read.All	Application	Reads domain info to assign default domains to dummy users (required for iOS/mobile compatibility).	Service App
email	Delegated	Reads the user's primary email address for identity and account linking.	Both
Files.Read.All	Application	Allows viewing and attaching Microsoft 365 files within Thread Inbox/PSA tickets.	Service App
Group.Read.All	Application	Enables SSO and helps Thread understand team structure and membership.	Companion App
offline_access	Delegated	Maintains continuous access to data without requiring repeated re-authentication.	Both
openid	Delegated	Required for Microsoft SSO; allows users to sign in with basic profile info.	Both
Organization.Read.All	App/Del	Retrieves tenant metadata to validate configuration during and after onboarding.	Both
profile	Delegated	Accesses basic profile data (name, picture, username) for SSO accuracy.	Both
Sites.Read.All	Application	Downloads files from SharePoint for sharing between Teams and Thread.	Service App
Team.ReadBasic.All	Application	Identifies Teams your users belong to (for future Flow functionality).	Companion App
TeamsAppInstallation.ReadWriteAndConsentForChat	Application	Automatically installs Thread Service Apps into Teams group chats.	Service App
User.Read	Delegated	Required for basic Microsoft SSO authentication.	Both
User.Read.All	Delegated	Retrieves user details and avatars to map Teams users to Thread users.	Both
User.ReadWrite.All	Application	Creates dummy members for group chats when needed for mobile compatibility.	Service App

How did we do?

(opens in a new tab)

Microsoft Teams App Permissions

Microsoft Teams App Permissions

Concept

Overview

Why Thread Needs Permissions

Types of Permissions

Permissions Reference Table

How did we do?

Related Articles Installing the Internal-Facing Companion App for Teams How to Deploy the Teams Service App Troubleshooting "You Don't Have Permission" Error in Teams

Contact

Related Articles

Installing the Internal-Facing Companion App for Teams

How to Deploy the Teams Service App

Troubleshooting "You Don't Have Permission" Error in Teams