Microsoft Teams App Permissions
TL;DR
- Thread installs one enterprise app in Microsoft Entra ID for all Teams + SSO functionality.
- Admin consent is required once during onboarding.
- Thread uses Delegated permissions only during setup and Application permissions for all ongoing operations.
- If new Teams features require new Graph permissions, the admin will simply need to reauthorize the app.
- End users will never be prompted for permissions.
Overview
Thread integrates deeply with Microsoft Teams and Microsoft 365. To do that safely and reliably, your Microsoft Entra tenant installs a single enterprise application that handles:
- The Thread Teams app
- The Thread Companion app
- Thread’s Microsoft SSO
All permissions, sign-in behavior, and Graph API access flow through this one app.
This document explains what those permissions are and why they’re required.
Why Thread Needs Permissions
Thread uses Microsoft Graph to perform secure, automated actions inside your tenant.
Examples include:
- Installing the Thread Teams app for your users
- Allowing users to sign in with Microsoft SSO
- Enabling Inbox, Messenger, and other Teams-powered functionality
- Keeping bots and integrations active without tying them to any one admin account
Microsoft requires a tenant administrator to approve these capabilities — which is why onboarding includes an admin consent step.
Once approved, no user in your organization will see a permissions prompt again.
Types of Permissions Thread Uses
Thread uses two types of Microsoft Entra permissions to safely interact with your Teams environment: Delegated Permissions and Application Permissions. Each serves a different purpose in the integration. If the app ever needs additional permissions, only the tenant admin will be prompted — never end users.
Delegated Permissions
These permissions are granted once, during onboarding.
Used for:
- Installing Thread into your Teams app catalog
- Bootstrapping tenant-level setup
Delegated permissions act “as the admin” for a few setup tasks.
After that, Thread does not rely on a user account.
Application Permissions
After setup, Thread primarily uses application-level permissions, which allow the system to act as the Thread application itself.
Used for:
- Running all Teams actions
- Accessing Microsoft Graph without depending on any user
- Ensuring Thread continues working even if the original admin account changes or is deactivated
This is what keeps Thread stable and prevents repeated consent prompts for your users.
Microsoft Single Sign-On (SSO)
Thread uses Microsoft SSO so your users can sign in securely using their Microsoft 365 identity.
To avoid unnecessary prompts for your users:
- The SSO connector requests only the permissions already granted to the Thread enterprise app
- This ensures a seamless sign-in experience across Inbox, Messenger, and the Teams app
Permissions
Below is a complete list of permissions the Thread Teams integration requests, along with what each permission enables and why it’s required.
Permission | What It Allows | Why Thread Needs It |
AppCatalog.Read.All | View apps in the Teams app catalog | Validate whether Thread is installed in your tenant |
AppCatalog.ReadWrite.All | Add/update/remove apps | Install and update the Thread Teams app |
Channel.Create | Create Teams channels | Create channels for collaboration workflows |
Channel.Delete.All | Delete channels | Clean up channels created by automations |
Channel.ReadBasic.All | Read basic channel info | Identify existing channels and route messages correctly |
Chat.Create | Start new 1:1 or group chats | Enable chat-based workflows initiated from Thread |
Chat.ReadWrite.All | Read, send, and edit chat messages | Enable full chat functionality between Thread and Teams |
ChatMember.ReadWrite.All | Manage chat members | Add/remove the right participants in chats |
ChatMessage.Read.All | Read chat messages | Display chat context inside Thread |
Domain.Read.All | View tenant domains | Confirm tenant identity and match domains |
 | Access user email address | Match Microsoft users to Thread users |
Files.Read.All | Read files users can access | Allow viewing/attaching Microsoft 365 files in Thread |
Group.Read.All | View Microsoft 365 Groups | Understand team structure and membership |
offline_access | Refresh tokens without sign-in | Ensures the integration continues working long-term |
openid | Basic identity information | Required for Microsoft SSO |
Organization.Read.All | Read organization metadata | Validate your Microsoft tenant configuration |
profile | Access user profile info | Improve SSO accuracy and user mapping |
Sites.Read.All | Read SharePoint sites | Access files or data stored behind Teams channels |
Team.ReadBasic.All | View basic Teams info | Identify Teams your users belong to |
TeamsAppInstallation.ReadWriteAndConsentForChat | Install/update apps within chats | Ensures the Thread app is installed everywhere it needs to be |
User.Read | Read the signed-in user’s details | Basic SSO functionality |
User.Read.All | Read all users’ profiles | Map Teams users to Thread users |
User.ReadWrite.All | Update user properties | Required for a few Teams workflows that modify user metadata |
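An added example, not Thread's or Microsoft's code: a tenant admin can diff what was actually consented for the enterprise app against the table above, both after onboarding and after any reauthorization. It assumes the app's appRoleAssignments, the resource service principal's appRoles, and the oauth2PermissionGrants have already been exported from Microsoft Graph as JSON. The function name, sample ids and GUIDs are constructed for illustration.

```python
# Permission names copied from the table above; the row whose permission
# name is missing on the page cannot be listed.
DOCUMENTED = set("""
AppCatalog.Read.All AppCatalog.ReadWrite.All Channel.Create Channel.Delete.All
Channel.ReadBasic.All Chat.Create Chat.ReadWrite.All ChatMember.ReadWrite.All
ChatMessage.Read.All Domain.Read.All Files.Read.All Group.Read.All
offline_access openid Organization.Read.All profile Sites.Read.All
Team.ReadBasic.All TeamsAppInstallation.ReadWriteAndConsentForChat
User.Read User.Read.All User.ReadWrite.All
""".split())

def audit(app_role_assignments, resource_app_roles, oauth2_grants):
    """Diff granted permissions against the documented list.

    Arguments are parsed Microsoft Graph objects: appRoleAssignment,
    appRole (from the resource service principal), oAuth2PermissionGrant.
    """
    role_names = {r["id"]: r["value"] for r in resource_app_roles}
    # Application permissions: each assignment references an appRole by GUID.
    application = {role_names.get(a["appRoleId"], "unresolved:" + a["appRoleId"])
                   for a in app_role_assignments}
    delegated, per_user = set(), []
    for g in oauth2_grants:
        scopes = g.get("scope", "").split()  # space-separated scope string
        delegated.update(scopes)
        # Admin consent is tenant-wide ("AllPrincipals"). "Principal" means one
        # user consented individually, which the page says should not occur.
        if g.get("consentType") == "Principal":
            per_user.append({"principalId": g.get("principalId"), "scopes": scopes})
    granted = application | delegated
    return {"application": sorted(application), "delegated": sorted(delegated),
            "undocumented": sorted(granted - DOCUMENTED),  # drift to investigate
            "not_granted": sorted(DOCUMENTED - granted),
            "per_user_consent": per_user}

# Constructed sample data: GUIDs and ids are placeholders, not real role ids.
SAMPLE_ROLES = [
    {"id": "00000000-0000-0000-0000-00000000000a", "value": "Chat.ReadWrite.All"},
    {"id": "00000000-0000-0000-0000-00000000000b", "value": "User.Read.All"},
    {"id": "00000000-0000-0000-0000-00000000000c", "value": "Mail.Read"},
]
SAMPLE_ASSIGNMENTS = [{"appRoleId": r["id"]} for r in SAMPLE_ROLES]
SAMPLE_GRANTS = [
    {"consentType": "AllPrincipals", "principalId": None,
     "scope": "openid profile offline_access User.Read"},
    {"consentType": "Principal", "principalId": "constructed-user-id",
     "scope": "Files.Read.All"},
]

if __name__ == "__main__":
    print(audit(SAMPLE_ASSIGNMENTS, SAMPLE_ROLES, SAMPLE_GRANTS))
```

Anything reported under `undocumented` or `per_user_consent` is worth reviewing before approving a reauthorization request.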