App Permissions
This page describes the various Microsoft Graph and SharePoint API permissions that are used by Mercury components.
Mercury Intranet Deployment Service Principal
In order for Mercury to be kept up to date on your tenant, a background service is used to update the App Catalog in your SharePoint Online service.
This background service uses an Entra ID Service Principal with permission to write to your SharePoint Online service. This app requests the following permissions:
Admin Consent
| Service |
Permission Name |
Description |
Purpose |
| Microsoft Graph |
Sites.FullControl.All |
Have full control of all site collections |
Used to retrieve the status of your installation from our central repostiroy |
| Microsoft Graph |
User.Read |
Sign in and read user profile |
Used by MyMercury to let you log in |
| Microsoft Graph |
Applications.Read.All |
Read all applications |
Used by MyMercury to check if Admin Consent has been granted to licenced products |
| SharePoint |
Sites.FullControl.All |
Have full control of all site collections |
Used to update your App Catalog, and to deploy Mercury to your Hub Sites as registered in our central repository |
| SharePoint |
Read and write managed metadata |
Read and write managed metadata |
Used during deployment to initialize Term Sets used by the Mercury Pages Metadata (Fields) |
Mercury Component Permissions
This table describes the permissions each component requires and why.
Note
All components use the User.Read permission to allow sign in to the required APIs.
Note
All of the below permissions will use Delegate Permissions, interacting with APIs as the logged in user. Therefore, a permission may say Files.ReadWrite.All,
but the app will only be able to interact with files that the user has access to.
Why Permissions for each app?
In the traditional SharePoint Online model, apps requesting permission to Microsoft Graph end up being granted to a single built-in App Registration in Entra ID. This means that once an app has a permission requested granted for one scope, then any code running on the page is able to use that permission scope, even if it wasn't the original app that requested it.
With the Mercury model, each app has its own set of Permission Requests, granted directly into Entra ID. This means IT admins can have fine-grained control of which apps are allowed to be used, and can monitor which apps are making requests to Microsoft Graph.
Mercury Accordion
Admin Consent
| Permission |
Purpose |
| Files.ReadWrite.All |
Import and Export of Web Part settings to JSON files in sites & user's OneDrive |
| GroupMember.Read.All |
To enable Audience Targeting |
Mercury Anniversaries
Admin Consent
| Permission |
Purpose |
| Files.ReadWrite.All |
Import and Export of Web Part settings to JSON files in sites & user's OneDrive |
| Directory.Read.All |
Read directory information for hire dates (as a work anniversary) |
Admin Consent
| Permission |
Purpose |
| Files.ReadWrite.All |
Import and Export of Web Part settings to JSON files in sites & user's OneDrive |
| Group.Read.All |
To support Audience Targeting |
| Directory.Read.All |
To support Audience Targeting |
Mercury Calendar
Admin Consent
| Permission |
Purpose |
| Files.ReadWrite.All |
Import and Export of Web Part settings to JSON files in sites & user's OneDrive |
Mercury Carousel
Admin Consent
| Permission |
Purpose |
| Files.ReadWrite.All |
Import and Export of Web Part settings to JSON files in sites & user's OneDrive |
Mercury Command Bar
Admin Consent
| Permission |
Purpose |
| Files.ReadWrite.All |
Import and Export of Command Bar Configuration to JSON files in sites |
| Calendars.ReadBasic |
To show upcoming events |
| Mail.ReadWrite |
To allow users to view inbox & mark items as read |
| MailboxSettings.Read |
To get user's date/time preferences to display mail & event items in correct timezones and format |
| Tasks.ReadWrite |
To allow task management from the Command Bar |
| Sites.ReadWrite.All |
To allow unfollowing Favourite Sites from the Command Bar |
Mercury Flexi Tiles
Admin Consent
| Permission |
Purpose |
| Files.ReadWrite.All |
Import and Export of Web Part settings to JSON files in sites & user's OneDrive |
| GroupMember.Read.All |
To enable Audience Targeting |
Mercury Hero Tiles
Admin Consent
| Permission |
Purpose |
| Files.ReadWrite.All |
Import and Export of Web Part settings to JSON files in sites & user's OneDrive |
| Sites.Read.All |
To get information about the site containing the items in tiles (Title, theme, URL, etc) |
| Group.Read.All |
Allows selection of a Group to enable group-level caching |
Mercury Info Tiles
Admin Consent
| Permission |
Purpose |
| Files.ReadWrite.All |
Import and Export of Web Part settings to JSON files in sites & user's OneDrive |
| GroupMember.Read.All |
To enable Audience Targeting |
Mercury Meet the Team
Admin Consent
| Permission |
Purpose |
| Files.ReadWrite.All |
Import and Export of Web Part settings to JSON files in sites & user's OneDrive |
| GroupMember.Read.All |
To allow showing the members of a specified group |
| People.Read.All |
To allow searching for all users |
| Presence.Read.All |
To display the current presence status of all selected users in the web part |
| User.ReadBasic.All |
To fetch basic profile information on all selected users in the web part |
Mercury My Teams
Admin Consent
| Permission |
Purpose |
| Files.ReadWrite.All |
Import and Export of Web Part settings to JSON files in sites & user's OneDrive |
| Channel.ReadBasic.All |
To get basic information about Team channels a user is a member of |
| ChannelMessage.Read.All |
To be able to retrieve messages in a selected channel that a user is a member of |
| Directory.Read.All |
To fetch all channels the user is a member of |
| Group.Read.All |
To allow searching channels created as Microsoft 365 Groups |
| GroupMember.Read.All |
To allow listing who is the member of a Team Channel |
| Team.ReadBasic.All |
To fetch & display the basic information of a Team that the user is a member of |
| TeamsTab.Read.All |
To fetch the tabs of a Team that the user is a member of |
| User.Read.All |
To view profile information on members of a Team |
Mercury People Finder
Admin Consent
| Permission |
Purpose |
| Files.ReadWrite.All |
Import and Export of Web Part settings to JSON files in sites & user's OneDrive |
| Directory.Read.All |
To assist in searching for users |
| GroupMember.Read.All |
|
| Presence.Read.All |
To display the presence information on returned users |
| Schedule.Read.All |
To display the availability of returned users |
| User.Read.All |
To display profile information on returned users |
Mercury Quick Search
Admin Consent
| Permission |
Purpose |
| Files.ReadWrite.All |
Import and Export of Web Part settings to JSON files in sites & user's OneDrive |
Admin Consent
| Permission |
Purpose |
| Files.ReadWrite.All |
Import and Export of Web Part settings to JSON files in sites & user's OneDrive |
Mercury Service Updates
Admin Consent
| Permission |
Purpose |
| Files.ReadWrite.All |
Import and Export of Web Part settings to JSON files in sites & user's OneDrive |
Mercury Teams Channel Feed
Admin Consent
| Permission |
Purpose |
| Files.ReadWrite.All |
Import and Export of Web Part settings to JSON files in sites & user's OneDrive |
| Channel.ReadBasic.All |
To get basic information about Team channels a user is a member of |
| ChannelMessage.Read.All |
To be able to retrieve messages in a selected channel that a user is a member of |
| Directory.Read.All |
To fetch all channels the user is a member of |
| Group.Read.All |
To allow searching channels created as Microsoft 365 Groups |
| GroupMember.Read.All |
To allow listing who is the member of a Team Channel |
| Presence.Read.All |
To display the presence information on returned users |
| Team.ReadBasic.All |
To fetch & display the basic information of a Team that the user is a member of |
| TeamsTab.Read.All |
To fetch the tabs of a Team that the user is a member of |
| User.ReadBasic.All |
To view profile information on members of a Team |
Mercury Timeline
Admin Consent
| Permission |
Purpose |
| Files.ReadWrite.All |
Import and Export of Web Part settings to JSON files in sites & user's OneDrive |
| User.ReadBasic.All |
To view profile information on the author of an item in the Timeline |
Mercury Tips
Admin Consent
| Permission |
Purpose |
| Files.ReadWrite.All |
Import and Export of Web Part settings to JSON files in sites & user's OneDrive |
Other Component Permisisons
docBot
An app registration is required to be created in Azure for users to authenticate to docBot using Microsoft Entra ID V2 authentication.
| Permission |
Purpose |
| Files.Read.All |
Allows the bot to read all files the signed-in user can access from the sources listed in Copilot Studio. |
| Sites.Read.All |
Allows the bot to read documents and list items in all site collections from the sources listed in Copilot Studio on behalf of the signed-in user. |
| openid |
Allows users to sign in to the bot with their work or school accounts and allows the app to see basic user profile information. |
| profile |
Allows the bot to see your users' basic profile (e.g., name, picture, user name, email address). |