Setting Up OneDrive, SharePoint and Teams
Each user must log in and consent to the permissions listed below. The consent dialog clearly describes each scope. Admin consent (Step 2) pre-approves all scopes so individual users cannot modify them.
1. Add Delegated Permissions
The table below lists every required scope, which service it applies to, and what access it grants.
| Permission | SharePoint / OneDrive | Teams | What it grants |
|---|---|---|---|
| offline_access | ✅ | — | Keeps tokens refreshed without re-authentication |
| User.Read | ✅ | ✅ | Read the signed-in user's profile |
| User.Read.All | ✅ | ✅ | Read all users' profiles in the directory |
| Files.Read.All | ✅ | — | Read all files accessible to the user across drives |
| Sites.Read.All | ✅ | — | Read items in all SharePoint site collections |
| Group.Read.All | ✅ | ✅ | Read all groups and their properties |
| ChannelMessage.Read.All | — | ✅ | Read messages across all Teams channels |
| GroupMember.Read.All | — | ✅ | Read group membership lists |
| TeamMember.Read.All | — | ✅ | Read team members and their roles |
| Chat.Read | — | ✅ | Read user and group chat messages |
| ChannelMember.Read.All | — | ✅ | Read the members of all channels |
| OnlineMeetings.Read | — | ✅ | Read online meeting details |
| OnlineMeetingTranscript.Read.All | — | ✅ | Read transcripts of online meetings |
Use the lists below to copy the exact scope list for each service into Azure.

SharePoint & OneDrive:
- offline_access
- User.Read
- User.Read.All
- Files.Read.All
- Sites.Read.All
- Group.Read.All

Teams (optional):
Only required if Teams messages and meeting recordings are in scope. Scopes shared with SharePoint / OneDrive (User.Read, User.Read.All, Group.Read.All) can be skipped if already added.
- ChannelMessage.Read.All
- GroupMember.Read.All
- TeamMember.Read.All
- Chat.Read
- ChannelMember.Read.All
- OnlineMeetings.Read
- OnlineMeetingTranscript.Read.All
2. Grant Admin Consent
Once all scopes are added, click Grant admin consent for [your tenant] in the Azure Portal.
Pre-approving scopes means users only need to sign in — they cannot modify or decline individual permissions. This resolves the common issue of tenants that have disabled user-level consent.
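One way to confirm that Steps 1 and 2 produced exactly the delegated scopes listed above is to decode an access token issued to the app and compare its `scp` claim with the lists on this page. The following is an added example, not Viven's code; the function names, the ignored OIDC scopes and the sample token are assumptions constructed for illustration.

```python
import base64
import json

# Scope lists copied from the lists on this page.
SHAREPOINT_ONEDRIVE = {"offline_access", "User.Read", "User.Read.All",
                       "Files.Read.All", "Sites.Read.All", "Group.Read.All"}
TEAMS = {"ChannelMessage.Read.All", "GroupMember.Read.All", "TeamMember.Read.All",
         "Chat.Read", "ChannelMember.Read.All", "OnlineMeetings.Read",
         "OnlineMeetingTranscript.Read.All"}
# Assumption: offline_access governs refresh-token issuance and the standard OIDC
# scopes may be added at sign-in, so none of these is reported either way.
IGNORED = {"offline_access", "openid", "profile", "email"}


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (audit use only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_scopes(token: str, teams_in_scope: bool) -> dict:
    """Compare the space-separated `scp` claim with the scopes this page requires."""
    expected = SHAREPOINT_ONEDRIVE | (TEAMS if teams_in_scope else set())
    granted = set(jwt_claims(token).get("scp", "").split())
    return {
        "missing": sorted(expected - granted - IGNORED),
        "unexpected": sorted(granted - expected - IGNORED),
    }


def make_sample_token(scopes: str) -> str:
    """Build an unsigned, constructed token for the demo (not a real token)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'scp': scopes})}.sig"


if __name__ == "__main__":
    sample = make_sample_token("User.Read User.Read.All Files.Read.All "
                               "Group.Read.All Mail.Read openid profile")
    print(audit_scopes(sample, teams_in_scope=False))
    # {'missing': ['Sites.Read.All'], 'unexpected': ['Mail.Read']}
```

An empty `missing` list means consent covered everything the integration needs; anything under `unexpected` is a scope granted beyond the documented set and worth reviewing on the app registration.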
3. Set Up Redirect URIs
a. On your app registration page, open the Authentication tab and click Add a platform → Web.
b. Add the following redirect URIs. Replace <instanceID> with your customer domain for BYOC deployments, or viven.ai for Viven-hosted.
- https://stage-digitaltwin.<instanceID>/oauth/microsoft/callback
- https://digitaltwin.<instanceID>/oauth/microsoft/callback
- https://stage-digitaltwin.<instanceID>/oauth/microsoft/data_source/callback
- https://digitaltwin.<instanceID>/oauth/microsoft/data_source/callback
c. In the Advanced settings section of the same tab, enable Access tokens (used for implicit flows).
d. Click Save. SharePoint, OneDrive, and Teams are now ready for integration.