Data Access

The Template Chooser can access data on behalf of the user. To do so, it uses the access scopes offered by the data providers. All scopes the Template Chooser may use are listed below.

This data access is always scoped to the signed-in user. It does not by any means enable an officeatwork employee to get access to your data. On the contrary, because we use the same authentication infrastructure as Office 365, your data is protected by the Office 365 security framework, including multi-factor authentication. The actual Add-In sign-in screens are provided and hosted by Microsoft. You can see this in the officeatwork sign-in process, which displays the same sign-in screens and flow as signing in to Office 365.

In other words, within the Add-Ins users can only access data that they can already access based on their existing access rights in Office 365. This also means that a user cannot access the data of another user via the Add-In, and that the scopes below will not allow users to see more data than they are allowed to see in Office 365. For instance, the SharePoint 'Sites.Read.All' scope will only allow the user to see the SharePoint data that he or she has access to in SharePoint. It will NOT allow the user to see all data in all sites in SharePoint, as the data remains governed by SharePoint. So regardless of which user interface the user is using, the screens provided by SharePoint or the screens provided by the officeatwork Add-Ins, the user will only get access to the data they have access to within SharePoint. And because that access is governed by the Office 365 sign-in infrastructure, the data cannot be accessed by users other than the ones that have access to your Office 365 tenant.

Sign-In

'Sign users in'

To be able to sign in the user, the Template Chooser needs some permissions. This openid permission can be consented to by the individual user.

The Template Chooser needs this permission to allow users to sign in to their organizational and/or Microsoft Account within the Template Chooser Add-In.

You can use the button to the right to trigger the consent flow for this particular scope.

Grant openid

Check out the official documentation about this permission set here.

'Access your data anytime' respectively 'Access user's data anytime'

To be able to automatically sign in the user, the Template Chooser needs some permissions. This offline_access permission can be consented to by the individual user.

The Template Chooser needs this permission only to automatically sign the user in again when the Template Chooser is relaunched. This saves the user from having to sign in manually on every launch of the Template Chooser. We do not use this permission for anything other than the user's convenience of being signed in automatically.

You can use the button to the right to trigger the consent flow for this particular scope.

Grant offline_access

Check out the official documentation about this permission set here.

Display Signed In User within the Add-In

'View users' basic profile'

To be able to show users which account was used to sign in, the Template Chooser needs this permission to show basic profile information. This profile permission can be consented to by the individual user.

The Template Chooser uses this permission to show the user information about the signed-in account. This helps the user understand which account was used to sign in to the Template Chooser.

You can use the button to the right to trigger the consent flow for this particular scope.

Grant profile

Check out the official documentation about this permission set here.

Evaluation support

'View users' email address'

To be able to access the user's email address, the Template Chooser needs this permission. This email permission can be consented to by the individual user.

officeatwork uses this e-mail address during the evaluation phase of the Template Chooser so that we can connect with, communicate with and support the users evaluating the Template Chooser Add-In. We store the e-mail address in our marketing automation tool to be able to offer the best possible evaluation support to the users.

You can use the button to the right to trigger the consent flow for this particular scope.

Grant email

Please note: User data of users with a paid officeatwork Add-In subscription will not be stored in our marketing automation tool. In this subscription case absolutely no personal data of any user is recorded or stored on any officeatwork server or service.

Check out the official documentation about this permission set here.

Remember user settings

'Read and update your profile' respectively 'Read and write access to user profile'

To be able to store some user-specific Add-In settings, like the language the Template Chooser should present itself in, the Template Chooser needs the permission to store user settings information in the user's profile. This User.ReadWrite permission can be consented to by the individual user.

The Template Chooser uses this permission solely to read and write Template Chooser specific user settings for the convenience of the user. This will, for instance, allow the Add-In to 'remember' the language setting the user has selected, so the next time the user signs in to the Add-In the language will be set correctly. All settings are stored in storage locations governed by the connected service, like Office 365 or OneDrive. officeatwork does not store user settings on any of its own servers or services.

You can use the button to the right to trigger the consent flow for this particular scope.

Grant User.ReadWrite

Check out the official documentation about this permission set here.

OneDrive integration

'Have full access to all files you have access to' respectively 'Have full access to all files user can access'

To be able to find template files in the user's OneDrive, the Template Chooser needs this permission. This Files.ReadWrite.All permission can be consented to by the individual user.

The Template Chooser uses this permission to load templates from the OneDrive that the user has access to.

You can use the button to the right to trigger the consent flow for this particular scope.

Grant Files.ReadWrite.All

Check out the official documentation about this permission set here.

Teams integration

'Read and write all groups'*

To be able to tag a channel or a folder within a channel of a Team (Group) as a library, the Template Chooser needs some permissions. This Group.ReadWrite.All permission can only be consented to by the Office 365 Admin.

The Template Chooser uses this permission to be able to tag a channel or folder of a team files list as a library among the teams the user has access to.

You can use the button to the right to trigger the consent flow for this particular scope.

Grant Group.ReadWrite.All

Check out the official documentation about this permission set here.

'Read all users' full profiles'*

To be able to evaluate which Teams the user is a member of, the Template Chooser needs some permissions. This User.Read.All permission can only be consented to by the Office 365 Admin.

The Template Chooser uses this permission to be able to determine which Teams the user is a member of.

You can use the button to the right to trigger the consent flow for this particular scope.

Grant User.Read.All

Check out the official documentation about this permission set here.

SharePoint Online integration

Read items in all site collections*

To be able to find the template libraries and template files in SharePoint that the user has access to, the Template Chooser needs some permissions. This Sites.Read.All* permission can only be consented to by the Office 365 Admin.

The Template Chooser uses this permission to find and load templates from the SharePoint Online locations the user has access to.

You can use the button to the right to trigger the consent flow for this particular scope.

Grant Sites.Read.All

Check out the official documentation about this permission set here.

Please note: We have been asked by many prospects and customers whether we could limit the data the Add-In can access within SharePoint Online. Unfortunately, this is currently the only scope available that will allow the Add-In to read the user's data in all the SharePoint Online sites, lists and libraries the user has access to. There is no scope available that would allow us to ask for permission to specific sites, lists or libraries only. This means that using the SharePoint feature will always request this scope, allowing users to read and write to all sites they already have access to. We are actively looking into this with Microsoft in the hope of being able to better restrict the data the Add-In can access within the data already accessible to each specific user.

* requires admin consent

Visit https://portal.azure.com > 'Enterprise Application' to verify what permissions have already been granted for the Template Chooser App. This is also where you can revoke the permissions for the Template Chooser App.
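The verification step above can also be done against an export of the tenant's delegated permission grants. The following is an added example, not officeatwork's or Microsoft's code: it compares grants, in the shape of Microsoft Graph oauth2PermissionGrant objects, with the scopes listed on this page. The sample grants, the clientId and principalId values and the helper name audit_grants are constructed for illustration.

```python
import json

# Scopes listed on this page; True marks those the page says need admin consent.
DOCUMENTED_SCOPES = {
    "openid": False, "offline_access": False, "profile": False, "email": False,
    "User.ReadWrite": False, "Files.ReadWrite.All": False,
    "Group.ReadWrite.All": True, "User.Read.All": True, "Sites.Read.All": True,
}

# Constructed sample shaped like Microsoft Graph oauth2PermissionGrant objects
# (delegated grants). IDs are placeholders, not real tenant values.
SAMPLE_GRANTS = json.loads("""
[
  {"clientId": "sp-template-chooser", "consentType": "AllPrincipals",
   "principalId": null,
   "scope": " openid profile offline_access Sites.Read.All User.Read.All"},
  {"clientId": "sp-template-chooser", "consentType": "Principal",
   "principalId": "user-0001",
   "scope": "email User.ReadWrite Files.ReadWrite.All Mail.Read"},
  {"clientId": "sp-other-app", "consentType": "AllPrincipals",
   "principalId": null, "scope": "User.Read"}
]
""")


def audit_grants(grants, client_id, documented=DOCUMENTED_SCOPES):
    """Compare one app's delegated grants with the scopes this page documents."""
    known = {name.casefold(): name for name in documented}
    undocumented, admin_consent, seen = set(), set(), set()
    for grant in grants:
        if grant.get("clientId") != client_id:
            continue  # grant belongs to a different enterprise application
        # AllPrincipals = consented for the whole tenant; Principal = one user
        holder = ("all users" if grant.get("consentType") == "AllPrincipals"
                  else grant.get("principalId") or "unknown")
        for scope in (grant.get("scope") or "").split():
            name = known.get(scope.casefold())
            if name is None:
                undocumented.add((scope, holder))  # not on the vendor's list
                continue
            seen.add(name)
            if documented[name]:
                admin_consent.add((name, holder))  # high-impact, admin-only scope
    return {
        "undocumented": sorted(undocumented),
        "admin_consent": sorted(admin_consent),
        "not_granted": sorted(set(documented) - seen),
    }
```

Calling audit_grants(SAMPLE_GRANTS, "sp-template-chooser") reports Mail.Read as a scope that this page does not list, which is the kind of grant to review or revoke.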