Many of the features in Tikit are enhanced by integrating with your M365 data. As a result, multiple features need additional consent in order to be enabled. Please enable the features you would like to use following the guide below.
Note that a M365 administrator account is required for consent. Once consent has been granted, you will need to go into the Azure Portal under Enterprise Applications to remove it. For more information, please check out this “How to” with the steps for removing permissions.
To access Consent Management settings:
- Open the Tikit web app at https://web.tikit.ai.
- Once in the Tikit web app, select the settings gear in the header, then select Consent Management.
Please enable the features you would like to and then consent for your organization.
Looking for more details on setting up and configuring Tikit? Check out the Complete Setup Guide.
To enable or disable features in Tikit:
- Enable each feature by selecting the slider next to My Work, Email Connector, Intune Connector, and Teams App Management features, then select Update Consent.
For more details on the permissions required for each feature, check out the table below.
- Sign as a M365 Administrator, then in the Permissions Request prompt check the Consent on behalf of your organization and then select Accept.
Congrats! Each enabled feature will now be available to your users. Note that once consent has been granted, you will need to go into the Azure Portal under Enterprise Applications to remove it. For more information, please check out this “How to” with the steps for removing permissions.
| Feature | Permission | Description |
|---|---|---|
| Teams Meetings | Have full access to users calendars | Allows the app to read, update, create and delete events in calendars. |
| My Work | Have full access to user calendars | Allows the app to read, update, create and delete events in your calendars. |
| Read and write all groups | Allows the app to create groups and read all group properties and memberships on your behalf. Additionally allows the app to manage your groups and to update group content for groups you are a member of. | |
| Read user mail | Allows the app to read email in your mailbox. | |
| Email Connector | Read user mail | Allows the app to read email in your mailbox. |
| Send mail as a user | Allows the app to send mail as you. | |
| Intune Connector | Perform user-impacting remote actions on Microsoft Intune devices | Allows the app to perform remote high impact actions such as wiping the device or resetting the passcode on devices managed by Microsoft Intune. |
| Read devices Microsoft Intune devices | Allows the app to read the properties of devices managed by Microsoft Intune. | |
| Read all devices | Allows the app to read devices' configuration information on your behalf. | |
| Read Microsoft Intune RBAC settings | Allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings. | |
| Teams App Management | Submit application packages to the catalog and cancel pending submissions | Allows the app to submit application packages to the catalog and cancel submissions that are pending review on your behalf. |
| Manage user's installed Teams apps | Allows the app to read, install, upgrade, and uninstall Teams apps installed for you. Does not give the ability to read application-specific settings. | |
| Allow the Teams app to manage itself for a user | Allows a Teams app to read, install, upgrade, and uninstall itself for you. |
The consent permissions you grant to Tikit are directly set on two Tikit registered Azure Enterprise Applications within a customer’s environment: Tikit and Tikit Email Connector (if Email Connector – Consent has been enabled). You can review these two Tikit Enterprise Apps within Azure by following these steps:
- With an Azure Administrators account, navigate to https://portal.azure.com
- Click “More Services”
- Find “Enterprise Applications”
- Search for “Tikit” or “Tikit Email Connector”, and select the application
- On the left hand menu, select “Permissions”
- Select the “Grant admin consent for Cireson” button
- You will get prompted to sign in, after signing in select “Accept” consent
The following is a detailed summary of all consent permissions required by the Tikit and Tikit Email Connector Enterprise applications for each of the consent areas of Tikit. Tikit only uses these permissions in the context of the application and the functions it’s doing for the ticketing system.
| Permission | Type | Summary | Reason | Consent Area |
|---|---|---|---|---|
| AppCatalog.Submit | Delegated | Submit application packages to the catalog and cancel pending submissions | Used for Tikit Virtual Agent to read the App Catalog | Required, Teams App Management |
| Channel.ReadBasic.All | Delegated | Read the names and descriptions of channels | Used during setup, to read team names for installing Tikit to an existing team and used in the portal for the Teams Channel Picker | Required |
| Contacts.Read | Delegated | Read user contacts | Used for the people pickers in the portal, for ease of setting requester | Required |
| Directory.AccessAsUser.All | Delegated | Access directory as the signed in user | Used for RBAC to determine roles for users | Required |
| Directory.Read.All | Delegated | Read directory data | Used for RBAC to determine roles for users | Required |
| Delegated | View users' email address | Used for signin, to determine user data and roles | Required | |
| Files.ReadWrite.All | Delegated | Have full access to all files user can access | This is used for attachments, to read teams channel file data | Required |
| Files.ReadWrite.All | Application | Read and write files in all site collections | This is used for attachments, to read teams channel file data | Required |
| Group.Read.All | Delegated | Read all groups | Used for RBAC to determine roles for users | Required |
| Group.Read.All | Application | Read all groups | Used for RBAC to determine roles for users | Required |
| Group.ReadWrite.All | Delegated | Read and write all groups | Used for RBAC to determine roles for users, also used in setup to add team members to teams, Tasks by Planner integration | Required, My Work |
| GroupMember.Read.All | Delegated | Read group memberships | Used for RBAC to determine roles for users from groups | Required |
| offline_access | Delegated | Maintain access to data you have given it access to | Allows users to sign into Tikit/interact with the Bot | Required |
| OnlineMeetings.ReadWrite | Delegated | Read and create user's online meetings | Used for an upcoming feature to create a meeting from a ticket, and add Tikit to the meeting itself | Required |
| openid | Delegated | Sign users in | Allows users to sign into Tikit/interact with the Bot | Required |
| People.Read | Delegated | Read users' relevant people lists | Used for the people pickers in the portal, for ease of setting requester | Required |
| People.Read.All | Delegated | Read all users' relevant people lists | Used for the people pickers in the portal, for ease of setting requester | Required |
| Presence.Read.All | Delegated | Read presence information of all users in your organization | Used in the portal to show presence of users | Required |
| profile | Delegated | View users' basic profile | Allows users to sign into Tikit/interact with the Bot | Required |
| Sites.Read.All | Delegated | Read items in all site collections | This is used for attachments, to read teams channel file data | Required |
| Sites.ReadWrite.All | Application | Read and write items in all site collections | This is used for attachments, to read teams channel file data | Required |
| Team.Create | Delegated | Create teams | Used during setup, to create your new Team to collaborate on tickets | Required |
| Team.ReadBasic.All | Delegated | Read the names and descriptions of teams | Used for RBAC and setting analyst roles | Required |
| TeamMember.ReadWrite.All | Delegated | Add and remove members from teams | Used for RBAC and setup to add members to team, determine which members of the team are analysts | Required |
| TeamsActivity.Send | Application | Send a teamwork activity to any user | Used for an upcoming feature to add items into the 'Activity' section of teams | Required |
| TeamsAppInstallation. ReadWriteForTeam | Delegated | Manage installed Teams apps in teams | Used during setup, to install Tikit to the team you would like | Required |
| User.Read | Delegated | Sign in and read user profile | Used for signin, to determine user data and roles | Required |
| User.Read.All | Delegated | Read all users' full profiles | Used for signin, to determine user data and roles | Required |
| User.Read.All | Application | Read all users' full profiles | Used for signin, to determine user data and roles | Required |
| User.ReadBasic.All | Delegated | Read all users' basic profiles | Used for signin, to determine user data and roles | Required |
| Calendars.ReadWrite | Delegated | Have full access to user calendars | Used for an upcoming feature to create a meeting from a ticket, and add Tikit to the meeting itself, and displaying agenda on the My Work page | Teams Meeting, My Work |
| Mail.Read | Delegated | Read user mail | Used in the my work page, to show unread emails | My Work |
| Mail.Read | Application | Read mail in all mailboxes | Used for the Email Connector (Separate app registration) to read mail sent to the specified email addresss | Email Connector |
| Mail.Send | Application | Send mail as any user | Used for the Email Connector (Separate app registration) to send mail via the specified email addresss | Email Connector |
| DeviceManagement ManagedDevices. PrivilegedOperations.All | Delegated | Perform user-impacting remote actions on Microsoft Intune devices | Used for performing remote actions via inTune | InTune Connector |
| DeviceManagement ManagedDevices. Read.All | Delegated | Read devices Microsoft Intune devices | Used for reading InTune devices registered for a user | InTune Connector |
| Device.Read.All | Delegated | Read all devices | Used for reading InTune devices registered for a user | InTune Connector |
| DeviceManagementRBAC. Read.All | Delegated | Read Microsoft Intune RBAC settings | Used for enabling/disabling actions on the InTune pane on the Users page | InTune Connector |
| TeamsAppInstallation. ReadWriteForUser | Delegated | Manage user's installed Teams apps | Used for pushing Tikit/TVA to the end user on the Users page | Teams App Management |
| TeamsAppInstallation. ReadWriteSelfForUser | Delegated | Allow the Teams app to manage itself for a user | Used for pushing Tikit/TVA to the end user on the Users page | Teams App Management |
