Overview
The Calliente application integrates with Microsoft Entra ID (formerly Azure AD) to provide a secure and seamless user experience within Microsoft 365 environments.
This document outlines the specific API permissions requested by the application, their purpose, and how data is securely managed.
At Calliente, we apply the principles of transparency and privacy by design.
We only request the strictly necessary permissions and do not access or store data beyond the functional scope of the application.
Permissions Requested by Calliente
The following permissions are delegated and granted via the Microsoft Graph API.
They appear in your tenant as “Granted to Calliente”.
| Permission | Type | Admin consent required | Primary use |
|---|---|---|---|
| GroupMember.Read.All | Delegated | Yes | Read the groups a user belongs to, to filter contact synchronization |
| offline_access | Delegated | No | Obtain a new access token when the current one expires, even if the user is no longer active |
| openid | Delegated | No | Required for authentication via OpenID Connect |
| profile | Delegated | No | Access basic user profile information |
| User.Read | Delegated | No | Allows the user to sign in and read their own profile |
| User.Read.All | Delegated | Yes | Read all user profiles; used to synchronize phone numbers and contact info |
Why These Permissions?
Each permission has a specific purpose:
User Identification and Login
- openid, profile, and User.Read are standard OpenID Connect scopes to enable secure authentication via Microsoft Entra ID.
Contact Filtering by Group
- GroupMember.Read.All allows Calliente to determine which groups the user belongs to, to restrict contact synchronization only to members of admin-defined groups.
Directory Search and Contextual Information
- User.Read.All is used to list users, for example when assigning roles or searching for colleagues.
No profile modification or writing is possible.
Session Management
- offline_access allows the application to continue functioning during long sessions without requiring the user to re-authenticate.
Security Commitment
Principle of Least Privilege
Calliente only requests the minimal necessary permissions and does not perform any administrative operations on your tenant.
No Data Stored Outside the Tenant
User data accessed via Microsoft Graph is never permanently stored on Calliente servers, unless explicitly configured with consent.
Built-in Compliance
The Calliente platform adheres to Microsoft’s best practices for application consent, and follows the recommendations of the Microsoft Identity Platform for secure integrations.
How to Check or Revoke Permissions
As a Microsoft Entra ID administrator, you can review and manage granted permissions at any time:
Azure Portal → Enterprise applications → Calliente
Go to Permissions → View or delete individual consents
For more details, consult the official Microsoft documentation on managing application permissions.
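An added example for the review step above (not Calliente's or Microsoft's code): it compares exported delegated grants against the six scopes documented in the table on this page and flags anything else. It assumes the grants were exported as JSON in the shape of a Microsoft Graph oauth2PermissionGrants listing; the sample data, the placeholder ids and the extra Mail.Read scope are constructed for illustration.

```python
import json

# Scopes from the table on this page; True = the page lists admin consent as required.
DOCUMENTED = {
    "GroupMember.Read.All": True,
    "offline_access": False,
    "openid": False,
    "profile": False,
    "User.Read": False,
    "User.Read.All": True,
}

# Constructed sample in the shape of a Graph oauth2PermissionGrants listing.
# All ids are placeholders; the second grant carries an extra scope on purpose.
SAMPLE = json.loads("""
{"value": [
  {"id": "grant-1", "clientId": "<calliente-sp-object-id>", "consentType": "AllPrincipals",
   "principalId": null, "resourceId": "<graph-sp-object-id>",
   "scope": " GroupMember.Read.All offline_access openid profile User.Read User.Read.All"},
  {"id": "grant-2", "clientId": "<calliente-sp-object-id>", "consentType": "Principal",
   "principalId": "<user-object-id>", "resourceId": "<graph-sp-object-id>",
   "scope": "openid profile User.Read Mail.Read"}
]}
""")

def audit_grants(listing):
    """Return per-grant findings plus documented scopes that no grant contains."""
    findings, seen = [], set()
    for grant in listing["value"]:
        # The scope field is space-delimited and may start with a space.
        scopes = set(grant.get("scope", "").split())
        seen |= scopes
        findings.append({
            "id": grant["id"],
            # AllPrincipals = consent for the whole tenant; Principal = one user.
            "tenant_wide": grant["consentType"] == "AllPrincipals",
            "principal": grant.get("principalId"),
            "undocumented": sorted(scopes - set(DOCUMENTED)),
            "admin_consent_scopes": sorted(s for s in scopes if DOCUMENTED.get(s)),
        })
    return findings, sorted(set(DOCUMENTED) - seen)

if __name__ == "__main__":
    findings, never_granted = audit_grants(SAMPLE)
    for f in findings:
        status = "REVIEW" if f["undocumented"] else "ok"
        print(f"{f['id']}: {status} tenant_wide={f['tenant_wide']} "
              f"undocumented={f['undocumented']}")
    print("documented but not granted:", never_granted)
```

A grant reported as REVIEW holds a scope this page does not list and is a candidate for removal through the Permissions view described above.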
Questions or Concerns?
For an audit, compliance documentation needs, or technical assistance:
https://calliente.app/contact/
For identity-related issues:
Contact Microsoft Entra support