Presentation
The Calliente application integrates with Microsoft Entra ID (formerly Azure Active Directory) to provide a secure and consistent experience within Microsoft 365 environments.
This document details the API permissions requested by the application, their specific purpose, and the principles applied to ensure the security and privacy of data.
At Calliente, transparency and data protection are integrated from the design stage.
Only the permissions strictly necessary for the application's operation are requested, and no data is used outside of its functional scope.
Permissions Requested by Calliente
The permissions below are delegated and granted via the Microsoft Graph API.
They appear in your Microsoft Entra ID tenant as Granted to Calliente.
| Permission | Type | Admin Consent Required | Usage |
|---|---|---|---|
| GroupMember.Read.All | Delegated | Yes | Read the groups the user belongs to in order to filter synchronized contacts |
| offline_access | Delegated | No | Allows obtaining a new access token when the active token expires |
| openid | Delegated | No | Necessary for authentication via OpenID Connect |
| profile | Delegated | No | Access to the user's basic profile information |
| User.Read | Delegated | No | Allows the user to sign in and access their own profile |
| User.Read.All | Delegated | Yes | Read user profiles to synchronize phone numbers and contact information |
Justification of Permissions
Each permission has a clearly defined purpose.
Authentication and Identification
The openid, profile, and User.Read permissions are standard OpenID Connect scopes.
They allow the user to authenticate securely via Microsoft Entra ID.
Filtering Contacts by Groups
GroupMember.Read.All is used to identify the groups to which the user belongs.
This limits contact synchronization to the groups defined by the administrator.
Access to User Directory
User.Read.All allows reading user profiles necessary for synchronizing contact information (name, phone number, associated information).
No modifications, writes, or deletions of profiles are performed by Calliente.
Session Management
offline_access allows the application to maintain an active session without requiring the user to frequently re-authenticate, while adhering to Microsoft’s security rules.
Security Commitments
Principle of Least Privilege
Calliente strictly applies the principle of least privilege.
No administrative permissions are requested, and no management actions are performed on the Microsoft 365 tenant.
Data and Storage
Data accessible via Microsoft Graph is not permanently stored on Calliente systems, except where this is explicitly configured with the clear consent of the organization.
Compliance and Best Practices
Calliente adheres to the recommendations of the Microsoft Identity Platform regarding:
- application consent
- OAuth 2.0 access security
- integration of enterprise applications
Check or Revoke Permissions
Microsoft Entra ID administrators can review or revoke the permissions granted to Calliente at any time:
- Access the Azure Portal
- Go to Enterprise Applications
- Select Calliente
- Open Permissions
- Review or remove existing consents
For more information, refer to Microsoft’s documentation on managing application permissions.
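To support the review step above, the following added example (not Calliente's or Microsoft's code) compares delegated grants, in the shape returned by Microsoft Graph's oauth2PermissionGrants resource, against the six scopes in the table on this page. The sample JSON, the ids and the Mail.Read entry are constructed for illustration.

```python
import json

# Delegated scopes listed in the permissions table on this page.
DOCUMENTED_SCOPES = {
    "GroupMember.Read.All", "offline_access", "openid",
    "profile", "User.Read", "User.Read.All",
}

# Constructed sample shaped like a Microsoft Graph /oauth2PermissionGrants
# response; all ids are placeholders, not real tenant values.
SAMPLE_GRANTS = json.dumps({"value": [
    {"id": "grant-1", "clientId": "calliente-sp-placeholder",
     "consentType": "AllPrincipals", "principalId": None,
     "scope": " User.Read User.Read.All GroupMember.Read.All openid profile"},
    {"id": "grant-2", "clientId": "calliente-sp-placeholder",
     "consentType": "Principal", "principalId": "user-placeholder",
     "scope": "User.Read Mail.Read"},
]})


def audit_grants(grants_json, documented=DOCUMENTED_SCOPES):
    """Return (unexpected, missing) for a set of delegated permission grants.

    unexpected: (scope, consentType, grant id) for scopes not in the table.
    missing: documented scopes that no grant currently contains.
    """
    known = {s.casefold() for s in documented}
    seen, unexpected = set(), []
    for grant in json.loads(grants_json).get("value", []):
        # Graph stores delegated scopes as one space-separated string.
        for scope in (grant.get("scope") or "").split():
            seen.add(scope.casefold())
            if scope.casefold() not in known:
                unexpected.append((scope, grant.get("consentType"), grant.get("id")))
    missing = sorted(s for s in documented if s.casefold() not in seen)
    return unexpected, missing


if __name__ == "__main__":
    unexpected, missing = audit_grants(SAMPLE_GRANTS)
    for scope, consent, grant_id in unexpected:
        print(f"REVIEW  {scope} ({consent} consent, grant {grant_id}) is not documented")
    for scope in missing:
        print(f"INFO    {scope} is documented but not currently granted")
```

A scope reported as unexpected is one to examine in the Permissions view before deciding whether to remove the consent.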
Questions or Specific Requests
For a security audit, a request for compliance documentation, or technical assistance:
https://calliente.app/contact/
For any identity-related questions or inquiries regarding Microsoft Entra ID, please contact Microsoft support.
