Graph API permission needed to enable Azure AD/Entra login for the Chime V5 web application

When initially onboarding Chime V5, you will need an Azure AD/Entra admin to approve the use of some Graph API permissions for the Chime V5 web application to enable Azure AD/Entra login. This article covers the list of API permissions you will need, along with what each one does and what it is used for. Below are the specific Graph API permissions Chime V5 will request when you are prompted to approve Azure AD/Entra login:

email - Delegated

Allows the app to read your users' primary email address. Microsoft Documentation >>

openid - Delegated

Allows users to sign in to the app with their work accounts and allows the app to see basic user profile information. Microsoft Documentation >>

profile - Delegated

Allows the app to see your users' basic profile (e.g., name, picture, user name, email address). Microsoft Documentation >>

User.Read - Delegated

Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. Microsoft Documentation >>

Before this next step, we may ask you, as the Azure administrator, for your organization's Tenant ID so that we can associate it with the Chime V5 instance stood up by the Instant Tech team. Once the instance is ready to be linked to your AD/Entra login, the Instant Tech team will send you a link to approve the requested permissions. The permissions request details the permissions we are using and allows you to consent on behalf of your organization.

Once you have accepted the permissions, the login option for Chime V5 will associate users logging in with their Office 365 accounts and will require users to log in with their org accounts.
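After consenting, an administrator can confirm that the grants recorded for the Chime V5 application contain only the four delegated permissions listed above. The following is an added example, not code from Instant Tech or Microsoft; it assumes the app's oauth2PermissionGrant objects have been exported from Microsoft Graph as JSON, and the sample data, ids and the `audit_grants` helper are constructed for illustration.

```python
import json

# Delegated scopes the article says Chime V5 requests (compared in lowercase).
EXPECTED_SCOPES = {"email", "openid", "profile", "user.read"}

# Placeholder for the object id of the Chime V5 service principal in your tenant.
CHIME_SP_ID = "CHIME-SP-OBJECT-ID-PLACEHOLDER"

# Constructed sample in the shape of a Graph oauth2PermissionGrant list response.
SAMPLE_GRANTS = json.loads("""
{"value": [
  {"id": "grant-1", "clientId": "CHIME-SP-OBJECT-ID-PLACEHOLDER",
   "consentType": "AllPrincipals", "principalId": null,
   "resourceId": "GRAPH-SP-OBJECT-ID-PLACEHOLDER",
   "scope": "email openid profile User.Read"},
  {"id": "grant-2", "clientId": "CHIME-SP-OBJECT-ID-PLACEHOLDER",
   "consentType": "Principal", "principalId": "USER-OBJECT-ID-PLACEHOLDER",
   "resourceId": "GRAPH-SP-OBJECT-ID-PLACEHOLDER",
   "scope": "User.Read Mail.Read"}
]}
""")


def audit_grants(response, client_id):
    """Return findings for grants that differ from the documented scope list."""
    findings = []
    tenant_wide = set()  # scopes covered by admin (AllPrincipals) consent
    for grant in response.get("value", []):
        if grant.get("clientId") != client_id:
            continue  # grant belongs to a different application
        # The scope property is a single space-separated string.
        scopes = {s.lower() for s in (grant.get("scope") or "").split()}
        extra = sorted(scopes - EXPECTED_SCOPES)
        if extra:
            findings.append(
                f"{grant['id']}: unexpected scopes {extra} ({grant.get('consentType')})"
            )
        if grant.get("consentType") == "AllPrincipals":
            tenant_wide |= scopes
    missing = sorted(EXPECTED_SCOPES - tenant_wide)
    if missing:
        findings.append(f"admin consent missing scopes {missing}")
    return findings


if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS, CHIME_SP_ID):
        print(finding)
```

An empty result means the tenant-wide grant matches the documented list and no per-user grant adds anything beyond it.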
