Connection account requirements for Microsoft Planner
In order to create synchronization between Integration Hub and your Microsoft Office 365 Planner environment you need the following:
- Grant Integration Hub application Global Admin consent that is provided by your Tenant Global Administrator during the first connection configuration.
- Have Office 365 Planner Account that will be used for connection. To connect Integration Hub with Microsoft Office 365 Planner, Office 365 account used as a connection should meet the following requirements:
The account should have access to the required Planner Groups and be a member of the Plans needed to be synchronized.
Please note: Global Administrator permissions are required for installing and approving the Integration Hub application in your Office 365 tenant.
Please note: Integration Hub does not request, process, or store the account credentials. The 'OAuth' authentication type is used, and in this case Integration Hub is authorized to access your resources without sharing credentials. The access token is issued to our app by the authorization server, with approval from your side. Integration Hub then uses the access token to access and process your Planner or Project Online data.
In Office 365, Global Administrators are the only role with access to all administrative features in Office 365 suite of services in your plan. Global Admin will typically be the person who signs up to purchase Office 365. Your company can also have more than one Global Admin.
When the connection is established between Integration Hub and Office 365 Planner, Integration Hub will get the following connection options:
- Read data from existing Plans in Microsoft Office 365 Planner (read permissions)
- Create new Plans and tasks in Microsoft Office 365 Planner (write permissions)
- Read data from existing Office 365 groups
- Create new Office 365 groups
In Office 365 Planner, when you create a plan, Office 365 group is created to support your plan. In the same way Integration Hub gets “read” or “write” permissions to your Office 365 groups depending on whether you connect already existing plans or create new plans using Integration Hub app.
For Integration Hub to access data in Microsoft Graph, the administrator must grant the app the correct permissions.
Integration Hub requires AccessReview.Read.All and AccessReview.ReadWrite.All permissions to create new plans, Office 365 groups and synchronize users for task assignments in Office 365 Planner. The following access rights require Admin Consent, which is provided by the administrator role Tenant Global Administrator. Therefore, the account used as a connection should be a tenant Global Administrator.
Please find more details on access review permissions in the Microsoft Graph permissions reference article.
Please note: Global Admin account needs to be used to grant admin consent only once. The consent is required because integration accounts should be able to create and update Planner groups and Plans and use tenant user pool for creating/updating task assignments. When admin consent is granted, other accounts from the same tenant can be used (they do not require to have Global Admin rights). However, the account used for synchronization should be added as a member to all Plans being integrated in order to have access to their data.
Additionally, Global Administrator permissions are still required for installing and approving Integration Hub application in your O365 tenant.