Documentation
Permissions in Microsoft 365 app
Ultimate Forms for Microsoft 365 requires various permissions to enable it to automate your business processes and access your business data.
When installed using our Wizard, a Global Adminstrator will be request and must grant Full Control permission for the SharePoint tenant. Therefore only Global Administrators are able to install the app.
Once the installation is complete, two additional steps must be performed. You will be provided with direct link both to perform the actions and to read the specific documentation articles:
- API Access permissions - provides access to various enterprise APIs, such as Microsoft Graph.
- Create an app principal - create a user for the data access enterprise app (required to respond to changes in SharePoint lists).
Specific components of Ultimate Forms might require additional permissions to accomplish specific tasks.
Forms
Starting with version 1.4.0.0, no special configuration is any longer required if only Modern forms are used.
For previous versions or when working with Classic forms:
- Custom scripting must be allowed in SharePoint Administration. We require this to be able to add management scripts to your forms and views.
- Some modern site add Deny permission for adding and modifying pages. This permission must be removed to enable form customization.
Actions
Print list items action requires Send access to all mailboxes on Exchange Online when set to deliver via email. A Global Administrator must grant this permission when saving your first such action or via Global settings.
Manage Exchange action requires Write access to all event calendars on Exchange Online. A Global Administrator must grant this permission when saving your first such action or via Global settings.
Manage Active Directory action requires Read/Write access to your Azure Active Directory. A Global Administrator must grant this permission when saving your first such action or via Global settings.
Manage Teams action requires Read/Write access to your Microsoft Teams. A Global Administrator must grant this permission when saving your first such action or via Global settings.
Alerts
Alerts require Send and Write access to all mailboxes on Exchange Online. A Global Administrator needs to grant this permission through Alert Administration or Global settings. If the permission is not granted, alerts will still work in a reduced capacity.
End users are only allowed to select a pre-authorized mailbox as the sender account for an alert they are creating (they can also select their own mailbox). Site collection administrators manage the list of Authorized Senders, scoped to a site collection, under Alerts -> Administration, or globally.
Read access to Azure Active Directory is required to perform security trimming based on Azure AD groups. A Global Administrator needs to grant this permission through Alert Administration or via Global settings. If the permission is not granted, some recipients might not receive alerts if their permissions are granted through AD groups.
Import
Read and Write access to all mailboxes on Exchange Online is required if you configure import from O365 mailboxes. A Global Administrator needs to grant this permission when first such profile is configured or via Global settings.
Event Calendar
Read and Write access to all event calendars on Exchange Online is required if you configure Exchange as your calendar data source. A Global Administrator needs to grant this permission when first such profile is configured. Additionally, API access must be granted for the app in SharePoint Adminstration.
When sending the print-out in email, Send permissions for the specific user's mailbox are required. The permissions are requested in real time through a pop-up window (make sure your pop-up blocker is disabled). The permission grant is cached for up to 6 months.
