What permissions does the ChangePilot Pro Bot require from our tenant?
The ChangePilot Bot is a Microsoft Teams Bot that gathers information from your tenant and posts ChangePilot updates to Microsoft Teams channels. To enable this, certain read-only permissions are required.
How ChangePilot Works
ChangePilot reads (read only) Message Center messages and Service Health messages from your tenant, as well as from the Public Roadmap. Items are written to Azure SQL for the Empowering.Cloud team to review, summarise, tag and categorise before being published to a Teams channel and SharePoint List on your tenant.
The ChangePilot bot requires resource-specific consent (RSC) for a single, specific Microsoft Teams team in your tenant, so that it can post summaries of the changes to the relevant channel(s), and write access to a single, specific Microsoft SharePoint List within that team, so that it can write the items to the List for the change management process.
ChangePilot Bot Permissions
The individual conducting the deployment on the customer side must be a Tenant Global Administrator. This is required to give the application read access to the tenant Message Center and Service Health.
The following permissions are required for the ChangePilot Bot:
- Read service health – read-only access to Microsoft 365 Service Health messages for your tenant
- Read service messages – read-only access to Microsoft 365 Message Center messages for your tenant
- Access selected site collections – to access the ChangePilot Microsoft Teams team only
- Read tags in Teams – to read group tags in Microsoft Teams, optionally used for alerting specific groups of people to specific changes
- Sign in and read user profile – allows users to sign in to ChangePilot
To review and/or accept the ChangePilot permissions, click here.
Specific Microsoft SharePoint list read/write permission – set via Graph Explorer
With ChangePilot we want minimal access. Microsoft does not have a UI to give write access to just a single Microsoft SharePoint List. To do this we use Graph Explorer to set the permission with Microsoft Graph.
Graph Explorer is a visual way to run Graph commands. A tenant admin (who already has these permissions) must give the Graph Explorer application the following permissions to grant the relevant permission to the ChangePilot Bot.
Permissions given to Microsoft Graph Explorer to make the permission change in Graph (note, these permissions are not being given to ChangePilot):
- Sign you in and read your profile
- Maintain access to data you have given it access to
- Read items in all site collections
- Have full control of all your site collections
- View your basic profile
From there, we use Graph Explorer to give ChangePilot read/write access to only the single SharePoint list in the team: we look up the Site ID of the team's SharePoint site and grant ChangePilot full control of that single site/list.
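The two Graph calls that Graph Explorer issues in the procedure above (resolve the team site's Site ID, then grant the ChangePilot application a role on that one site) can also be scripted and reviewed. The following is an added example, not code from ChangePilot or Empowering.Cloud. It assumes the `Sites.Selected` grant model (`GET /sites/{hostname}:/{path}` to resolve the Site ID, `POST /sites/{site-id}/permissions` to grant, `GET /sites/{site-id}/permissions` to audit), which is standard Microsoft Graph v1.0 behaviour; the hostname `contoso.sharepoint.com`, the site path `/sites/ChangePilot`, the application ID and the Site ID are constructed placeholders, and `fake_transport` is a constructed stand-in for Graph so the example runs offline. Note that the grant is made at site granularity (the team's SharePoint site that contains the list), which is how the page's "single SharePoint site/list" scope is actually expressed in Graph.

```python
"""Grant and audit an application's access to one SharePoint site via Microsoft Graph."""
import json
import urllib.request
from typing import Callable, List, Optional, Sequence

GRAPH_BASE = "https://graph.microsoft.com/v1.0"
# Roles Graph accepts in an application grant on a site (Sites.Selected model).
VALID_ROLES = {"read", "write", "owner", "manage", "fullcontrol"}

# A transport sends (method, url, json_body) and returns the decoded JSON reply.
Transport = Callable[[str, str, Optional[dict]], dict]

# Constructed placeholders (not real tenant values).
APP_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_SITE_ID = ("contoso.sharepoint.com,"
                  "11111111-1111-1111-1111-111111111111,"
                  "22222222-2222-2222-2222-222222222222")


def site_lookup_url(hostname: str, site_path: str) -> str:
    """URL for GET /sites/{hostname}:/{server-relative-path}, which resolves the Site ID."""
    return f"{GRAPH_BASE}/sites/{hostname}:/{site_path.strip('/')}"


def parse_site_id(site_json: dict) -> str:
    """Extract the composite Site ID ('hostname,siteCollectionId,webId') from a site object."""
    site_id = site_json.get("id", "")
    if site_id.count(",") != 2:
        raise ValueError(f"unexpected site id in response: {site_id!r}")
    return site_id


def build_permission_grant(app_id: str, app_display_name: str, roles: Sequence[str]) -> dict:
    """Body for POST /sites/{site-id}/permissions granting an application roles on one site."""
    unknown = set(roles) - VALID_ROLES
    if unknown:
        raise ValueError(f"unsupported role(s): {sorted(unknown)}")
    return {
        "roles": list(roles),
        "grantedToIdentities": [{"application": {"id": app_id, "displayName": app_display_name}}],
    }


def graph_transport(token: str) -> Transport:
    """Real transport: send the request to Graph with a bearer token (used outside this demo)."""
    def send(method: str, url: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Authorization", f"Bearer {token}")
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return send


def grant_app_site_permission(transport: Transport, hostname: str, site_path: str,
                              app_id: str, app_display_name: str, roles: Sequence[str]) -> dict:
    """Resolve the Site ID, then grant the application the given roles on that single site."""
    site_id = parse_site_id(transport("GET", site_lookup_url(hostname, site_path), None))
    body = build_permission_grant(app_id, app_display_name, roles)
    granted = transport("POST", f"{GRAPH_BASE}/sites/{site_id}/permissions", body)
    return {"site_id": site_id, "permission_id": granted.get("id"), "roles": granted.get("roles")}


def list_app_grants(transport: Transport, site_id: str) -> List[dict]:
    """GET /sites/{site-id}/permissions: review which applications hold which roles on the site."""
    page = transport("GET", f"{GRAPH_BASE}/sites/{site_id}/permissions", None)
    return [
        {
            "id": p["id"],
            "roles": p.get("roles", []),
            "apps": [g["application"]["displayName"]
                     for g in p.get("grantedToIdentities", []) if "application" in g],
        }
        for p in page.get("value", [])
    ]


def fake_transport(method: str, url: str, body: Optional[dict]) -> dict:
    """Constructed stand-in for Graph so the example runs offline; mirrors the real reply shapes."""
    if method == "GET" and url == site_lookup_url("contoso.sharepoint.com", "/sites/ChangePilot"):
        return {"id": SAMPLE_SITE_ID, "displayName": "ChangePilot"}
    if method == "POST" and url == f"{GRAPH_BASE}/sites/{SAMPLE_SITE_ID}/permissions":
        return {"id": "perm-1", "roles": body["roles"],
                "grantedToIdentities": body["grantedToIdentities"]}
    if method == "GET" and url == f"{GRAPH_BASE}/sites/{SAMPLE_SITE_ID}/permissions":
        return {"value": [{"id": "perm-1", "roles": ["fullcontrol"],
                           "grantedToIdentities": [{"application": {"id": APP_ID,
                                                                    "displayName": "ChangePilot"}}]}]}
    raise RuntimeError(f"unexpected request {method} {url}")


if __name__ == "__main__":
    # The page's procedure grants full control; pass ["write"] instead if read/write on the list is all that is needed.
    result = grant_app_site_permission(fake_transport, "contoso.sharepoint.com", "/sites/ChangePilot",
                                       APP_ID, "ChangePilot", ["fullcontrol"])
    print(json.dumps(result, indent=2))
    print(json.dumps(list_app_grants(fake_transport, result["site_id"]), indent=2))
```

`list_app_grants` is the check a tenant admin will want after the consent step: it shows every application that holds a grant on the team's site and which roles it has, so the ChangePilot grant can be confirmed as the only one and the roles kept to the minimum needed (`write` covers read/write to the list; `fullcontrol` is what the page's procedure grants).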