Ultimate Forms for Microsoft 365 requires various permissions to enable it to automate your business processes and access your business data.
When installed using our Wizard, a Global Administrator will be prompted to grant, and must grant, application-level Manage permission for the site collection. Therefore only Global Administrators are able to install the app.
Manage permission is sufficient for the majority of Ultimate Forms functionality. Full Control is needed only for the following action types, and for Alerts when the Check permissions of recipients option is activated in Administration:
- Manage Permissions
- Create Site
- Copy list items - only when Copy permissions option is activated
Full Control permission will be requested, and must be granted, when the first action of any of these types is created in the site collection. The grant is given just once per site collection.
Once the installation is complete, two additional steps must be performed. You will be provided with direct links both to perform the actions and to read the specific documentation articles:
- API Access permissions - provides access to various enterprise APIs, such as Microsoft Graph.
- Create an app principal - create a user for the data access enterprise app (required to respond to changes in SharePoint lists).
Specific components of Ultimate Forms might require additional permissions to accomplish specific tasks.
Forms
Starting with version 1.4.0.0, no special configuration is required if only Modern forms are used.
For previous versions or when working with Classic forms:
- Custom scripting must be allowed in SharePoint Administration. We require this to be able to add management scripts to your forms and views.
- Some modern sites add a Deny permission for adding and modifying pages. This permission must be removed to enable form customization.
Actions
The Print list items action requires Send access to all mailboxes on Exchange Online when set to deliver via email. A Global Administrator must grant this permission when saving your first such action or via Global settings.
The Manage Exchange action requires Write access to all event calendars on Exchange Online. A Global Administrator must grant this permission when saving your first such action or via Global settings.
The Manage Active Directory action requires Read/Write access to your Azure Active Directory. A Global Administrator must grant this permission when saving your first such action or via Global settings.
The Manage Teams action requires Read/Write access to your Microsoft Teams. A Global Administrator must grant this permission when saving your first such action or via Global settings.
Alerts
Alerts require Send and Write access to all mailboxes on Exchange Online. A Global Administrator needs to grant this permission through Alert Administration or Global settings. If the permission is not granted, alerts will still work in a reduced capacity.
End users are only allowed to select a pre-authorized mailbox as the sender account for an alert they are creating (they can also select their own mailbox). Site collection administrators manage the list of Authorized Senders, scoped to a site collection, under Alerts -> Administration, or globally.
Read access to Azure Active Directory is required to perform security trimming based on Azure AD groups. A Global Administrator needs to grant this permission through Alert Administration or via Global settings. If the permission is not granted, some recipients might not receive alerts if their permissions are granted through AD groups.
Import
Read and Write access to all mailboxes on Exchange Online is required if you configure import from O365 mailboxes. A Global Administrator needs to grant this permission when the first such profile is configured or via Global settings.
Event Calendar
Read and Write access to all event calendars on Exchange Online is required if you configure Exchange as your calendar data source. A Global Administrator needs to grant this permission when the first such profile is configured. Additionally, API access must be granted for the app in SharePoint Administration.
Print
When sending the print-out in email, Send permission for the specific user's mailbox is required. The permission is requested in real time through a pop-up window (make sure your pop-up blocker is disabled). The permission grant is cached for up to 6 months.
Note: For users to perform the Print grant themselves instead of requesting it from an admin, the admin must first configure user consent settings in Microsoft Entra so that users are permitted to approve the grant in the pop-up:
- Go to https://entra.microsoft.com
- Under Enterprise Applications click on Consent and permissions.
- Under User consent for applications, make sure the second option (allow user consent for apps from verified publishers, for selected permissions) or the third option (allow user consent for apps) is selected. If you select the second option, also add the following permissions to the set users are allowed to consent to (Permission classifications, classified as low impact):
  - Microsoft Graph: Mail.ReadWrite
  - Microsoft Graph: Mail.Send
  - Microsoft Graph: User.Read
Read/Write access is needed because, when sending attachments, we first create a draft message, then attach the files to it, and only then send it. Creating the draft requires Write access; Mail.Send alone is not sufficient. Once these settings are in place, users will be able to perform the grant on their own.
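The following is an added example, not code from Ultimate Forms or Infowise. It shows how an administrator can check, from the two Microsoft Graph responses that back the Entra settings above, whether a user will actually be able to approve the Print grant: the user consent option selected on the Consent and permissions page surfaces as built-in permission grant policies in GET /policies/authorizationPolicy, and the low-impact classifications surface in GET /servicePrincipals/{id}/delegatedPermissionClassifications for the Microsoft Graph service principal. The JSON embedded below is constructed to mimic those response shapes; fetching the live responses with an admin token is left to the caller. It also maps each step of the draft, attach, send flow to the delegated scope it needs, which is why Mail.ReadWrite is in the requested set.

```python
"""Check whether Entra user-consent settings allow users to approve the Print grant.

Added example (not Infowise code). Sample data is constructed, not captured from a tenant.
"""

# Scopes the Print grant pop-up requests (listed on the page above).
PRINT_GRANT_SCOPES = frozenset({"Mail.ReadWrite", "Mail.Send", "User.Read"})

# Graph steps of the print-to-email flow and the delegated scope each one needs.
PRINT_FLOW_STEPS = (
    ("POST /me/messages (create draft)", "Mail.ReadWrite"),
    ("POST /me/messages/{id}/attachments (add print-out)", "Mail.ReadWrite"),
    ("POST /me/messages/{id}/send", "Mail.Send"),
)

# Built-in permission grant policies assigned to the default user role.
# Their presence corresponds to the radio options on the "User consent settings" page.
POLICY_LEGACY = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"  # 3rd option: any app
POLICY_LOW = "ManagePermissionGrantsForSelf.microsoft-user-default-low"        # 2nd option: verified publishers, low-impact scopes


def consent_mode(authorization_policy):
    """Translate the assigned grant policies into the selected consent option."""
    assigned = set(authorization_policy["defaultUserRolePermissions"]["permissionGrantPoliciesAssigned"])
    if POLICY_LEGACY in assigned:
        return "all-apps"
    if POLICY_LOW in assigned:
        return "verified-low-impact"
    return "none"


def low_impact_scopes(classifications):
    """Delegated permission names an admin has classified as low impact."""
    return {c["permissionName"] for c in classifications["value"] if c["classification"] == "low"}


def user_can_self_consent(authorization_policy, classifications, scopes=PRINT_GRANT_SCOPES):
    """Return (ok, reason). Under the 2nd option the app must also come from a verified
    publisher or be registered in the tenant; that condition is not checked here."""
    mode = consent_mode(authorization_policy)
    if mode == "none":
        return False, "user consent disabled; an admin must grant"
    if mode == "all-apps":
        return True, "users may consent to any app"
    missing = set(scopes) - low_impact_scopes(classifications)
    if missing:
        return False, "not classified low impact: " + ", ".join(sorted(missing))
    return True, "all requested scopes are classified low impact"


def print_flow_blockers(granted_scopes):
    """Steps of the print-to-email flow that cannot run with the granted delegated scopes."""
    granted = set(granted_scopes)
    return [step for step, scope in PRINT_FLOW_STEPS if scope not in granted]


# Constructed sample: tenant uses the 2nd option and has classified only two of the three scopes.
SAMPLE_POLICY_LOW = {
    "defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": [POLICY_LOW]}
}
SAMPLE_CLASSIFICATIONS_MISSING = {
    "value": [
        {"permissionName": "User.Read", "classification": "low"},
        {"permissionName": "Mail.Send", "classification": "low"},
    ]
}
# Same tenant after the admin also classifies Mail.ReadWrite as low impact.
SAMPLE_CLASSIFICATIONS_FIXED = {
    "value": SAMPLE_CLASSIFICATIONS_MISSING["value"]
    + [{"permissionName": "Mail.ReadWrite", "classification": "low"}]
}

if __name__ == "__main__":
    print(consent_mode(SAMPLE_POLICY_LOW))
    print(user_can_self_consent(SAMPLE_POLICY_LOW, SAMPLE_CLASSIFICATIONS_MISSING))
    print(user_can_self_consent(SAMPLE_POLICY_LOW, SAMPLE_CLASSIFICATIONS_FIXED))
    print(print_flow_blockers({"Mail.Send", "User.Read"}))
```

With the first sample the check fails and names Mail.ReadWrite as the scope still to classify; with the second it passes. The last call shows that a token carrying only Mail.Send and User.Read is blocked at the draft and attachment steps, which is the degraded case the note about Read/Write explains.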