App registrations
Perform & Engage 365 uses multiple Microsoft Entra ID app registrations, each with distinct permissions. This article describes each registration, how consent is granted, and what each permission is used for.
Main SSO + Teams app
The primary app registration used for user sign-in, Teams bot functionality, and Teams admin consent flows.
Consent type
Admin consent (during Teams app installation).
Application permissions (app-only, background)
| Permission | Claim value | What it's used for |
| Read and write all groups | Group.ReadWrite.All | Discovers Teams channels for posting notifications and app installs. Enables the Teams bot to interact with channels where Perform & Engage is installed. |
| Read and write all users | User.ReadWrite.All | Allows the Teams bot to read user profile information and manage Teams app installations. |
| Read calendars | Calendars.Read | Reads calendar free/busy information for availability checking. |
Delegated permissions (signed-in user context)
| Permission | Claim value | What it's used for |
| Sign in and read user profile | User.Read | Allows users to sign in using their Microsoft Entra ID account. Reads the signed-in user's profile and basic company information. |
| Read all users' full profiles | User.Read.All | Enables managers and admins to view team members, manage review cycles, and assign goals. |
| Read and write all groups | Group.ReadWrite.All | Enables the Teams bot to discover and interact with Teams channels on behalf of the signed-in user during consent flows. |
| Read and write all users | User.ReadWrite.All | Enables channel discovery and Teams app installation management. |
| Read calendars | Calendars.Read | Reads calendar availability on behalf of the signed-in user for scheduling 1:1 meetings and reviews. |
OpenID Connect scopes (sign-in only, not Microsoft Graph):
| Claim value | What it's used for |
| openid | OpenID Connect authentication — allows users to sign in with their Microsoft Entra ID account. |
| profile | Reads the signed-in user's profile claims (name, preferred username) from the ID token. |
| email | Reads the signed-in user's email address from the ID token. |
| offline_access | Maintains a refresh token for long-lived access during the user's session. |
Directory synchronisation app
Used for synchronising user and directory data from Microsoft Entra ID into Perform & Engage 365.
Consent type
Admin consent
Application permissions (app-only, background)
| Permission | Claim value | What it's used for |
| Read all users' full profiles | User.Read.All | Synchronises user data (name, email, department, job title, office, country, manager ID) into Perform & Engage 365. Enables manager hierarchy resolution for performance reviews, organisational charts, and check-in routing. |
| Read all directory data | Directory.Read.All | Reads directory objects including manager relationships, department structure, and group membership. Builds reporting hierarchies for performance reviews and check-in routing. |
Lightweight directory synchronisation app
A lightweight app registration used when organisations prefer a reduced-scope synchronisation.
Consent type
Admin consent
Application permissions (app-only, background)
| Permission | Claim value | What it's used for |
| Read all users' full profiles | User.Read.All | Synchronises basic user data (name, email, department, job title) into Perform & Engage 365. Does not include directory data reads. |
Meeting scheduling app
Manages calendar availability and meeting booking within Perform & Engage 365.
Consent type
Admin consent
Application permissions (app-only, background)
| Permission | Claim value | What it's used for |
| Read calendars | Calendars.Read | Reads calendar free/busy information to check user availability for 1:1 meetings, performance reviews, and check-in conversations. |
| Read and write calendars | Calendars.ReadWrite | Creates calendar events for scheduled meetings (performance reviews, check-ins, feedback meetings). |
Notification email app
Handles sending notification emails on behalf of a configured user.
Consent type
Dynamic user consent (granted during email notification setup)
Delegated permissions (signed-in user context)
| Permission | Claim value | What it's used for |
| Send mail as a user | Mail.Send | Sends notification emails (check-in reminders, review notifications, feedback requests) on behalf of the configured email account. |
| Maintain offline access | offline_access | Maintains a refresh token so the app can continue sending email notifications on behalf of the configured user without requiring them to stay signed in. |
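A tenant administrator can use the tables above as a baseline when reviewing what has actually been consented. The following is an added example, not code from Perform & Engage 365: it compares the grants held by a service principal with the documented set for the four background registrations and reports anything extra or missing. The registration labels, the ids and the sample records are constructed; the field names follow Microsoft Graph's appRoleAssignment and oauth2PermissionGrant resources.

```python
# Added example. Baseline copied from this page's tables; the labels are hypothetical.
BASELINE = {
    "directory-sync": {"application": {"User.Read.All", "Directory.Read.All"}, "delegated": set()},
    "directory-sync-light": {"application": {"User.Read.All"}, "delegated": set()},
    "meeting-scheduling": {"application": {"Calendars.Read", "Calendars.ReadWrite"}, "delegated": set()},
    "notification-email": {"application": set(), "delegated": {"Mail.Send", "offline_access"}},
}

def granted(sp_id, role_assignments, resource_app_roles, oauth_grants):
    """Collect the claim values actually granted to one service principal."""
    names = {r["id"]: r["value"] for r in resource_app_roles}
    app = {names.get(a["appRoleId"], "unresolved:" + a["appRoleId"])
           for a in role_assignments if a["principalId"] == sp_id}
    delegated = set()
    for g in oauth_grants:
        if g["clientId"] == sp_id:
            delegated.update(g["scope"].split())  # scope is a space-separated string
    return {"application": app, "delegated": delegated}

def drift(label, sp_id, role_assignments, resource_app_roles, oauth_grants):
    """Compare granted permissions with the documented set for that registration."""
    have = granted(sp_id, role_assignments, resource_app_roles, oauth_grants)
    want = BASELINE[label]
    return {kind: {"unexpected": sorted(have[kind] - want[kind]),
                   "missing": sorted(want[kind] - have[kind])}
            for kind in ("application", "delegated")}

# Constructed sample data (ids are placeholders, not real Graph ids).
APP_ROLES = [{"id": "role-1", "value": "User.Read.All"},
             {"id": "role-2", "value": "Directory.Read.All"},
             {"id": "role-3", "value": "Calendars.Read"}]
ROLE_ASSIGNMENTS = [
    {"principalId": "sp-light", "appRoleId": "role-1"},
    {"principalId": "sp-light", "appRoleId": "role-2"},  # wider than the lightweight app documents
    {"principalId": "sp-meet", "appRoleId": "role-3"},
]
OAUTH_GRANTS = [{"clientId": "sp-mail", "consentType": "Principal",
                 "scope": "Mail.Send offline_access Mail.ReadWrite"}]
SERVICE_PRINCIPALS = {"sp-light": "directory-sync-light",
                      "sp-meet": "meeting-scheduling",
                      "sp-mail": "notification-email"}

def audit():
    """Run the drift check for every service principal in the sample."""
    return {label: drift(label, sp, ROLE_ASSIGNMENTS, APP_ROLES, OAUTH_GRANTS)
            for sp, label in SERVICE_PRINCIPALS.items()}

if __name__ == "__main__":
    for label, result in audit().items():
        print(label, result)
```

In a real tenant the three input lists would come from exported Graph data for the service principals in question; an "unexpected" entry is the one to investigate first.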
More information
For more information about personal data and data storage, see this article.