LawToolBox Permissions
All the permissions listed below operate under the user’s scope as delegated permissions, leveraging the Microsoft Graph API.

All the permissions are documented in the below Microsoft document:

Learn More:


Grant Permissions:


App permissions:

Enterprise permissions:


LawToolBox makes a concerted effort to only ask for the permissions necessary to make our solution for M365 work as expected.

_________________________________________________________________


Application Permissions Explained:

These user-based permissions let the LawToolBox application work as an extension of what the user already has access to or has permission to do in Microsoft 365 (add calendar appointments, view files and contacts, visit SharePoint sites, Teams, etc.). This does not allow LawToolBox as a company to see your files or M365 data, and the data will remain in your tenant.


1. Have full access to your calendars  
This permission is restricted to accessing the user’s contacts that they already have access to – we use this to allow users to retrieve their own calendar information. 

Allows the app to create, read, update, and delete events in user calendars.

This is a permission requested to access your data in Contoso.


2. Read items in all site collections 

Related to files and folders: uploading files to case folders and file sharing in meetings, so that files can be uploaded to SharePoint for a specific matter. This facilitates SharePoint search (the virtual meeting uses this function).

Allows the app to read, create, update, and delete document libraries and lists in all site collections on behalf of the signed-in user.

 

3. Read and write items and lists in all site collections
Related to reading files and creating case folders and files – files can be uploaded to SharePoint for a specific matter – this facilitates SharePoint search and applies templates from one SharePoint site to another. 

Allows the app to read, create, update, and delete document libraries and lists in all site collections on behalf of the signed-in user. 

This is a permission requested to access your data in Contoso.


4. Read your files 

Read and list the user files the user already has access to.


Allows the app to read the current user's files.

This is a permission requested to access your data in Contoso.


5. Read your mail 
We use this permission to read PACER emails in our Outlook add-in to auto-open that matter, and also to read contacts from your email to add to our contact system (this is a good-to-have but not a necessary function).

Allows the app to read the signed-in user's mailbox.

This is a permission requested to access your data in Contoso.


6. Read and write user mailbox settings  

Allows the app to create, read, update, and delete user's mailbox settings. Does not include permission to send mail.

This is a permission requested to access your data in Contoso.


7. Read and write all OneNote notebooks that you can access 
Users can write any notes to OneNote from LawToolBox interface.

Allows the app to read, share, and modify OneNote notebooks that the signed-in user has access to in the organization.

This is a permission requested to access your data in Contoso.


8. Read and write to your and shared contacts 
This permission is to allow users to search shared O365 contacts and add to LawToolBox – we do not add any contacts automatically.  

Allows the app to create, read, update, and delete contacts a user has permissions to, including their own and shared contacts.

This is a permission requested to access your data in Contoso.


9. Sign you in and read your profile 
Necessary for Single Sign On (SSO) authentication to sign in as the identified user.

Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.

This is a permission requested to access your data in Contoso.


10. Have full access of your contacts  
This permission is restricted to accessing the user’s contacts that they already have access to. We use this permission to allow users to search their O365 contacts and add them to LawToolBox – we do not automatically add any contact (this can be revoked if you do not want this feature, and contacts can be added manually).

Allows the app to create, read, update, and delete user contacts.

This is a permission requested to access your data in Contoso.


11. Read and write all groups 
This is necessary to create Calendar events, read the Teams API, create a Microsoft Team, add Teams channels, and use the Teams file sharing feature.

Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Additionally allows group owners to manage their groups and allows group members to update group content.

This is a permission requested to access your data in Contoso.


12. Read and write directory data 
Admin portal users can retrieve a list of users from the O365 tenant to add to LawToolBox as a user with the correct Exchange name, email SMTP and UPN addresses. (Can be revoked to allow manual tying instead.)

Allows the app to read and write data in your organization's directory, such as users, and groups. It does not allow the app to delete users or groups, or reset user passwords.

This is a permission requested to access your data in Contoso.



13. Send mail as you  
We use this permission, sending emails as the user, to develop a function to send reports from LawToolBox as the user. This can be removed without deprecating any major function.

Allows the app to send mail as users in the organization.

This is a permission requested to access your data in Contoso.


14. Have full access to your files 
We read files from Teams, Groups and OneDrive for meetings. This feature is used to suggest linking the right files or folders to deadlines that are associated with the Microsoft Team or SharePoint group for the matter (revoking it will prevent LTB from listing matter files in our apps to manually copy and paste hyperlinks).

Allows the app to read, create, update and delete the signed-in user's files.

This is a permission requested to access your data in Contoso.


15. Read and write all OneNote notebooks that you can access 
Users can write any notes to OneNote from LawToolBox interface.

Allows the app to read, share, and modify OneNote notebooks that the signed-in user has access to in the organization.

This is a permission requested to access your data in Contoso.



16. Read and create your online meetings 
Necessary to create meetings for Microsoft Teams and Outlook.

Allows the app to read and create online meetings on behalf of the signed-in user.

This is a permission requested to access your data in Contoso.


17. Read your relevant people list  
People API access. Revoking this will deprecate the feature that suggests recent contacts to add to meetings or contacts to add to a matter.

Allows the app to read a ranked list of relevant people of the signed-in user. The list includes local contacts, contacts from social networking, your organization's directory, and people from recent communications (such as email and Skype).

This is a permission requested to access your data in Contoso.





NOTE: Some permissions cannot be revoked. If certain permissions are revoked, it will deprecate functions of LawToolBox and will limit the functionality for the users.
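The following is an added example for tenant administrators reviewing the consent described above; it is not LawToolBox or Microsoft code. It parses a record shaped like a Microsoft Graph oauth2PermissionGrant and separates the delegated scopes this page describes as optional or revocable from the rest. The scope identifiers are an assumed mapping of the consent display names listed above, and the sample grant with its IDs is constructed.

```python
import json

# Assumed mapping (not from the page): Microsoft Graph delegated scope names for
# the permissions this page describes as optional or revocable, with the
# LawToolBox feature the page ties to each one.
REMOVABLE = {
    "Mail.Read": "reading PACER emails and contacts from mail",
    "Contacts.ReadWrite": "searching O365 contacts to add to LawToolBox",
    "Directory.ReadWrite.All": "retrieving tenant users in the admin portal",
    "Mail.Send": "sending reports as the user",
    "Files.ReadWrite": "listing matter files to link to deadlines",
    "People.Read": "suggesting recent contacts",
}

# Constructed sample in the shape of a Graph oauth2PermissionGrant record.
# Every ID is a placeholder; the scope string is deliberately untidy.
SAMPLE_GRANT = json.dumps({
    "id": "constructed-grant-id",
    "clientId": "00000000-0000-0000-0000-000000000001",
    "consentType": "AllPrincipals",
    "principalId": None,
    "resourceId": "00000000-0000-0000-0000-000000000002",
    "scope": " Calendars.ReadWrite Mail.Read  Mail.Send Directory.ReadWrite.All"
             " User.Read Notes.ReadWrite.All Notes.ReadWrite.All",
})


def review_grant(raw):
    """Split a grant's delegated scopes into removable and remaining ones."""
    grant = json.loads(raw)
    # "scope" is one space-separated string; drop blanks and repeats, keep order.
    scopes = list(dict.fromkeys((grant.get("scope") or "").split()))
    return {
        # AllPrincipals means an admin consented for every user in the tenant.
        "tenant_wide": grant.get("consentType") == "AllPrincipals",
        "removable": {s: REMOVABLE[s] for s in scopes if s in REMOVABLE},
        "remaining": [s for s in scopes if s not in REMOVABLE],
    }


if __name__ == "__main__":
    report = review_grant(SAMPLE_GRANT)
    print("tenant-wide consent:", report["tenant_wide"])
    for scope, feature in report["removable"].items():
        print(f"removable: {scope} (feature lost: {feature})")
    print("remaining:", ", ".join(report["remaining"]))
```
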


_________________________________________________________________

Enterprise Permissions Explained



Enterprise-level permissions allow users to exceed the 250-group limit for Microsoft 365 and make it unlimited. These permissions provide a more seamless user experience for auditing and self-troubleshooting.


Each permission is explained in detail here: 

Application Information for LawToolBox by LawToolBox.com,Inc. - Microsoft 365 App Certification | Microsoft Learn

 

Examples of how application permissions are used and enhance user and admin experience:

Editor rights: When our deadlines move, the original entry gets “Cancelled”

  • Deadlines move all the time, and the volume of canceled events depends on each client.
  • Enterprise application permissions allow an admin to automatically clean up the user calendar, move the “Canceled” entry to deleted, and maintain the calendar with active events only.
  • One alternative is an Outlook calendar filter (Outlook desktop client) to hide the entries marked as canceled. This has to be done for each individual user.


Audit tool: LawToolBox manages deadlines through a group calendar.

  • The group calendar is responsible for adding the events to owner/member users of that group
  • Enterprise permissions allow LawToolBox to audit the personal calendars against the group calendar and catch any discrepancies when needed. 
  • Otherwise, we do not have visibility into the user calendars, and our error logs provide less information.


Group limits:

  • Microsoft limits non-admin users to 250 groups in your tenant.
  • When a LawToolBox matter is created, it creates an M365 group. Therefore if one user does all the calendaring and matter setup, you may reach the Microsoft non-GA cap of 250