harmon.ie required permissions and app consent

This article applies to harmon.ie Desktop and to the new harmon.ie.

Using harmon.ie, your emails and documents remain on your Microsoft tenant. The harmon.ie app connects directly to your M365 tenant or SharePoint on-premises servicer. There is no harmon.ie backend/server components.

Features in harmon.ie require consent to ensure fully secure and compliant usage.

During the download of harmon.ie desktop from our web site, you will be prompted to Accept the requested permissions. When the consent is accepted by a Microsoft 365 admin, it can be done once for all harmon.ie users. If the user that downloads harmon.ie isn't an M365 admin, they can accept the permissions for themselves, if the company policy allows them to do so.

For the new harmon.ie, consent is requested when launching the app for the first time.

Security note: harmon.ie only asks for delegated permissions, and not for application permissions. The effective permissions are the least privileged intersection of the delegated permissions harmon.ie has been granted (through consent) and the privileges of the currently signed-in user. harmon.ie cannot have more privileges than the signed-in user. As a result, harmon.ie users can never access SharePoint content they are not authorized to view. For more information, read Permissions and consent in the Azure Active Directory v1.0 endpoint.

What are the requested permissions and why are they required?

harmon.ie uses Microsoft Entra ID permissions and consent.

Here are the requested permissions in harmon.ie 10.x and the new harmon.ie, and why they are required:

• User.Read ‐ Sign in and read your user profile
• User.ReadBasic.All ‐ Read all users' basic profiles
• People.Read ‐ Read users' relevant people lists
• Files.ReadWrite.All ‐ Have full access to all files user can access
• MyFiles.Write ‐ Read and write user files
• Mail.Read ‐ Read user mail
• MailboxSettings.Read ‐ Read user mailbox settings
• Sites.ReadWrite.All ‐ Edit or delete items in all site collections
• Team.ReadBasic.All ‐ Read the names and descriptions of teams, on your behalf
• Channel.ReadBasic.All ‐ Read the names and descriptions of channels, on your behalf
• ChannelMessage.Send ‐ Send channel messages
• Chat.Create ‐ Create chats
• Chat.ReadWrite ‐ Read and write user chat messages
• offline_access ‐ Maintain access to data you have given it access to

To verify that harmon.ie consent is properly configured:

To verify that harmon.ie's requested permissions are properly configured:

1. Open Azure Active Directory > Enterprise applications.
2. Search for "harmon.ie". These are the IDs of the different harmon.ie versions:
   • 494b5977-84cb-4268-931b-f43aeca3e2e3 (harmon.ie 10 or later)
   • 7442ddf4-dc0b-45b9-b34e-c12a12dd6db5 (harmon.ie 9.x)
   • 10301466-86cc-4cb9-9007-a23f1a4c5ac8 (harmon.ie 8.0-9.0)
3. Click the harmon.ie app and select Permissions.
4. Verify that all permissions are marked as granted.

What to do if harmon.ie download failed:

Your administrator might have disabled the option to authorize third-party apps the access to Microsoft 365. In this case, you may fail to download harmon.ie.

To authorize harmon.ie app's access to Microsoft 365, ask your administrator to do the following:

1. harmon.ie 10 or later: click this Consent link. This allows harmon.ie to access your recent Microsoft 365 documents and share to Teams.
2. harmon.ie 9.x: click this Consent link. This allows harmon.ie to access your recent Microsoft 365 documents.
3. Sign in with Global Admin credentials and click Accept.