harmon.ie required permissions and app consent

This article applies to harmon.ie 365 and to the new harmon.ie.

In this article:

• Why does harmon.ie require app consent?
• When is consent requested?
• What are the requested permissions and why are they required?
• How to grant app consent to harmon.ie?
• How to verify that harmon.ie consent is properly configured?
• What to do if harmon.ie download failed?
• What to do if you can’t grant consent to harmon.ie?

Why does harmon.ie require app consent?

OAuth 2.0 is the authentication method used by Microsoft to allow 3rd-party apps to access M365 data.

The consent requirement in OAuth 2.0 for M365 is a fundamental aspect of ensuring that users maintain control over their data, that their privacy is protected, and that security and compliance standards are upheld.

harmon.ie 365 and the new harmon.ie are using the OAuth 2.0 authentication to connect with M365 on behalf of the app users, in order to view and work with M365 files that the user is authorized to see. This ensures fully secure and compliant usage.

For harmon.ie to work, an M365 administrator should grant consent to harmon.ie. This is done once for all users.

Security notes:

• Using harmon.ie, your emails and documents remain on your Microsoft tenant. The harmon.ie app connects directly to your M365 tenant or SharePoint on-premises servicer. Data never leaves your tenant.
• harmon.ie only asks for delegated permissions, and not for application permissions. The effective permissions are the least privileged intersection of the delegated permissions harmon.ie has been granted (through consent) and the privileges of the currently signed-in user. harmon.ie cannot have more privileges than the signed-in user. As a result, harmon.ie users can never access SharePoint content they are not authorized to view. For more information, read Permissions and consent in the Azure Active Directory v1.0 endpoint.

When is consent requested?

In harmon.ie 365 (desktop):

During the download of harmon.ie 365 from our web site, you will be prompted to Accept the requested permissions. When the consent is accepted by a Microsoft 365 admin, it can be done once for all harmon.ie users. If the user that downloads harmon.ie isn’t an M365 admin, they can accept the permissions for themselves, if the company policy allows them to do so.

In the new harmon.ie:

For the new harmon.ie, consent is requested when launching the app for the first time.

How to grant consent to harmon.ie?

To authorize harmon.ie app’s access to Microsoft 365, ask your M365 administrator to do the following:

1. harmon.ie 10 or later: click this Consent link. This allows harmon.ie to access your recent Microsoft 365 documents and share to Teams.
2. harmon.ie 9.x: click this Consent link. This allows harmon.ie to access your recent Microsoft 365 documents.
3. Sign in with Global Admin credentials and click Accept.

What are the requested permissions and why are they required?

harmon.ie uses Microsoft Entra ID permissions and consent.

Here are the requested permissions in harmon.ie 10.x and the new harmon.ie, and why they are required:

• User.Read ‐ Allows users to share content with people in Teams using harmon.ie.
• User.ReadBasic.All ‐ Allows users to share content with people in Teams using harmon.ie.
• People.Read ‐ Allows users to share content with people in Teams using harmon.ie.
• Files.ReadWrite.All ‐ Allows users to access their M365 files from harmon.ie.
• MyFiles.Write ‐ Allows users to access their OneDrive files from harmon.ie.
• Mail.Read ‐ Allows users to save emails to M365 with harmon.ie.
• MailboxSettings.Read ‐ Read user mailbox settings.
• Sites.ReadWrite.All ‐ Allows users to modify M365 files using harmon.ie.
• Team.ReadBasic.All ‐ Allows users to view their Teams in harmon.ie.
• Channel.ReadBasic.All ‐ Allows users to view their channels in harmon.ie.
• ChannelMessage.Send ‐ Allows users to use harmon.ie to post messages in the channel chat.
• Chat.Create ‐ Allows users to use harmon.ie to post messages in one-on-one or group chat.
• Chat.ReadWrite ‐ Allows harmon.ie to display files that were shared in chats and meetings.
• offline_access ‐ Allows users to access M365 data when offline.
• AllSites.Manage ‐ Allows users to discover and select the sites they want to view and access in harmon.ie.

How to verify that harmon.ie consent is properly configured?

To verify that harmon.ie’s requested permissions are properly configured:

1. Open Azure Active Directory > Enterprise applications.
2. Search for “harmon.ie”. These are the IDs of the different harmon.ie versions:
   • 494b5977-84cb-4268-931b-f43aeca3e2e3 (harmon.ie 10 or later)
   • 7442ddf4-dc0b-45b9-b34e-c12a12dd6db5 (harmon.ie 9.x)
   • 10301466-86cc-4cb9-9007-a23f1a4c5ac8 (harmon.ie 8.0-9.0)
3. Click the harmon.ie app and select Permissions.
4. Verify that all permissions are marked as granted.

What to do if harmon.ie download failed?

Your administrator might have disabled the option to authorize third-party apps the access to Microsoft 365. In this case, you may fail to download harmon.ie. Ask your M365 administrator to manually grant consent.

What to do if you can’t grant consent to harmon.ie?

If your company’s policy does not permit granting consent for 3rd party apps, or if you are working with SharePoint on-premises, you may install and use harmon.ie for SharePoint. This harmon.ie Classic edition uses a cookie-based authentication method to access your data, and it does not require consent. Note, however, that harmon.ie for SharePoint doesn’t include MS Teams integration as well as some other features, as these features are only available with the OAuth 2.0 authentication method. Visit harmon.ie product comparison table for more information.