# Microsoft Permissions

Rockhopper integrates with Microsoft 365 via Microsoft Entra ID (Azure AD) and the Microsoft Graph API. This page documents the exact permissions requested and explains why each is needed.

## Permissions requested

| Permission              | Type      | Why Rockhopper needs it                                                                                                     |
| ----------------------- | --------- | --------------------------------------------------------------------------------------------------------------------------- |
| **Files.Read.All**      | Delegated | Read files the user can access — used to detect changes to enrolled spreadsheets and download version snapshots             |
| **Files.ReadWrite.All** | Delegated | Read and write files the user can access — used to update files when reverting to a previous version or creating a copy     |
| **User.Read**           | Delegated | Read the signed-in user's profile — used to identify the user and display their name and email in Rockhopper                |
| **User.ReadBasic.All**  | Delegated | Read basic profile info for all users in the organization — used to show team member names and enable @mentions in comments |

All permissions are **delegated**, meaning they operate within the context of the signed-in user. Rockhopper can only access files and profiles that the user themselves already has access to in Microsoft 365.

## What Rockhopper does NOT access

| Category                       | Details                                                                                                    |
| ------------------------------ | ---------------------------------------------------------------------------------------------------------- |
| **Email and calendar**         | No access to mailboxes, calendars, or contacts                                                             |
| **Teams and chat**             | No access to Microsoft Teams messages, channels, or meetings                                               |
| **SharePoint lists and sites** | No access beyond OneDrive/SharePoint file storage                                                          |
| **Admin functions**            | No admin-level permissions — Rockhopper cannot modify tenant settings, user accounts, or security policies |

## How permissions are granted

During initial onboarding, a Microsoft 365 administrator grants consent for these permissions on behalf of the organization. This is a one-time process — see the [Microsoft 365 Onboarding](/it-setup/tenant-onboarding.md) guide for step-by-step instructions.

Individual users do not need to grant additional permissions. Once admin consent is provided, all users in the tenant can sign in to Rockhopper and begin using the platform.
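
One way to check a tenant against the permissions table after admin consent, as an added example (not Rockhopper's own code): it assumes the app's delegated grants and app role assignments have been exported in the shape of Microsoft Graph's `oauth2PermissionGrant` and `appRoleAssignment` resources. The sample data, the placeholder ids and the function name `audit_grants` are constructed for illustration.

```python
import json

# Delegated scopes documented in the permissions table on this page.
DOCUMENTED_SCOPES = {"Files.Read.All", "Files.ReadWrite.All", "User.Read", "User.ReadBasic.All"}

# Constructed sample shaped like a Microsoft Graph oauth2PermissionGrants listing
# for one service principal; every id below is a placeholder, not a real value.
SAMPLE_GRANTS = json.loads("""
{"value": [
  {"clientId": "sp-placeholder", "consentType": "AllPrincipals", "principalId": null,
   "resourceId": "graph-sp-placeholder",
   "scope": "Files.Read.All Files.ReadWrite.All User.Read User.ReadBasic.All"},
  {"clientId": "sp-placeholder", "consentType": "Principal", "principalId": "user-placeholder",
   "resourceId": "graph-sp-placeholder", "scope": "User.Read Mail.Read"}
]}
""")


def audit_grants(grants, app_role_assignments=()):
    """Compare exported grants with the documented delegated scopes."""
    findings = []
    tenant_wide = set()
    for g in grants.get("value", []):
        scopes = set((g.get("scope") or "").split())
        who = g.get("principalId") or "all users"
        if g.get("consentType") == "AllPrincipals":  # admin consent for the whole tenant
            tenant_wide |= scopes
        for extra in sorted(scopes - DOCUMENTED_SCOPES):
            findings.append(f"undocumented delegated scope {extra} granted for {who}")
    for missing in sorted(DOCUMENTED_SCOPES - tenant_wide):
        findings.append(f"documented scope {missing} lacks tenant-wide admin consent")
    # The page states every permission is delegated, so any app role
    # assignment (application permission) on the service principal is unexpected.
    for a in app_role_assignments:
        findings.append(f"unexpected application permission, appRoleId {a.get('appRoleId')}")
    return findings


if __name__ == "__main__":
    for line in audit_grants(SAMPLE_GRANTS):
        print(line)
```

An empty result means the exported grants match the four documented delegated scopes exactly, with tenant-wide consent and no application permissions.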


