Ultimate Forms for Microsoft 365 requires various permissions to enable it to automate your business processes and access your business data.

Main Permissions Grant

When installed using our Wizard, a Global Administrator will be requested and must grant application-level Full Control for the site collection. Therefore only Global Administrators are able to install the app.

The permissions are granted by the Infowise Ultimate Forms: Data Access enterprise app. The app is added to your Entra ID automatically by the installer.

The app requests the following permissions:

Microsoft Graph

  • Directory.Read.All (application) - used by various functions to extract the members of domain groups. For example, when sending an alert to a group, we extract the group members and email each of them.
  • Sites.FullControl.All (delegated) - used during installation only, by an administrator, to grant the app access to specific site collections.

Office 365 SharePoint Online

  • Sites.Selected (application) - provides granular access to SharePoint, for each requested site collection. This right is used in conjunction with the Sites.FullControl.All Graph permission, which actually registers the particular site collection for the permission. Without this registration, the permission doesn't apply to any site collections.
  • TermStore.ReadWrite.All (application) - used by actions to set values of managed metadata columns (Read mode), and by external forms to query the term store and, if allowed, add new values from the form (Read/write).
  • AllSites.Write (delegated) - used for basic-level access to data, read/write only, for non-administrators.
  • AllSites.FullControl (delegated) - used for administrative purposes, for example when saving settings via the app.
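As an added example (not Infowise code) of checking the Sites.Selected registration described above: the functions below parse the JSON that Microsoft Graph returns from GET /sites/{site-id}/permissions (the registration creates such entries) and flag app principals that are not expected on the site or hold more than the intended role. The sample response and app ids are constructed, and the ranking of Graph role names is an assumption.

```python
"""Audit app grants on one SharePoint site (Sites.Selected scope) from Graph JSON."""
import json
from typing import Dict, List, Set

# Constructed sample of GET /sites/{site-id}/permissions; app ids are placeholders.
SAMPLE_PERMISSIONS_JSON = json.dumps({"value": [
    {"id": "perm-1", "roles": ["write"], "grantedToIdentitiesV2": [{"application": {
        "id": "00000000-0000-0000-0000-00000000aaaa",
        "displayName": "Infowise Ultimate Forms: Data Access"}}]},
    {"id": "perm-2", "roles": ["fullcontrol"], "grantedToIdentitiesV2": [{"application": {
        "id": "00000000-0000-0000-0000-00000000bbbb",
        "displayName": "Unknown integration"}}]},
]})

# Sites.Selected role ranking, weakest to strongest (assumed order of Graph's role names).
ROLE_ORDER = ["read", "write", "manage", "fullcontrol"]

def parse_site_grants(permissions_json: str) -> Dict[str, dict]:
    """Return {app_id: {"displayName": ..., "roles": [...]}} for each app granted on the site."""
    grants: Dict[str, dict] = {}
    for entry in json.loads(permissions_json).get("value", []):
        # Some responses carry grantedToIdentities instead of grantedToIdentitiesV2; accept both.
        idents = entry.get("grantedToIdentitiesV2") or entry.get("grantedToIdentities") or []
        for ident in idents:
            app = ident.get("application")
            if not app:
                continue  # user/group permissions are not app grants
            rec = grants.setdefault(app["id"], {"displayName": app.get("displayName", ""), "roles": []})
            rec["roles"].extend(r.lower() for r in entry.get("roles", []))
    return grants

def find_unexpected_grants(grants: Dict[str, dict], expected_app_ids: Set[str],
                           max_role: str = "write") -> List[str]:
    """App ids that are not on the expected list, or hold a role stronger than max_role."""
    limit = ROLE_ORDER.index(max_role)
    flagged = []
    for app_id, rec in grants.items():
        too_strong = any(ROLE_ORDER.index(r) > limit for r in rec["roles"] if r in ROLE_ORDER)
        if app_id not in expected_app_ids or too_strong:
            flagged.append(app_id)
    return sorted(flagged)

def build_grant_body(app_id: str, display_name: str, roles=("write",)) -> dict:
    """Body for POST /sites/{site-id}/permissions registering an app under Sites.Selected."""
    return {"roles": list(roles),
            "grantedToIdentities": [{"application": {"id": app_id, "displayName": display_name}}]}
```

Fetching the real response requires an administrator token holding Sites.FullControl.All, so run the audit from an admin session rather than from the app itself.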

Additional Post-install Steps

Once the installation is complete, two additional steps must be performed. You will be provided with direct links both to perform the actions and to read the specific documentation articles:

  1. API Access permissions - provides access to various enterprise APIs, such as Microsoft Graph. These are used by the forms to access various resources. For example, managed metadata columns use these permissions to access the Term Store.
  2. Create an app principal - create a user for the data access enterprise app (required to respond to changes in SharePoint lists). This requirement is gradually being removed and at this point is only needed in some specific cases.

Specific components of Ultimate Forms might require additional permissions to accomplish specific tasks.

Forms

Starting with version 1.4.0.0, no special configuration is required if only Modern forms are used.

For previous versions or when working with Classic forms:

  1. Custom scripting must be allowed in SharePoint Administration. We require this to be able to add management scripts to your forms and views.
  2. Some modern sites add a Deny permission for adding and modifying pages. This permission must be removed to enable form customization.

Actions

  • Print list items action requires Send access to all mailboxes on Exchange Online when set to deliver via email. A Global Administrator must grant this permission when saving your first such action or via Global settings.
  • Manage Exchange action requires Write access to all event calendars on Exchange Online. A Global Administrator must grant this permission when saving your first such action or via Global settings.
  • Manage Active Directory action requires Read/Write access to your Azure Active Directory. A Global Administrator must grant this permission when saving your first such action or via Global settings.
  • Manage Teams action requires Read/Write access to your Microsoft Teams. A Global Administrator must grant this permission when saving your first such action or via Global settings.

These additional permissions are requested when first used. For example, when you create your first Manage Teams action, the app will request the permission upon saving the action.

Alerts

Alerts require Send and Write access to all mailboxes on Exchange Online. A Global Administrator needs to grant this permission through Alert Administration or Global settings. If the permission is not granted, alerts will still work in a reduced capacity.

End users are only allowed to select a pre-authorized mailbox as the sender account for an alert they are creating (they can also select their own mailbox). Site collection administrators manage the list of Authorized Senders, scoped to a site collection, under Alerts -> Administration, or globally.

Read access to Azure Active Directory is required to perform security trimming based on Azure AD groups. A Global Administrator needs to grant this permission through Alert Administration or via Global settings. If the permission is not granted, some recipients might not receive alerts if their permissions are granted through AD groups.

Import

Read and Write access to all mailboxes on Exchange Online is required if you configure import from O365 mailboxes. A Global Administrator needs to grant this permission when the first such profile is configured or via Global settings.

Event Calendar

Read and Write access to all event calendars on Exchange Online is required if you configure Exchange as your calendar data source. A Global Administrator needs to grant this permission when the first such profile is configured. Additionally, API access must be granted for the app in SharePoint Administration.

Print

When sending the print-out in email, Send permissions for the specific user's mailbox are required. The permissions are requested in real time through a pop-up window (make sure your pop-up blocker is disabled). The permission grant is cached for up to 6 months.

Note: For users to perform the Print grant themselves instead of requesting an admin, the admin should set up the Entra consent settings so that users are permitted to approve this grant in the Grant pop-up.

  • Go to https://entra.microsoft.com
  • Under Enterprise Applications click on Consent and permissions.
  • Make sure that the second or third option is selected. If selecting the second one, make sure the following permissions are added as allowed:
    • Microsoft Graph: Mail.ReadWrite
    • Microsoft Graph: Mail.Send
    • Microsoft Graph: User.Read

The reason we need Read/Write is that when we send attachments, we start by creating a draft, then attach the files to it, then send it. Creating a draft requires Write. Once these settings are in place, users will be able to grant the permission on their own.

Last modified: 6/19/2025 5:20 PM