Office 365 application manifest

The application manifest, which stores information about the application, is found in the Azure Management Portal. The format of the manifest is JSON.

Applies to: Office 365

With the manifest, you can define the permissions that the app will expose and the scopes for Office 365 data. You can make these changes through the Portal.

To make modifications to the application manifest

  1. Log on to the Portal.

  2. View the application definition.

  3. Download the application manifest.

  4. Open the manifest and modify it according to the needs of the app.

Scopes

A scope is a combination of a resource or capability and an operation in the format resource.operation. For example, "MyFiles.Read" specifies the resource "MyFiles" and the operation "Read". Scopes are used to limit access to Office 365 data to a specific level in SharePoint, Exchange, and Microsoft Azure Active Directory. There are no default scopes. An app needs to either select them on the Portal or declare them in the application manifest. Scope information is stored in the app's application manifest.

Table 1. SharePoint scopes

| Scope | Permission | Description | Requires Admin Consent |
|---|---|---|---|
| MyFiles.Write | Edit or delete users' files | Allows the application to edit or delete the current signed-in user's files. | No |
| MyFiles.Read | Read users' files | Allows the application to read the current signed-in user's files. | No |
| AllSites.FullControl | Have full control of all site collections | Allows the application to have full control of all site collections on behalf of the current signed-in user. | Yes |
| AllSites.Manage | Create or delete items and lists in all site collections | Allows the application to create or delete document libraries and lists in all site collections on behalf of the signed-in user. | Yes |
| AllSites.Read | Read items in all site collections | Allows the application to read documents and list items in all site collections on behalf of the signed-in user. | No |
| AllSites.Write | Edit items in all site collections | Allows the application to edit or delete documents and list items in all site collections on behalf of the signed-in user. | No |

Table 2. Exchange scopes

| Scope | Permission | Description | Requires Admin Consent |
|---|---|---|---|
| Contacts.Write | Have full access to users' contacts | Allows the application to read, update, create and delete users' contacts. | No |
| Contacts.Read | Read users' contacts | Allows the application to read users' contacts. | No |
| Calendar.Write | Have full access to users' calendars | Allows the application to read, update, create, and delete events in users' calendars. | No |
| Calendar.Read | Read users' calendars | Allows the application to read events in users' calendars. | No |
| Mail.Send | Send mail as a user | Allows the application to send messages as users in the organization. | No |
| Mail.Write | Read and Write access to users' mail | Allows the application to read, update, create, and delete messages in users' mailboxes. | No |
| Mail.Read | Read users' mail | Allows this application to read messages in users' mailboxes. | No |
| user_impersonation | Have full access to a user's mailbox | Allows the application full access to mailboxes on behalf of users in the organization. Note: This scope is applicable to the EWS Managed API and Exchange Web Services (EWS) only. It does not apply to the Office 365 APIs. | Yes |

Table 3. Microsoft Azure Active Directory scopes

| Scope | Permission | Description | Requires Admin Consent |
|---|---|---|---|
| UserProfile.Read | Enable sign-on and read users' profiles | Allows the application to sign-on and read the user's personal profile. Note: Limited to the signed-on user’s personal profile data. | Yes |
| | Access your organization's directory | Allows the application to access your organization's directory on behalf of the signed-in user. | Yes |
| Directory.Write | Read and write directory data | Allows the application to read and write directory data. Note: Access rights are based on the user's permissions. | Yes |
| Directory.Read | Read directory data | Allows the application to only read the directory data. Note: Access rights are based on the user's permissions. | Yes |
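
The following added example (not part of the original page or of any Microsoft tooling) shows one way to review a requested-scope list against Tables 1-3 before consent is granted: it flags scopes that require admin consent, Read scopes already covered by a Write scope whose description includes read access, and names that are malformed or not listed. The function name review_scopes and the sample list are assumptions made for illustration.

```python
import re

# Scope -> requires admin consent, transcribed from Tables 1-3 on this page.
ADMIN_CONSENT = {
    "MyFiles.Write": False, "MyFiles.Read": False,
    "AllSites.FullControl": True, "AllSites.Manage": True,
    "AllSites.Read": False, "AllSites.Write": False,
    "Contacts.Write": False, "Contacts.Read": False,
    "Calendar.Write": False, "Calendar.Read": False,
    "Mail.Send": False, "Mail.Write": False, "Mail.Read": False,
    "user_impersonation": True,  # EWS only; not in resource.operation form
    "UserProfile.Read": True, "Directory.Write": True, "Directory.Read": True,
}
# Resources whose Write description in the tables explicitly includes read.
WRITE_INCLUDES_READ = {"Contacts", "Calendar", "Mail", "Directory"}
# The resource.operation format described in the Scopes section.
SCOPE_RE = re.compile(r"^([A-Za-z]+)\.([A-Za-z]+)$")


def review_scopes(requested):
    """Return (scope, finding) pairs for a list of requested scope names."""
    findings = []
    seen = set(requested)
    for scope in sorted(seen):
        match = SCOPE_RE.match(scope)
        if scope not in ADMIN_CONSENT:
            why = "not in Tables 1-3" if match else "malformed"
            findings.append((scope, "unknown scope: " + why))
            continue
        if ADMIN_CONSENT[scope]:
            findings.append((scope, "requires admin consent"))
        # Least privilege: drop X.Read when X.Write already grants read.
        if (match and match.group(2) == "Read"
                and match.group(1) in WRITE_INCLUDES_READ
                and match.group(1) + ".Write" in seen):
            findings.append(
                (scope, "redundant: covered by " + match.group(1) + ".Write"))
    return findings


# Constructed request list for a hypothetical mail add-in.
SAMPLE = ["Mail.Read", "Mail.Write", "Directory.Read", "AllSites.Read",
          "mail.read", "Files Read"]

if __name__ == "__main__":
    for scope, finding in review_scopes(SAMPLE):
        print(f"{scope:16} {finding}")
```
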

The following is an example of an application manifest.

{
     "applicationIdentityManifestVersion": "0.1",
     "objectId": "0ac9c84d-d299-4c67-9222-22a5ddccf7f2",
     "generalProperties": [
          {
               "displayName": "Adatum Travel App",
               "homepage": "https://adatum.com",
               "availableToOtherTenants": true
          }
     ],
     "authProtocols": [
          {
               "OAuth": [
                    {
                         "appId": "f5349996-f4ba-45d8-a28c-1912207c6244",
                         "publicClient": false
                    }
               ],
               "SAML": [
                    {
                         "logoutUrl": "https://adatum.com/signout/",
                         "samlMetadataUrl": "https://adatum.com/metadata/"
                    }
               ],
               "identifierUrls": [
                    "https://adatumisv.onmicrosoft.com/supercool"
               ],
               "replyUrls": [
                    "https://goo.com",
                    "https://localhost:44307/"
               ],
               "errorUrl": "https://adatum.com/error/"
          }
     ],
     "requiredResourceAccess": [],
     "appRoles": […],
     "appPermissions": […]
}
