Overview
The Microsoft Teams Phish Alert Button (PAB) uses Microsoft Graph API permissions to access the information it needs to process and report suspicious messages. This article lists all the permissions the Teams PAB requests, explains what each permission is used for, and notes which ones are required versus optional.
Understanding these permissions helps your IT or security team make informed decisions about your organization's Teams PAB deployment.
Required Permissions
The following permissions are required for the Teams PAB to function. Without these permissions, the PAB can't report messages or send reports to your admins.
| Permission | Privilege Level | What It Does |
| --- | --- | --- |
| User.Read | Low | Allows the PAB to read basic profile information about the signed-in Teams user. |
| profile | Low | Allows the PAB to access profile information about the signed-in Teams user. |
| openid | Low | Allows the PAB to authenticate using single sign-on (SSO). |
|  | Low | Adds email information to the native SSO token so the PAB can identify the user. |
| Channel.ReadBasic.All | Low | Allows the PAB to read basic information about the Teams channel where the reported message was posted. |
| Mail.Send | Medium | Allows the PAB to send the report emails as the signed-in user. This permission covers emails up to 4 MB in size. |
| ChannelMessage.Read.All | Medium | Allows the PAB to read the content of the channel message or reported thread reply. |
| Chat.Read | Medium | Allows the PAB to read the content of the reported chat message. |
Default-Enabled Optional Permissions
The following permissions are included in the default PAB configuration but aren't strictly required. These permissions enable additional features, such as downloading file attachments and sending larger report emails. Your organization can choose to remove these permissions if they aren't needed.
| Permission | Privilege Level | What It Does | Notes |
| --- | --- | --- | --- |
| Mail.ReadWrite | High | Allows the PAB to create a draft in the user's mailbox and send report emails (copies of reported emails forwarded to your designated recipients) larger than 4 MB. | The PAB requires this permission only when report emails exceed 4 MB. If you remove this permission, the PAB can't deliver large attachments. |
| Files.Read.All | High | Allows the PAB to download file attachments that the user has access to and include them in the report. | Files.Read (without .All) can't access some attachment links in Teams chat. You need Files.Read.All for full attachment support. |
Optional Permissions (Not Enabled by Default)
The following permissions aren't included in the default configuration. Your organization can add them if you need the corresponding functionality.
| Permission | Privilege Level | What It Does |
| --- | --- | --- |
| Team.ReadBasic.All | Low | Allows the PAB to read information about the teams the user is a member of. |
| ChatMessage.Send | Medium | Allows the PAB to set a reaction on a chat message as the user. |
| ChannelMessage.Send | Medium | Allows the PAB to set a reaction on a channel message as the user. |
| ChannelMember.Read.All | Medium | Allows the PAB to list all members of a given Teams channel. |
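To turn the three tables above into a repeatable least-privilege check, here is an added example (not code from the Teams PAB or its vendor) that audits the delegated scopes granted to the PAB app registration. It assumes the input is the space-separated scope string Microsoft Graph returns on an oauth2PermissionGrant for the app's service principal, and the sample grant strings are constructed.

```python
# Added example; not code from the Teams PAB or its vendor. Input is assumed to be
# the space-separated "scope" string Microsoft Graph returns on an
# oauth2PermissionGrant for the PAB app's service principal.

# Scopes the page lists as required, by name.
REQUIRED = {
    "User.Read", "profile", "openid", "Channel.ReadBasic.All",
    "Mail.Send", "ChannelMessage.Read.All", "Chat.Read",
}
# Optional scopes and the feature lost when each is absent.
OPTIONAL = {
    "Mail.ReadWrite": "report emails larger than 4 MB",
    "Files.Read.All": "file attachments in reports",
    "Team.ReadBasic.All": "listing the user's teams",
    "ChatMessage.Send": "reactions on reported chat messages",
    "ChannelMessage.Send": "reactions on reported channel messages",
    "ChannelMember.Read.All": "listing channel members",
}
HIGH_PRIVILEGE = {"Mail.ReadWrite", "Files.Read.All"}


def audit_pab_scopes(scope_string: str) -> dict:
    """Classify a granted scope string against the documented PAB permission set."""
    granted = set(scope_string.split())
    missing = sorted(REQUIRED - granted)
    warnings = []
    # Files.Read without .All gives only partial attachment support.
    if "Files.Read" in granted and "Files.Read.All" not in granted:
        warnings.append("Files.Read granted without Files.Read.All: some Teams "
                        "chat attachment links will not be downloadable")
    known = REQUIRED | OPTIONAL.keys() | {"Files.Read"}
    return {
        "can_report": not missing,
        "missing_required": missing,
        "features_disabled": [OPTIONAL[s] for s in sorted(OPTIONAL) if s not in granted],
        "high_privilege_granted": sorted(granted & HIGH_PRIVILEGE),
        "warnings": warnings,
        # Anything outside the documented list is consent drift worth reviewing.
        "unexpected": sorted(granted - known),
    }

# Constructed sample grants: the default configuration, and a trimmed one.
DEFAULT_GRANT = ("openid profile User.Read Channel.ReadBasic.All Mail.Send "
                 "ChannelMessage.Read.All Chat.Read Mail.ReadWrite Files.Read.All")
TRIMMED_GRANT = ("openid profile User.Read Channel.ReadBasic.All Mail.Send "
                 "ChannelMessage.Read.All Files.Read Directory.Read.All")

if __name__ == "__main__":
    for name, grant in (("default", DEFAULT_GRANT), ("trimmed", TRIMMED_GRANT)):
        print(name, audit_pab_scopes(grant))
```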
Frequently Asked Questions
Can I remove the high-privilege permissions like Mail.ReadWrite and Files.Read.All?
Yes, these permissions are optional. However, removing Mail.ReadWrite means the PAB can't send report emails larger than 4 MB, and removing Files.Read.All means file attachments may not be included in reports. Weigh the trade-offs before removing them.
Why does the PAB need Mail.Send instead of a server-side send?
The Teams PAB sends report emails as the signed-in user using delegated permissions. This approach keeps all Graph API requests contained within the client application and avoids the need for additional server-side permissions.
What happens if a required permission is missing?
If a required permission isn't granted, the Teams PAB won't be able to report messages. Users may see an error, or the report may fail silently. Make sure you've approved all required permissions in your Microsoft 365 admin center.
Does the PAB ever access data outside the signed-in user's scope?
No. All permissions are delegated. The PAB only accesses data that the signed-in user already has permission to see. It doesn't use application-level permissions that would allow access beyond the user's scope.