Kairos Setup & Permissions
Table of Contents
- Security Overview
- Riva Integration
- Authentication Flows – API Connection Details
- Registration: First-Time Set Up and Admin Consent Flow
- Authentication: User Login
- User Application Usage with Third-Party Data Access
- Appendix A: Entra ID Permissions
1. Security Overview
This document provides an overview of the Kairos platform from a security perspective. It describes the systems being accessed, the methods for accessing those systems, and the protection mechanisms in place to ensure data security.
2. Riva Integration
To allow Kairos to access calendar data, customers need to set up a Riva Sync policy that syncs their Outlook calendar information into a database. Kairos will then be able to analyze meeting culture based on this data.
For more details please visit the Riva Cloud documentation.
3. Authentication Flows – API Connection Details
The table below details the different endpoints involved in the authentication process between Kairos and third parties (and their data APIs). Certain parts of the authentication flow are labelled with a number that maps to the API connection number in the table below.
Notes:
- Microsoft 365 refresh token TTLs are outside of Kairos's control (contact the vendor): https://learn.microsoft.com/en-us/entra/identity-platform/refresh-tokens
- Microsoft 365 access token TTL is configurable in Entra ID/Azure: https://learn.microsoft.com/en-us/entra/identity-platform/configure-token-lifetimes
- Microsoft Teams 'Application Permissions' require an application access policy: https://learn.microsoft.com/en-us/graph/cloud-communication-online-meeting-application-access-policy
- LearnWorlds Single Sign-On documentation: https://www.learnworlds.dev/docs/api/58052c1c3066e-single-sign-on
4. Registration: First-Time Set Up and Admin Consent Flow
Notes:
- To use Kairos, admins need to create a new instance via the Kairos Registration application, which creates the infrastructure needed for the new instance.
- Admins will receive an email notification with all details about the newly created instance, such as the instance URL.
5. Authentication: User Login
The Kairos authentication flow directly uses the upstream Microsoft 365 identity provider, so the application maintains a "password-less" architecture.
The "OpenID Connect Sign-in" flow's result is much more limited than that of the traditional "Auth Code Flow" or "Client Credentials Flow": the `response_type` is used only to retrieve an `IdToken` in a one-time exchange with Microsoft 365. There is no access token and there is no refresh token.
Microsoft's documentation of this specific flow: "OpenID Connect (OIDC) on the Microsoft identity platform" on Microsoft Learn.
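The sign-in-only exchange described above, as an added example that is not part of this document and not Kairos or Riva code: it builds the authorization request with `response_type=id_token` and then validates the returned ID token's signature, issuer, tenant, audience, lifetime and nonce. The tenant id, client id, redirect URI and the HMAC-signed demo token are constructed placeholders; a real Microsoft token is RS256-signed and is verified against the tenant's JWKS, which is the check that plugs in through the `verify_signature` callback.

```python
"""Added example (not Kairos or Riva code): the OpenID Connect sign-in flow,
reduced to building the authorization request and validating the ID token.

Assumptions (not from the document): tenant id, client id and redirect URI are
placeholders, and the demo token is constructed and HMAC-signed so the example
runs offline. A real Microsoft token is RS256-signed and must be verified
against the tenant's JWKS; that check is supplied via `verify_signature`."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

TENANT_ID = "00000000-0000-0000-0000-000000000000"    # placeholder tenant id
CLIENT_ID = "11111111-1111-1111-1111-111111111111"    # placeholder app id
REDIRECT_URI = "https://kairos.example/auth/callback"  # placeholder


def build_authorize_url(tenant_id, client_id, redirect_uri, state, nonce):
    """response_type=id_token: the exchange yields an ID token only, no access
    or refresh token. nonce is echoed inside the token, state in the redirect."""
    params = {
        "client_id": client_id,
        "response_type": "id_token",
        "redirect_uri": redirect_uri,
        "response_mode": "form_post",
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
    }
    return (f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?"
            + urlencode(params))


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


class IdTokenError(Exception):
    pass


def validate_id_token(token, verify_signature, tenant_id, client_id,
                      expected_nonce, now=None):
    """Parse a compact JWT and enforce the claims that matter for sign-in."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("token is not a three-part JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") in (None, "none"):
        raise IdTokenError("unsigned tokens are rejected")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    if not verify_signature(signing_input, _b64url_decode(sig_b64), header):
        raise IdTokenError("signature check failed")
    claims = json.loads(_b64url_decode(payload_b64))
    # Issuer and tid pin the token to this tenant's v2.0 endpoint.
    if claims.get("iss") != f"https://login.microsoftonline.com/{tenant_id}/v2.0":
        raise IdTokenError("issuer mismatch")
    if claims.get("tid") != tenant_id:
        raise IdTokenError("tenant mismatch")
    # Audience pins it to this app registration.
    if claims.get("aud") != client_id:
        raise IdTokenError("audience mismatch")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise IdTokenError("token not yet valid or expired")
    # Nonce binds the token to the authorization request this app sent.
    if not hmac.compare_digest(str(claims.get("nonce")), expected_nonce):
        raise IdTokenError("nonce mismatch")
    return claims


# Constructed demo material; stands in for Microsoft's RS256/JWKS signing.
DEMO_SECRET = b"constructed-demo-secret"


def demo_verify(signing_input, signature, header):
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(DEMO_SECRET, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def make_demo_token(claims, alg="HS256"):
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = ""
    if alg != "none":
        sig = _b64url_encode(hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(),
                                      hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"


def demo(now=1_700_000_000):
    nonce, state = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    url = build_authorize_url(TENANT_ID, CLIENT_ID, REDIRECT_URI, state, nonce)
    token = make_demo_token({
        "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
        "tid": TENANT_ID, "aud": CLIENT_ID, "nbf": now - 60, "exp": now + 3600,
        "nonce": nonce, "preferred_username": "user@example.com"})
    return url, validate_id_token(token, demo_verify, TENANT_ID, CLIENT_ID, nonce, now=now)


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the authorize URL and the accepted claims. The nonce check is what prevents an ID token obtained in another session from being replayed into this one, and the issuer/tid check is what keeps a token minted by a different Microsoft tenant from signing a user in; both are cheap and both are routinely forgotten when a library is not used.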
6. User Application Usage with Third-Party Data Access
Notes:
- The Client Credentials flow (CCF) grants access to the target resources at an application level. No refresh tokens are stored.
- For CCF, the application must be authorized by an organizational administrator through the “admin consent” flow.
- For the Authorization Code flow (auth-code), individual users grant delegated permissions to their own resources.
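An added example (not from this document and not Kairos or Riva code) of the two steps the notes describe for CCF: the tenant-wide admin consent URL an administrator approves, and the client-credentials token request whose response is cached only for the access token's lifetime, since no refresh token is issued or stored. The tenant id, client id and secret are placeholders, and the token endpoint is replaced by a constructed `FakeTokenEndpoint` so that it runs offline.

```python
"""Added example (not Kairos or Riva code): the Client Credentials flow against
the Microsoft identity platform v2.0 endpoints, plus the admin-consent URL an
administrator approves first.

Assumptions (not from the document): tenant id, client id and client secret
are placeholders, and the HTTP `post` callable is injected so the example runs
offline against a constructed token response."""
import time
from urllib.parse import urlencode

TENANT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder tenant id
CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # placeholder app id
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"


def admin_consent_url(tenant_id, client_id, redirect_uri, state):
    """Application permissions on the app registration only take effect after
    an administrator approves them at this tenant-wide consent endpoint."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    return (f"https://login.microsoftonline.com/{tenant_id}/v2.0/adminconsent?"
            + urlencode(params))


def client_credentials_request(tenant_id, client_id, client_secret):
    """CCF token request. The .default scope asks for every application
    permission already consented to; there is no user and no refresh token."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_DEFAULT_SCOPE,
        "grant_type": "client_credentials",
    }
    return url, body


class AppTokenCache:
    """Keeps only the short-lived access token and its expiry. Because a CCF
    response carries no refresh token, renewal is a fresh token request with
    the client credential rather than replay of a stored long-lived token."""

    def __init__(self, tenant_id, client_id, client_secret, post, skew=60):
        self._args = (tenant_id, client_id, client_secret)
        self._post = post          # callable(url, form_dict) -> response dict
        self._skew = skew          # renew this many seconds before expiry
        self._token = None
        self._expires_at = 0
        self.requests_made = 0

    def get_token(self, now=None):
        now = time.time() if now is None else now
        if self._token and now < self._expires_at - self._skew:
            return self._token
        url, body = client_credentials_request(*self._args)
        resp = self._post(url, body)
        # A client-credentials response never carries a refresh token; if one
        # shows up, the endpoint or the flow is not what we expected.
        if "refresh_token" in resp:
            raise ValueError("refresh_token in a client-credentials response")
        if resp.get("token_type") != "Bearer" or "access_token" not in resp:
            raise ValueError(f"unexpected token response: {resp}")
        self._token = resp["access_token"]
        self._expires_at = now + int(resp["expires_in"])
        self.requests_made += 1
        return self._token


class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint; not a real Microsoft response."""

    def __init__(self):
        self.calls = 0

    def __call__(self, url, body):
        if not url.endswith("/oauth2/v2.0/token") or body["grant_type"] != "client_credentials":
            raise ValueError("fake endpoint received a malformed request")
        self.calls += 1
        return {"token_type": "Bearer", "expires_in": 3599,
                "access_token": f"constructed.access.token.{self.calls}"}


def demo():
    cache = AppTokenCache(TENANT_ID, CLIENT_ID, "placeholder-secret", FakeTokenEndpoint())
    t0 = 1_700_000_000
    first = cache.get_token(now=t0)
    again = cache.get_token(now=t0 + 1800)     # still valid: served from cache
    renewed = cache.get_token(now=t0 + 3600)   # inside the skew window: new request
    return first, again, renewed, cache.requests_made


if __name__ == "__main__":
    print(admin_consent_url(TENANT_ID, CLIENT_ID, "https://kairos.example/consent", "s"))
    print(demo())
```

The skew keeps a token that is seconds from expiry from being handed to a caller; since the access token TTL is configurable in Entra ID, the cache reads `expires_in` from each response instead of assuming a fixed lifetime.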
Appendix A: Entra ID Permissions
Kairos Application required permissions:
Permissions | Permission Type | Description |
offline_access | Delegated | Maintain access to data you have given it access to. (Also used to obtain a refresh token for the service account.) |
email | Delegated | Allows the app to read your users' primary email address. |
openid | Delegated | Allows the app to see basic user profile information. |
profile | Delegated | Allows the app to see your users' basic profile. |
User.Read | Delegated | Allows the app to read user profiles without a signed in user. |
OnlineMeetings.ReadWrite | Delegated | Allows the app to read and create online meetings on behalf of the signed-in user. |
Notes:
- EWS.AccessAsUser.All allows access to the users' mailboxes and calendars.
- The email, openid and profile permissions are needed for authentication purposes during user login.
- OnlineMeetings.ReadWrite and User.Read are needed by users to support Microsoft Teams when using Riva Bookings.
- offline_access is needed by users to obtain a refresh token for access to users' mailboxes and calendars.
List of Microsoft Exchange Online Application Scopes requested by Riva Sync:
Permissions | Permission Type | Description |
User.Read.All | Application | To look up email addresses for Microsoft mailboxes. |
User.Read | Delegated | Sign in and read the user profile. Part of the Azure App registration process. |
Calendar.ReadWrite | Application | Used to synchronize calendar items; depending on requirements, can be limited to Mail.Read. |
Mail.ReadWrite | Application | Used to synchronize email items; depending on requirements, can be limited to Mail.Read. |
Mail.Send | Application | Send mail as the user. |
MailboxSettings.ReadWrite | Application | Read and write mailbox settings, including Categories, Time Zone, and Work Hours. |
Contacts.ReadWrite | Application | Used to synchronize contact items; depending on requirements, can be limited to Contacts.Read. |
GroupMember.Read.All | Application | Expanding distribution lists to retrieve their members, and for the "User Gathering" process, which reads group memberships. |
Note: For Riva Cloud customers looking to adjust and limit scope access, please contact the Riva technical support team for guidance.
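An added audit helper, not Kairos or Riva code, that reads the two permission tables in this appendix and compares them with the permissions actually granted on an app registration. It reports unexpected grants (scope creep to investigate), missing grants (the integration will fail), and application permissions for which the table itself names a narrower read-only alternative. The baseline rows are copied from the tables above; the `granted` snapshot is a constructed list of (permission, type) pairs, not any real Entra export format.

```python
"""Added example (not Kairos or Riva code): audit an app registration's granted
permissions against the baseline tables in this appendix.

Assumptions (not from the document): the `granted` input is a constructed
list of (permission, type) pairs, not a real Entra export format."""
import re

# Rows copied from the appendix tables above (header row included).
KAIROS_BASELINE = """\
Permissions | Permission Type | Description |
offline_access | Delegated | Maintain access to data you have given it access to. |
email | Delegated | Allows the app to read your users' primary email address. |
openid | Delegated | Allows the app to see basic user profile information. |
profile | Delegated | Allows the app to see your users' basic profile. |
User.Read | Delegated | Allows the app to read user profiles without a signed in user. |
OnlineMeetings.ReadWrite | Delegated | Allows the app to read and create online meetings on behalf of the signed-in user. |
"""

RIVA_SYNC_BASELINE = """\
Permissions | Permission Type | Description |
User.Read.All | Application | To look up email addresses for Microsoft mailboxes. |
User.Read | Delegated | Sign in and read the user profile. Part of the Azure App registration process. |
Calendar.ReadWrite | Application | Used to synchronize calendar items; depending on requirements, can be limited to Mail.Read. |
Mail.ReadWrite | Application | Used to synchronize email items; depending on requirements, can be limited to Mail.Read. |
Mail.Send | Application | Send mail as the user. |
MailboxSettings.ReadWrite | Application | Read and write mailbox settings, including Categories, Time Zone, and Work Hours. |
Contacts.ReadWrite | Application | Used to synchronize contact items; depending on requirements, can be limited to Contacts.Read. |
GroupMember.Read.All | Application | Expanding distribution lists to retrieve their members, and for the "User Gathering" process, which reads group memberships. |
"""

# Picks the narrower scope named in "can be limited to X" without a trailing period.
LIMIT_RE = re.compile(r"can be limited to (\w+(?:\.\w+)*)")


def parse_table(text):
    """Parse 'Permission | Type | Description |' rows, skipping the header."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] == "Permissions":
            continue
        rows.append({"name": cells[0], "type": cells[1], "description": cells[2]})
    return rows


def audit(baseline_rows, granted):
    """Compare granted (name, type) pairs with the baseline rows.

    unexpected: granted but not documented (scope creep to investigate)
    missing: documented but not granted (the integration will fail)
    downgrade_candidates: granted application permissions whose baseline
    description names a narrower read-only scope."""
    expected = {(r["name"], r["type"]) for r in baseline_rows}
    granted_set = set(granted)
    downgrades = []
    for r in baseline_rows:
        m = LIMIT_RE.search(r["description"])
        if m and r["type"] == "Application" and (r["name"], r["type"]) in granted_set:
            downgrades.append((r["name"], m.group(1)))
    return {
        "unexpected": sorted(granted_set - expected),
        "missing": sorted(expected - granted_set),
        "downgrade_candidates": downgrades,
    }


def demo():
    baseline = parse_table(RIVA_SYNC_BASELINE)
    # Constructed snapshot: every documented scope except Mail.Send, plus one
    # application permission the table never mentions.
    granted = [(r["name"], r["type"]) for r in baseline if r["name"] != "Mail.Send"]
    granted.append(("Directory.Read.All", "Application"))
    return audit(baseline, granted)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the same audit periodically against the live app registration turns the appendix into a detection baseline: any new entry under "unexpected" is a consent or permission change that nobody documented, which is exactly the kind of drift that deserves a ticket.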