PPM Express Help Center

What do you need help with?

PPM Express Permissions Prerequisites

This article describes Permissions Prerequisites for different Connection Accounts that can be used in PPM Express.

Microsoft 365 Login Application 

If you authenticate to PPM Express using a Microsoft (Office) 365 account for the first time (new PPM Express tenant), you will be prompted to trust the Microsoft 365 Sign-in app. PPM Express is authenticated in Azure Active Directory through Azure AD Application with 'User.Read' permission that allows to sign in and read user profile. 

Permissions Prerequisites for different Connection Accounts that can be used in PPM Express:

In order to create synchronization between PPM Express and your Microsoft Office 365 Planner environment, you need the following: 

If you connect Planner to PPM Express, it is necessary to grant admin consent not only for the Office 365 Sign-in app but also for the PPM Express Office 365 Sync app that will be installed in the Enterprise Applications section of your Azure Tenant.

For more information refer to the Connection Account Requirements for Planner article.

PPM Express offers a restricted connection type for Planner, with a regular user account (limited access to Planner plans). 

If the connection is added using a regular account, no admin consent is granted, only those plans where the connection account is added as a member will be available for importing/linking. Also, the user must open the plan selected for linking in Planner at least once, otherwise, this plan will not appear in the list of available ones in PPM Express. This is an API limitation. 

The Planner groups are not available and it is not possible to create a new plan from PPM Express with this connection type. 

The following permissions are required:

  • Tasks.Read
  • Team.ReadBasic
  • All Channel.ReadBasic
  • All ChannelMessage.Send

Office 365 connection for Azure Active Directory for User and Resource synchronization

PPM Express offers a restricted connection type for Office 365. This type of connection still requires Admin consent, but it uses a limited set of permissions.

This kind of restricted connection can be used only for Azure Active Directory user and resource synchronization or resource import. Connection can be created only from the Import Resources page.  

The Office 365 groups are not available for synchronization with this connection type. Also, the Planner plans cannot be imported/linked to PPM Express using this connection type. Teams connection cannot be added. 

The following permissions are required:

  • User.Read.All
  • GroupMember.Read.All

Project Online

The account used to add a new connection should have Site Collection Administrator permissions on the PWA site. In the case of SharePoint Permission Mode: the account should be a member of the Administrators for the Project Web App group. In the case of Project Server Permission Mode: the account should be assigned to the Administrators security group.

Jira 

The Jira connection account should have both 'Access on site' and 'Jira Software' options enabled. This condition applies to projects of all types.
PPM Express: Jira Connection
Also, for projects of the Classic type, the account should have either one of the following roles: Trusted or Site Administrator:
PPM Express: Jira Connection
Or the connection account should be added to one of the default groups or a custom group with the following permission: Global Permission Administer Jira. This permission can be granted to a group of users in Jira.
PPM Express: Jira Connection

If you don't want to use an Admin account to add Jira connection, please select the 'Add a new restricted connection' option when adding it to PPM Express. In this case, users who are not members of the Admin group can add Jira connection to PPM Express. A restricted connection differs from the original one in the following way:

  • cross-project linking is not supported;
  • the settings for Field Mapping will need to be configured for each project individually by the project manager, as the issue type scheme for each Jira Project cannot be determined and the configuration cannot be saved and shared in PPM Express for projects synchronized using this connection type.

For Open Next-Gen projects, there are no additional requirements, the connection account should only have both 'Access on site' and 'Jira Software' options enabled. 

For Private Next-Gen projects, the connection account should have both 'Access on site' and 'Jira Software' options enabled and should be added to this project (at least as a viewer).

Azure DevOps

Since Personal Access Token (PAT) is required to add a new VSTS/Azure DevOps connection in PPM Express, it will be necessary to authorize the scope of access associated with that token. The following permissions are required:

  • Graph: read
  • Identity: read
  • Project and Team: read
  • Work Items: read

Project for the web 

1. The account should be a member/a user of the tenant and the Power Platform Environment where the Project for the web is deployed.

2. The account should have any of the following licenses assigned:

  • Project Plan P1.
  • Project Plan P3 (previously called Project Online Professional).
  • Project Plan P5 (previously called Project Online Premium).

Any of the following licenses is enough for read-only access to the Project for the web data: 

  • Microsoft 365 F3 and Office 365 F3
  • Office 365 E1
  • Microsoft 365 for business
  • Microsoft E3 and Office 365 E3
  • Microsoft E5 and Office 365 E5
  • Microsoft Power Automate 

3. The account should have Read-Write or Non-interactive Access Mode to the Power Platform Environment enabled.

4. Also, the account should have a security role in the Environment that allows reading all or personal Project for the web data (e.g. System Administrator (not required), Basic User, etc.).

5. The account should be a member of all projects in Project for the web (their Microsoft 365 groups) that need to be linked or imported. In case there are projects without associated groups, the account should be their creator or manager to be able to link them.

To connect to Project for the web for the first time, Microsoft 365 tenant Global Administrator consent is required to allow PPM Express to access your Microsoft 365 tenant.

Admin consent should be granted only once before adding the first Project for the web connection account. Once consent on behalf of the organization is granted, any user account credentials that meet the requirements can be used for connecting to the Project for the web environment.

PPM Express application for the Project for the web connection will be added to the Microsoft 365 tenant.

The following API permissions will be granted:

  • Microsoft Graph:  User.ReadBasic.All
  • Microsoft Graph:  offline_access
  • Dataverse (Common Data Service): user_impersonation

PPM Express will have the following permissions for reading data from the Project for the web:

  • Read all users' basic profiles.
  • Maintain access to data you have given it access to.
  • Access Common Data Service as organization users.

Monday.com

A personal API token is used for connection to the Monday.com environment. Boards will be available for linking depending on the account permissions on Monday.com:

All Boards of the Main type from all Workspaces, even if the connection account is not added as a member to the Board and Workspace;

All Sharable and Private Boards where the connection account is an Owner or added as a member.

An account with the Admin role is not required.

Smartsheet

1. The connection account should be a paid one and should be a Licensed User in Smartsheet. The Group Admin and System Admin Roles are not required. 

2. The account should have access to the necessary Smartsheet Sheets and their Workspaces that need to be linked and synchronized in PPM Express.

Smartsheet Sheets will be available for the linking and import depending on the connection account access level in Smartsheet – its roles in the Sheets and their Workspaces:

  • Those Workspaces are available in the dropdown list for selection where the connection account is added to the Shares with any role (Owner, Admin, Editor, Commenter, Viewer).
  • Those Sheets are available where the connection account is added to the Sheet Shares with any role (Owner, Admin, Editor, Commenter, Viewer), or to the Workspace Shares where the Sheets are located, with any role.
  • Personal and shared to the user Sheets, even if their Workspace(s) is not shared, are accessible and can be linked/imported within the Sheets folder. The Sheets directory is added to the Workspaces list and can be chosen if a Sheet from that folder needs to be linked. 

To connect to a Smartsheet account, PPM Express should be granted access to it, the PPM Express app should be authorized after the login.

PPM Express will have the following Read permissions in Smartsheet once the access is granted:

  • View basic user info, including name and email
  • Read sheets, including attachments and comments
  • Retrieve contacts
  • View account users, groups and group members
  • Read Dashboards 

Was this article helpful?

Table of contents

    Back To Top