Calamari needs to be installed by the Microsoft 365 / Azure AD admin. During the installation process, the admin will be prompted with the consent screen.
What are the required permissions?
Sign in and read the user profile
This permission allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.
Read directory data
This permission allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user.
This is a permission requested to access your data in Calamari
Allow the app to manage itself for all users
This permission allows a Teams app to read, install, upgrade, and uninstall itself for any user, without a signed-in user.
The permissions listed above are the only ones required by the Calamari integration with Microsoft 365 / Azure AD. From the users' perspective, the integration will have access to the name, surname, e-mail address, and additionally the avatar from the Microsoft 365 / Azure AD domain.
Thanks to this, you can import users, and they can log in via SSO.