I need some simple layman explanation

Hi,

I am involved with an implementation of an epm system that is integrated into sharepoint M365 and I started reading on its manual on the setting it up for the first time.  I know the steps but I wish to get some simple understanding of why the steps are needed since I am not a very technical person.

The tool involves the deployment of an addin in Microsoft word (both web and desktop app).

The manual said the addin app can be installed by the user directly from app store or being deployed by the M365 administrator to group of users...but in the section for M365 administrator to deploy this addin app, it said that permission needs to be granted to the app.  The permissions are:

• openid
• profile
• sites.selected
• user.read

So why is it ok to let user install directly (without any instruction to set permissions) but when M365 administrator do it, it suddenly needs the given permission?

In addition, the manual said to run a powershell script in order to grant permission to the sharepoint site created for the epm system integration.  it wrote that sharepoint admin must have Microsoft graph powershell SDK installed and run the script being signed in as site owner.  What is this powershell script that it needs special installation to run?

Then something mention that when deploying the addin to a group of users, there is a step to run a manifest script.  This step might need to be re-execute if there is changes in the addin development.  What is this Manifest meant for in Sharepoint?  What does it do?

Thank you in advance.