To use Crelate to send emails and calendar invites on your behalf using Microsoft Office 365, several technical requirements must be met. This article explains those requirements, the permissions that Crelate requests and what those permissions are used for. The basic requirements are:
Some organizations may block Exchange Web Service (EWS) access via IP restriction or Application ID restrictions. If your organization does this, please refer to this help article (Email Connection Troubleshooting) for details on granting access.
Certain Microsoft Office 365 environments may restrict access to Applications by ID. This may be done at the Exchange Web Service layer, or via Enterprise Application settings.
For Enterprise Application settings and Conditional Access settings, please ensure your Administrator has configured them so that the Crelate Office 365 Application (ID: 8410d572-e055-48e5-b2c7-869538daf671) is available for users in your organization. For more information on Conditional Access, see this Microsoft KB article.
Refer to Email Connection Troubleshooting for information on Exchange Web Services and Microsoft Graph API requirements.
Crelate follows the best practice of least privilege and only requests the minimum level of permissions needed to enable the functionality supported by our application. The goal of the Crelate and Office 365 integration is to enable users to do the following:
Send email from the Crelate application, via workflows, automation, templates, or manual steps.
Add and update calendar invites directly to users' Calendar when sending invites from the Crelate application.
Refresh the users' access token, to prevent the need to log in multiple times a day.
All permissions are restricted to the individual users’ mailbox and are not organization-wide permissions.
The following table defines the permissions that users of our Office 365 connection will require.

| Permission | What it is used for |
| --- | --- |
| Sign users in | Log the users in; this is required to use any other permissions. |
| View users’ basic profile | Access the users’ basic profile; this is required to use any other permission. |
| View users’ email address | Access the users’ email address; this is required to be able to send emails. |
| Maintain access to data you have given it access to | Refresh tokens and maintain access without frequent reauthentication. We follow Microsoft best practices and securely encrypt and store refresh tokens. |
| Read and write access to user email | Required to send emails on the users’ behalf. Crelate does not sync or read user email. |
| Send mail as a user | Send emails from Crelate via automation, or manual steps using optional templates. |
| Have full access to user calendars | Add, update, and remove calendar invites to the user’s calendar. Crelate does not read or access appointments that we do not create. |

Your organization’s administrators can revoke Crelate’s access at any time via Enterprise Application settings.
For more information on Microsoft Graph Permissions view this article: https://docs.microsoft.com/en-us/graph/permissions-reference
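For administrators who want to confirm what has actually been consented for the application ID above, the following added example (not Crelate's code) checks exported Microsoft Graph `oauth2PermissionGrant` records against the permissions in the table. The scope names are this example's mapping of the table's descriptions to Graph delegated scopes, and the sample records and object IDs are constructed.

```python
import json

# Application ID from this article. The scope names are this example's mapping
# of the consent descriptions in the table to Graph delegated scopes (assumption).
CRELATE_APP_ID = "8410d572-e055-48e5-b2c7-869538daf671"
EXPECTED_SCOPES = {"openid", "profile", "email", "offline_access",
                   "Mail.ReadWrite", "Mail.Send", "Calendars.ReadWrite"}

def resolve_sp_id(service_principals, app_id=CRELATE_APP_ID):
    """Grants reference the service principal's object id, not the app id."""
    return next((sp["id"] for sp in service_principals
                 if sp.get("appId") == app_id), None)

def audit_grants(grants, sp_object_id):
    """Return (principal, issue) pairs for one service principal's grants."""
    findings = []
    for g in grants:
        if g.get("clientId") != sp_object_id:
            continue  # grant belongs to a different application
        scopes = set(g.get("scope", "").split())
        who = g.get("principalId") or "ALL USERS"
        extra = sorted(scopes - EXPECTED_SCOPES)
        if extra:
            findings.append((who, "unexpected scopes: " + " ".join(extra)))
        if g.get("consentType") == "AllPrincipals":
            findings.append((who, "admin consent for all users; confirm intended"))
    return findings

# Constructed sample shaped like Graph /servicePrincipals and
# /oauth2PermissionGrants responses; all ids here are placeholders.
SAMPLE_SPS = [{"id": "sp-crelate", "appId": CRELATE_APP_ID},
              {"id": "sp-other", "appId": "00000000-0000-0000-0000-000000000000"}]
SAMPLE_GRANTS = json.loads("""[
 {"clientId": "sp-crelate", "consentType": "Principal", "principalId": "user-1",
  "scope": "openid profile email offline_access Mail.ReadWrite Mail.Send Calendars.ReadWrite"},
 {"clientId": "sp-crelate", "consentType": "Principal", "principalId": "user-2",
  "scope": " openid profile Mail.Send Mail.ReadWrite.Shared"},
 {"clientId": "sp-crelate", "consentType": "AllPrincipals", "principalId": null,
  "scope": "openid profile email"},
 {"clientId": "sp-other", "consentType": "Principal", "principalId": "user-3",
  "scope": "Files.ReadWrite.All"}
]""")

if __name__ == "__main__":
    sp_id = resolve_sp_id(SAMPLE_SPS)
    for who, issue in audit_grants(SAMPLE_GRANTS, sp_id):
        print(f"{who}: {issue}")
```

A grant that lists a scope outside the table, such as the constructed `Mail.ReadWrite.Shared` entry, is the case to investigate before deciding whether to revoke access.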