Orgwide Integration via Microsoft Graph

Enable organization-wide Microsoft 365 connectivity for Rox, allowing IT administrators to authorize Rox to securely access calendar and email data on behalf of all users within their Microsoft Entra

1) Scope of Integration

Use-case: Organization-wide connection to Microsoft 365 for calendar and email sync within Rox.

Supported data access:

| Data Type | Purpose | Graph Permission (Application) |
|---|---|---|
| Mail - Read basic | Read access to email subject and email metadata in users' mailboxes for syncing communications to Rox. | Mail.ReadBasic.All |
| Mail - Read | Read access to email content in users' mailboxes for syncing communications to Rox. | Mail.Read |
| Mail - Write | Write access to users' mailboxes and the ability to send mail. | Mail.ReadWrite, Mail.Send |
| Calendar - Read | Read access to users' calendars for meeting insights and scheduling automation. | Calendars.Read |
| Calendar - Write | Write access to users' calendars for meeting insights and scheduling automation. | Calendars.ReadWrite |
| Directory | Read-only access to basic directory information (users) for mapping and permission management. | Directory.Read.All |

Permission model: Application-level permissions (granted once by a Microsoft 365 tenant admin). No per-user consent required after setup. No delegated scopes are used for this integration.

Important Note

Microsoft's admin consent flow does not let admins pick and choose which application permissions to grant, so admins must initially consent to all of the permissions listed on the authorization page. As soon as the integration is set up in Rox, admins should go to the Entra portal and revoke the excess permissions.

As an additional security measure, Rox recommends that admins first create a mail-enabled security group to control and restrict which mailboxes the integration can access. See step 8 for details.


2) Components & Hosting Locations

| Component | Vendor | Region |
|---|---|---|
| Rox Application Frontend | Vercel | United States |
| Rox Application Backend APIs | AWS | us-east-2 (Ohio, USA) |
| Microsoft Graph API | Microsoft | Global (per-tenant region) |

Rox does not host or proxy any Microsoft infrastructure. Your Microsoft Entra tenant remains the authority for all authentication and access control.


3) Microsoft Entra (Azure AD) Application Details

| Property | Description |
|---|---|
| App Type | Multitenant application using Microsoft Graph (Application permissions) |
| Protocol | OAuth 2.0 client credentials grant |
| Requested Graph Scopes (configurable) | Mail.ReadBasic.All, Mail.Read, Mail.ReadWrite, Mail.Send, Calendars.Read, Calendars.ReadWrite, Directory.Read.All |
| Consent Model | Tenant admin consent (single approval for the entire organization) |
| Token Handling | Short-lived access tokens obtained via service-to-service authentication; no delegated tokens or user credentials are stored |
| Directory Objects Accessed | Users (read-only for mapping and sync control) |


4) Integration Flow

  1. A Microsoft 365 Global Admin or Privileged Role Administrator sets up a mail-enabled security group and ensures that Rox's tenant can only access the data of those users which will be using Rox.

  2. Once the security group is set up, the admin connects the organization’s Microsoft tenant to Rox using Org-wide Integration.

  3. The admin is redirected to Microsoft’s standard admin consent screen showing requested permissions.

  4. Upon consent, Microsoft issues an application token to Rox for organization-level access.

  5. Rox uses these application permissions to:

    1. Sync calendar events bi-directionally between Outlook and Rox (for authorized users only)

    2. Read and sync emails (for authorized users only) and optionally write emails

    3. Maintain user directory mappings to match mailboxes and permissions

  6. No per-user authentication is required. Rox respects organizational policies for mail and calendar data access.


5) Data Handling & Privacy

| Category | Description |
|---|---|
| Data Accessed | Mail metadata, body, attachments (for synced users, depending on the permissions granted); calendar events; user directory data |
| Purpose | Enable Rox features such as timeline insights, communication tracking, and meeting automation |
| PII Minimization | Only the attributes and content required for syncing and user mapping are stored |
| Data Residency | Rox services are hosted in the United States (Vercel + AWS us-east-2) |
| Retention | Synced data is retained only for operational and feature purposes; deleted upon user or tenant disconnection |
| Deletion | Upon disconnection or a data removal request, all synced data can be purged per Rox's data lifecycle policies |


6) Security Controls

| Control | Detail |
|---|---|
| Transport Security | TLS 1.2+ for all communications between Rox, Microsoft Graph, and user browsers |
| Encryption at Rest | AES-256 or managed encryption via AWS and Vercel |
| Token Security | No persistent tokens stored; service tokens rotated and scoped |
| Access Control | Only Microsoft-granted app permissions; enforced by Microsoft Graph |
| Customer Governance | Admins can restrict or revoke Rox access via Enterprise Applications → Rox Orgwide Integration in the Entra Admin Center |
| Auditability | All actions traceable via Rox logs and Microsoft Graph API audit logs |
| Least Privilege | Only the three required Graph scopes are used; no full directory write or global admin operations are performed |


7) Customer Action Checklist (IT / Admin)

  1. Set up a mail-enabled security group using the instructions in step 8.

  2. Go to the Rox UI and follow the instructions in step 9 to create the integration.

  3. Review and approve the Rox 365 Integration request on the Microsoft authorization page.

  4. Because Microsoft does not allow admins to selectively choose the permissions for consent, the admin must grant tenant-wide admin consent for the following scopes during the initial integration flow, then go to the Entra portal and revoke the permissions that are not needed:

    1. Mail.ReadBasic.All

    2. Mail.Read

    3. Mail.ReadWrite

    4. Mail.Send

    5. Calendars.Read

    6. Calendars.ReadWrite

    7. Directory.Read.All

  5. Verify that Rox appears under Enterprise Applications → Rox 365 Integration in your Entra portal.

  6. Revoke the extra permissions that you do not want Rox to have.

  7. Confirm that Conditional Access and other Microsoft security policies (e.g., MFA, IP restrictions) are applied as per your standards.

  8. Optionally, configure user-level restrictions for email/calendar syncing in the Rox Admin Console.
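Steps 4 and 6 above (and step 8 of section 9) ask you to revoke the application permissions Rox does not need. The following Microsoft Graph PowerShell script is an added example, not Rox's own tooling: it lists the app roles granted to the Rox enterprise application and removes every one that is not on a keep-list. The Rox App ID is a placeholder (take the real value from Enterprise Applications), and the keep-list is a constructed read-only profile; adjust it to the access you actually approved.

```powershell
# Added example (not from the Rox documentation). Requires the Microsoft.Graph
# PowerShell SDK and an account allowed to manage app role assignments.
$RoxAppId  = "00000000-0000-0000-0000-000000000000"   # placeholder, not Rox's real client ID
$KeepRoles = @("Mail.ReadBasic.All", "Calendars.Read", "Directory.Read.All")  # constructed read-only profile

Connect-MgGraph -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All"

# Microsoft Graph's own service principal (well-known app ID) defines the app
# roles, so use it to translate role GUIDs into names such as "Mail.ReadWrite".
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleName = @{}
foreach ($r in $graphSp.AppRoles) { $roleName[$r.Id] = $r.Value }

# The Rox service principal in your tenant and the app roles it has been granted.
$roxSp  = Get-MgServicePrincipal -Filter "appId eq '$RoxAppId'"
$grants = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $roxSp.Id -All

foreach ($g in $grants) {
    if ($g.ResourceId -ne $graphSp.Id) { continue }   # only Microsoft Graph permissions
    $name = $roleName[$g.AppRoleId]
    if ($KeepRoles -contains $name) {
        Write-Host "keeping  $name"
    } else {
        Write-Host "revoking $name"
        Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $roxSp.Id -AppRoleAssignmentId $g.Id
    }
}
```

Re-run the script afterwards (or check Enterprise Applications → Permissions in the Entra portal) to confirm that only the keep-list remains.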


8) Steps for setting up a mail-enabled security group (for IT Admins)

  1. Connect to Exchange Online.

  2. Create the mail-enabled security group.

  3. Add members (the users whose data the app can access).

You can also use the group domain here to add all the members of a group at once.

  4. Link Rox's Client ID to that group.

  5. Verify.

The result should be Granted for an added member and Denied for a non-member.
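The five steps above, carried out with Exchange Online PowerShell, as an added example that is not part of the Rox documentation. The group name and address, the member addresses and the Rox App ID are placeholders; substitute the client ID shown on the Rox integration page. The application access policy created in step 4 scopes the mailbox-level permissions (Mail.*, Calendars.*) to the group's members; Directory.Read.All is tenant-wide and is not limited by it.

```powershell
# Added example (not from the Rox documentation). Requires the
# ExchangeOnlineManagement module and an Exchange administrator account.
$RoxAppId  = "00000000-0000-0000-0000-000000000000"       # placeholder, not Rox's real client ID
$GroupName = "Rox-Allowed-Users"                           # constructed
$GroupSmtp = "rox-allowed-users@contoso.example"           # constructed
$Members   = @("alice@contoso.example", "bob@contoso.example")  # constructed
$NonMember = "carol@contoso.example"                       # constructed, for the negative check

# 1) Connect to Exchange Online.
Connect-ExchangeOnline

# 2) Create the mail-enabled security group (reuse it if it already exists).
$group = Get-DistributionGroup -Identity $GroupName -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-DistributionGroup -Name $GroupName -Type Security -PrimarySmtpAddress $GroupSmtp
}

# 3) Add members: only these mailboxes will be reachable by the Rox application.
foreach ($m in $Members) {
    Add-DistributionGroupMember -Identity $GroupName -Member $m -ErrorAction SilentlyContinue
}

# 4) Link the Rox client ID to the group. RestrictAccess means the app's
#    application permissions work only against members of the group.
New-ApplicationAccessPolicy -AppId $RoxAppId `
    -PolicyScopeGroupId $GroupSmtp `
    -AccessRight RestrictAccess `
    -Description "Restrict the Rox org-wide integration to $GroupName"

# 5) Verify: AccessCheckResult should be Granted for a member and Denied for
#    a non-member. Allow some minutes for the policy to propagate first.
Test-ApplicationAccessPolicy -Identity $Members[0] -AppId $RoxAppId
Test-ApplicationAccessPolicy -Identity $NonMember  -AppId $RoxAppId
```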


9) Connection Steps in Rox (for IT Admins)

  1. Go to https://run.rox.com/settings > Integrations.

  2. Click the Connect button for Microsoft Enterprise.

  3. Configure the individual access for Calendar.

  4. Configure the individual access for Email. Add any restricted domains as well.

  5. Add your tenant ID from the Microsoft Entra portal and the email addresses of the users whose email access you want to restrict.

  6. Click Connect, which takes you to the Microsoft authorization page. Click Accept.

  7. You will be redirected to the Rox application, where the Microsoft Enterprise integration shows as connected. Users will no longer be able to connect Google or Microsoft email and calendar individually.

  8. Revoke any excess permissions in Entra.


10) Summary

| Aspect | Detail |
|---|---|
| Purpose | Organization-wide connection to Microsoft 365 for calendar and email sync |
| Permissions | Application permissions: Mail.ReadBasic.All, Mail.Read, Mail.ReadWrite, Mail.Send, Calendars.Read, Calendars.ReadWrite, Directory.Read.All |
| Hosting | Vercel (US), AWS us-east-2 (US) |
| Data | Email, calendar, and user directory data synced securely and encrypted |
| Controls | OAuth 2.0 client credentials flow; no user credentials stored; admin consent required; least-privilege scope |
| Governance | Microsoft Entra remains authoritative; revocation and audit available at any time via the Microsoft portal |
