Orgwide Integration via Microsoft Graph
Enable organization-wide Microsoft 365 connectivity for Rox, allowing IT administrators to authorize Rox to securely access calendar and email data on behalf of all users within their Microsoft Entra
1) Scope of Integration
Use-case: Organization-wide connection to Microsoft 365 for calendar and email sync within Rox.
Supported data access:
| Data Type | Purpose | Graph Permission (Application) |
| --- | --- | --- |
| Email | Read and write access to users’ mailboxes for syncing communications to Rox. | Mail.ReadWrite |
| Calendar | Read and write access to users’ calendars for meeting insights and scheduling automation | Calendars.ReadWrite |
| Directory | Read-only access to basic directory information (users) for mapping and permission management | Directory.Read.All |
Permission model: Application-level permissions (granted once by a Microsoft 365 tenant admin). No per-user consent required after setup. No delegated scopes are used for this integration.
2) Components & Hosting Locations
| Component | Vendor | Region |
| --- | --- | --- |
| Rox Application Frontend | Vercel | United States |
| Rox Application Backend APIs | AWS | us-east-2 (Ohio, USA) |
| Microsoft Graph API | Microsoft | Global (per-tenant region) |
Rox does not host or proxy any Microsoft infrastructure. Your Microsoft Entra tenant remains the authority for all authentication and access control.
3) Microsoft Entra (Azure AD) Application Details
| Property | Description |
| --- | --- |
| App Type | Multitenant application using Microsoft Graph (Application permissions) |
| Protocol | OAuth 2.0 client credentials grant |
| Requested Graph Scopes | Mail.ReadWrite, Calendars.ReadWrite, Directory.Read.All |
| Consent Model | Tenant admin consent (single approval for the entire organization) |
| Token Handling | Short-lived access tokens obtained via service-to-service authentication; no delegated tokens or user credentials are stored |
| Directory Objects Accessed | Users (read-only for mapping and sync control) |
4) Integration Flow
1. A Microsoft 365 Global Admin or Privileged Role Administrator connects the organization’s Microsoft tenant to Rox using Org-wide Integration.
2. The admin is redirected to Microsoft’s standard admin consent screen showing requested permissions.
3. Upon consent, Microsoft issues an application token to Rox for organization-level access.
4. Rox uses these application permissions to:
   - Sync calendar events bi-directionally between Outlook and Rox (for authorized users only)
   - Read and sync emails (for authorized users only) and optionally write emails
   - Maintain user directory mappings to match mailboxes and permissions
No per-user authentication is required. Rox respects organizational policies for mail and calendar data access.
5) Data Handling & Privacy
| Category | Description |
| --- | --- |
| Data Accessed | Mail metadata, body, attachments (for synced users depending on permissions granted); calendar events; user directory data |
| Purpose | Enable Rox features such as timeline insights, communication tracking, meeting automation |
| PII Minimization | Only required attributes and content for syncing and user mapping are stored |
| Data Residency | Rox services are hosted in the United States (Vercel + AWS us-east-2) |
| Retention | Synced data is retained only for operational and feature purposes; deleted upon user or tenant disconnection |
| Deletion | Upon disconnection or data removal request, all synced data can be purged per Rox’s data lifecycle policies |
6) Security Controls
| Control | Detail |
| --- | --- |
| Transport Security | TLS 1.2+ for all communications between Rox, Microsoft Graph, and user browsers |
| Encryption at Rest | AES-256 or managed encryption via AWS and Vercel |
| Token Security | No persistent tokens stored; service tokens rotated and scoped |
| Access Control | Only Microsoft-granted app permissions; enforced by Microsoft Graph |
| Customer Governance | Admins can restrict or revoke Rox access via Enterprise Applications → Rox Orgwide Integration in Entra Admin Center |
| Auditability | All actions traceable via Rox logs and Microsoft Graph API audit logs |
| Least Privilege | Only the three required Graph scopes are used; no full directory write or global admin operations performed |
7) Customer Action Checklist (IT / Admin)
- Review and approve the Rox 365 Integration request within Microsoft Entra ID.
- Grant tenant-wide admin consent for:
  - Mail.ReadWrite
  - Calendars.ReadWrite
  - Directory.Read.All
- Verify that Rox appears under Enterprise Applications → Rox 365 Integration in your Entra portal.
- Confirm that Conditional Access and other Microsoft security policies (e.g., MFA, IP restrictions) are applied as per your standards.
- Optionally, configure user-level restrictions for email/calendar syncing in the Rox Admin Console.
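After consent, an admin can confirm that the integration's service principal holds exactly the three application permissions listed in this checklist. The following is an added example, not Rox or Microsoft code: it compares the shape of a Microsoft Graph `appRoleAssignments` response against the expected set, using constructed sample data with placeholder ids in place of live Graph calls.

```python
# Added example: audit which application permissions a service principal holds.
# All ids are constructed placeholders, not real role or object ids.
EXPECTED = {"Mail.ReadWrite", "Calendars.ReadWrite", "Directory.Read.All"}

# Constructed stand-in for GET /servicePrincipals/{graph-sp-id}?$select=id,appRoles
GRAPH_SP = {
    "id": "sp-graph-0000",
    "appRoles": [
        {"id": "role-0001", "value": "Mail.ReadWrite"},
        {"id": "role-0002", "value": "Calendars.ReadWrite"},
        {"id": "role-0003", "value": "Directory.Read.All"},
        {"id": "role-0004", "value": "Mail.Send"},
    ],
}

# Constructed stand-in for GET /servicePrincipals/{integration-sp-id}/appRoleAssignments
# The fourth grant is deliberately outside the documented set.
ASSIGNMENTS = {
    "value": [
        {"resourceId": "sp-graph-0000", "appRoleId": "role-0001"},
        {"resourceId": "sp-graph-0000", "appRoleId": "role-0002"},
        {"resourceId": "sp-graph-0000", "appRoleId": "role-0003"},
        {"resourceId": "sp-graph-0000", "appRoleId": "role-0004"},
        {"resourceId": "sp-other-9999", "appRoleId": "role-0777"},
    ]
}


def audit_app_roles(graph_sp, assignments, expected=EXPECTED):
    """Return granted roles that are missing, unexpected, or not resolvable."""
    names = {role["id"]: role["value"] for role in graph_sp["appRoles"]}
    granted, unresolved = set(), []
    for grant in assignments["value"]:
        name = names.get(grant["appRoleId"])
        if grant["resourceId"] != graph_sp["id"] or name is None:
            # A role on another API, or an id Graph does not publish: review by hand.
            unresolved.append((grant["resourceId"], grant["appRoleId"]))
        else:
            granted.add(name)
    return {
        "missing": sorted(expected - granted),
        "unexpected": sorted(granted - expected),
        "unresolved": unresolved,
    }


if __name__ == "__main__":
    print(audit_app_roles(GRAPH_SP, ASSIGNMENTS))
```

Any non-empty `unexpected` or `unresolved` entry means the grant is broader than the three permissions documented here and should be reviewed before the integration goes live.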
8) Connection Steps (for IT Admins)
1. Go to https://run.rox.com/settings > Integrations.
2. Click the Connect button for Microsoft Enterprise.
3. Configure the individual access for Calendar and Email. Add any restricted domains as well.
4. Add your tenant ID from the Microsoft Entra portal and the email IDs of the users whose email access you want to restrict.
5. Click Connect, which takes you to the Microsoft Authorization page. Click Accept.
6. You will be redirected to the Rox application, where the Microsoft Enterprise integration will show as connected. Users will no longer be able to connect Google or Microsoft email and calendar accounts separately.

9) Summary
| Aspect | Detail |
| --- | --- |
| Purpose | Organization-wide connection to Microsoft 365 for calendar and email sync |
| Permissions | Application permissions: Mail.ReadWrite, Calendars.ReadWrite, Directory.Read.All |
| Hosting | Vercel (US), AWS us-east-2 (US) |
| Data | Email, calendar, and user directory data synced securely and encrypted |
| Controls | OAuth 2.0 client credentials flow; no user credentials stored; admin consent required; least-privilege scope |
| Governance | Microsoft Entra remains authoritative; revocation and audit available anytime via Microsoft portal |