Orgwide Integration via Microsoft Graph
Enable organization-wide Microsoft 365 connectivity for Rox, allowing IT administrators to authorize Rox to securely access calendar and email data on behalf of all users within their Microsoft Entra
1) Scope of Integration
Use-case: Organization-wide connection to Microsoft 365 for calendar and email sync within Rox.
Supported data access:

| Data Type | Purpose | Graph Permission (Application) |
|---|---|---|
| Mail - Read basic | Read access to email subject and metadata in users' mailboxes for syncing communications to Rox | Mail.ReadBasic.All |
| Mail - Read | Read access to email content in users' mailboxes for syncing communications to Rox | Mail.Read |
| Mail - Write | Write access to users' mailboxes and the ability to send mail | Mail.ReadWrite, Mail.Send |
| Calendar - Read | Read access to users' calendars for meeting insights and scheduling automation | Calendars.Read |
| Calendar - Write | Write access to users' calendars for meeting insights and scheduling automation | Calendars.ReadWrite |
| Directory | Read-only access to basic directory information (users) for mapping and permission management | Directory.Read.All |
Permission model:
Application-level permissions (granted once by a Microsoft 365 tenant admin).
No per-user consent required after setup.
No delegated scopes are used for this integration.
Important Note
Microsoft's admin consent screen for application permissions is all-or-nothing: an admin cannot pick a subset of the permissions an app requests. Admins therefore have to consent to all of the permissions on the authorization page to start with. As soon as the integration is set up in Rox, admins should go to the Entra portal (Enterprise applications → Rox → Permissions) and revoke the excess permissions; a revoked permission disappears from the next access token Rox requests, while tokens already issued remain valid until they expire.
As an additional control, Rox recommends that admins first create a mail-enabled security group and an Exchange application access policy so that Rox's mail and calendar access is restricted to the members of that group. Note that application access policies scope Mail and Calendars application permissions only; they do not limit Directory.Read.All. More details on this in step 8.
2) Components & Hosting Locations
| Component | Vendor | Region |
|---|---|---|
| Rox Application Frontend | Vercel | United States |
| Rox Application Backend APIs | AWS | us-east-2 (Ohio, USA) |
| Microsoft Graph API | Microsoft | Global (per-tenant region) |

Rox does not host or proxy any Microsoft infrastructure. Your Microsoft Entra tenant remains the authority for all authentication and access control.
3) Microsoft Entra (Azure AD) Application Details
| Property | Description |
|---|---|
| App Type | Multitenant application using Microsoft Graph (Application permissions) |
| Protocol | OAuth 2.0 client credentials grant |
| Requested Graph Scopes (configurable after consent) | Mail.ReadBasic.All, Mail.Read, Mail.ReadWrite, Mail.Send, Calendars.Read, Calendars.ReadWrite, Directory.Read.All (all are requested at consent time; unneeded ones are revoked afterwards, see step 7) |
| Consent Model | Tenant admin consent (single approval for the entire organization) |
| Token Handling | Short-lived access tokens obtained via service-to-service authentication; no delegated tokens or user credentials are stored |
| Directory Objects Accessed | Users (read-only for mapping and sync control) |
4) Integration Flow
- An Exchange Online administrator (a Global Administrator also qualifies) sets up a mail-enabled security group and an application access policy (step 8) so that Rox's application can only reach the mailboxes of the users who will be using Rox.
- Once the group and policy are in place, a Global Administrator or Privileged Role Administrator connects the organization's Microsoft tenant to Rox using Org-wide Integration (step 9).
- The admin is redirected to Microsoft's standard admin consent screen showing the requested permissions.
- Upon consent, a service principal for Rox is created in the tenant carrying the consented application permissions. Rox then obtains short-lived access tokens for that tenant from Microsoft Entra through the client credentials grant and calls Microsoft Graph with them; the token's roles claim lists exactly the application permissions still assigned to the service principal.
- Rox uses these application permissions to:
- Sync calendar events bi-directionally between Outlook and Rox (for authorized users only)
- Read and sync emails (for authorized users only) and optionally write emails
- Maintain user directory mappings to match mailboxes and permissions
- No per-user authentication is required. Rox respects organizational policies for mail and calendar data access.
5) Data Handling & Privacy
| Category | Description |
|---|---|
| Data Accessed | Mail metadata, body, attachments (for synced users, depending on the permissions granted); calendar events; user directory data |
| Purpose | Enable Rox features such as timeline insights, communication tracking, meeting automation |
| PII Minimization | Only the attributes and content required for syncing and user mapping are stored |
| Data Residency | Rox services are hosted in the United States (Vercel + AWS us-east-2) |
| Retention | Synced data is retained only for operational and feature purposes; deleted upon user or tenant disconnection |
| Deletion | Upon disconnection or a data removal request, all synced data can be purged per Rox's data lifecycle policies |
6) Security Controls
| Control | Detail |
|---|---|
| Transport Security | TLS 1.2+ for all communications between Rox, Microsoft Graph, and user browsers |
| Encryption at Rest | AES-256 or managed encryption via AWS and Vercel |
| Token Security | No persistent tokens stored; service tokens are short-lived and scoped to the permissions assigned in the tenant |
| Access Control | Only Microsoft-granted app permissions, enforced by Microsoft Graph; mailbox reach further limited by the customer's Exchange application access policy (step 8) |
| Customer Governance | Admins can restrict or revoke Rox access via Enterprise Applications → Rox Orgwide Integration in the Entra Admin Center |
| Auditability | All actions traceable via Rox logs and Microsoft Graph API audit logs |
| Least Privilege | Only the Graph scopes listed in section 1 are requested, and admins trim those not needed after consent; no directory write or global admin operations are performed |
7) Customer Action Checklist (IT / Admin)
- Set-up a mail-enabled security group using the instructions in step 8.
- Go to Rox UI and follow the instructions in step 9 to create the integration
- Review and approve the Rox 365 Integration request through the Microsoft auth page.
- Since Microsoft does not allow admins to selectively choose the permissions for consent, the admin must grant tenant-wide admin consent for the following scopes during the initial integration flow, then go to the Entra portal and revoke the extra permissions afterwards:
  - Mail.ReadBasic.All
  - Mail.Read
  - Mail.ReadWrite
  - Mail.Send
  - Calendars.Read
  - Calendars.ReadWrite
  - Directory.Read.All
- Verify that Rox appears under Enterprise Applications → Rox 365 Integration in your Entra portal.
- Revoke the extra permissions that you do not want Rox to have (Enterprise applications → the Rox app → Permissions). Revocation takes effect on the next token Rox requests; tokens already issued stay valid until they expire.
- Confirm that Conditional Access and other Microsoft security policies (e.g., MFA, IP restrictions) are applied to the admin's interactive consent session as per your standards. Note that these user-session controls do not apply to Rox's app-only Graph calls, which authenticate with the client credentials grant; mailbox-level scoping for those calls comes from the application access policy in step 8.
- Optionally, configure user-level restrictions for email/calendar syncing in the Rox Admin Console.
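The revocation step above is described for the Entra portal. As an added example (not Rox's own code or tooling), the same trim can be scripted with the Microsoft Graph PowerShell SDK, which is useful when you manage several tenants or want the result in a change record. It assumes the Microsoft.Graph module is installed, that `929e5802-e473-45d3-b032-44977407583c` is Rox's application (client) ID as used in step 8, and that the `$Keep` list (a read-only rollout here) is an assumption you edit to match the Rox features you actually enabled.

```powershell
# Added example: remove unwanted Microsoft Graph application permissions (app role
# assignments) from the Rox service principal in your tenant.
# Assumptions: Microsoft.Graph SDK installed; $RoxAppId is Rox's app ID from step 8;
# $Keep is a hypothetical read-only selection. Edit it before running.

Connect-MgGraph -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All"

$RoxAppId = "929e5802-e473-45d3-b032-44977407583c"
$Keep = @("Mail.Read", "Calendars.Read", "Directory.Read.All")   # assumption

# Resource side: Microsoft Graph's own service principal carries the catalogue of app
# roles, which lets us translate each assignment's AppRoleId GUID back to a name.
$GraphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$RoleName = @{}
foreach ($r in $GraphSp.AppRoles) { $RoleName[$r.Id] = $r.Value }

# Client side: the Rox service principal that admin consent created in this tenant.
$RoxSp = Get-MgServicePrincipal -Filter "appId eq '$RoxAppId'"
if (-not $RoxSp) { throw "Rox service principal not found; has admin consent been granted?" }

$Assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $RoxSp.Id -All

foreach ($a in $Assignments) {
    # Only touch assignments against Microsoft Graph; leave any other resource alone.
    if ($a.ResourceId -ne $GraphSp.Id) { continue }
    $name = $RoleName[$a.AppRoleId]
    if ($Keep -contains $name) {
        Write-Host "keep   $name"
    } else {
        Write-Host "revoke $name"
        Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $RoxSp.Id `
            -AppRoleAssignmentId $a.Id
    }
}

# Re-read the assignments to confirm what remains. This is what the roles claim of the
# next token Rox requests will contain; tokens already issued stay valid until expiry.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $RoxSp.Id -All |
    Where-Object { $_.ResourceId -eq $GraphSp.Id } |
    ForEach-Object { $RoleName[$_.AppRoleId] }
```

Run it once interactively and keep the final listing as evidence of the scopes left in place. Removing an assignment here is the same operation as clicking "Revoke permission" on the app's Permissions blade in the Entra admin center, so either path can be used to check the other.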
8) Steps for setting up a mail-enabled security group (for IT Admins)

These steps use the ExchangeOnlineManagement PowerShell module and require an Exchange Online administrator account.

1. Connect to Exchange Online

```powershell
Connect-ExchangeOnline -UserPrincipalName admin@domain.com
```

2. Create the mail-enabled security group (the address is what the access policy in step 4 refers to)

```powershell
New-DistributionGroup -Name "LimitedAppAccessGroup" -Type Security `
  -PrimarySmtpAddress "LimitedAppAccessGroup@domain.com"
```

3. Add members (the users whose data the app can access)

```powershell
Add-DistributionGroupMember -Identity "LimitedAppAccessGroup" -Member user1@domain.com
Add-DistributionGroupMember -Identity "LimitedAppAccessGroup" -Member user2@domain.com

# To add every member of an existing group in one go, pipe its membership in:
Get-DistributionGroupMember -Identity "ExistingGroup@domain.com" -ResultSize Unlimited |
  ForEach-Object { Add-DistributionGroupMember -Identity "LimitedAppAccessGroup" -Member $_.PrimarySmtpAddress }
```

4. Link Rox's client ID to that group. RestrictAccess means the app can reach only the mailboxes of group members; all other mailboxes are denied.

```powershell
New-ApplicationAccessPolicy `
  -AppId "929e5802-e473-45d3-b032-44977407583c" `
  -PolicyScopeGroupId "LimitedAppAccessGroup@domain.com" `
  -AccessRight RestrictAccess `
  -Description "Limit Graph Mail and Calendar access to specific users"
```

5. Verify, using the same App ID as in step 4. Check one member and one non-member.

```powershell
Test-ApplicationAccessPolicy -Identity user1@domain.com `
  -AppId "929e5802-e473-45d3-b032-44977407583c"
Test-ApplicationAccessPolicy -Identity someone-else@domain.com `
  -AppId "929e5802-e473-45d3-b032-44977407583c"
```

The AccessCheckResult should be Granted for an added member and Denied for a non-member. Policy changes can take up to 30 minutes to be enforced, so re-test if an early check does not match. The policy scopes the Mail and Calendars application permissions only; Directory.Read.All is not affected by it. `Get-ApplicationAccessPolicy` lists the policies in place and `Remove-ApplicationAccessPolicy -Identity <policy>` removes one.
9) Connection Steps in Rox (for IT Admins)
- Go to https://run.rox.com/settings > Integrations

- Click on the Connect button for Microsoft Enterprise
- Configure the individual access for Calendar

- Configure the individual access for Email. Add any restricted domains as well.

- Add your tenant id from Microsoft Entra portal and the email IDs of the users you want to restrict the email access for

- Click on Connect which will take you to the Microsoft Authorization page. Click on Accept

- You will be redirected to the Rox application where you can see that the Microsoft Enterprise integration will be connected. The users will no longer be able to connect any of Google/Microsoft email and calendar separately.

- Revoke any excess permissions in Entra

10) Summary
| Aspect | Detail |
|---|---|
| Purpose | Organization-wide connection to Microsoft 365 for calendar and email sync |
| Permissions | Application permissions: Mail.ReadBasic.All, Mail.Read, Mail.ReadWrite, Mail.Send, Calendars.Read, Calendars.ReadWrite, Directory.Read.All (consented together, then trimmed by the admin to what is needed) |
| Hosting | Vercel (US), AWS us-east-2 (US) |
| Data | Email, calendar, and user directory data synced over TLS and encrypted at rest |
| Controls | OAuth 2.0 client credentials flow; no user credentials stored; admin consent required; least-privilege scope after trimming; mailbox reach limited by Exchange application access policy |
| Governance | Microsoft Entra remains authoritative; revocation and audit available anytime via the Microsoft portal |