This article will answer questions about the security and IT implementation of our Outlook Integration.
The Basics
How does the Outlook Integration access my Outlook inbox data?
The integration periodically fetches metadata for new emails in your inbox. We use this data to check whether the sender or recipients of an email thread include a member within your Aspire account.
For email threads that include a member, the integration fetches the associated email message content in order to display it to the Aspire user in their Aspire Inbox, as well as in the member activity feed view.
The integration does not fetch or store any email message content for any email threads that are not associated with a member of your account.
Additional safeguards are supported on the platform to restrict who can be added as a member (e.g. restricting any company email address from being added to a member).
Authentication
What does Aspire use for authentication?
We use the OAuth 2.0 protocol for authentication. Through OAuth 2.0, users can authorize specific scopes that the Aspire integration requires. The authorization results in Microsoft giving us an access token that we can use to make API calls on behalf of the authenticated user. We can only make API calls that are within the scope that the user authorized. You can read more about the standard OAuth 2.0 protocol here.
Does Aspire have access to my Outlook password?
At no point does Aspire have access to the authorizing user's password for Outlook. This information is never shared with us.
Permissions
Why does Aspire require read and write access permissions?
Both read and write permissions are needed for the integration to function. In order to allow outgoing emails, we need to have the ability to send emails. This requires write permissions. In order to receive emails, we need read permissions to pull the information into your Aspire account and display it for you.
For more information about the permissions we require, please see this document here.
How exactly does the integration work with these permissions?
When a user connects an Outlook email, we subscribe to get notified by Outlook of any emails that this user receives. Then, when an email is received, Outlook notifies us and provides us with the message ID but not with the message itself.
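The metadata-first flow described above, sketched as an added example; it is not Aspire's code. The Graph call is replaced by a local stand-in, and `CLIENT_STATE`, `MEMBERS`, the mailbox contents and all function names are assumptions constructed for illustration. The `clientState` comparison is Microsoft Graph's standard notification check and is included as an assumption, not something this page states.

```python
import hmac

CLIENT_STATE = "constructed-secret"      # assumed value set when the subscription was created
MEMBERS = {"creator@example.org"}        # constructed member address list

def addr(a):
    return {"emailAddress": {"address": a}}

# Constructed mailbox standing in for Microsoft Graph; no network access.
MAILBOX = {
    "msg-1": {"from": addr("Creator@example.org"), "toRecipients": [addr("me@corp.example")],
              "ccRecipients": [], "body": {"content": "Campaign brief"}},
    "msg-2": {"from": addr("hr@corp.example"), "toRecipients": [addr("me@corp.example")],
              "ccRecipients": [], "body": {"content": "Payroll details"}},
}

def fake_graph_get(message_id, select):
    """Stand-in for GET /me/messages/{id}?$select=...: returns only the selected fields."""
    return {k: MAILBOX[message_id][k] for k in select}

def participants(meta):
    people = [meta["from"]] + meta["toRecipients"] + meta["ccRecipients"]
    return {p["emailAddress"]["address"].lower() for p in people}

def handle_notification(payload, graph_get=fake_graph_get):
    """Return (message_id, body) pairs for member threads only."""
    kept = []
    for item in payload.get("value", []):
        # Drop notifications whose clientState differs from the subscription's.
        state = str(item.get("clientState", "")).encode()
        if not hmac.compare_digest(state, CLIENT_STATE.encode()):
            continue
        msg_id = item["resourceData"]["id"]  # the notification carries an ID, not the message
        meta = graph_get(msg_id, ["from", "toRecipients", "ccRecipients"])
        if participants(meta) & MEMBERS:     # content is requested only after a member match
            kept.append((msg_id, graph_get(msg_id, ["body"])["body"]["content"]))
    return kept

# Constructed change-notification payload in the Graph shape.
SAMPLE_PAYLOAD = {"value": [
    {"clientState": CLIENT_STATE, "resourceData": {"id": "msg-1"}},
    {"clientState": CLIENT_STATE, "resourceData": {"id": "msg-2"}},
    {"clientState": "forged", "resourceData": {"id": "msg-1"}},
]}

if __name__ == "__main__":
    print(handle_notification(SAMPLE_PAYLOAD))
```

Passing a recording wrapper as `graph_get` lets a reviewer confirm that the body of a non-member message is never requested.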
What security protocols are in place?
The OAuth 2.0 protocol ensures that we have a secure way to authorize and obtain an access token for the user who set up and authorized the integration.
Data storage
How does the integration operate in terms of the transfer of data to and from Aspire and Outlook?
The integration communicates solely through the API; Aspire makes API calls to Microsoft Graph and receives notifications from Microsoft via our API.
Revoking access
How do I revoke Aspire’s access to my Outlook account?
If at any point you wish to revoke Aspire’s access to Outlook, you can do so by following these steps:
Log in to your Outlook account
Click on Edit next to the AspireIQ app, then click Remove