What permissions am I giving Drafted when I connect Microsoft?

Updated 3 weeks ago by Aubrie Przybysz

Drafted uses the Microsoft Graph API (v1.0) for Microsoft SSO:

https://docs.microsoft.com/en-us/graph/overview?view=graph-rest-1.0

Drafted always asks for the following mandatory permissions:

offline_access, User.Basic

Drafted conditionally uses the following permissions:

Contacts.Read, Mail.Read, Mail.Send

When signing up, the only permission checked by default is Contacts.Read.

Why Drafted needs each permission:

offline_access - This allows Drafted to make requests on behalf of the user, within the permissions the user has expressly granted, in the background (for example sending mail or syncing contacts) without the user needing to interact with the Drafted application. It is required in order to obtain a refresh_token.

User.Basic - To get basic user information (name, email address) for a user who signs up via the OAuth 2.0 signup flow provided by Microsoft. This is always required to use SSO, as we need at least an e-mail address to identify someone.

Contacts.Read - If the user specifically allows it, Drafted reads the user's contacts from their account in order to help build out the company graph network. This box is checked by default during the signup flow.

Mail.Read - Many users don't use the contacts feature in Outlook, so, if given express permission, Drafted will also read the headers of the e-mails in the user's Inbox via the Microsoft Graph API in order to help build out the company graph network. The user must explicitly check this box during the Drafted signup flow (or later via the "Connect Accounts" page); it is not checked by default.

Mail.Send - If desired, Drafted can send mail on behalf of a user. The user has to separately allow this via a prompt on the "Connect Accounts" page in the Drafted application.
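As an added illustration (not Drafted's own code), the consent request described above can be assembled so that only the mandatory scopes plus the boxes the user actually checked are requested, with a policy check on the scopes that end up stored for a connected account. The client_id, redirect_uri and state values used with it are placeholders, and "User.Basic" is kept exactly as this article names it.

```python
from urllib.parse import urlencode

# Scope names exactly as this article lists them ("User.Basic" kept as written).
MANDATORY_SCOPES = ("offline_access", "User.Basic")
# Optional scopes with their default checkbox state at signup, per the article.
OPTIONAL_DEFAULTS = {"Contacts.Read": True, "Mail.Read": False, "Mail.Send": False}
# Microsoft identity platform v2.0 authorization endpoint ("common" tenant).
AUTHORIZE_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"


def requested_scopes(checked=None):
    """Least-privilege scope list for one consent request.

    `checked` maps optional scope -> bool from the signup / Connect Accounts
    checkboxes; scopes not mentioned fall back to the defaults above. Names
    outside the allowlist are rejected instead of being forwarded to Microsoft."""
    checked = dict(checked or {})
    unknown = set(checked) - set(OPTIONAL_DEFAULTS)
    if unknown:
        raise ValueError(f"not an allowed optional scope: {sorted(unknown)}")
    scopes = list(MANDATORY_SCOPES)
    for scope, default_on in OPTIONAL_DEFAULTS.items():
        if checked.get(scope, default_on):
            scopes.append(scope)
    return scopes


def build_authorize_url(client_id, redirect_uri, state, scopes):
    """Build the consent URL; `state` is a per-request anti-CSRF token."""
    params = {
        "client_id": client_id,        # placeholder app registration id
        "response_type": "code",
        "redirect_uri": redirect_uri,  # placeholder registered redirect
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def validate_connection_scopes(scopes):
    """Policy check on the scopes stored for a connected Microsoft account.

    Returns (missing, disallowed): mandatory scopes that are absent, and
    scopes outside the allowlist that should never have been stored."""
    granted = set(scopes)
    allowed = set(MANDATORY_SCOPES) | set(OPTIONAL_DEFAULTS)
    missing = sorted(set(MANDATORY_SCOPES) - granted)
    disallowed = sorted(granted - allowed)
    return missing, disallowed
```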
