Microsoft 365
TAO plugs into Microsoft 365 through Microsoft Entra ID using delegated OAuth 2.0 and OpenID Connect, so every action runs in the signed-in user's context — never silently as the org. We request the smallest set of Microsoft Graph permissions our features need, have completed Publisher Verification, and follow the Microsoft 365 App Compliance Program. Admins keep full control over consent, conditional access, and revocation.
How the connection works
OAuth 2.0 + OpenID Connect against Microsoft Entra ID. TAO is a registered multi-tenant app with a verified publisher domain and a Partner One ID. Sign-in uses delegated permissions (on behalf of a user) with PKCE; high-impact scopes like Files.Read.All require tenant admin consent before users can grant them.
Scopes TAO requests
We request only the scopes the connected features actually use. Each scope, why we ask for it, and which tier it sits in for Microsoft 365:
| Scope | Tier | Why we ask for it |
| --- | --- | --- |
| openid | delegated | Sign the user in via OpenID Connect |
| offline_access | delegated | Issue a refresh token so the session survives the browser |
| User.Read | delegated | Read the signed-in user's basic profile |
| Mail.Read | delegated | Read Outlook mail to surface email context against TAO records |
| Calendars.Read | delegated | Read Outlook calendar events for the TAO calendar and Andy brief |
| Contacts.Read | delegated | Read Outlook contacts into TAO's contact graph |
| Files.Read.All | admin-consent-required | Read OneDrive and SharePoint file metadata and bodies the user can already access |

What TAO accesses
The connected features read specific Microsoft 365 data — and only what's needed for the operational record visible inside TAO.
- Email subject, sender, recipients, and body excerpts to link Outlook threads to TAO records
- Calendar events, attendees, and availability to drive the TAO calendar and daily brief
- Contact names, emails, phone numbers, and organisations for TAO's contact graph
- OneDrive and SharePoint file metadata to attach documents to jobs, quotes, and contacts
What TAO never does with this data
Some commitments are easier to read as a list.
- We do not train generative or machine-learning models on your Microsoft 365 content
- We do not sell, rent, or transfer your data to third parties or data brokers
- We do not use your mail or calendar data for advertising or audience profiling
- We do not request application (app-only) permissions that would let TAO act silently as your tenant
- We do not retain full file bodies beyond the cache window needed to render the requested action
Use of data — disclosure
TAO accesses Microsoft 365 data only to provide or improve user-facing features that are visible in TAO's interface. We use delegated permissions, never application permissions, so TAO can only see data the signed-in user can already see. We don't transfer Microsoft 365 data outside TAO except where the user has explicitly initiated the transfer, where a security investigation requires it, or where law compels it. We don't allow humans to read your messages, calendar items, contacts, or files without your specific consent.
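A tenant admin can check the scope list and the delegated-only commitment above against what is actually recorded in Entra ID. The sketch below is an added example, not TAO's or Microsoft's code: it assumes you have already exported the app's `oauth2PermissionGrants` and `appRoleAssignments` from Microsoft Graph as JSON objects, and the sample records and IDs in it are constructed.

```python
# Scopes published on this page for the Microsoft 365 connection.
DOCUMENTED_SCOPES = {
    "openid", "offline_access", "User.Read", "Mail.Read",
    "Calendars.Read", "Contacts.Read", "Files.Read.All",
}
_DOCUMENTED_LOWER = {s.lower() for s in DOCUMENTED_SCOPES}


def audit_grants(permission_grants, app_role_assignments):
    """Return findings where consent records exceed the documented scopes.

    permission_grants: oauth2PermissionGrant objects (delegated consent);
        'scope' is a space-separated string, 'consentType' is
        'AllPrincipals' (tenant-wide) or 'Principal' (one user).
    app_role_assignments: appRoleAssignment objects held by the app's
        service principal, i.e. application (app-only) permissions.
    """
    findings = []
    for grant in permission_grants:
        granted = grant.get("scope", "").split()
        extra = sorted(s for s in granted if s.lower() not in _DOCUMENTED_LOWER)
        if extra:
            if grant.get("consentType") == "AllPrincipals":
                who = "tenant-wide"
            else:
                who = f"user {grant.get('principalId')}"
            findings.append(
                f"undocumented delegated scopes ({who}): {', '.join(extra)}")
    # The page states no app-only permissions are requested, so any
    # assignment at all is worth investigating.
    for assignment in app_role_assignments:
        findings.append(
            f"app-only permission present: appRoleId {assignment.get('appRoleId')}")
    return findings


# Constructed sample export: one grant matching the page, one that does not.
SAMPLE_GRANTS = [
    {"consentType": "AllPrincipals", "principalId": None,
     "scope": " openid offline_access User.Read Files.Read.All"},
    {"consentType": "Principal", "principalId": "u-123",
     "scope": "Mail.Read Mail.Send"},
]
SAMPLE_APP_ROLES = [{"appRoleId": "00000000-0000-0000-0000-000000000001"}]

if __name__ == "__main__":
    for line in audit_grants(SAMPLE_GRANTS, SAMPLE_APP_ROLES):
        print(line)
```

An empty result means every recorded grant stays inside the published list; any finding is a reason to review the enterprise application's Permissions page before leaving the connection enabled.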
OAuth consent screen + listing
The exact configuration TAO submits to Microsoft 365 for every customer connection — keep this aligned with the public site for reviewers and consent dialogs.
- Publisher name = The Artificial Organisation, displayed with the verified blue badge
- Publisher domain = theartificialorganisation.com, DNS-verified inside our Entra tenant
- Privacy statement URL = https://theartificialorganisation.com/privacy
- Terms of service URL = https://theartificialorganisation.com/terms
- Permissions list shows the Graph scopes above in plain language at consent time
- Admin consent flow available for tenants that lock down user-level consent
Verification + review path
TAO has completed Microsoft Publisher Verification (Partner One ID linked, publisher domain DNS-verified, MFA-protected admin account) and Publisher Attestation under the Microsoft 365 App Compliance Program, which is re-attested every twelve months. Microsoft 365 Certification — the higher tier with third-party technical validation — is on the roadmap and pursued as the integration scales into regulated enterprise tenants.
How to disconnect
Open https://myaccount.microsoft.com under My Apps, hover the TAO tile, choose Manage your application, then Revoke Permissions. Administrators can revoke for an entire tenant from Entra admin center → Enterprise applications → TAO → Permissions. Inside TAO, Settings → Integrations → Microsoft 365 → Disconnect calls the Graph revoke endpoint and purges cached Microsoft data within 24 hours.
Reference: Microsoft 365 developer documentation
Canonical Microsoft 365 reference: https://learn.microsoft.com/en-us/entra/identity-platform/permissions-consent-overview
See also the full Data & Permissions page for the side-by-side comparison across all providers TAO connects to, and the Privacy Policy for retention, deletion, and your rights.

