Siftrock O365 Authorization

Siftrock uses security best-practices when connecting to your marketing inbox. We will never ask you for a login or password to your O365 account. 

Access is granted via the O365 API via standard OAuth authorization.

In order to connect to your O365 inbox and pull in your replies, Siftrock needs the permission to:

  1. Sign you in and read your profile
  2. Read your mail
  3. Sign in as you
  4. Access your data anytime

Once you've connected an inbox, you can verify this configuration by finding Siftrock in your connected apps settings (location varies depending on which version of O365 and your specific user permissions).

These permissions are granted to Siftrock through 4 scopes. These 4 scopes give us what we need to continuously pull emails from your O365 inbox into Siftrock. Below, we outline the 4 scopes and what each scope is allowing us to do. 

  1. OpenId (Gives us the permission to sign you in and read your profile)
    1. OpenId gives us the ability to get access to a profile so we can tell what the email address is of the person connecting and associate it with the correct Siftrock account.
    2. A future (planned) feature allowing SSO login using your O365 account also requires this scope.
  2.  Offline_Access (Gives us the ability to access your data anytime)
    1. This gives us the ability to pull emails when you are not actively logged into Siftrock. Without this scope, we would only be able to pull emails from your inbox into your account when you were logged into Siftrock. Therefore, we need this scope in order to continuously pull emails from your inbox into Siftrock. 
  3. User.Read (Allows you to sign in as you)
    1. This scope also allows us to read a profile when we want to authenticate. It's important to note that this scope is limited to only a few data points, like email address and name. Siftrock does not have access to Active Directory, address books, or any other organizational data.
  4.  Mail.Read (Allows us to access your data anytime)
    1. This scope gives us read-only access to the emails in the inbox being authenticated. It's important to note that we can't send, we can only pull down emails from the inbox. 


Siftrock abides by the principle of least privilege. We are only authorized for the bare minimum required to read emails from a specific inbox continuously in order to keep your data up-to-date in real time. 

Siftrock does not require any scopes that would allow us to send on your behalf, read your address book or calendar, or interact with Active Directory.

For more information about scopes and authorization, please see the following Microsoft articles on these topics:

How did we do?