At monday.com, security is a top priority. We want to make sure you're confident when you build out your workflow with us. This article will answer questions about the security and IT implementation of the Outlook Integration.
Who is the developer for the Outlook Integration?
The developer of the Outlook Integration is monday.com.
The integration is between monday.com and Microsoft. Which environment does the integration run in?
The integration runs on monday.com servers. We receive webhooks from Microsoft, run the integration logic on our end, and then make API calls to fetch data from Microsoft, send emails, or perform an action on monday.com such as creating an item or adding an update (depending on the integration).
What does monday.com use for authentication?
We use the OAuth 2.0 protocol for authentication. Through OAuth 2.0, users can authorize the specific scopes that the monday.com integration requires. After the user selects specific scopes, there is a handshake between Microsoft and monday.com servers to ensure that the transaction is secure.
The authorization results in Microsoft giving us an access token that we can use to make API calls on behalf of the authenticated user. We can only make API calls that are within the scopes that the user authorized. Using API calls, monday.com can only access what the user who initiated the authorization is permitted to do or view in the account, and only within the authorized scopes.
Where can I learn more about OAuth 2.0?
You can read more about the standard OAuth 2.0 protocol here.
Does monday.com have access to my Outlook password?
At no point does monday.com have access to the authorizing user's password for Outlook. This information is never shared with us.
Why does monday.com require full read and write access permissions?
We understand why you would be concerned about giving any third-party app access to your entire account. That's why we want to provide some insight into why we request full read access permission.
Both read and write permissions are needed for the integration to function.
We ask for read and write permissions for emails. In order to allow outgoing emails, we need to have the ability to send emails. This requires write permissions. In order to receive emails, we need read permissions to pull the information into monday.com and display it for you.
How exactly does the integration work with these permissions?
When a user creates an incoming integration, we subscribe to get notified by Outlook of any emails that this user receives. Then, when an email is received, Outlook notifies us and provides us with the message ID but not with the message itself.
To proceed with the integration, the first thing we do is use the ID provided by Microsoft to fetch the message via the API. We only fetch messages from relevant inboxes, meaning we do not fetch those that are in folders like your Spam, Deleted, or Sent folders. Once we have the message, we run the integration and check the conditions you chose when setting it up. Based on those conditions, we create either an item or an update from the email.
What is the extent of the access given to monday.com with full read and write permissions? Is every email in the inbox read by monday.com?
Given permission, monday.com can only read messages within the inbox of the user who authorized the integration, and monday.com will only do so in one of two situations:
- The first situation is when the connection is first made. At that time, monday.com will fetch the last email received in your Outlook inbox to make sure the connection was made to a valid inbox. The intent is to check whether or not monday.com can successfully fetch an email. Nothing is done with the email and the email is not saved anywhere.
- The second situation is described in the answer to the previous question in this section. When a user sets up an integration for incoming emails and authorizes access, monday.com fetches emails from Microsoft when Microsoft sends a notification.
The integration is between monday.com and Microsoft. Is data accessed by any third parties?
No third party has access to data through this integration.
What security protocols are in place?
The OAuth 2.0 protocol ensures that we have a secure way to authorize and obtain an access token for the user who set up and authorized the integration. Microsoft also requires monday.com to send a secret random string. This is extra assurance for both Microsoft and monday.com that the requests that are made are from a trusted host. The token is saved in our secrets manager in AWS and is not accessible in any other way.
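The notification flow described earlier (Outlook sends only a message ID) and the secret random string check can be sketched as follows. This is an added example, not monday.com's code: it assumes the secret string plays the role of the `clientState` field in Microsoft Graph change notifications, and the function name, secret, and sample payload are constructed for illustration.

```python
import hmac
import json

# Constructed secret for illustration (assumed to play the role of Graph's clientState).
EXPECTED_CLIENT_STATE = "constructed-secret-random-string"

# Constructed notification batch: each entry carries a message ID, never the message body.
SAMPLE_BODY = json.dumps({"value": [
    {"subscriptionId": "sub-1", "changeType": "created",
     "clientState": "constructed-secret-random-string",
     "resourceData": {"id": "AAMk-constructed-1"}},
    {"subscriptionId": "sub-1", "changeType": "created",
     "clientState": "wrong-value",
     "resourceData": {"id": "AAMk-constructed-2"}},
    {"subscriptionId": "sub-1", "changeType": "created",
     "resourceData": {"id": "AAMk-constructed-3"}},
]}).encode()


def accepted_message_ids(raw_body, expected_state=EXPECTED_CLIENT_STATE):
    """Return message IDs only from notifications that carry the expected secret."""
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return []  # malformed body: fetch nothing
    if not isinstance(payload, dict):
        return []
    notifications = payload.get("value")
    if not isinstance(notifications, list):
        return []
    ids = []
    for note in notifications:
        if not isinstance(note, dict):
            continue
        state = note.get("clientState")
        # Constant-time comparison so response timing does not leak the secret.
        if not isinstance(state, str) or not hmac.compare_digest(
                state.encode(), expected_state.encode()):
            continue
        resource = note.get("resourceData")
        msg_id = resource.get("id") if isinstance(resource, dict) else None
        if isinstance(msg_id, str) and msg_id:
            ids.append(msg_id)  # the caller then fetches this ID with the user's token
    return ids


if __name__ == "__main__":
    print(accepted_message_ids(SAMPLE_BODY))
```

Notifications with a missing or mismatched secret are dropped before any message is fetched, so a forged webhook cannot trigger an API call on the user's behalf.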
How can I set permissions limiting who has the ability to create an integration?
To set permissions limiting who can create integrations, visit our "How to set up account permissions" article.
How does the integration operate in terms of the transfer of data to and from monday.com and Outlook?
The integration communicates solely through the API; monday.com makes API calls to Microsoft Graph and receives notifications from Microsoft via our API.
How does the data storage work?
We store the access token in a secrets management tool called Vault. The authentication data (access token) that the tool stores is encrypted. The access token can only be accessed by requests for this specific user made from within our server.
Do "backups" exist?
No, we do not have a separate backup database for the vault authentication data.
How long does O365 related data persist inside monday.com?
There are various types of data related to the O365 application that persist:
- One-time check to ensure the connection is valid. This is a check done upon the creation of the connection (authentication) just to make sure that the Outlook email is valid. One message is fetched at random from the API to test whether we receive a valid response or an error. This message is not read or saved anywhere.
- Auth data (access token, refresh token, display name). This is the data used to access the API on behalf of the user. We get this data from Microsoft after completing the OAuth 2.0 protocol, provided the user authorized monday.com to access the API on their behalf. This data is stored in Vault, a secrets manager tool, and persists there unless the user requests to delete it. The authentication data expires after a short time and must be constantly refreshed to ensure the data and access are still valid. In addition, the user can always revoke the connection in their Microsoft account. See the last section of this article for more details on revoking the connection. When the connection is revoked, the authentication data that is saved with monday.com will no longer work, as it will no longer be valid for accessing the API on behalf of the user. Microsoft also performs this invalidation as a precaution in various other cases, such as password change, force logout, added MFA, etc.
- Any integration-related data. Any data that is involved in the integration, such as an email body or subject that the individual using the integration chooses to use when activating an integration recipe, is saved as data in their board in whatever way they choose to add it and will be saved in the databases for the corresponding board elements (i.e. item name, updates section, etc.) with monday.com until the information is deleted.
How do I revoke monday.com's access to my Outlook account?
If at any point you want to revoke monday.com's access to Outlook, you can do so. To revoke access, go to Outlook and review the third-party apps that have been granted access to your account. If you revoke monday.com's access, the token monday.com has saved will no longer work. From that point forward, monday.com will not be able to make API calls on your behalf. If monday.com tries to make a request after you revoke access, the request will fail because monday.com will no longer have a valid token.