Microsoft Graph Permissions
When you connect InLoox to Microsoft 365, InLoox requests a set of Microsoft Graph API permissions that are required to power the various integration features — such as email tracking, calendar synchronization, OneDrive and SharePoint document storage, Teams notifications, and contact lookup.
Most permissions listed here are configured per user in the Integration Center — each user connects their own Microsoft 365 account and grants the permissions relevant to the features they use. You can grant or revoke individual permissions at any time.
There are two exceptions that are configured organization-wide by an account administrator in the Integration section of the Account Settings, rather than per user:
Calendars.ReadBasic.All— required for displaying calendar busy information in the workload view.User.Read.All— required for contact synchronization with Microsoft 365.
Some permissions are marked as Admin consent required. These permissions can only be granted by a Microsoft 365 administrator for your entire organization. Contact your IT administrator if you need these permissions enabled.
User.Read.All and Calendars.ReadBasic.All are application-type permissions configured in the Account Settings by an administrator. They are not granted by default and require explicit admin consent.
Permission Reference
| Permission name | Type | Description | Admin consent required | Used for |
|---|---|---|---|---|
Calendars.Read.Shared | Delegated | Read user and shared calendars | No | Reading shared or delegated Outlook calendars — required when users access calendars that are shared with them by colleagues, e.g. for time tracking |
Calendars.ReadBasic.All | Application | Read basic details of calendars in all mailboxes | Yes | Looking up availability and basic calendar information across all mailboxes in the organization — used for resource workload analysis integrating user's calendars |
Calendars.ReadWrite | Delegated | Have full access to user calendars | No | Creating and updating Outlook calendar entries from InLoox tasks, and synchronizing task changes back to the calendar |
Calendars.ReadWrite.Shared | Delegated | Read and write user and shared calendars | No | Reading and updating shared or delegated Outlook calendars on behalf of the signed-in user, e.g. for categorizing / labelling tracked appointments |
Contacts.Read | Delegated | Read user contacts | No | Looking up contacts from the user's personal Outlook address book, e.g. when inviting people to the account |
Contacts.Read.Shared | Delegated | Read user and shared contacts | No | Looking up contacts from shared or delegated contact folders, e.g. when inviting people to the account — used when contacts are maintained in a shared mailbox or delegated contact list |
email | Delegated | View users' email address | No | Retrieving the signed-in user's email address as part of the Microsoft 365 sign-in process — required for using Microsoft login |
Files.ReadWrite.All | Delegated | Have full access to all files user can access | No | Accessing, uploading, and managing files in SharePoint document libraries that the user has access to, e.g. for uploading and retrieving documents into / from the project storage |
Group.Read.All | Delegated | Read all groups | Yes | Reading Microsoft 365 group memberships — required to list Teams channels and SharePoint sites associated with groups in your organization, e.g. for importing Planner plans |
Mail.Read | Delegated | Read user mail | No | Displaying the user's Outlook inbox in InLoox and reading emails to enable email tracking and project assignment |
Mail.ReadWrite | Delegated | Read and write access to user mail | No | Flagging emails, assigning the InLoox category to processed emails, and synchronizing email flags between Outlook and InLoox |
offline_access | Delegated | Maintain access to data you have given it access to | No | Keeping the Microsoft 365 connection active in the background so InLoox can synchronize data even when you are not actively using it — required for using Microsoft login |
openid | Delegated | Sign users in | No | Authenticating users via OpenID Connect as part of the Microsoft 365 sign-in flow — required for using Microsoft login |
profile | Delegated | View users' basic profile | No | Reading the signed-in user's basic Microsoft 365 profile information (name, display name) — required for using Microsoft login |
Sites.ReadWrite.All | Delegated | Edit or delete items in all site collections | No | Reading and writing files in SharePoint Online site collections — required for the SharePoint document storage integration |
Tasks.Read | Delegated | Read user's tasks and task lists | No | Reading tasks from Microsoft To Do and Planner, e.g. for importing Planner plans |
TeamsActivity.Send | Application | Send a teamwork activity to any user | Yes | Sending Microsoft Teams activity notifications to users — required to deliver in-Teams alerts, e.g. when tasks are assigned to a user |
User.Read | Delegated | Sign in and read user profile | No | Reading the signed-in user's Microsoft 365 profile to populate their InLoox profile and enable single sign-on, e.g. for importing and synchronizing contacts from your tenant into InLoox |
User.Read.All | Application | Read all users' full profiles | Yes | Reading full profile information for all users in the organization — required if you want InLoox to display complete Microsoft 365 profile data for all team members, not just the signed-in user, e.g. for importing and synchronizing contacts from your tenant into InLoox |