Securing Outlook Email Integration
Securing Outlook Email Integration: Authentication, Permissions, and Data-Access Management
Security Overview
To ensure secure operations, Outlook email integration addresses authentication, permission scope, mailbox actions, data access, notifications, and access revocation as follows.
Authentication and Token Handling
The integration never handles or stores customer passwords or mailbox credentials.
When a customer grants access, Microsoft sends an authorization code to Conexiom. This code is exchanged (via OAuth 2.0) for access and refresh tokens that are used to call the Microsoft Graph API.
These tokens are encrypted and stored in our database and are used solely for authenticated, scoped access to the customer’s mailbox via Microsoft Graph.
Permission Scope and Mailbox Actions
Conexiom’s integration is effectively read-only with one controlled exception: in a customer’s mailbox, it creates two dedicated categories and sorts each email into one category or the other. The categories are “Sent to Conexiom” and “Not sent to Conexiom.” It then tags each email with the appropriate category name so that customers can clearly see which emails Conexiom handled.
Apart from adding these categories and tagging relevant emails, Conexiom does not send, delete, move, or modify email messages or mailbox configurations in any way.
Data Access, Notifications, and Filtering
When enabled, Conexiom acts as a passive listener: Microsoft Graph notifies Conexiom when a new email arrives in the subscribed mailbox.
Conexiom only retrieves message data for emails it is explicitly notified about; it does not continuously poll or scan the mailbox.
Only emails that pass the filters configured in the Portal settings are sent for processing. Once an email passes these filters, it flows through the standard Conexiom email ingestion, validation, and filtering pipeline (the same logic used for email forwarding).
Emails that do not meet the configured criteria are ignored and are not ingested.
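As an added illustration (not Conexiom’s own code), the following shows how a passive webhook listener for Microsoft Graph change notifications answers the one-time subscription validation handshake and then accepts only notifications whose clientState matches the secret it registered when creating the subscription, so that a forged POST cannot trigger a mailbox fetch. The handler name, the secret, and the sample notification payload are constructed for this example.

```python
import hmac
import json
from urllib.parse import parse_qs, urlparse

# Constructed sample: the per-subscription secret the listener registered as
# "clientState" when it created the Graph subscription (hypothetical value).
EXPECTED_CLIENT_STATE = "example-subscription-secret-42"

# Constructed sample notification: one genuine new message, one forged entry
# with the wrong clientState, and one non-"created" change that is ignored.
SAMPLE_NOTIFICATION = json.dumps({"value": [
    {"subscriptionId": "sub-placeholder", "clientState": EXPECTED_CLIENT_STATE,
     "changeType": "created", "resource": "Users/user-id-placeholder/Messages/msg-1"},
    {"subscriptionId": "sub-placeholder", "clientState": "wrong-secret",
     "changeType": "created", "resource": "Users/user-id-placeholder/Messages/msg-2"},
    {"subscriptionId": "sub-placeholder", "clientState": EXPECTED_CLIENT_STATE,
     "changeType": "updated", "resource": "Users/user-id-placeholder/Messages/msg-3"},
]})


def handle_graph_notification(path_with_query, body, expected_client_state=EXPECTED_CLIENT_STATE):
    """Return (status, content_type, response_body, resources_to_fetch).

    Graph first POSTs ?validationToken=... and expects the decoded token echoed
    back as text/plain; afterwards each notification is a JSON array under
    "value". The listener acknowledges with 202 and fetches only the message
    resources named in notifications that carry the expected clientState.
    """
    query = parse_qs(urlparse(path_with_query).query)
    if "validationToken" in query:
        # parse_qs already percent-decodes the token for us
        return 200, "text/plain", query["validationToken"][0], []

    try:
        items = json.loads(body)["value"]
    except (ValueError, TypeError, KeyError):
        return 400, "application/json", json.dumps({"error": "malformed notification"}), []

    resources = []
    for item in items if isinstance(items, list) else []:
        if not isinstance(item, dict):
            continue
        # Constant-time comparison of the shared secret; mismatches are dropped
        if not hmac.compare_digest(str(item.get("clientState", "")), expected_client_state):
            continue
        # A passive listener reacts only to newly created mail messages
        if item.get("changeType") != "created" or "/messages/" not in item.get("resource", "").lower():
            continue
        resources.append(item["resource"])
    return 202, "application/json", "", resources
```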
Access Revocation and Lifecycle
Access can be revoked at any time from either the Conexiom Portal settings page or by the customer’s administrator through the Microsoft 365 or Azure AD admin portal.
Revoking access removes the Microsoft Graph subscription used to receive new email notifications and invalidates the associated access and refresh tokens.
Once revoked, Conexiom no longer receives notifications and can no longer access mailbox data via Microsoft Graph.