Microsoft Outlook email connection

How will Microsoft Outlook integration work?

This planned feature connects your Microsoft 365 or Outlook.com account so Tallyfy sends workflow emails from your address. It’ll use Microsoft Graph API with only the Mail.Send permission - enough to send as you, without reading your inbox or calendar.

Graph API replaces SMTP authentication (which Microsoft is phasing out). It uses OAuth tokens and respects your organization’s security policies.

App registration

Tallyfy will register as a verified Azure AD application to establish trust with Microsoft’s identity platform.

The registration covers:

  • Publisher verification - confirms Tallyfy’s identity via a Microsoft Partner account
  • App manifest - defines exactly which permissions we request
  • Consent screen - shows users what they’re authorizing

Microsoft’s requirements for Mail.Send:

  • No security assessment needed
  • Standard verification takes 1-2 weeks
  • Publisher verification requires a valid Microsoft Partner ID
  • Domain ownership must be verified

Delegated vs application permissions

Tallyfy will use delegated permissions - each user authorizes sending on their behalf. This is safer than application permissions, which would let someone send as anyone in your organization.

Delegated (what Tallyfy uses) - each user authorizes individually, sees what they’re granting, and can revoke anytime.

Application (not used) - requires org-wide admin consent, could send as any user without their knowledge.

Whether you need admin approval depends on your Azure AD settings.

| Scenario | What happens |
| --- | --- |
| User consent allowed (most common) | You connect your account directly - no IT involvement |
| Admin consent required for new apps | Admin approves once, then all users can connect |
| All third-party apps blocked | Requires explicit admin approval and possible security review |

Tallyfy will detect your organization’s settings and guide you through the right flow.

How IT admins pre-approve Tallyfy

  1. Access Azure AD Portal

    • Sign in to portal.azure.com
    • Go to Azure Active Directory, then Enterprise applications
  2. Add Tallyfy application

    • Click “New application”, then “Create your own application”
    • Enter name: “Tallyfy Email Integration”
    • Select “Integrate any other application”
  3. Configure permissions

    • Go to API permissions, then Add permission
    • Select Microsoft Graph, then Delegated permissions
    • Check only: Mail.Send
    • Grant admin consent for organization
  4. Set user assignment

    • Choose who can use the app:
      • All users (recommended)
      • Specific groups (for phased rollout)
      • Selected users (for testing)
  5. Configure consent settings

    • Properties, then disable user consent (prevents consent fatigue)
    • Or allow user consent for verified publishers
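
One way for an admin to confirm that the pre-approval steps left the app with delegated Mail.Send and nothing else is to audit the tenant's consent records. This is an added example, not Tallyfy's or Microsoft's code: the field names follow Microsoft Graph's oauth2PermissionGrant and appRoleAssignment resources, while the service principal IDs, role ID and records are constructed placeholders.

```python
# Added example: audit what a tenant has granted to one enterprise application.
# Field names follow Microsoft Graph's oauth2PermissionGrant (delegated) and
# appRoleAssignment (application) resources. All IDs are constructed placeholders.
ALLOWED_SCOPES = {"Mail.Send"}  # extend if your grant also lists sign-in scopes

# Constructed sample of delegated grants in the tenant.
SAMPLE_GRANTS = [
    {"clientId": "sp-tallyfy", "consentType": "AllPrincipals",
     "principalId": None, "scope": "Mail.Send"},
    {"clientId": "sp-tallyfy", "consentType": "Principal",
     "principalId": "user-42", "scope": " Mail.Send Mail.ReadWrite"},
    {"clientId": "sp-other-app", "consentType": "AllPrincipals",
     "principalId": None, "scope": "Files.Read.All"},
]
# Constructed sample of application permissions (app roles) assigned to apps.
SAMPLE_APP_ROLES = [
    {"principalId": "sp-tallyfy", "resourceId": "sp-graph",
     "appRoleId": "role-placeholder"},
]


def audit_app(sp_id, grants, app_roles, allowed=ALLOWED_SCOPES):
    """Return (severity, message) findings for the service principal sp_id."""
    findings = []
    for grant in grants:
        if grant["clientId"] != sp_id:
            continue  # grant belongs to a different application
        if grant["consentType"] == "AllPrincipals":
            who = "all users (admin consent)"
        else:
            who = "user " + str(grant["principalId"])
        # scope is a space-separated string and may carry a leading space
        extra = sorted(set((grant.get("scope") or "").split()) - set(allowed))
        if extra:
            findings.append(
                ("HIGH", f"delegated scopes beyond allow-list for {who}: "
                         + " ".join(extra)))
    for role in app_roles:
        if role["principalId"] == sp_id:
            # Any app role means the app can act without a signed-in user.
            findings.append(
                ("CRITICAL", "application permission assigned: "
                             + role["appRoleId"]))
    return findings


if __name__ == "__main__":
    for severity, message in audit_app("sp-tallyfy", SAMPLE_GRANTS,
                                       SAMPLE_APP_ROLES):
        print(severity, message)
```

An empty result means the app holds only the allow-listed delegated scopes and no application permissions.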

Conditional access policies

Tallyfy will respect all your conditional access policies - MFA, trusted devices, location restrictions, session limits, and risk-based authentication.

Your security team can require MFA for Tallyfy, limit access to corporate devices, or force re-authentication on a schedule.

Email sending limits

Microsoft 365 enforces daily sending limits that apply to Graph API sends.

| Plan | Recipients per day | Recipients per message | Rate limit |
| --- | --- | --- | --- |
| Microsoft 365 Business/Enterprise | 10,000 | 500 | 30 messages/minute |
| Outlook.com (personal) | 300 | 100 | Lower rate limits |

Workflow notifications rarely approach these limits. 100 task notifications daily uses about 1% of a Business plan quota.

Exchange on-premises

The initial release supports cloud-based Microsoft 365 and Outlook.com only. On-premises Exchange needs hybrid connectivity and special Graph API configuration. Future support may include Exchange Web Services (EWS) and hybrid modern authentication.

Sent items visibility

Every email sent through Graph API appears in your Sent Items folder. It’s searchable in Outlook, subject to retention policies, included in backups, and available for legal discovery. Replies, forwarding, categories, and rules all work normally.

Token refresh

Microsoft access tokens expire after 1 hour, but Tallyfy handles refresh automatically. A refresh token (valid 90 days with activity) lets Tallyfy get new access tokens without your involvement. Each use extends the refresh token’s life.

You’ll only need to re-authenticate if you revoke access, 90 days pass without sends, your organization’s policies force it, or Microsoft detects a security concern.

Security and compliance

The planned integration works with enterprise security features:

  • Data residency - emails processed in your Microsoft 365 region
  • Audit logging - API calls logged in Azure AD with sign-in tracking
  • Compliance - GDPR, SOC 2, HIPAA compatible (with BAA)
  • Zero Trust - no standing permissions, just-in-time token access, least privilege

Emails pass through Microsoft’s full security stack - Defender for Office 365 (outbound scanning, DLP), Purview (retention, eDiscovery), and Azure AD Identity Protection (risk-based access).

Troubleshooting common issues

“Need admin approval” message

  • Your organization requires admin consent
  • Click “Request approval” to notify your admin

“AADSTS65001: User or admin has not consented”

  • The app needs to be added to your tenant
  • Admin must grant consent first

“Invalid client” error

  • Usually a browser cache issue - try incognito mode
  • Clear cookies for login.microsoftonline.com

“Token expired” after connection

  • Normal if unused for 90+ days
  • Reconnect your account (takes about a minute)

“SendAs permission denied”

  • You’re trying to send from a shared mailbox
  • Only personal mailbox sending is supported initially

Government cloud support

GCC and GCC High support is planned for a later release. Government clouds need separate app registration, FedRAMP compliance, and different Graph API endpoints. GCC High / DoD adds ITAR requirements.
