Microsoft Outlook email connection
This planned feature will connect your Microsoft 365 or Outlook.com account so Tallyfy can send workflow emails directly from your email address. We’ll use Microsoft Graph API with only the Mail.Send permission - just enough to send emails as you, without reading your inbox or accessing your calendar.
Here’s what makes this powerful: Microsoft Graph is the modern way to integrate with Microsoft 365. Unlike the old SMTP authentication that Microsoft is phasing out, Graph API uses secure OAuth tokens and respects all your organization’s security policies. Your IT team keeps full control while you get seamless email integration.
Tallyfy will register as an Azure AD application with Microsoft, requiring publisher verification. This one-time process establishes trust between Tallyfy and Microsoft’s identity platform.
The registration includes:
- Publisher verification: Confirms Tallyfy’s identity through our Microsoft Partner account
 - App manifest configuration: Defines exactly what permissions we request
 - Consent screen customization: Shows clear information about what users are authorizing
 - Security compliance review: Documents our data handling practices
 
Microsoft’s requirements are straightforward for send-only permissions:
- No security assessment needed for Mail.Send scope
 - Standard verification takes 1-2 weeks
 - Publisher verification requires valid Microsoft Partner ID
 - Domain ownership must be verified
 
We’ll use delegated permissions, meaning users explicitly authorize Tallyfy to send on their behalf. This is more secure than application permissions, which would let us send as anyone in your organization.
Delegated permissions (what we use):
- Each user authorizes individually
 - Users see exactly what they’re granting
 - Permissions tied to specific user accounts
 - Can be revoked by users anytime
 - Shows “sent on behalf of” in email headers
 
Application permissions (what we don’t use):
- Would require admin consent for entire organization
 - Could send as any user without their knowledge
 - Higher security risk
 - More complex approval process
 - Not necessary for our use case
 
The delegated model means you stay in control. You decide if and when to connect your account, and you can disconnect anytime.
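
An admin-side check for the delegated, send-only model described above, as an added example that is not Tallyfy's or Microsoft's code: it reviews records shaped like Microsoft Graph oauth2PermissionGrant and appRoleAssignment objects and reports anything beyond Mail.Send. All IDs and sample records are constructed, and treating the standard OpenID Connect scopes (including offline_access, which refresh tokens need) as sign-in plumbing is an assumption.

```python
# Added example: audit what an enterprise app was actually granted.
# Records mimic Microsoft Graph oauth2PermissionGrant / appRoleAssignment
# objects; every ID and value below is constructed for illustration.
ALLOWED_DELEGATED = {"Mail.Send"}
# Assumption: standard OpenID Connect scopes are sign-in plumbing, not mail access.
SIGN_IN_SCOPES = {"openid", "profile", "email", "offline_access"}


def audit_consent(delegated_grants, app_role_assignments, allowed=ALLOWED_DELEGATED):
    """Return a list of findings; an empty list means delegated and send-only."""
    findings = []
    for grant in delegated_grants:
        # 'scope' is a space-separated string of delegated permission names.
        scopes = set(grant.get("scope", "").split())
        extra = sorted(scopes - allowed - SIGN_IN_SCOPES)
        if extra:
            # principalId is empty when consent covers all users (AllPrincipals).
            who = grant.get("principalId") or "all users (admin consent)"
            findings.append(f"delegated grant {grant['id']} for {who} "
                            f"exceeds send-only: {', '.join(extra)}")
    for assignment in app_role_assignments:
        # Any app role held on a resource is an application permission,
        # usable without a signed-in user.
        findings.append(f"application permission {assignment['appRoleId']} "
                        f"on {assignment['resourceDisplayName']}")
    return findings


# Constructed sample: one per-user grant and one tenant-wide grant, both send-only.
SEND_ONLY = [
    {"id": "grant-1", "consentType": "Principal",
     "principalId": "user-0001", "scope": "Mail.Send offline_access"},
    {"id": "grant-2", "consentType": "AllPrincipals",
     "principalId": None, "scope": " Mail.Send "},
]
# Constructed sample: scope creep plus an application permission.
OVER_PRIVILEGED = [
    {"id": "grant-3", "consentType": "Principal",
     "principalId": "user-0002", "scope": "Mail.Send Mail.Read offline_access"},
]
APP_ROLES = [
    {"id": "assign-1", "appRoleId": "00000000-0000-0000-0000-00000000aaaa",
     "resourceDisplayName": "Microsoft Graph"},
]

if __name__ == "__main__":
    for line in audit_consent(OVER_PRIVILEGED, APP_ROLES):
        print("FINDING:", line)
```
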
Whether you need admin approval depends on your organization’s Azure AD settings. Microsoft 365 organizations fall into three categories:
Scenario 1: User consent allowed (most common)
- Default setting for many organizations
 - Users can approve apps requesting basic permissions
 - Connect your account in 2 minutes
 - No IT involvement needed
 
Scenario 2: Admin consent required for new apps
- Organization requires admin review of new applications
 - Admin gets notification when you try to connect
 - One-time approval for entire organization
 - After approval, all users can connect freely
 
Scenario 3: All third-party apps blocked
- Strictest security setting
 - No apps allowed without explicit admin approval
 - Requires security review and exception process
 - May need business justification
 
We’ll detect your organization’s settings automatically and guide you through the appropriate process.
- Access Azure AD Portal
  - Sign in to portal.azure.com
  - Navigate to Azure Active Directory → Enterprise applications
- Add Tallyfy application
  - Click “New application” → “Create your own application”
  - Enter name: “Tallyfy Email Integration”
  - Select “Integrate any other application”
- Configure permissions
  - Go to API permissions → Add permission
  - Select Microsoft Graph → Delegated permissions
  - Check only: Mail.Send
  - Grant admin consent for organization
- Set user assignment
  - Choose who can use the app:
    - All users (recommended)
    - Specific groups (for phased rollout)
    - Selected users (for testing)
- Configure consent settings
  - Properties → User consent disabled (prevents consent fatigue)
  - Or allow user consent for verified publishers
 
We provide admins with:
- Complete setup documentation with screenshots
 - Our Azure AD application ID
 - Security compliance certificates
 - Technical support contact
 - Rollback procedures if needed
 
Yes - Tallyfy respects all your conditional access policies. If your organization requires specific conditions for app access, we’ll comply:
Supported policies:
- Multi-factor authentication (MFA)
 - Trusted device requirements
 - Location-based restrictions
 - Session lifetime limits
 - Risk-based authentication
 
When a policy triggers:
- User attempts to connect account
 - Azure AD evaluates policies
 - Additional authentication requested if needed
 - Once satisfied, connection proceeds
 - Policies re-evaluated periodically
 
This means your security team can:
- Require MFA for Tallyfy connections
 - Limit access to corporate devices
 - Block connections from certain countries
 - Force re-authentication every 30 days
 
Microsoft 365 has daily sending limits that apply to Graph API sends. These limits protect against spam and abuse:
Microsoft 365 Business/Enterprise:
- 10,000 recipients per day
 - 500 recipients per message
 - 30 messages per minute rate limit
 
Outlook.com (personal):
- 300 emails per day
 - 100 recipients per message
 - Lower rate limits
 
Exchange Online Protection adds:
- Reputation-based sending
 - Automatic throttling if limits approached
 - Temporary blocks for unusual activity
 
Don’t worry - workflow notifications rarely approach these limits. If you send 100 task notifications daily, you’re using just 1% of your quota. We’ll also implement intelligent batching to stay well within limits.
The initial release will support cloud-based Microsoft 365 and Outlook.com only. Exchange on-premises (self-hosted Exchange servers) requires different integration methods:
Why on-premises is different:
- No Azure AD for authentication
 - Requires hybrid connectivity setup
 - Graph API access needs special configuration
 - Additional firewall considerations
 
Future on-premises support might include:
- Exchange Web Services (EWS) integration
 - Hybrid modern authentication
 - ADFS federation support
 - Partner with your Exchange team for setup
 
If you use on-premises Exchange, let us know - we’re tracking demand for this capability.
Yes - every email sent through Graph API appears in your Sent Items folder. This maintains a complete audit trail:
- Full copy in Sent Items immediately
 - Searchable through Outlook
 - Subject to retention policies
 - Included in backups
 - Available for legal discovery
 
This also enables:
- Reply tracking from your sent folder
 - Forward workflow emails to others
 - Archive important notifications
 - Apply categories and flags
 - Include in email rules
 
Your existing Outlook features work normally with these emails.
Microsoft access tokens expire after 1 hour, but we handle refresh automatically. Here’s the lifecycle:
- Initial authorization: You sign in and grant permission
 - Access token issued: Valid for 1 hour
 - Refresh token provided: Valid for 90 days with activity
 - Automatic refresh: We get new access tokens as needed
 - Sliding window: Each use extends refresh token life
 
You don’t need to re-authenticate unless:
- You explicitly revoke access
 - 90 days pass without any email sends
 - Your organization’s policies force re-authentication
 - Microsoft detects security concerns
 
The process is seamless - you connect once and forget about it.
The Microsoft integration includes enterprise security features:
Data residency:
- Emails processed in your Microsoft 365 region
 - No data leaves your geography
 - Complies with data sovereignty requirements
 
Audit logging:
- All API calls logged in Azure AD
 - Sign-in events tracked
 - Admin audit reports available
 - Unusual activity alerts
 
Compliance standards:
- GDPR compliant data handling
 - SOC 2 certification aligned
 - HIPAA compatible (with BAA)
 - ISO 27001 practices
 
Zero Trust compatibility:
- No standing permissions
 - Just-in-time token access
 - Continuous verification
 - Least privilege principle
 
The connection works with Microsoft’s security ecosystem:
Microsoft Defender for Office 365:
- Scans outbound emails
 - Applies anti-malware policies
 - Checks for data loss prevention (DLP)
 - Blocks suspicious content
 
Microsoft Purview:
- Information protection labels apply
 - Retention policies enforced
 - eDiscovery includes sent emails
 - Compliance boundaries respected
 
Azure AD Identity Protection:
- Risk-based conditional access
 - Unusual activity detection
 - Automated response to threats
 - User risk evaluation
 
These tools work transparently - your security policies apply to Tallyfy-sent emails just like regular emails.
“Need admin approval” message
- Your organization requires admin consent
 - Click “Request approval” to notify admin
 - Or share our pre-approval guide with IT
 
“AADSTS65001: User or admin has not consented”
- App needs to be added to your tenant
 - Admin must grant consent first
 - We’ll provide setup instructions
 
“Invalid client” error
- Usually a browser cache issue
 - Try incognito/private browsing mode
 - Clear cookies for login.microsoftonline.com
 
“Token expired” after connection
- Normal if unused for 90+ days
 - Simply reconnect your account
 - Takes 1 minute to reauthorize
 
Emails not appearing in Sent Items
- Check if Purview policies are archiving
 - Verify retention policies aren’t deleting
 - Confirm mailbox has sufficient storage
 
“SendAs permission denied”
- Trying to send from shared mailbox
 - Only personal mailbox sending supported initially
 - Shared mailbox support planned for future
 
Government cloud support is planned for a future release. Microsoft’s government clouds require additional compliance:
GCC (Government Community Cloud):
- Separate app registration required
 - FedRAMP Moderate compliance needed
 - Different Graph API endpoints
 
GCC High / DoD:
- ITAR compliance required
 - Isolated environment registration
 - Enhanced security review
 
If you’re in government cloud, contact us to join the priority list for this capability.