Microsoft Outlook email connection
When it’s ready, Tallyfy will send its workflow emails from your own Microsoft 365 or Outlook.com address, so the notifications come from you, not a generic Tallyfy address. Tallyfy will only get permission to send email as you. It won’t read your inbox, your calendar, or your contacts.
- Emails that come from you. Notifications send from your real address, so they look right to the people who get them and land better in their inboxes.
- A copy in your Sent Items. Every email Tallyfy sends shows up in your Outlook Sent Items, so it’s searchable, backed up, and there for any records you need. Your normal replies, forwarding, and rules all still work.
- Your company’s security, respected. It follows whatever sign-in rules your company already has, so nothing is bypassed.
At launch it works with Microsoft 365 (Business or Enterprise) and personal Outlook.com accounts. On-premises Exchange and government clouds will come in a later release.
Whether you can connect it yourself depends on your company’s Microsoft settings. In many companies you’ll just connect your own account in about a minute. In others, an IT admin approves Tallyfy once and then everyone can connect. Your IT team can find the setup steps under For your IT team.
Microsoft caps how many emails an account can send per day, and those caps apply here. Workflow notifications rarely get close - sending 100 task notifications a day uses about 1% of a Business plan’s daily limit. The exact numbers are under For your IT team.
Yes. Tallyfy only ever gets permission to send email as you, never to read your mail. You authorize it for your own account and can take that access away anytime. It honors your company’s sign-in rules, including a second sign-in step (multi-factor) if your security team requires it, and it renews its access quietly in the background so you don’t have to keep signing in. The integration is built to be GDPR, SOC 2, and HIPAA compatible. The full security and compliance detail is under For your IT team.
(Skip this unless you’re setting up the technical side.)
This planned integration uses Microsoft Graph API with only the Mail.Send permission - enough to send as the user, without reading their inbox or calendar. Graph API replaces SMTP authentication (which Microsoft is phasing out). It uses OAuth tokens and respects your organization’s security policies.
Tallyfy will register as a verified Azure AD application to establish trust with Microsoft’s identity platform.
The registration covers:
- Publisher verification - confirms Tallyfy’s identity via a Microsoft Partner account
- App manifest - defines exactly which permissions we request
- Consent screen - shows users what they’re authorizing
Microsoft’s requirements for Mail.Send:
- No security assessment needed
- Standard verification takes 1-2 weeks
- Publisher verification requires a valid Microsoft Partner ID
- Domain ownership must be verified
Tallyfy will use delegated permissions - each user authorizes sending on their behalf. This is safer than application permissions, which would let someone send as anyone in your organization.
Delegated (what Tallyfy uses) - each user authorizes individually, sees what they’re granting, and can revoke anytime.
Application (not used) - requires org-wide admin consent, could send as any user without their knowledge.
Whether you need admin approval depends on your Azure AD settings.
| Scenario | What happens |
|---|---|
| User consent allowed (most common) | You connect your account directly - no IT involvement |
| Admin consent required for new apps | Admin approves once, then all users can connect |
| All third-party apps blocked | Requires explicit admin approval and possible security review |
Tallyfy will detect your organization’s settings and guide you through the right flow.
1. Access Azure AD Portal
   - Sign in to portal.azure.com
   - Go to Azure Active Directory, then Enterprise applications
2. Add Tallyfy application
   - Click “New application”, then “Create your own application”
   - Enter name: “Tallyfy Email Integration”
   - Select “Integrate any other application”
3. Configure permissions
   - Go to API permissions, then Add permission
   - Select Microsoft Graph, then Delegated permissions
   - Check only: Mail.Send
   - Grant admin consent for organization
4. Set user assignment
   - Choose who can use the app:
     - All users (recommended)
     - Specific groups (for phased rollout)
     - Selected users (for testing)
5. Configure consent settings
   - Properties, then disable user consent (prevents consent fatigue)
   - Or allow user consent for verified publishers
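Once consent is in place, an admin can confirm that the app holds delegated Mail.Send and nothing more. The script below is an added example, not Tallyfy's or Microsoft's code: it audits the `oauth2PermissionGrants` and `appRoleAssignments` lists that Microsoft Graph returns for the app's service principal. The sample records, their IDs, and the function names are constructed for illustration.

```python
import json

ALLOWED_DELEGATED = {"Mail.Send"}   # the only Graph scope the page says is requested
# Assumption: OpenID Connect sign-in scopes (offline_access is what yields a
# refresh token) may sit beside Mail.Send in a grant and are not mail access.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}

# Constructed sample shaped like Graph oauth2PermissionGrants and
# appRoleAssignments responses; every id below is a made-up placeholder.
SAMPLE_EXPORT = json.loads("""
{
  "oauth2PermissionGrants": [
    {"id": "grant-1", "consentType": "Principal", "principalId": "user-a",
     "scope": "Mail.Send offline_access"},
    {"id": "grant-2", "consentType": "AllPrincipals", "principalId": null,
     "scope": " Mail.Send Mail.Read"}
  ],
  "appRoleAssignments": [
    {"id": "role-1", "appRoleId": "app-role-placeholder",
     "principalType": "ServicePrincipal", "resourceDisplayName": "Microsoft Graph"}
  ]
}
""")


def audit_grants(export, allowed=ALLOWED_DELEGATED):
    """Return (grant id, severity, issue, detail) tuples for one enterprise app."""
    findings = []
    for grant in export.get("oauth2PermissionGrants", []):
        scopes = set((grant.get("scope") or "").split())
        extra = sorted(scopes - allowed - OIDC_SCOPES)
        if extra:  # delegated access beyond send-only, e.g. reading mail
            findings.append((grant["id"], "high", "extra-delegated-scope", extra))
        if grant.get("consentType") == "AllPrincipals":
            # Expected after "Grant admin consent for organization"; noted so a
            # reviewer can confirm the tenant-wide grant was intended.
            findings.append((grant["id"], "info", "tenant-wide-consent", sorted(scopes)))
    for role in export.get("appRoleAssignments", []):
        # An app role held by the service principal is an application permission:
        # it works without any signed-in user, which this integration should not need.
        if role.get("principalType") == "ServicePrincipal":
            findings.append((role["id"], "high", "application-permission", [role["appRoleId"]]))
    return findings


def is_send_only(findings):
    """True when nothing above informational severity was found."""
    return all(severity != "high" for _, severity, _, _ in findings)


if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_EXPORT):
        print(finding)
```

Any `high` finding means the app holds more than the send-only delegated access described above and the grant should be reviewed or revoked.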
Tallyfy will respect all your conditional access policies - MFA, trusted devices, location restrictions, session limits, and risk-based authentication.
Your security team can require MFA for Tallyfy, limit access to corporate devices, or force re-authentication on a schedule.
Microsoft 365 enforces daily sending limits that apply to Graph API sends.
| Plan | Recipients per day | Recipients per message | Rate limit |
|---|---|---|---|
| Microsoft 365 Business/Enterprise | 10,000 | 500 | 30 messages/minute |
| Outlook.com (personal) | 300 | 100 | Lower rate limits |
Workflow notifications rarely approach these limits. 100 task notifications daily uses about 1% of a Business plan quota.
The initial release supports cloud-based Microsoft 365 and Outlook.com only. On-premises Exchange needs hybrid connectivity and special Graph API configuration. Future support may include Exchange Web Services (EWS) and hybrid modern authentication.
Every email sent through Graph API appears in your Sent Items folder. It’s searchable in Outlook, subject to retention policies, included in backups, and available for legal discovery. Replies, forwarding, categories, and rules all work normally.
Microsoft access tokens expire after 1 hour, but Tallyfy handles refresh automatically. A refresh token (valid 90 days with activity) lets Tallyfy get new access tokens without your involvement. Each use extends the refresh token’s life.
You’ll only need to re-authenticate if you revoke access, 90 days pass without sends, your organization’s policies force it, or Microsoft detects a security concern.
The planned integration works with enterprise security features:
- Data residency - emails processed in your Microsoft 365 region
- Audit logging - API calls logged in Azure AD with sign-in tracking
- Compliance - GDPR, SOC 2, HIPAA compatible (with BAA)
- Zero Trust - no standing permissions, just-in-time token access, least privilege
Emails pass through Microsoft’s full security stack - Defender for Office 365 (outbound scanning, DLP), Purview (retention, eDiscovery), and Azure AD Identity Protection (risk-based access).
“Need admin approval” message
- Your organization requires admin consent
- Click “Request approval” to notify your admin
“AADSTS65001: User or admin has not consented”
- The app needs to be added to your tenant
- Admin must grant consent first
“Invalid client” error
- Usually a browser cache issue - try incognito mode
- Clear cookies for login.microsoftonline.com
“Token expired” after connection
- Normal if unused for 90+ days
- Reconnect your account (takes about a minute)
“SendAs permission denied”
- You’re trying to send from a shared mailbox
- Only personal mailbox sending is supported initially
GCC and GCC High support is planned for a later release. Government clouds need separate app registration, FedRAMP compliance, and different Graph API endpoints. GCC High / DoD adds ITAR requirements.