Microsoft 365 & Google OAuth Permissions
Why Comma Requests Access to Microsoft 365 or Google Workspace
When you connect Microsoft 365 or Google Workspace to Comma Compliance, you will see a permissions screen from Microsoft or Google asking you to grant access. This article explains exactly what we are asking for, why we need it, and how it directly enables your compliance archiving. We only request what we actually use.
Why We Use OAuth
OAuth is a secure, industry-standard way to authorize third-party applications to access your organization’s data without sharing your password. When you click “Authorize,” you grant Comma Compliance permission to read specific data — and nothing more.
We use application-level, tenant-wide authorization with admin consent. This means:
- A single admin approves access once for the entire organization
- No individual users need to log in or approve anything separately
- Access is scoped to exactly what your selected tier requires
The Three Permission Tiers
Comma Compliance offers three levels of access. You only grant what your use case actually requires.
Tier 1 — Directory Access
The minimum level of access. We use it to sync your organization’s user list so that the platform knows who belongs to your team.
What this enables:
- Connect non-email communication channels such as WhatsApp and iMessage
- Manual contact matching — contacts are matched by hand rather than automatically
- Identity verification
What this does NOT include:
- Access to email content, contacts, or mailbox data of any kind
User profiles include email addresses as identifiers — we read these to match users to their Comma accounts, not to access email content.
Why we need these specific permissions:
| Permission | Microsoft Scope | Google Scope | Why we need it |
|---|---|---|---|
| Read all users’ full profiles | User.Read.All | admin.directory.user.readonly | To know who is on your team and create their Comma Compliance accounts |
| Organizational structure | Directory.Read.All | directory.readonly, admin.directory.customer.readonly | To sync your team’s user list. Note: Microsoft bundles groups and devices into this scope — we only use the user list. |
| Identity verification | openid, profile | userinfo.email, userinfo.profile | To confirm the identity of users authenticating with Comma Compliance |
| Maintain granted access | offline_access | (not applicable) | Allows Comma to maintain the connection without requiring re-authentication. The refresh token is stored securely and can be revoked at any time from your Microsoft admin console. |
Tier 2 — Contact Access
Best for teams who want to sync contacts from Microsoft 365 or Google Workspace into Comma Compliance.
What this enables:
- Everything in Directory Access
- Contact syncing from Microsoft 365 or Google Workspace
- Contact discovery from email participants (To, CC, BCC fields)
What this does NOT include:
- Sending email
- Modifying or deleting mailbox data
- Writing or modifying contacts
Note:
Mail.Read and gmail.readonly grant read access to full email content. Comma uses these scopes only to extract contact information from email header fields — email body content is not stored or archived at this tier. Email archiving requires Tier 3.
Why we need these specific permissions:
| Permission | Microsoft Scope | Google Scope | Why we need it |
|---|---|---|---|
| Read user contacts | Contacts.Read | contacts.readonly | To sync contacts from your organization into Comma Compliance |
| Contact discovery from email | Mail.Read | gmail.readonly | To discover contacts from email header fields (To, CC, BCC). These scopes grant full email access — Comma reads headers only and does not store email body content at this tier. |
| Read all users’ full profiles | User.Read.All | admin.directory.user.readonly | Same as Tier 1 |
| Organizational structure | Directory.Read.All | directory.readonly, admin.directory.customer.readonly | Same as Tier 1 |
| Maintain granted access | offline_access | (not applicable) | Same as Tier 1 |
Tier 3 — Full Access
Best for teams enabling email archiving for compliance. This tier is required when email archiving is enabled. Comma Compliance captures, stores, and indexes email content so that your organization meets regulatory retention requirements such as FINRA and SEC.
This tier grants read access to mailbox content and enables ingestion, storage, and indexing of email data for compliance purposes.
What this enables:
- Everything in Contact Access
- Email capture and archiving
- Compliance storage for Microsoft 365 or Google Workspace mail
Why we need these specific permissions:
| Permission | Microsoft Scope | Google Scope | Why we need it |
|---|---|---|---|
| Mail read | Mail.Read | gmail.readonly | To capture emails for compliance archiving — this is the core of email archiving |
| Read user contacts | Contacts.Read | contacts.readonly | Same as Tier 2 |
| Read all users’ full profiles | User.Read.All | admin.directory.user.readonly | Same as Tier 1 |
| Organizational structure | Directory.Read.All | directory.readonly, admin.directory.customer.readonly | Same as Tier 1 |
| Maintain granted access | offline_access | (not applicable) | Same as Tier 1 |
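An added check, not part of Comma's documentation or code: given the scopes a provider reports as granted to the app, compare them against the three tier tables above to flag excess or missing grants and to surface that, at the scope level, Tier 2 and Tier 3 are identical. Scope names are transcribed from this page; the sample grant is constructed.

```python
# Added example, not Comma's own code: compare the scopes a provider reports as
# granted to the Comma Compliance app with the tier tables on this page.
# Scope names are transcribed from the page; sample grants are constructed.
GOOGLE_PREFIX = "https://www.googleapis.com/auth/"

# Tier 1 (Directory Access) scopes.
_TIER1 = {
    "microsoft": {"User.Read.All", "Directory.Read.All", "openid",
                  "profile", "offline_access"},
    "google": {"admin.directory.user.readonly", "directory.readonly",
               "admin.directory.customer.readonly", "userinfo.email",
               "userinfo.profile"},
}
# Tier 2 adds contact and mail read scopes. Tier 3 lists the same scopes as
# Tier 2: the difference is how Comma handles mail content, not the grant.
_TIER2 = {
    "microsoft": _TIER1["microsoft"] | {"Contacts.Read", "Mail.Read"},
    "google": _TIER1["google"] | {"contacts.readonly", "gmail.readonly"},
}
TIER_SCOPES = {1: _TIER1, 2: _TIER2, 3: _TIER2}
MAIL_CONTENT_SCOPES = {"Mail.Read", "gmail.readonly"}


def normalize_scope(scope):
    """Google reports scopes as full URLs; strip the prefix for comparison."""
    scope = scope.strip()
    if scope.startswith(GOOGLE_PREFIX):
        scope = scope[len(GOOGLE_PREFIX):]
    return scope


def audit_scopes(provider, tier, granted):
    """Return excess scopes (beyond the tier), missing scopes (the tier will
    not work as documented) and whether full mailbox content is readable."""
    expected = TIER_SCOPES[tier][provider]
    actual = {normalize_scope(s) for s in granted}
    return {
        "excess": sorted(actual - expected),
        "missing": sorted(expected - actual),
        "mail_content_readable": bool(actual & MAIL_CONTENT_SCOPES),
    }


if __name__ == "__main__":
    # Constructed: a Tier 2 Google grant that also carries gmail.modify.
    granted = [GOOGLE_PREFIX + s for s in sorted(_TIER2["google"])]
    granted.append(GOOGLE_PREFIX + "gmail.modify")
    print(audit_scopes("google", 2, granted))
    # {'excess': ['gmail.modify'], 'missing': [], 'mail_content_readable': True}
```

Run it against the scope list shown on the provider's consent record for the app; any entry under "excess" is a grant this page does not account for.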
What We Never Do
Regardless of tier, Comma Compliance:
- Does not store or persist customer data outside of the configured compliance archive, except as required for transient processing to deliver the service
- Does not share customer data with third-party applications or integrations unless explicitly configured by an administrator. Data may be processed by trusted infrastructure providers as part of service delivery.
- Uses admin-approved, application-level access and does not require delegated user consent for core functionality
- Does not request permissions beyond those required for the selected access tier
Revoking Access
You can revoke Comma Compliance’s access at any time from your Microsoft or Google admin console. Revoking access will disconnect the integration and stop data syncing.
- Microsoft: Azure Active Directory → Enterprise Applications → Comma Compliance → Delete
- Google: Admin Console → Security → API Controls → Manage Third-Party App Access
For questions about data security and how your organization’s data is protected, see the Security and Data Protection page.