Outlook Pro is designed with security as a priority, following the principle of least privilege.
Outlook Pro uses delegated permissions only - the app acts on behalf of the signed-in user, never as an administrator.
| Aspect | Implementation |
|---|---|
| Protocol | OAuth 2.0 Authorization Code Flow |
| Identity Provider | Microsoft Entra ID (Azure AD) |
| Permission Type | Delegated only |
| Token Lifetime | Access: 1 hour, Refresh: 90 days |
Personal mailbox:
| Permission | Purpose |
|---|---|
| `Mail.ReadWrite` | Create drafts, read emails |
| `Mail.Send` | Send emails |
| `offline_access` | Obtain refresh tokens |
| `User.Read` | Read user profile for identification |
Shared mailbox (additional):
| Permission | Purpose |
|---|---|
| `Mail.ReadWrite.Shared` | Create drafts in shared mailbox |
| `Mail.Send.Shared` | Send from shared mailbox |
Note: All permissions are delegated. Users authorize their own accounts.
All OAuth tokens are encrypted before storage:
- Algorithm: Fernet (AES-128-CBC with HMAC)
- Key: Derived from Odoo database UUID
- Storage: Encrypted in PostgreSQL
- Access tokens are short-lived (1 hour)
- Refresh tokens are automatically rotated
- Tokens are never logged or exposed in error messages
- Tokens are cleared on disconnect
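
One way to enforce the "never logged or exposed in error messages" rule above is a `logging.Filter` that scrubs token material from messages and tracebacks before a handler writes them. This is an added example, not Outlook Pro's own code; the logger name, the regex patterns and the sample messages are assumptions constructed for illustration.

```python
import io
import logging
import re

# Constructed sample values, not real tokens.
FAKE_ACCESS = "CONSTRUCTED-ACCESS-TOKEN-0001"
FAKE_REFRESH = "CONSTRUCTED-REFRESH-TOKEN-0002"

_PATTERNS = [
    # Authorization header value: "Bearer <token>"
    (re.compile(r"(?i)\b(bearer\s+)[A-Za-z0-9._~+/=-]{8,}"), r"\1[REDACTED]"),
    # access_token / refresh_token in JSON, dict repr, or form-encoded bodies
    (re.compile(r"""(?i)\b((?:access|refresh)_token["']?\s*[:=]\s*["']?)[^"'&\s,}]+"""),
     r"\1[REDACTED]"),
]

def redact(text):
    """Replace token values in text with a fixed marker."""
    for pattern, repl in _PATTERNS:
        text = pattern.sub(repl, text)
    return text

class TokenRedactingFilter(logging.Filter):
    """Scrub token material from the message and from any traceback."""
    def filter(self, record):
        # Render first so tokens passed as %-style args are caught too.
        record.msg, record.args = redact(record.getMessage()), None
        if record.exc_info:
            # Pre-fill exc_text; logging.Formatter reuses it instead of re-rendering.
            record.exc_text = redact(logging.Formatter().formatException(record.exc_info))
        return True

def demo():
    """Send constructed log lines through the filter; return what was written."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    # Attached to the handler so every logger feeding it is covered.
    handler.addFilter(TokenRedactingFilter())
    log = logging.getLogger("outlook_pro_demo")  # hypothetical logger name
    log.handlers, log.propagate = [handler], False
    log.error("[Graph API] 401 for %s, header Authorization: Bearer %s", "/me/messages", FAKE_ACCESS)
    log.error('[Graph API] refresh failed: {"refresh_token": "%s", "error": "invalid_grant"}', FAKE_REFRESH)
    try:
        raise RuntimeError("POST body refresh_token=%s&grant_type=refresh_token" % FAKE_REFRESH)
    except RuntimeError:
        log.exception("[Graph API] request error")
    return stream.getvalue()

if __name__ == "__main__":
    print(demo())
```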
For shared mailboxes:
- Each user authenticates with their own Microsoft account
- Users need SendAs permission granted in Microsoft 365
- No shared credentials or service accounts
```
User → Odoo → Microsoft Graph API → Microsoft 365
         ↑
    OAuth Token
    (encrypted)
```
- User initiates action in Odoo
- Odoo retrieves encrypted token
- Token decrypted in memory
- API call made to Microsoft Graph
- Response processed in Odoo
All email operations are logged:
- Sent emails tracked with Microsoft message ID
- Sync operations logged with `[Incoming Mail]` tag
- API errors logged with `[Graph API]` tag
- GDPR: User data processed per Microsoft's data processing terms
- Data residency: Determined by Microsoft 365 tenant configuration
- Odoo data: Stored in your Odoo database location