Clarification on Data Privacy and Email Access Scopes

During the setup of the Procore for Outlook add-in, IT Security or compliance offices may express concern over the broad permission language presented by the Microsoft 365 environment. The prompt appears to request access to the organization's entire email system, leading to questions about potential background access or data privacy risks.

Root Cause

The permission scopes shown during installation are standard boilerplate text provided by Microsoft for all add-ins utilizing the Mailbox API. The scope of the tool is restricted, and it does not grant Procore unrestricted or autonomous access to your organization's email server.

• Permission Scopes:

  • The add-in requires permissions such as Mail.Read specifically so that when a user manually chooses to file an email to Procore, the system has the technical authority to process that specific data.

  • The app functions via Delegated Permissions, meaning it can only access data that the currently logged-in user is already authorized to see.

• Data Security Context:

  • Procore does not "read" emails in the background for analytical purposes; it only interacts with the email data when the user initiates an action within the add-in.

  • For a detailed breakdown of every permission requested and the business justification for each, please refer to the Procore for Outlook Permissions Documentation.