To connect Outlook, Tekst requests a small set of Microsoft Graph permissions. These permissions are available by default in Microsoft 365, but many organizations restrict them as they tighten their security policies. If yours does, an administrator needs to grant them in Azure Active Directory (AAD) before the connection will work.
The exact permissions depend on which account type you connect. See the "Outlook integration: personal vs organization-wide accounts" article if you are not sure which one applies to you.
Personal accounts (delegated permissions)
A personal account signs in as an individual user, so Tekst requests delegated permissions - access on behalf of that signed-in user:
- user.read - verify the connected user and mailbox.
- mailboxsettings.read - read and apply Outlook categories.
- mail.readwrite - read incoming emails (the read part) and add category labels or move emails into folders (the write part).
- mail.send - forward emails, when an automation is configured to do so.
To also connect shared mailboxes that the user can access, Tekst additionally requests:
- mail.readwrite.shared - read and process emails in a shared mailbox, and apply labels or move them into folders.
- mail.send.shared - forward emails from a shared mailbox, when configured.
Tekst will never delete emails.
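An administrator reviewing consent can compare what was actually granted with the delegated scopes listed above. The following is an added example, not Tekst's or Microsoft's own code: it assumes grant records exported in the shape of Microsoft Graph's oauth2PermissionGrant resource (a space-separated scope string plus consentType), treats the OpenID Connect sign-in scopes as acceptable (an assumption), and runs on constructed sample records.

```python
# Added example: audit delegated Graph grants against the scopes listed above.
BASE_SCOPES = {"user.read", "mailboxsettings.read", "mail.readwrite", "mail.send"}
SHARED_SCOPES = {"mail.readwrite.shared", "mail.send.shared"}
# Assumption (not from the article): OpenID Connect sign-in scopes may also be present.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}


def audit_grant(grant, allow_shared=False):
    """Return findings for one record shaped like a Graph oauth2PermissionGrant."""
    allowed = BASE_SCOPES | OIDC_SCOPES
    if allow_shared:
        allowed |= SHARED_SCOPES
    # Graph stores delegated scopes as one space-separated string.
    granted = {s.lower() for s in (grant.get("scope") or "").split()}
    findings = [f"unexpected scope: {s}" for s in sorted(granted - allowed)]
    # Absent scopes are expected with "Ask for minimal permissions"; otherwise
    # the features that rely on them will not work.
    findings += [f"not granted: {s}" for s in sorted(BASE_SCOPES - granted)]
    if grant.get("consentType") == "AllPrincipals":
        findings.append("note: consent covers every user in the tenant")
    return findings


# Constructed sample records; ids are placeholders, not real tenant values.
SAMPLE_GRANTS = [
    {"id": "grant-1", "consentType": "Principal",
     "scope": "User.Read MailboxSettings.Read Mail.ReadWrite Mail.Send offline_access"},
    {"id": "grant-2", "consentType": "Principal",
     "scope": "User.Read Mail.ReadWrite Mail.ReadWrite.Shared"},
    {"id": "grant-3", "consentType": "AllPrincipals",
     "scope": "User.Read MailboxSettings.Read Mail.ReadWrite Mail.Send Files.Read.All"},
]

if __name__ == "__main__":
    for g in SAMPLE_GRANTS:
        for finding in audit_grant(g) or ["ok"]:
            print(g["id"], finding)
```

Pass allow_shared=True for users who are meant to connect shared mailboxes, so the two .shared scopes are not reported as unexpected.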
Minimal permissions
During setup, a personal account can enable "Ask for minimal permissions". This requests only the smallest set of permissions needed to read and process emails. Choose this if your security policy requires the narrowest possible access; note that some features (such as applying categories) rely on the broader set.
Organization-wide accounts (application permissions)
An organization-wide account does not sign in as a user. Instead, a Microsoft 365 administrator grants Tekst application permissions once, and Tekst uses application-level access to reach mailboxes across the tenant. There are no .shared permissions in this model - application access already spans the mailboxes the policy allows.
Because this access can reach every mailbox in the tenant by default, we strongly recommend scoping it to only the mailboxes Tekst should process. See Restrict Tekst to specific mailboxes.
Granting these permissions in Azure
If your organization has restricted the permissions above, an administrator can grant them on the Tekst enterprise application in Azure. See Configure Outlook access in Azure.