How Exactly Do Office 365 Apps Authenticate?
We use OAuth with MS Graph to get an access token with the subset of your permissions that you grant us during that login process (listed during the login process and also here).
We never store (or even have access to) your username/password, and the access token your login grants us does not have all permissions from the account you use.
OAuth is an open standard for granting applications the ability to access certain functions on behalf of the user, but without giving the application the user's login credentials. It is widely used, including by companies such as Amazon, Google, Facebook, Microsoft, and Twitter.
The OAuth process with Microsoft works as follows (summarized; the flow above is from Microsoft):
- We register our app with Microsoft to be able to use their OAuth endpoint
- We redirect your login to Microsoft's OAuth endpoint
- You authenticate to Microsoft and consent to the permissions listed
- Microsoft sends us an encrypted access token that only lets us use Microsoft APIs on your behalf, and only if you have granted us the required permissions
- We use that access token to pull, analyze, and display your Microsoft security data across all tenants
This means that:
- You authenticate with a Microsoft endpoint independent of your login with our servers. We do not have access to your credentials
- The access token we get does NOT have full admin rights. It has only the rights you grant us
For even more details, see the Microsoft OAuth code flow.
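
The redirect, callback, and token steps listed above, sketched as an added example (not our production code and not Microsoft's sample). The client ID, redirect URI, `common` tenant, scope names, and the use of PKCE are assumptions made for illustration; the endpoint paths and parameter names are those of the Microsoft identity platform authorization code flow.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlencode, urlparse, parse_qs

# All values below are assumptions for illustration, not this service's real settings.
AUTHORITY = "https://login.microsoftonline.com/common/oauth2/v2.0"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"      # placeholder app registration ID
REDIRECT_URI = "https://app.example.com/auth/callback"  # placeholder redirect URI
SCOPES = ["User.Read", "SecurityEvents.Read.All"]       # assumed least-privilege scopes

def new_pkce_pair():
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636."""
    verifier = secrets.token_urlsafe(48)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorize_url(state, code_challenge):
    """URL the browser is redirected to; only SCOPES are requested for consent."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": " ".join(SCOPES),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORITY + "/authorize?" + urlencode(params)

def handle_callback(callback_url, expected_state):
    """Return the authorization code, rejecting denied consent or a foreign state."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise PermissionError(query["error"][0])
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this login")
    return query["code"][0]

def token_request_body(code, code_verifier):
    """Form fields POSTed to AUTHORITY + '/token'; a server-side app also sends its credential."""
    return {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(SCOPES),
        "code_verifier": code_verifier,
    }
```

No username or password appears anywhere in these requests: the application only ever handles the `state` value, the one-time authorization code, and the token issued for the consented scopes.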