Security & Permissions Page
Built for security teams. Here is exactly what AccessPulse can and cannot do in your Microsoft 365 tenant.
Read-only. Always.
AccessPulse connects via the Microsoft Graph API with read-only permissions. It cannot create, modify, or delete anything in your tenant. It cannot read emails, open files, or change any settings. If it helps, think of it like a read-only query against your directory - nothing more.
Exact permissions requested:
| Permission | What it reads | What it cannot do |
|---|---|---|
| User.Read.All | Names, job titles, departments | Emails, files, calendar, personal content |
| Directory.Read.All | Group memberships, org structure | Modify any directory settings |
| RoleManagement.Read.Directory | Admin role assignments | Change or assign roles |
| AuditLog.Read.All | Sign-in dates, last login | Email content or file activity |
| UserAuthenticationMethod.Read.All | MFA registration status | Access or change credentials |
| Reports.Read.All | Licence usage data | Individual user activity |
What gets stored and where
- OAuth tokens are encrypted with AES-256-GCM and stored in Supabase in the EU
- User data stored: display names, emails, job titles, MFA status, last sign-in dates
- User data NOT stored: emails, files, calendar, passwords, personal communications
- Snapshots are kept for 12 months then deleted
- Only your organisation can see your data - enforced at database level with Row Level Security
Verify this yourself
After connecting, your Windows admin can check every permission granted:
- Go to portal.azure.com > Microsoft Entra ID > Enterprise Applications
- Search for AccessPulse
- Click Permissions
You can revoke access from there at any time. No need to contact us.
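A scripted version of the same check, as an added example (not AccessPulse's code): it compares the delegated scopes in a Microsoft Graph `oauth2PermissionGrants` response with the permissions table above and reports anything extra, write-capable, or missing. It assumes the permissions are delegated grants; the sample response, its placeholder IDs and the `audit_grants` helper are constructed for illustration.

```python
import json

# Delegated scopes from the "Exact permissions requested" table on this page.
DOCUMENTED = {
    "User.Read.All", "Directory.Read.All", "RoleManagement.Read.Directory",
    "AuditLog.Read.All", "UserAuthenticationMethod.Read.All", "Reports.Read.All",
}
# Standard OpenID Connect sign-in scopes, reported separately (assumption: the
# page does not say whether the app requests them).
OIDC = {"openid", "profile", "email", "offline_access"}
# Scope-name segments that indicate more than read access (name heuristic).
WRITE_SEGMENTS = {"ReadWrite", "Write", "Send", "Manage", "FullControl"}

# Constructed sample shaped like the Graph response for
# GET /v1.0/servicePrincipals/{id}/oauth2PermissionGrants. IDs are placeholders.
# The second grant deliberately carries a scope that is not in the table, and
# Reports.Read.All is left out, so the check has something to report.
SAMPLE = {"value": [
    {"clientId": "<app-sp-object-id>", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "<graph-sp-object-id>",
     "scope": "openid offline_access User.Read.All Directory.Read.All "
              "RoleManagement.Read.Directory AuditLog.Read.All "
              "UserAuthenticationMethod.Read.All"},
    {"clientId": "<app-sp-object-id>", "consentType": "Principal",
     "principalId": "<user-object-id>", "resourceId": "<graph-sp-object-id>",
     "scope": " Mail.Send"},
]}

def audit_grants(response):
    """Compare granted delegated scopes with the documented permission list."""
    granted, per_user = set(), []
    for grant in response.get("value", []):
        # "scope" is a space-separated string and may start with a space.
        granted |= set(grant.get("scope", "").split())
        if grant.get("consentType") == "Principal":  # consent given by one user
            per_user.append(grant.get("principalId"))
    return {
        "undocumented": sorted(granted - DOCUMENTED - OIDC),
        "write_capable": sorted(s for s in granted
                                if WRITE_SEGMENTS & set(s.split("."))),
        "missing": sorted(DOCUMENTED - granted),
        "oidc": sorted(granted & OIDC),
        "per_user_grants": per_user,
    }

if __name__ == "__main__":
    print(json.dumps(audit_grants(SAMPLE), indent=2))
```

Empty `undocumented` and `write_capable` lists mean the grants match the table; any entry there is worth reviewing before leaving the app connected.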
Infrastructure
- Database: Supabase (PostgreSQL) - EU region - SOC2 compliant
- Hosting: Vercel - SOC2 compliant
- Encryption: AES-256-GCM for all stored tokens
- Auth: Microsoft OAuth 2.0 - AccessPulse never sees or stores your password