// API PERMISSIONS REFERENCE

API Scopes

IntegrityLayer requests the minimum necessary permissions. Every scope is listed here with a plain-English explanation of why it's needed. We follow the principle of least privilege — no access to calendars, contacts, files, or anything outside the mail intercept flow.

01 / MICROSOFT GRAPH API

Permissions are granted via Azure Enterprise App admin consent. These are Application permissions (not delegated), meaning they apply across all mailboxes in the tenant.

| Scope | Type | Reason |
|---|---|---|
| Mail.ReadWrite | Application | Read message content for classification; move to quarantine folder via Graph API. |
| Mail.Send | Application | Release quarantined messages to recipient inbox after successful MFA verification. |
| MailboxSettings.Read | Application | Read user timezone and locale for accurate timestamp display in audit logs. |
| User.Read.All | Application | Resolve sender UPN from message metadata; map to MFA challenge recipient. |
| Subscription (webhook) | Application | Register Graph Change Notification webhooks on message creation events. |

# Verify consent via Azure Portal
Azure Portal → Enterprise Apps → IntegrityLayer → API Permissions
All scopes should show: Granted for [your tenant] ✓

02 / GOOGLE GMAIL API

Permissions are granted via Google Workspace Marketplace domain-wide installation. IntegrityLayer uses a service account with domain-wide delegation.

| Scope URI | Access | Reason |
|---|---|---|
| gmail.modify | Read + Write | Archive (quarantine) flagged messages; remove quarantine label on release. |
| gmail.send | Send | Re-deliver quarantined message to original recipient after MFA success. |
| pubsub.subscribe | Subscribe | Real-time push notifications for new message events via Google Cloud Pub/Sub. |
| admin.directory.user.readonly | Read | Resolve sender identity from email address for MFA challenge routing. |

# Verify domain-wide delegation
admin.google.com → Security → Access and data control → API Controls
Domain-wide delegation → IntegrityLayer service account → Edit scopes

03 / SCOPES WE DON'T REQUEST

Calendars.Read / ReadWrite
Contacts.Read / ReadWrite
Files.Read / ReadWrite (OneDrive)
Sites.Read (SharePoint)
Tasks.Read / ReadWrite
User.ReadWrite.All
Directory.ReadWrite.All
gmail.readonly (unnecessary — .modify is used)
drive.readonly
admin.directory.domain
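The portal checks under 01 and 02 tell you what a tenant has granted today, but they do not catch drift. The script below is an added example (not IntegrityLayer's own tooling) that turns the three lists on this page into an audit: it resolves Microsoft Graph appRoleAssignments to permission names using the Graph service principal's appRoles list (both are real Graph API shapes; the sample records and GUIDs here are constructed placeholders, not real Microsoft app-role ids), reduces Gmail scope URIs to the short names used in section 02, and then reports what is documented but missing, what is granted but undocumented, and anything on the section 03 "we don't request" list. The function and variable names are this example's own.

```python
"""Least-privilege audit for the scopes documented on this page.

Added example, not IntegrityLayer's own code. All sample data below is
constructed; the GUIDs are placeholders, not real Microsoft Graph app-role ids.
"""
from dataclasses import dataclass

# Documented allow-list, section 01. "Subscription (webhook)" is a capability
# rather than an app role, so it is not part of the Graph comparison.
GRAPH_EXPECTED = {"Mail.ReadWrite", "Mail.Send", "MailboxSettings.Read", "User.Read.All"}

# Documented allow-list, section 02 (short names as written on this page).
GMAIL_EXPECTED = {"gmail.modify", "gmail.send", "pubsub.subscribe",
                  "admin.directory.user.readonly"}

# Section 03: scopes that must never appear on the IntegrityLayer principal.
NEVER_EXPECTED = {
    "Calendars.Read", "Calendars.ReadWrite", "Contacts.Read", "Contacts.ReadWrite",
    "Files.Read", "Files.ReadWrite", "Sites.Read", "Tasks.Read", "Tasks.ReadWrite",
    "User.ReadWrite.All", "Directory.ReadWrite.All",
    "gmail.readonly", "drive.readonly", "admin.directory.domain",
}


@dataclass(frozen=True)
class AuditResult:
    missing: frozenset    # documented but not granted: the intercept flow will break
    excess: frozenset     # granted but not documented: least-privilege drift
    forbidden: frozenset  # granted and explicitly listed under section 03


def audit(granted, expected, forbidden=NEVER_EXPECTED):
    """Compare the set of granted scope names against the documented sets."""
    granted = set(granted)
    return AuditResult(
        missing=frozenset(expected - granted),
        excess=frozenset(granted - expected),
        forbidden=frozenset(granted & forbidden),
    )


def resolve_graph_roles(assignments, graph_app_roles):
    """Map appRoleAssignments (appRoleId GUIDs) to permission names.

    `graph_app_roles` is the appRoles array of the Microsoft Graph service
    principal; `assignments` is the appRoleAssignments array of the
    IntegrityLayer service principal. Unknown ids are kept, prefixed, so an
    assignment that cannot be named is never silently dropped.
    """
    by_id = {role["id"]: role["value"] for role in graph_app_roles}
    return {by_id.get(a["appRoleId"], f"unknown:{a['appRoleId']}") for a in assignments}


def gmail_short_names(scope_uris):
    """Reduce OAuth scope URIs to the last path segment, e.g. .../auth/gmail.modify."""
    return {uri.rstrip("/").rsplit("/", 1)[-1] for uri in scope_uris}


# --- constructed sample data (placeholder GUIDs) ---------------------------
SAMPLE_GRAPH_APP_ROLES = [
    {"id": "00000000-0000-0000-0000-000000000001", "value": "Mail.ReadWrite"},
    {"id": "00000000-0000-0000-0000-000000000002", "value": "Mail.Send"},
    {"id": "00000000-0000-0000-0000-000000000003", "value": "MailboxSettings.Read"},
    {"id": "00000000-0000-0000-0000-000000000004", "value": "User.Read.All"},
    {"id": "00000000-0000-0000-0000-000000000005", "value": "Calendars.Read"},
]
# A tenant that forgot MailboxSettings.Read, over-granted Calendars.Read, and
# carries one assignment whose id is not in the Graph appRoles list at all.
SAMPLE_ASSIGNMENTS = [
    {"appRoleId": "00000000-0000-0000-0000-000000000001"},
    {"appRoleId": "00000000-0000-0000-0000-000000000002"},
    {"appRoleId": "00000000-0000-0000-0000-000000000004"},
    {"appRoleId": "00000000-0000-0000-0000-000000000005"},
    {"appRoleId": "ffffffff-ffff-ffff-ffff-ffffffffffff"},
]
SAMPLE_GMAIL_SCOPES = [
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/pubsub.subscribe",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/gmail.readonly",  # redundant, per section 03
]


def graph_audit(assignments=SAMPLE_ASSIGNMENTS, app_roles=SAMPLE_GRAPH_APP_ROLES):
    return audit(resolve_graph_roles(assignments, app_roles), GRAPH_EXPECTED)


def gmail_audit(scope_uris=SAMPLE_GMAIL_SCOPES):
    return audit(gmail_short_names(scope_uris), GMAIL_EXPECTED)


if __name__ == "__main__":
    for name, result in (("Microsoft Graph", graph_audit()), ("Gmail", gmail_audit())):
        print(f"{name}: missing={sorted(result.missing)} "
              f"excess={sorted(result.excess)} forbidden={sorted(result.forbidden)}")
```

In a real deployment the two sample arrays would come from `GET /servicePrincipals/{graphSpId}/appRoles` and `GET /servicePrincipals/{integrityLayerSpId}/appRoleAssignments`, and the Gmail list from the scopes recorded against the service account's client ID; a non-empty `forbidden` or `excess` set is the condition worth alerting on, since `missing` will already surface as a runtime failure.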