TemplateManager365 Help

Permissions required to run TemplateManager365

When you select a template store (personal or team) in TemplateManager365 you will be asked to give the plugin certain Microsoft 365 permissions in order to save and load templates. On this page we will go through each permission and why it is needed.

General information about template stores

It's important to note that TemplateManager365 works completely on your computer. The permissions you grant to TemplateManager365 are only used on your computer and never transferred to any server for processing.

The only server we operate for TemplateManager365 is used to check whether you have purchased a commercial license. See our firewall section if you want to enforce this.

Microsoft 365 permissions for Personal Edition

If you choose to store the templates in your personal mailbox (personal edition) the following permissions are required:

  • Sign you in and read your profile: This is the general permission to allow you to sign into Microsoft 365.
  • Read and write access to your mail: The personal store is a hidden folder in your Microsoft 365 mailbox; therefore the plugin needs to be able to write and read email messages and subfolders of that folder. No other email folders are read or modified.
  • Maintain access to data you have given it access to: Microsoft permissions are separated into access and refresh tokens. The access token is the first token you get and requires you to log in. The refresh token then lets the plugin tell Microsoft it is still working on your behalf (i.e. preparing or sending a mail merge) and get a refresh token to give the plugin continued access. This permission lets us get a refresh token without asking you every couple of minutes while you are sending a mail merge campaign. Despite what the permission indicates, the token is never transferred outside of your Outlook instance; therefore, as soon as you close the plugin or Outlook you will be asked to log in again, and no operations can occur when the plugin is not loaded.

If any of this is not clear enough, please contact us at [email protected] and we will do our best to improve this documentation.

Microsoft 365 permissions for Team Edition

If you choose to store the templates in a Microsoft 365 group's drive (team edition) the following permissions are required:

  • Sign you in and read your profile: This is the general permission to allow you to sign into Microsoft 365.
  • Read all groups: In order to list the groups you are a member of, the plugin needs to be able to read these.
  • Full access to your files: The team edition stores templates in the drive of the Microsoft 365 group (also known as the "SharePoint Document Library" or "OneDrive for Business Drive"). Therefore the plugin needs to be able to read and write files in those drives. The plugin will always create a new root folder called TemplateManager365 to store the templates and only ever read or write files in that folder.
  • Maintain access to data you have given it access to: Microsoft permissions are separated into access and refresh tokens. The access token is the first token you get and requires you to log in. The refresh token then lets the plugin tell Microsoft it is still working on your behalf (i.e. preparing or sending a mail merge) and get a refresh token to give the plugin continued access. This permission lets us get a refresh token without asking you every couple of minutes while you are sending a mail merge campaign. Despite what the permission indicates, the token is never transferred outside of your Outlook instance; therefore, as soon as you close the plugin or Outlook you will be asked to log in again, and no operations can occur when the plugin is not loaded.

If any of this is not clear enough, please contact us at [email protected] and we will do our best to improve this documentation.

Required firewall permissions

Microsoft 365 plugins are essentially single-page web applications that are loaded from our webserver at https://www.templatemanager365.com. Only HTTP GET permissions are required to fetch the plugin, with one exception:

The plugin will verify whether the user has a valid license by calling an API endpoint with an HTTP POST request at https://www.templatemanager365.com/api/license.

Therefore the plugin requires only HTTP GET and POST permissions on port 443 (HTTPS TLS) to our server cluster at www.templatemanager365.com.

Note: our infrastructure is hosted in Microsoft's European Azure datacenters.
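
To confirm that vendor-bound traffic stays within the rules above, an administrator can replay proxy logs against them. The following is an added example, not code from TemplateManager365: the "METHOD URL" log format, the function names and every sample path except /api/license are assumptions made for illustration. Traffic to other hosts (for example Microsoft 365 itself) is reported as out of scope, because this page only describes traffic to www.templatemanager365.com.

```python
from urllib.parse import urlsplit

VENDOR_HOST = "www.templatemanager365.com"   # from this page
LICENSE_PATH = "/api/license"                # from this page

# Constructed sample lines in an assumed "METHOD URL" proxy-log format.
# Every path except /api/license is made up for illustration.
SAMPLE_LOG = """\
GET https://www.templatemanager365.com/index.html
POST https://www.templatemanager365.com/api/license
POST https://www.templatemanager365.com/api/templates
PUT https://www.templatemanager365.com/api/license
GET http://www.templatemanager365.com/index.html
GET https://www.templatemanager365.com:8443/index.html
POST https://www.templatemanager365.com/api/license/../upload
GET https://graph.microsoft.com/v1.0/me
"""

def check(method, url):
    """Classify one request against the documented vendor-traffic rules."""
    parts = urlsplit(url)
    if (parts.hostname or "") != VENDOR_HOST:
        return "out-of-scope"      # not vendor traffic; covered by other rules
    if parts.scheme != "https" or parts.port not in (None, 443):
        return "violation: not HTTPS on port 443"
    method = method.upper()
    if method == "GET":
        return "allow"             # fetching the plugin itself
    if method == "POST" and parts.path == LICENSE_PATH:
        return "allow"             # the single documented POST endpoint
    if method == "POST":
        return "violation: POST outside " + LICENSE_PATH
    return "violation: method " + method + " not documented"

def audit(log_text):
    """Return (line, verdict) for every vendor request that breaks the rules."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        method, url = line.split(None, 1)
        verdict = check(method, url.strip())
        if verdict.startswith("violation"):
            findings.append((line, verdict))
    return findings

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_LOG):
        print(verdict, "<-", line)
```

The path comparison is an exact match on purpose, so a request such as /api/license/../upload is flagged rather than normalised and allowed.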

Data transfer to our server (i.e. your email address)

The plugin will check for a license only when you choose the team edition on the start screen.

The primary email address of the mailbox you are logged in as will be sent. The email is matched against a list of valid licenses on our licensing server. If there is no match, the email does not get stored.

  • For users of the personal edition the email address is never transmitted or stored.
  • For users of the team edition license the email is stored for the duration of your license.