TemplateManager365 Permissions

What permissions do you need to use TemplateManager365?

When you select a template store (personal or team) in TemplateManager365 you will be asked to give the plugin certain Microsoft 365 permissions in order to save and load templates. On this page we will go through each permission and why it is needed.

General information about template stores

It’s important to note that TemplateManager365 works completely on your computer. The permissions you grant to TemplateManager365 are only used on your computer and never transferred to any server for processing.

The only server we operate for TemplateManager365 is used to check whether you have purchased a commercial license. See our firewall section if you want to enforce this.

Your data and your Microsoft 365 security tokens are never transferred to our servers

In order to operate either version, TemplateManager365 requires a security token to access Microsoft 365 on your behalf. This token gives the add-in permission to read and write templates in your mailbox or your Microsoft 365 group (OneDrive, to be specific). When you grant the permissions, Microsoft will show you various warnings that the app can send this data to the internet. Because add-ins are software programs running inside Outlook, this is theoretically true. There is no way to limit the transfer of the data the add-in processes to the local client alone, as we also need to communicate with Microsoft Graph (the programming interface the add-in's functionality is built on). This is not specific to our add-in; it is the case for all add-ins that interact with Microsoft 365.

However, TemplateManager365 was built to run only inside Outlook. No server on our side is involved in processing your templates, so neither the token nor any of your data is ever sent anywhere except to Microsoft’s own servers. You can read more in our privacy-policy.

Microsoft 365 permissions for Personal Edition

Permissions dialog for Mailbox Store

If you choose to store the templates in your personal mailbox (personal edition) the following permissions are required:

  • Sign you in and read your profile: This is the general permission to allow you to sign into Microsoft 365.
  • Read and write access to your mail: The personal store is a hidden folder in your Microsoft 365 mailbox, so the plugin needs to be able to read and write email messages and subfolders of that folder. No other email folders are read or modified.
  • Maintain access to data you have given it access to: Microsoft permissions are separated into access and refresh tokens. The access token is the first token you get and requires you to log in. The refresh token then lets the plugin tell Microsoft it is still working on your behalf (i.e. preparing or sending a mail merge) and get a refresh token to give the plugin continued access. This permission lets us get a refresh token without asking you every couple of minutes while you are sending a mail merge campaign. Despite what the permission indicates, the token is never transferred outside of your Outlook instance. Therefore, as soon as you close the plugin or Outlook you will be asked to log in again, and no operations can occur when the plugin is not loaded.

If any of this is not clear enough, please contact us at [email protected] and we will do our best to improve this documentation.

Microsoft 365 permissions for Team Edition

Permissions dialog for Groups Store

If you choose to store the templates in a Microsoft 365 group’s drive (team edition) the following permissions are required:

  • Sign you in and read your profile: This is the general permission to allow you to sign into Microsoft 365.
  • Read all groups: In order to list the groups you are a member of, the plugin needs to be able to read these.
  • Full access to your files: The team edition stores templates in the drive of the Microsoft 365 group (also known as the “SharePoint Document Library” or “OneDrive for Business Drive”). Therefore the plugin needs to be able to read and write files in those drives. The plugin will always create a new root folder called TemplateManager365 to store the templates and only ever read or write files in that folder.
  • Maintain access to data you have given it access to: Microsoft permissions are separated into access and refresh tokens. The access token is the first token you get and requires you to log in. The refresh token then lets the plugin tell Microsoft it is still working on your behalf (i.e. preparing or sending a mail merge) and get a refresh token to give the plugin continued access. This permission lets us get a refresh token without asking you every couple of minutes while you are sending a mail merge campaign. Despite what the permission indicates, the token is never transferred outside of your Outlook instance. Therefore, as soon as you close the plugin or Outlook you will be asked to log in again, and no operations can occur when the plugin is not loaded.

If any of this is not clear enough, please contact us at [email protected] and we will do our best to improve this documentation.
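
Added example (not part of TemplateManager365 or its documentation): a check an administrator could run to compare the scopes actually granted to the add-in, for instance the space-separated scope string of a consent grant, with the permissions listed above for each edition. The Microsoft Graph scope names are an assumed mapping of the consent-dialog texts on this page; the openid/profile allowance and the sample grants are constructed for illustration.

```javascript
// Added example, not TemplateManager365 code.
// ASSUMPTION: scope names below are a mapping of the consent-dialog texts on
// this page to Microsoft Graph delegated permissions; adjust to what your
// tenant's consent record actually shows.
const DOCUMENTED = {
  personal: ["User.Read", "Mail.ReadWrite", "offline_access"],
  team: ["User.Read", "Group.Read.All", "Files.ReadWrite", "offline_access"],
};
// ASSUMPTION: OpenID Connect sign-in scopes that often accompany a sign-in grant.
const SIGN_IN = ["openid", "profile"];

// Split a space-separated scope string into unique scope names.
function parseScopes(scopeString) {
  return [...new Set(String(scopeString).trim().split(/\s+/).filter(Boolean))];
}

// Compare granted scopes with the documented set for one edition.
// Scope names are compared case-insensitively.
function auditGrant(edition, scopeString) {
  const expected = DOCUMENTED[edition];
  if (!expected) throw new Error(`unknown edition: ${edition}`);
  const lower = (s) => s.toLowerCase();
  const granted = parseScopes(scopeString);
  const grantedSet = new Set(granted.map(lower));
  const allowed = new Set([...expected, ...SIGN_IN].map(lower));
  // Anything granted beyond the documented list deserves a closer look.
  const unexpected = granted.filter((s) => !allowed.has(lower(s)));
  // A documented scope that is absent means the add-in cannot work as described.
  const missing = expected.filter((s) => !grantedSet.has(lower(s)));
  return { ok: unexpected.length === 0 && missing.length === 0, unexpected, missing };
}

// Constructed sample grants (not taken from a real tenant).
const samples = [
  ["personal", "User.Read Mail.ReadWrite offline_access"],
  ["personal", "openid profile user.read Mail.ReadWrite offline_access Contacts.Read"],
  ["team", "User.Read Group.Read.All offline_access"],
];
for (const [edition, scopes] of samples) {
  console.log(edition, JSON.stringify(auditGrant(edition, scopes)));
}
```

A non-empty `unexpected` list means the grant is broader than this page documents and should be reviewed before consent is kept.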

Required firewall permissions

Microsoft 365 plugins are essentially single-page web applications that are loaded from our webserver at https://www.templatemanager365.com. Only HTTP GET permissions are required to fetch the plugin.

The plugin will communicate via HTTP GET and POST to Microsoft’s Graph API to store and retrieve templates. The plugin will never communicate with any other server.

Note: our infrastructure is hosted in Microsoft’s European Azure datacenters.