For IT adminsMicrosoft 365 integration

What InsightHire's Microsoft 365 integration does — and what it doesn't

A one-time tenant-wide approval lets the recruiters at your company schedule interview calendar invites that land on their own Outlook with a real Teams meeting attached. Nothing more. This page is for the IT security team reviewing the consent request — what we ask for, what we don't, and why.

Microsoft-verified publisher

Our Entra app registration is linked to a Microsoft Partner Network ID (7109261) with the insighthire.com domain verified. Your users see a blue checkmark next to the InsightHire name on the consent screen.

Per-user, delegated

Every token is bound to the signed-in recruiter. We can't act without a specific user's session, can't read anyone else's mailbox, and can't mint app-only credentials.

Tokens encrypted at rest

Access and refresh tokens are AES-256-GCM encrypted in our database with a key held in your dedicated InsightHire environment. Revoke any time from Entra → Enterprise applications → InsightHire.

The three permissions we request

Same three you'll see on the Microsoft consent screen. Spelled out in plain English.

Sign in and read user profile

User.Read

Microsoft signs the user in and tells us their name, email, and time zone. That's it — no directory data, no access to other users, no group or device info.

Read and write the signed-in user's own calendar

Calendars.ReadWrite

Lets InsightHire create interview events on the recruiter's own Outlook calendar and update them when interviews are rescheduled. Scoped to the signed-in user's mailbox — we can't see anyone else's calendar.

Maintain access via refresh tokens

offline_access

Standard OAuth permission. Lets us refresh the user's access token in the background so recruiters don't have to re-sign-in every hour. Revocable any time from Entra → Enterprise applications.

What this integration deliberately does NOT do

  • Read or send mail on the user's behalf
  • Access any other user's calendar, mailbox, or files
  • Read directory data, group membership, or device info
  • Use any app-only / service-principal credentials
  • Create Teams meetings via the standalone OnlineMeetings API (the admin-consent-required one) — Teams meetings ride on the calendar event itself

Why your one-time approval is needed

Microsoft's default tenant consent policy (since Nov 2020) is "Allow user consent for apps from verified publishers, for low-impact permissions." The Calendars.ReadWrite scope isn't in Microsoft's default low-impact list, so a regular user can't self-consent — even though InsightHire is a verified publisher and the scope is per-user delegated.

That's why the consent request goes to a Global Administrator (or a Cloud Application / Application Administrator). One click on Accept records tenant-wide consent for the InsightHire app. Every recruiter at your company can then connect without seeing the "Approval required" screen ever again.

How to revoke access

  1. Sign into entra.microsoft.com
  2. Identity → Applications → Enterprise applications
  3. Find InsightHire in the list
  4. Delete the application (revokes tenant-wide consent), or use Properties → Enabled for users to sign in: No to keep the record but block future use.

Existing per-user tokens are dropped server-side within ~1 hour of revocation. No data we've already stored (interview events the recruiter created) is removed from your Outlook by revocation; that lives on each user's mailbox.

App identity (for cross-reference)

Application name: InsightHire
Publisher: INSIGHTHIRE LLC (MPN 7109261, verified)
Application (client) ID: 148932cc-0eaf-42eb-8b63-a52cdb4d0ebc
Redirect URI: https://api.insighthire.com/api/auth/microsoft/callback

Questions before clicking Accept? Email support@insighthire.com or reply to the request from whichever recruiter at your org sent you here.