Workable integrates with your Microsoft 365 account to streamline candidate communication and scheduling. This article details the specific permissions Workable requests, why they are needed, and how your data is securely handled.
To explore the permissions and scopes outlined in this article in greater detail, refer to the following official Microsoft resources:
Email integration
When you connect your Outlook account to Workable, you unlock:
- Sending emails to candidates using your corporate address
- Receiving candidate replies directly in your Outlook inbox
- Syncing read/unread/archive status between Outlook and Workable
Workable will only access Outlook Mail in the following circumstances:
- When a user of your Workable account imports messages with a candidate from their Outlook inbox, Workable will access the individual’s mailbox.
- When a user of your Workable account emails a candidate from Workable, the email will be copied to the individual’s mailbox (under the Sent folder).
Email permissions requested
| Scope | Granted permission | Used by Workable for | What Workable can do | Microsoft Graph API endpoints used |
| --- | --- | --- | --- | --- |
| Mail.Send | Send mail as a signed-in user | Send candidate emails directly from your Outlook identity via Workable | Send emails to candidates from your corporate account; ensure replies go to your Outlook inbox | /sendMail |
| Mail.ReadWrite | Read and write access to your mailbox | Synchronize email threads and statuses with the Workable Inbox | Read candidate-related email threads; sync read/unread/archive states across platforms | /messages |
Important: Workable only accesses emails associated with candidate communication in your Workable account. Emails are filtered using message headers to ensure this.
Your private or unrelated mail is never accessed or stored.
Calendar integration
With calendar integration, you can:
- Schedule interviews directly from candidate profiles
- View team member availability in Workable
- Enable candidates to self-schedule interviews based on your availability
Calendar permissions requested
| Scope | Granted permission | Used by Workable for | What Workable can do | Microsoft Graph API endpoints used |
| --- | --- | --- | --- | --- |
| Calendars.ReadWrite | Create, read, update, and delete events in all calendars | Manage interviews and meeting events within Workable | Create, update, and delete calendar events for interviews and calls | /events, /events/{id} |
| (via) calendar-getschedule (API) | View free/busy information of users | Show user and team availability for scheduling and self-scheduling | Retrieve free/busy status; display availability for team members and candidates | /calendar/getSchedule |
| Contacts.Read | Read access to user contacts | Search for internal stakeholders to invite to events | Search and suggest internal users as attendees | /contacts |
| User.ReadBasic.All | Read basic profile info of users in your organization | Search for rooms and coworkers available for interview scheduling | Discover rooms; identify attendees based on availability | /findRooms |
Note on availability checks: Workable uses the Calendar.GetSchedule API to access your availability. This lets Workable:
- Display free/busy time slots
- Allow candidates to self-book interview times
This does not expose your event content - only availability data is retrieved.
Security & authorization details
Workable follows industry-standard security practices and integrates with Microsoft 365 through the Microsoft Graph API, using OAuth 2.0.
Key security principles
- Workable acts on behalf of the user and never with admin or elevated privileges.
- Users authorize access during setup; no data is accessed without permission.
- Only the essential scopes required for email and calendar functionality are requested.
- Workable only monitors mailboxes connected to a Workable account to enable email syncing. Workable will not keep or scan Outlook Mail from unconnected accounts. Outlook messages to and from individuals remain in Workable for as long as the individual’s account remains active.
- Access is granted through temporary OAuth tokens that automatically expire and refresh securely. Workable will not store your Microsoft 365 credentials.
- You can disconnect your Microsoft 365 account from your Workable account or Microsoft account settings at any time.
- Individual users can delete their own Outlook messages inside Workable. To do this, hover over the message in Workable and click the trash can icon.
For IT & security teams
- Workable is a verified Microsoft Partner and registered Azure Application.
- The integration is compliant with Microsoft security and privacy guidelines.
- All API access is scoped to only what is explicitly granted by the end user.
- Access is always user-delegated and can be revoked or limited through Microsoft 365 admin tools.
- There is no DNS configuration involved.
If you'd like to pre-consent these scopes for all users, your IT team can do so via the Azure Portal.
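For IT teams reviewing consent, the check below compares the delegated grants recorded for an application with the scopes this article lists, and flags tenant-wide (pre-consented) grants. It is an added example, not Workable's or Microsoft's code: the sample data, the placeholder ids and the function name audit_grants are constructed, and treating the OpenID Connect sign-in scopes as a separate category is an assumption.

```python
import json

# Delegated scopes listed in the permission tables above.
DOCUMENTED = {"Mail.Send", "Mail.ReadWrite", "Calendars.ReadWrite",
              "Contacts.Read", "User.ReadBasic.All"}
# Standard OpenID Connect sign-in scopes: not in the article, reported separately.
OIDC = {"openid", "profile", "email", "offline_access"}

# Constructed sample in the shape of a Graph /oauth2PermissionGrants response.
# All ids are placeholders, not real Workable or tenant identifiers.
SAMPLE = json.loads("""
{"value": [
  {"id": "grant-1", "clientId": "sp-workable-placeholder", "consentType": "Principal",
   "principalId": "user-1",
   "scope": "Mail.Send Mail.ReadWrite Calendars.ReadWrite Contacts.Read User.ReadBasic.All offline_access"},
  {"id": "grant-2", "clientId": "sp-workable-placeholder", "consentType": "AllPrincipals",
   "principalId": null, "scope": "Mail.ReadWrite Files.Read.All"},
  {"id": "grant-3", "clientId": "sp-other-app", "consentType": "Principal",
   "principalId": "user-2", "scope": "User.Read"}
]}
""")

def audit_grants(grants, client_id):
    """Compare each delegated grant for client_id with the documented scope list."""
    documented = {s.casefold() for s in DOCUMENTED}
    oidc = {s.casefold() for s in OIDC}
    findings = []
    for g in grants:
        if g.get("clientId") != client_id:
            continue  # grant belongs to a different application
        scopes = (g.get("scope") or "").split()
        findings.append({
            "grant_id": g.get("id"),
            # AllPrincipals = admin pre-consent covering every user in the tenant
            "tenant_wide": g.get("consentType") == "AllPrincipals",
            "principal": g.get("principalId"),
            "sign_in_scopes": sorted(s for s in scopes if s.casefold() in oidc),
            "undocumented": sorted(s for s in scopes
                                   if s.casefold() not in documented | oidc),
        })
    return findings

if __name__ == "__main__":
    for f in audit_grants(SAMPLE["value"], "sp-workable-placeholder"):
        print(f)
```

The input is the value array returned by GET /oauth2PermissionGrants in Microsoft Graph, filtered here by the application's service principal id; any entry under "undocumented" is a scope this article does not list.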
Revoking access
You can disconnect your Microsoft 365 account from Workable at any time by:
- Navigating to your Settings in Workable.
- Selecting Your profile.
- Disconnecting Microsoft 365.
Alternatively, you can revoke access via your Microsoft account's app permissions page.