When deploying SendGuard365, Microsoft 365 administrators are asked to approve Microsoft Graph permissions during add-in deployment.
This article explains which permissions SendGuard365 uses, which plans require them, and how to remove unnecessary permissions for Lite and Pro deployments.
What Microsoft Graph Permissions Does SendGuard365 Use?
The standard SendGuard365 manifest includes the following delegated Microsoft Graph permissions:
Permission | Purpose |
openid | Allows users to sign in using Microsoft 365 Single Sign-On (SSO). |
profile | Provides access to basic profile information such as display name. |
User.Read | Reads the signed-in user profile for user identification and license validation. |
Calendars.Read | Reads meeting and calendar information for Premium DLP and compliance processing. |
Mail.Read | Reads email messages for Premium server-side compliance and DLP processing. |
Which Permissions Are Required for Each SendGuard365 Plan?
Permission | Lite | Pro | Premium |
openid | ✔ | ✔ | ✔ |
profile | ✔ | ✔ | ✔ |
User.Read | ✔ | ✔ | ✔ |
Calendars.Read | Not required | Not required | ✔ |
Mail.Read | Not required | Not required | ✔ |
Why Don’t Lite and Pro Plans Require Mail.Read or Calendars.Read?
Lite and Pro plans process emails locally on the user’s machine.
Because no server-side email or calendar processing is performed, these plans do not require:
These permissions are only required for Premium plan features that use server-side DLP and compliance processing.
Can I Remove Unnecessary Permissions for Lite or Pro Deployments?
Yes.
Lite and Pro customers can remove the unnecessary Premium permissions using one of the following methods:
Option 1 — Request a Custom Manifest
Before deployment, request a customized SendGuard365 manifest file from Standss Support with the following permissions removed:
This is the recommended approach for new deployments.
Option 2 — Revoke Permissions After Deployment
If the standard manifest has already been deployed, administrators can revoke the permissions manually in Microsoft Azure.
How Do I Revoke SendGuard365 Permissions in Azure?
Prerequisites
You must sign in as either:
- Global Administrator
- Privileged Role Administrator
Steps to Revoke Permissions
- Sign in to the Microsoft Azure Portal.
- Go to: Microsoft Entra ID → Enterprise Applications
- Search for and select: SendGuardM365
- Navigate to: Security → Permissions
- Locate these permissions:
- For each permission:
- Click the three-dot menu (⋯)
- Select Revoke permission
- Confirm the revocation.
- Test the SendGuard365 Outlook add-in to verify functionality.
What Happens If I Revoke Permissions?
Revoking permissions affects all users in the Microsoft 365 tenant where SendGuard365 is deployed.
Before making changes broadly:
- Test with representative users
- Confirm your organization is not using Premium compliance features
- Validate Outlook add-in functionality after the change
What Should I Do If SendGuard365 Stops Working After Revoking Permissions?
If functionality is affected:
- Verify the organization is using a Lite or Pro plan
- Confirm Premium DLP or compliance features are not required
- Re-grant the revoked permissions if Premium functionality is needed
Need Help?
If you need help with:
- Microsoft Graph permissions
- Deployment configuration
- Custom manifest files
Contact Standss Support for assistance.