ActorDo works with both free and paid Microsoft licenses.
Below is an explanation of how Actor integrates with the Microsoft Graph APIs.
Actor uses delegated permissions only. This means:
- Every action is performed as the signed-in user.
- Actor cannot access mailboxes or calendars that the user cannot access themselves.
- No application-level (“admin”) permissions are requested.
- Organizations may need to pre-approve these delegated permissions through Microsoft Entra ID, but even then, Actor only operates within the permissions of the authenticated user.
This approach follows Microsoft’s least-privilege model while allowing Actor to provide AI-powered email, calendar, and task automation.
Permission Scopes requested
| Permission | Why Actor needs it |
|---|---|
| Calendars.ReadWrite | Allows Actor to read calendars to understand availability, upcoming meetings, and scheduling context. It also enables creating, updating, or cancelling calendar events on the user’s behalf when requested (e.g. booking meetings or rescheduling appointments). |
| MailboxFolder.ReadWrite | Allows Actor to create and manage folders within the mailbox. This is used for organizing email, creating Actor-specific folders if needed, and supporting advanced mailbox organization features. Actor never creates folders unless required by the user or a feature they enable. |
| MailboxSettings.ReadWrite | Allows Actor to read and update mailbox settings such as automatic replies (Out of Office), time zone, working hours, language, and other mailbox preferences. This enables scheduling features and automation that respects the user’s mailbox configuration. |
| Mail.ReadWrite | Gives Actor access to read, categorize, move, archive, mark as read/unread, and draft emails. This permission powers AI email management, inbox organization, task extraction, follow-up reminders, email summarization, and automation workflows. Actor only performs these actions on behalf of the authenticated user. |
| Mail.Send | Allows Actor to send emails that the user explicitly requests or that are sent through user-configured automations. Examples include replying to emails, sending drafted messages, or sending notifications generated by approved workflows. |
| Tasks.ReadWrite | Allows Actor to read and manage Microsoft To Do tasks. Actor can create tasks from emails, update task status, organize task lists, and synchronize action items identified by AI. |
| User.Read | Required for Microsoft sign-in. It allows Actor to identify the authenticated user and obtain basic profile information such as name, email address, and Microsoft account ID. This is the minimum permission required for Microsoft authentication. |
| openid | Standard OpenID Connect scope that enables secure user authentication and identity verification during sign-in. |
| profile | Allows Actor to access basic profile information (such as display name and preferred language) to personalize the user experience. |
| email | Allows Actor to access the user’s primary email address, which is used to identify the account and associate Microsoft authentication with the correct Actor account. |
| offline_access | Allows Actor to receive refresh tokens so the user stays signed in and approved automations can continue running without requiring the user to log in every few hours. The user can revoke this access at any time from their Microsoft account or within Actor. |
For shared mailboxes, Actor also requires the Shared versions of the Mail and Calendar scopes.
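As an added example (not ActorDo's or Microsoft's code), a tenant administrator can check the delegated-only claim by comparing an export of the app's `oauth2PermissionGrants` and `appRoleAssignments` records from Microsoft Graph against the table above. The sample records are constructed, and reading "Shared version" as the Mail and Calendar scope names with a `.Shared` suffix is an assumption.

```python
# Delegated scopes listed in the table above.
DOCUMENTED = {
    "Calendars.ReadWrite", "MailboxFolder.ReadWrite", "MailboxSettings.ReadWrite",
    "Mail.ReadWrite", "Mail.Send", "Tasks.ReadWrite", "User.Read",
    "openid", "profile", "email", "offline_access",
}
# Assumption: the shared-mailbox variants are the Mail/Calendar names plus ".Shared".
SHARED = {s + ".Shared" for s in DOCUMENTED if s.startswith(("Mail.", "Calendars."))}


def audit_consent(grants, app_role_assignments, allow_shared=False):
    """Return findings where the recorded consent differs from the documented list."""
    allowed = DOCUMENTED | (SHARED if allow_shared else set())
    findings = []
    for grant in grants:
        extra = sorted(set(grant.get("scope", "").split()) - allowed)
        if extra:
            # principalId is null for tenant-wide admin consent (consentType AllPrincipals).
            who = grant.get("principalId") or "all users (admin consent)"
            findings.append(f"undocumented delegated scopes {extra} granted for {who}")
    # Any app role assignment is an application permission, which the page says is not requested.
    for role in app_role_assignments:
        findings.append(f"application permission assigned: appRoleId {role.get('appRoleId')}")
    return findings


# Constructed sample records shaped like Graph oauth2PermissionGrant and
# appRoleAssignment objects (not real tenant data).
SAMPLE_GRANTS = [
    {"consentType": "AllPrincipals", "principalId": None,
     "scope": "openid profile email offline_access User.Read Mail.ReadWrite Mail.Send"},
    {"consentType": "Principal", "principalId": "user-0001-constructed",
     "scope": "Tasks.ReadWrite Mail.ReadWrite.Shared Files.ReadWrite.All"},
]
SAMPLE_APP_ROLES = [{"appRoleId": "00000000-0000-0000-0000-00000000abcd"}]

if __name__ == "__main__":
    for line in audit_consent(SAMPLE_GRANTS, SAMPLE_APP_ROLES, allow_shared=True):
        print(line)
```

An empty result means the recorded consent stays within the documented delegated scopes and no application permissions are assigned to the service principal.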
