ActorDo for Microsoft Tenants

ActorDo works with both free and paid Microsoft licenses.

Below is an explanation on how Actor integrates with Microsoft Graph APIs.

Actor uses delegated permissions only. This means:

  • Every action is performed as the signed-in user.
  • Actor cannot access mailboxes or calendars that the user cannot access themselves.
  • No application-level (“admin”) permissions are requested.
  • Organizations may need to pre-approve these delegated permissions through Microsoft Entra ID, but even then, Actor only operates within the permissions of the authenticated user.

This approach follows Microsoft’s least-privilege model while allowing Actor to provide AI-powered email, calendar, and task automation.

Permission Scopes requested

PermissionWhy Actor needs it
Calendars.ReadWriteAllows Actor to read calendars to understand availability, upcoming meetings, and scheduling context. It also enables creating, updating, or cancelling calendar events on the user’s behalf when requested (e.g. booking meetings or rescheduling appointments).
MailboxFolder.ReadWriteAllows Actor to create and manage folders within the mailbox. This is used for organizing email, creating Actor-specific folders if needed, and supporting advanced mailbox organization features. Actor never creates folders unless required by the user or a feature they enable.
MailboxSettings.ReadWriteAllows Actor to read and update mailbox settings such as automatic replies (Out of Office), time zone, working hours, language, and other mailbox preferences. This enables scheduling features and automation that respects the user’s mailbox configuration.
Mail.ReadWriteGives Actor access to read, categorize, move, archive, mark as read/unread, and draft emails. This permission powers AI email management, inbox organization, task extraction, follow-up reminders, email summarization, and automation workflows. Actor only performs these actions on behalf of the authenticated user.
Mail.SendAllows Actor to send emails that the user explicitly requests or that are sent through user-configured automations. Examples include replying to emails, sending drafted messages, or sending notifications generated by approved workflows.
Tasks.ReadWriteAllows Actor to read and manage Microsoft To Do tasks. Actor can create tasks from emails, update task status, organize task lists, and synchronize action items identified by AI.
User.ReadRequired for Microsoft sign-in. It allows Actor to identify the authenticated user and obtain basic profile information such as name, email address, and Microsoft account ID. This is the minimum permission required for Microsoft authentication.
openidStandard OpenID Connect scope that enables secure user authentication and identity verification during sign-in.
profileAllows Actor to access basic profile information (such as display name and preferred language) to personalize the user experience.
emailAllows Actor to access the user’s primary email address, which is used to identify the account and associate Microsoft authentication with the correct Actor account.
offline_accessAllows Actor to receive refresh tokens so the user stays signed in and approved automations can continue running without requiring the user to log in every few hours. The user can revoke this access at any time from their Microsoft account or within Actor.

For shared Mailboxes we also require Shared version for Mail and Calendar scopes