# Microsoft Entra ID

> Learn what data Scribe collects when syncing your Microsoft Entra ID, including the OAuth scopes requested and the specific fields stored.

When you connect your Microsoft Entra ID to Scribe, we sync your team's information so you can manage email signatures across your organization. This page explains exactly which permissions we request and what data we store.

## OAuth Scopes

Scribe requests the following scopes when syncing your Microsoft Entra ID:

<Steps>
  <Step title="Allow teammates to log in with their Office 365 account">
    `openid` (Delegated), `profile` (Delegated), `email` (Delegated)

    These scopes give Scribe read access to a user's basic profile, including their name and email address, so your teammates can sign in to Scribe with their Office 365 account.
  </Step>

  <Step title="Read administrative units">
    `AdministrativeUnit.Read.All` (Application)

    This scope allows Scribe to read administrative units in your directory so we can create matching departments in Scribe.
  </Step>

  <Step title="Read domains">
    `Domain.Read.All` (Application)

    This scope allows Scribe to read the domain names associated with your Microsoft 365 account so we can import them into Scribe.
  </Step>

  <Step title="Sign in and read user profile">
    `User.Read` (Delegated)

    This scope allows Scribe to sign the user in and read the signed-in user's own profile.
  </Step>

  <Step title="Read all users' full profiles">
    `User.Read.All` (Application)

    This scope allows Scribe to read the full profile of every user in your directory.
  </Step>

  <Step title="Read all group memberships">
    `GroupMember.Read.All` (Application)

    This scope allows Scribe to read which users belong to which groups.
  </Step>

  <Step title="Read all groups">
    `Group.Read.All` (Application)

    This scope allows Scribe to read the groups you have created in your directory.
  </Step>

  <Step title="Maintain access to data you have given access to">
    `offline_access` (Delegated)

    This scope allows Scribe to maintain access to the data you have authorized without requiring you to sign in again each time.
  </Step>
</Steps>

All scopes listed above use the Microsoft Graph API (`https://graph.microsoft.com/`). You can find detailed information about Microsoft Graph permissions in the [Microsoft Graph permissions reference](https://learn.microsoft.com/en-us/graph/permissions-reference).
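A tenant administrator can check that the permissions actually consented for the Scribe enterprise application match the list above. The following is an added example, not Scribe's or Microsoft's code: `audit_grants` and the sample data are hypothetical, and the inputs are assumed to be the JSON returned by Microsoft Graph for the Microsoft Graph service principal's `appRoles`, the app's `appRoleAssignments`, and its `oauth2PermissionGrants`.

```python
DOCUMENTED_APPLICATION = {"AdministrativeUnit.Read.All", "Domain.Read.All",
                          "User.Read.All", "GroupMember.Read.All", "Group.Read.All"}
DOCUMENTED_DELEGATED = {"openid", "profile", "email", "User.Read", "offline_access"}


def audit_grants(graph_app_roles, app_role_assignments, oauth2_grants):
    """Diff the permissions granted in a tenant against the documented list.

    graph_app_roles:      `appRoles` of the Microsoft Graph service principal
    app_role_assignments: `value` from /servicePrincipals/{id}/appRoleAssignments
    oauth2_grants:        `value` from /oauth2PermissionGrants for the same client
    """
    names = {role["id"]: role["value"] for role in graph_app_roles}
    # An appRoleId that does not resolve is kept verbatim so it is reported.
    application = {names.get(a["appRoleId"], a["appRoleId"])
                   for a in app_role_assignments}
    delegated = set()
    for grant in oauth2_grants:
        # `scope` is a single space-separated string.
        delegated.update((grant.get("scope") or "").split())
    return {
        "unexpected_application": sorted(application - DOCUMENTED_APPLICATION),
        "unexpected_delegated": sorted(delegated - DOCUMENTED_DELEGATED),
        "not_granted": sorted((DOCUMENTED_APPLICATION - application)
                              | (DOCUMENTED_DELEGATED - delegated)),
        # Name-based heuristic (assumption): Graph write permissions contain "Write".
        "write_capable": sorted(p for p in application | delegated if "Write" in p),
    }


# Constructed sample input. The GUIDs are placeholders, not real app role ids,
# and the extra User.ReadWrite.All assignment exists only to exercise the check.
_ROLE_NAMES = sorted(DOCUMENTED_APPLICATION) + ["User.ReadWrite.All"]
SAMPLE_GRAPH_APP_ROLES = [
    {"id": f"00000000-0000-0000-0000-{i:012d}", "value": name}
    for i, name in enumerate(_ROLE_NAMES, start=1)
]
SAMPLE_ASSIGNMENTS = [{"appRoleId": r["id"]} for r in SAMPLE_GRAPH_APP_ROLES]
SAMPLE_OAUTH2_GRANTS = [
    {"consentType": "AllPrincipals", "scope": " openid profile email User.Read"},
    {"consentType": "Principal", "scope": "offline_access"},
]

if __name__ == "__main__":
    report = audit_grants(SAMPLE_GRAPH_APP_ROLES, SAMPLE_ASSIGNMENTS,
                          SAMPLE_OAUTH2_GRANTS)
    for finding, permissions in report.items():
        print(f"{finding}: {permissions or 'none'}")
```

Any entry under `unexpected_application`, `unexpected_delegated` or `write_capable` is a grant that this page does not document and is worth reviewing in the tenant's enterprise application permissions.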

## Data Stored in Scribe

From the scopes listed above, Scribe collects and stores the following fields:

**User profile data:** profile picture, first name, last name, and job position.

**Phone numbers:** mobile phone, work phone, and fax.

**Work details:** department and office.

**Address:** street address, city, state or province, zip or postal code, and country or region.

**Groups:** group names and memberships.

**Administrative units:** administrative unit names and memberships.

**Domains:** domain hostnames.

<Info>
  Scribe has **read-only** access to your directory data. We cannot edit anything in your Microsoft 365 or read your emails. Scribe is [SOC 2 Type II compliant](/en/what-scribe-does-concerning-security).
</Info>
