Connecting a third-party app to your Outlook mailbox can save hours of manual work, but it also means handing another service a key to your email. The good news: Microsoft 365 gives you precise control over what an app can and cannot do, and a well-built app asks for far less than you might fear. This guide explains what to check before you authorise any app, then shows how those checks should be answered in practice.
Why mailbox access deserves a second look
Email is one of the most sensitive systems you own. It holds conversations, invoices, password resets and contracts, and it can often reset access to other accounts. So when an app asks to connect, the right question is not just "is this app trustworthy?" but "what is it actually allowed to touch, and can I take that access back whenever I want?"
Microsoft's permission model answers both — but the answers are only meaningful if you know what to look for.
What to check before you connect any app
Run through this checklist before you click Accept on any consent screen:
- Least-privilege scopes. Does the app request only the permissions it needs, or sweeping access "just in case"? Fewer, narrower scopes signal more careful design.
- Delegated vs application permissions. Delegated permissions act on behalf of a single signed-in user, limited to that user's mailbox. Application permissions can grant access across an entire tenant without a specific user present. For a personal tool, delegated, per-mailbox access is what you want.
- Whether it reads message content. There is a large difference between an app that reads bodies and attachments and one that reads only routing metadata (sender, folder, timestamp). Ask which, and look for a technical guarantee rather than a marketing promise.
- Token storage and encryption. The app stores a refresh token to keep working in the background. Is it encrypted at rest, kept out of logs, and rotated on Microsoft's schedule?
- Data retention and residency. What does the app keep, for how long, where is it hosted, and what happens when you cancel?
- A clear way to revoke access. You should be able to cut the app off from your own Microsoft account settings at any time, without contacting the vendor.
- GDPR and UK-GDPR posture. Look for genuine data export and deletion, and a clear data processing agreement (DPA) if you use the app for work.
If an app cannot give straight answers to these, that is itself an answer.
Delegated, per-mailbox access in plain terms
The single most important distinction is delegated versus application permissions. With delegated access, you sign in, you consent, and the app can only ever act as you, on your mailbox. Nothing is granted tenant-wide, and an administrator does not have to open the door for everyone at once.
Sortfully uses this model deliberately. It connects to Outlook and Microsoft 365 — work, school, and personal Outlook.com — through Microsoft Graph using delegated, per-mailbox access. Each user consents only for their own mailbox; there are no tenant-wide application permissions. Where an organisation prefers central control, an administrator can consent on behalf of users and scope access further, but the access itself stays mailbox-scoped.
Reading the scopes on the consent screen
When you authorise an app, Microsoft shows you the exact permissions requested. Pause to read them. A least-privilege filing tool needs to move messages and stay aware of your existing rules, but it does not need to send mail as you or read every attachment.
Here is the full set Sortfully requests, and why:
- Mail.ReadWrite (plus Mail.ReadWrite.Shared for shared mailboxes) to read message metadata and move messages between folders.
- MailboxSettings.ReadWrite so it can coexist cleanly with your existing inbox rules rather than fighting them.
- offline_access so filing continues in the background without you signing in repeatedly.
- openid, profile and email simply to identify the account you signed in with.
Notice what is absent: no permission to send mail, and nothing that implies content scanning beyond what is needed to move a message.
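As an added example (not Sortfully's or Microsoft's code), the code below applies this reading of the consent screen to the `scope` parameter of a Microsoft identity platform authorisation URL, sorting what is requested against the list above. The sample URL, its all-zero client ID and the red-flag list are constructed for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Delegated scopes the article lists for the filing tool.
EXPECTED = {
    "Mail.ReadWrite", "Mail.ReadWrite.Shared", "MailboxSettings.ReadWrite",
    "offline_access", "openid", "profile", "email",
}
# Scopes a filing tool should not need (constructed list), with the reason.
RED_FLAGS = {
    "Mail.Send": "can send mail as the user",
    "Mail.Send.Shared": "can send mail from shared mailboxes",
    ".default": "requests every permission configured on the app registration",
}
GRAPH_PREFIX = "https://graph.microsoft.com/"

# Constructed sample: placeholder client_id, two scopes beyond the expected set.
SAMPLE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&scope=openid%20profile%20email%20offline_access"
    "%20https%3A%2F%2Fgraph.microsoft.com%2FMail.ReadWrite"
    "%20Mail.Send%20Files.Read.All"
)


def normalise(scope: str) -> str:
    """Strip the Graph resource prefix so both spellings compare equal."""
    return scope[len(GRAPH_PREFIX):] if scope.startswith(GRAPH_PREFIX) else scope


def audit_consent_url(url: str) -> dict:
    """Split the requested scopes into expected, unexpected and red-flag."""
    query = parse_qs(urlparse(url).query)
    requested = {normalise(s) for s in " ".join(query.get("scope", [])).split()}
    flagged = requested & set(RED_FLAGS)
    return {
        "expected": sorted(requested & EXPECTED),
        "unexpected": sorted(requested - EXPECTED - flagged),
        "red_flags": {s: RED_FLAGS[s] for s in sorted(flagged)},
    }


if __name__ == "__main__":
    for bucket, scopes in audit_consent_url(SAMPLE_URL).items():
        print(bucket, scopes)
```

Scopes bound what the API will permit, not what the app chooses to read: Mail.ReadWrite also covers message bodies, so a scope review alone cannot confirm a content-blind claim.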
"Content-blind" should mean exactly that
Plenty of apps promise they "won't read your emails." The stronger position is one where reading content is structurally impossible, not merely discouraged.
Sortfully is content-blind by design: it never reads message bodies or attachments. That is enforced two ways — a hard-coded metadata allow-list that defines the only fields the code may touch, and a continuous-integration build gate that fails the build if any code tries to access content. The guarantee is checked by machinery on every change, not left to a policy document. See the detail on the content-blind by design page.
What it does read is limited to routing metadata: sender address and domain, folder, received time, read/unread status, categories and message IDs. The sender address is read transiently only to derive its domain. There is no AI anywhere in the product, and your mail is never sent to any third-party AI service.
For people who want a record of what was filed, there is a detailed activity log (on by default — switchable off during setup, before you connect your mailbox) that additionally stores the subject line and sender address to your own log. Even then, bodies and attachments are never read.
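One way a metadata allow-list and a build gate of the kind described above can be expressed, as an added example that is not Sortfully's code. The mapping of the article's routing metadata to Microsoft Graph message properties, the function names and the sample source are assumptions; the gate also flags message requests with no `$select`, because Graph then returns its default property set, which includes the body.

```python
import re

# Routing metadata from the article, mapped (assumption) to Graph message properties.
ALLOWED_FIELDS = frozenset(
    {"id", "from", "parentFolderId", "receivedDateTime", "isRead", "categories"}
)
# Matches $select / $expand values in request strings found in source code.
QUERY_OPTION = re.compile(r"\$(select|expand)=([A-Za-z0-9_,]+)")

# Constructed sample of application code for the gate to scan.
SAMPLE_SOURCE = '''\
url = "/me/mailFolders/inbox/messages?$select=id,from,receivedDateTime"
bad = "/me/messages?$select=id,subject,body&$top=10"
att = "/me/messages/{id}?$expand=attachments"
'''


def build_select(fields):
    """Build a $select clause, refusing any field outside the allow-list."""
    rejected = sorted(set(fields) - ALLOWED_FIELDS)
    if rejected:
        raise ValueError(f"fields outside metadata allow-list: {rejected}")
    return "$select=" + ",".join(fields)


def gate(source: str):
    """Return (line_no, option, field) for each request that could expose content."""
    violations = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        # No $select on a message request means default properties, body included.
        if "/messages" in line and "$select=" not in line:
            violations.append((line_no, "select", "<missing>"))
        for option, value in QUERY_OPTION.findall(line):
            for field in value.split(","):
                if field and field not in ALLOWED_FIELDS:
                    violations.append((line_no, option, field))
    return violations


if __name__ == "__main__":
    print(build_select(["id", "from", "isRead"]))
    for violation in gate(SAMPLE_SOURCE):
        print("BLOCK:", violation)
    # A CI job would exit non-zero here whenever gate() returns anything.
```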
Tokens, audit trails and what happens when you leave
Strong scope hygiene is only half the picture; the app must also look after the credential it holds. Sortfully encrypts refresh tokens at rest, never writes them to logs, and lets Microsoft rotate them on its normal schedule. Accounts are protected with 2FA — by email or trusted device for password sign-ins, or by Sign in with Microsoft so your own identity provider enforces MFA.
You can review activity through an exportable CSV audit log, and the service is built for GDPR and UK-GDPR with proper data export, deletion and a clear DPA. When filing runs, messages are moved, never deleted. The full picture is on the security & compliance page.
If you ever decide to leave, cancelling tears down every subscription and token, with a 30-day data-recovery grace period in case you change your mind.
How to revoke an app's access in Microsoft settings
You never have to depend on a vendor to cut off access — you control it from your own Microsoft account:
- For personal accounts, sign in to your Microsoft account, open Privacy or Security, and find Apps and services that can access your data. Select the app and choose Remove.
- For work or school accounts, go to myaccount.microsoft.com, open My sign-ins or Privacy, and review the apps you have granted access to. Remove the one you no longer want. Your administrator can also revoke consent centrally from the Microsoft Entra admin centre.
Revoking access immediately stops the app from acting on your mailbox. With Sortfully, removing access from your Microsoft account stops all filing straight away.
Bringing it together
Giving an app access to your Outlook mailbox is safe when the access is narrow, the content stays private, the credentials are protected, and you can revoke everything yourself in a few clicks. Use the checklist above on any service, and insist on technical guarantees rather than promises.
To see what good looks like in practice, you can organise your Outlook inbox by sender with a tool built around least privilege and content-blind filing. Sortfully is in a private, invite-only beta — join the waitlist and we'll email you when it opens.