Table of contents
Connecting Microsoft 365
WorkSights connects to Microsoft 365 through Microsoft's OAuth consent process. The connection is configured once at the tenant level by an administrator. After consent is granted, WorkSights imports users and begins processing activity metadata from Outlook, Teams, SharePoint, and OneDrive. No passwords, message content, or file content ever pass through WorkSights.
For the signup steps, see Sign Up with Microsoft 365.
Permissions Granted During Admin Consent
When a tenant administrator grants consent, WorkSights receives a set of read-only permissions. These allow WorkSights to receive:
Directory metadata: Used to import and sync users from your Microsoft 365 tenant.
Calendar event metadata: Used to process Outlook Calendar activity.
Email metadata: Used to process outbound Outlook email events. Message content is never received.
SharePoint and OneDrive activity metadata: Used to process file interaction events. File content is never received.
Teams activity metadata: Used to process call and chat participation events.
Audit log signals: Used to receive login events, Teams chat events, and additional Exchange and file metadata.
WorkSights never ingests message content, file content, attachments, or anything beyond metadata provided through Microsoft's APIs and audit pipelines.
Tenant Connection Rules
WorkSights connects to one Microsoft 365 tenant per WorkSights account. The connection is established during signup and applies to all users in that tenant. If your organization uses multiple tenants, contact support to discuss your configuration.
User Import and Identity Matching
After the tenant is connected, WorkSights automatically imports all users from your Microsoft 365 directory. New users added to the directory are imported automatically. WorkSights matches users by email address. If your organization uses aliases or shared mailboxes, these can be excluded inside WorkSights at any time.
Historical Data Import
WorkSights imports a window of recent activity during the initial connection so new organizations see value from day one.
Initial import (default): WorkSights ingests approximately the last 8 days of Microsoft 365 activity during the first connection.
Extended import (available on expanded plans): Depending on your organization's configuration, WorkSights supports importing up to 30 days of historical Microsoft 365 activity to provide broader context during onboarding and reporting.
Audit Log Dependency
Some Microsoft 365 signals require the Unified Audit Log to be active for your tenant. Without it, Teams chat, OneDrive and SharePoint file activity, and login events will not appear in WorkSights. Outlook email and calendar activity are available regardless.
See Microsoft 365 Audit Log Activation for steps to verify and enable audit logging.
Revoking Access
WorkSights relies entirely on Microsoft's OAuth framework. All permissions are read-only. WorkSights cannot modify or delete anything inside your Microsoft 365 tenant. Access can be revoked at any time in the Microsoft 365 Admin Center under Enterprise Applications.
Troubleshooting
If the Microsoft 365 connection is not working as expected:
- Confirm admin consent was granted by a Microsoft 365 Global Admin. Partial consent blocks some or all activity.
- Check that the tenant appears as connected in Settings under Connected Services.
- If users are missing from WorkSights, verify they exist in the Microsoft 365 directory and that the directory sync has completed.
- If Teams chat, OneDrive, SharePoint, or login activity is missing, confirm audit logging is active. See Microsoft 365 Audit Log Activation.
- For persistent issues, contact support via the in-app chat.