Microsoft O365 Integration Overview & FAQs

Join GoodTime CPO & Co-Founder Jasper Sone and CISO Hadas Cassorla as they walk through GoodTime’s secure integration with Microsoft O365.

Get answers to the most common security and integration questions, and understand how GoodTime protects your data while accelerating your hiring.

Frequently asked questions

What permissions does GoodTime request with Admin Consent, and why?

GoodTime requests a limited set of Microsoft Graph API permissions to support secure and effective interview scheduling:

Calendar Access

Calendars.Read – Allows GoodTime to check interviewer availability by scanning calendars
Calendars.ReadWrite – Enables GoodTime to create, update, and send interview calendar invites

Directory Access

User.Read.All – Pulls interviewer metadata (e.g., names and emails) to ensure accurate invites
MailboxSettings.Read – Reads time zone preferences (not mailbox content) for precise scheduling

Why does GoodTime require full calendar access instead of just free/busy or delegated access?

While some vendors rely on free/busy or delegated access, these methods often miss events — up to 60% in our internal tests — which leads to scheduling conflicts.

Full calendar access provides a complete and reliable view of availability, ensuring interviews are booked accurately and without overlap. Security is never compromised: access is governed by Microsoft-issued tokens, encrypted credentials, and strict least-privilege practices.

Why does GoodTime require full calendar access instead of just free/busy or delegated access?

Can we limit GoodTime’s access to specific calendars?

Yes. While it requires additional setup from your IT team, you can limit GoodTime’s access to specific users or groups using Microsoft Application Access Policies.

Your admins can allow-list only designated accounts, ensuring GoodTime interacts solely with those calendars — aligning with your organization’s least-privilege policies.

Can GoodTime users see more calendar data than they can in Outlook?

No. GoodTime uses delegated permissions when users sign in, meaning they only see the calendar data they already have access to in Outlook — nothing more.

How does GoodTime protect calendar data and prevent unauthorized access?

We designed GoodTime Calendar Service to keep your information private. Candidates only see open times, never names or meeting details. Your team only sees what they would see in Outlook—nothing more. This setup gives teams automation without exposing sensitive calendar data.

Calendar data is only accessed at the moment it’s needed. It isn’t stored, only used to fulfill scheduling requests. So the next question we get is: how does GoodTime protect calendar data?

Our system has two parts: the user-facing app that your team interacts with, and a secure backend Calendar Service—where the magic happens. Only the Calendar Service can access full calendar information like titles, description, attendees. It’s kept securely isolated from the internet. Access is further restricted by your company’s Microsoft settings (Microsoft Application Access Policy) which control exactly which calendars the system can reach. And, if there’s a request that doesn’t have the right access the Calendar Service does not respond to it.

Let’s focus on the backend Calendar Service for a moment. The service only processes requests when all three of the following are present:

The user is verified through a Microsoft issued authentication token
A valid admin consent credential provided by you (securely encrypted using AES-256, the standard used in enterprise and government systems)
A valid request payload (which follows a pre-approved format in our system).

If any of those are missing or incorrect, the request fails. This ensures that even if the internet-facing GoodTime App were compromised, calendar data would still be out of reach.

It’s like a dual-lock system. It leverages the security you already rely on through Microsoft. Even if someone broke into GoodTime, they’d need to compromise Microsoft to get a valid user token. Since Microsoft authentication sits at the center of your trusted identity infrastructure, every request must still pass through it—adding a strong layer of protection. That also means someone would have to breach Microsoft to access this data.

GoodTime’s backend Calendar Service has the access it needs to scan calendars (such as title, descriptions, and attendee information), but visibility is governed by strict security and access controls. Candidates only see available time slots. Users of GoodTime see exactly what they see in Outlook. That’s it.

Appendix: Deeper Security FAQs

What is the impact if GoodTime were compromised?

Sensitive calendar actions require both a valid user-level Microsoft OAuth token and an encrypted admin credential. Even with one token, requests fail unless all security checks pass. Admin credentials are encrypted using AES-256 and scoped only to the necessary calendar and directory APIs.

To help assess overall risk exposure, consider three scenarios:

If Microsoft’s Authentication system were compromised: An attacker could act as the user across all Microsoft services—not just GoodTime. They could access emails, files, and broader resources. Within GoodTime, they could only take actions that the compromised user could perform, such as requesting interviews or seeing calendar details already visible in Outlook. In this case, the greater risk lies within Microsoft, not GoodTime.
If GoodTime were compromised: An attacker could access previously scheduled interview data but would not be able to retrieve calendar information or make new scheduling requests without a valid Microsoft-issued token and admin credential.
If both systems were compromised: The attacker could create, edit, or cancel interviews and potentially view calendar information scoped to the compromised user’s permissions

Can customers audit what GoodTime accesses?

Yes. Every calendar access request through GoodTime is logged internally with metadata such as the requesting user ID and timestamp. Logs are not exposed in the product interface but can be made available upon request.

What happens when a user leaves the organization?

Microsoft’s OAuth tokens become invalid as soon as a user is removed from the Microsoft tenant. Immediately, login to GoodTime and scheduling capabilities are revoked. Within 24 hours, the user is automatically archived in the GoodTime system. GoodTime does not cache or retain availability—data is pulled in real-time only.

Are you using Just-in-Time API calls or caching or saving calendar data?

We don’t store your calendar data and always pull live at the time of the request with just-in-time API requests. A user’s calendar event data is queried just-in-time to fulfill scheduling. Only calendar invites created by GoodTime are stored. No personal event data (titles, attendees, or notes) is retained from searches.

How does GoodTime create calendar invites?

Interview calendar invites are created using Microsoft’s Graph API with the user set as the organizer. This mirrors how a user would send a calendar invite manually from their Outlook account. GoodTime does not require the creation of service accounts to create calendar events.

Want to dive deeper?

Get an in-depth look at our Office 365 integration on our customer help center.