Security & Identity - What IT Teams Need to Know
Looply is designed with enterprise-grade security, privacy, and identity management as foundational principles. This page explains how Looply handles authentication, authorization, data access, and secure integrations — specifically for IT and security professionals.
Azure Tenant Connection
Looply uses Microsoft Graph APIs to perform the following actions with organizational consent:
Deploy the Looply Teams app across your tenant
Perform directory lookups to resolve users and identities
Monitor and manage app installations
Required Graph API Permissions
The following permissions are requested during Azure tenant connection:
openid, offline_access: Authentication and session token management
User.Read, User.ReadBasic.All: Retrieve Teams user profiles
Team.ReadBasic.All, TeamMember.Read.All: Access Teams structure and membership
AppCatalog.ReadWrite.All, AppCatalog.Submit: Deploy Looply app to your Teams environment
Presence.Read.All: Used for future real-time card logic (optional)
TeamsAppInstallation.ReadWriteForUser: Manage Teams app installations for end users
Directory.Read.All: Look up directory data to map users between Microsoft and SAP
These permissions must be approved by a Global Administrator or Privileged Role Administrator.
🔐 Looply does not store or access data outside these permissions. All access is authorized and logged.
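For a post-consent review, the following added example (not Looply's own code) compares the scopes actually granted to the app's service principal against the list above. It assumes the grants were exported as Microsoft Graph oauth2PermissionGrant objects, which cover delegated permissions; the page does not state whether each permission is delegated or application. The sample data, the placeholder ids and the extra Mail.Read scope are constructed for illustration.

```python
import json

# Scopes listed on this page; Presence.Read.All is documented as optional.
DOCUMENTED = {
    "openid", "offline_access", "User.Read", "User.ReadBasic.All",
    "Team.ReadBasic.All", "TeamMember.Read.All", "AppCatalog.ReadWrite.All",
    "AppCatalog.Submit", "Presence.Read.All",
    "TeamsAppInstallation.ReadWriteForUser", "Directory.Read.All",
}
OPTIONAL = {"Presence.Read.All"}

# Constructed sample in the shape of Microsoft Graph oauth2PermissionGrant
# objects (ids are placeholders; Mail.Read is a deliberately undocumented scope).
SAMPLE_GRANTS = json.loads("""
[
  {"clientId": "sp-placeholder", "consentType": "AllPrincipals", "principalId": null,
   "scope": "openid offline_access User.Read User.ReadBasic.All Team.ReadBasic.All TeamMember.Read.All AppCatalog.ReadWrite.All AppCatalog.Submit Presence.Read.All Directory.Read.All"},
  {"clientId": "sp-placeholder", "consentType": "Principal", "principalId": "user-placeholder",
   "scope": "TeamsAppInstallation.ReadWriteForUser Mail.Read"}
]
""")

def audit_grants(grants, client_id):
    """Compare the scopes granted to one service principal with the documented list."""
    granted = {}  # scope -> set of consent types under which it was granted
    for g in grants:
        if g.get("clientId") != client_id:
            continue  # grant belongs to a different application
        for scope in (g.get("scope") or "").split():
            granted.setdefault(scope, set()).add(g.get("consentType"))
    names = set(granted)
    return {
        # Granted but not on the documented list: investigate before accepting.
        "unexpected": sorted(names - DOCUMENTED),
        # Documented as required but absent: the integration may not work.
        "missing": sorted(DOCUMENTED - OPTIONAL - names),
        # Documented as optional: candidates to withhold under least privilege.
        "optional_granted": sorted(names & OPTIONAL),
        # Scopes that can change tenant state, worth monitoring in audit logs.
        "write_capable": sorted(s for s in names if "ReadWrite" in s or s.endswith(".Submit")),
        # Consented by individual users only, never tenant-wide by an admin.
        "per_user_only": sorted(s for s, c in granted.items() if c == {"Principal"}),
    }

if __name__ == "__main__":
    for key, value in audit_grants(SAMPLE_GRANTS, "sp-placeholder").items():
        print(f"{key}: {value}")
```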
SAP Workflow Authentication Model
When a Microsoft Teams user interacts with an approval-bound notification generated by Looply (for example, approving a Purchase Order), Looply authenticates the user's action back into SAP on their behalf.
Looply currently supports the following authentication methods for SAP workflows:
Basic Authentication
SAP Dialog user credentials are securely passed at runtime. Typically used in simpler or legacy SAP landscapes.
OAuth 2.0 Authorization Code Grant
Azure AD authenticated user flow exchanging OAuth tokens for SAP Gateway access.
SAML 2.0 Bearer Assertion (OBO Flow)
Microsoft Teams user identity is propagated to SAP using a SAML Assertion issued by Azure AD, exchanged for an SAP OAuth token. Supports full delegated access without credential storage.
📌 Important: This authentication approach is designed specifically for SAP ECC and S/4HANA workflows. Other systems may require different identity propagation models depending on their capabilities.
Security Architecture Highlights
Data Access: Looply does not store or cache SAP or Microsoft user data beyond workflow runtime. All data is processed in memory or temporarily held for workflow context.
Encryption: All communication between Looply, Microsoft Graph, and SAP is encrypted over HTTPS using TLS 1.2+.
Data Isolation: Each customer tenant is logically and cryptographically isolated. Dedicated and private cloud models offer additional VPC-level isolation.
Role-Based Access Control (RBAC): Looply supports two roles: Admin and Developer. Admins manage Teams integration and users. Developers design workflows.
Audit Logging: All admin actions and workflow runs are logged for traceability.
Architecture Diagrams & Compliance Packages
Looply provides architecture reference diagrams, an information security policy, and security standards upon request. These are suitable for:
Internal IT security reviews
Governance or compliance assessments
Risk analysis documentation