# Security & Identity - What IT Teams Need to Know

Looply is designed with enterprise-grade security, privacy, and identity management as foundational principles. This page explains how Looply handles authentication, authorization, data access, and secure integrations — specifically for IT and security professionals.

### Azure Tenant Connection

Looply uses Microsoft Graph APIs to perform the following actions with organizational consent:

* Deploy the Looply Teams app across your tenant
* Perform directory lookups to resolve users and identities
* Monitor and manage app installations

#### Required Graph API Permissions

The following permissions are requested during Azure tenant connection:

| Permission Name                                 | Purpose                                                       |
| ----------------------------------------------- | ------------------------------------------------------------- |
| `openid`, `offline_access`                      | Authentication and session token management                   |
| `User.Read`, `User.ReadBasic.All`               | Retrieve Teams user profiles                                  |
| `Team.ReadBasic.All`, `TeamMember.Read.All`     | Access Teams structure and membership                         |
| `AppCatalog.ReadWrite.All`, `AppCatalog.Submit` | Deploy Looply app to your Teams environment                   |
| `Presence.Read.All`                             | Used for future real-time card logic (optional)               |
| `TeamsAppInstallation.ReadWriteForUser`         | Manage Teams app installations for end users                  |
| `Directory.Read.All`                            | Look up directory data to map users between Microsoft and SAP |

All of these are delegated permissions. Because the set includes admin-restricted permissions such as `Directory.Read.All` and `AppCatalog.ReadWrite.All`, tenant-wide admin consent is required, and it must be granted by a Global Administrator or Privileged Role Administrator. After consent, the exact set granted can be reviewed in Entra ID under Enterprise applications > Looply > Permissions.

> 🔐 Looply does not store or access data outside these permissions. All access is authorized and logged.
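A practitioner reviewing the consent will usually want to confirm that what the tenant actually granted matches the table above and nothing more. The following script is an added example (not Looply's own code) that audits an export of the service principal's `oauth2PermissionGrant` objects, the resource returned by `GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants?$filter=clientId eq '<servicePrincipalId>'`. The grants it runs on are constructed sample data, and the ids in them are placeholders.

```python
"""Audit Microsoft Graph consent grants for an app against a documented
permission list. Added example, not Looply's code; SAMPLE_GRANTS is
constructed data shaped like the Graph oauth2PermissionGrant resource."""
import json

# Delegated permissions listed as required on this page.
DOCUMENTED_SCOPES = frozenset({
    "openid", "offline_access",
    "User.Read", "User.ReadBasic.All",
    "Team.ReadBasic.All", "TeamMember.Read.All",
    "AppCatalog.ReadWrite.All", "AppCatalog.Submit",
    "Presence.Read.All",
    "TeamsAppInstallation.ReadWriteForUser",
    "Directory.Read.All",
})

# Constructed sample: one tenant-wide admin consent grant (consentType
# AllPrincipals) plus one per-user grant carrying a scope the page never lists.
SAMPLE_GRANTS = json.loads("""
{"value": [
  {"id": "g1", "clientId": "sp-looply", "consentType": "AllPrincipals",
   "principalId": null, "resourceId": "sp-msgraph",
   "scope": "openid offline_access User.Read User.ReadBasic.All Team.ReadBasic.All TeamMember.Read.All AppCatalog.ReadWrite.All AppCatalog.Submit Presence.Read.All TeamsAppInstallation.ReadWriteForUser Directory.Read.All"},
  {"id": "g2", "clientId": "sp-looply", "consentType": "Principal",
   "principalId": "user-42", "resourceId": "sp-msgraph",
   "scope": "User.Read Mail.Read"}
]}
""")


def audit_grants(grants, documented=DOCUMENTED_SCOPES):
    """Summarise what is consented and flag anything beyond the documented set.

    Returns a dict with:
      tenant_wide          - scopes granted by admin consent for all users
      per_user             - {principalId: scopes} for individual user consents
      undocumented         - granted scopes (any grant) not in `documented`
      missing_tenant_wide  - documented scopes that lack tenant-wide consent
    """
    tenant_wide, per_user = set(), {}
    for g in grants["value"]:
        scopes = set(g["scope"].split())  # Graph stores scopes space-separated
        if g["consentType"] == "AllPrincipals":
            tenant_wide |= scopes
        else:
            per_user.setdefault(g["principalId"], set()).update(scopes)
    granted = tenant_wide.union(*per_user.values())
    return {
        "tenant_wide": sorted(tenant_wide),
        "per_user": {p: sorted(s) for p, s in per_user.items()},
        "undocumented": sorted(granted - documented),
        "missing_tenant_wide": sorted(documented - tenant_wide),
    }


def is_clean(report):
    """True when no undocumented scope is granted and every documented scope
    has tenant-wide consent, i.e. the grant matches the page exactly."""
    return not report["undocumented"] and not report["missing_tenant_wide"]


if __name__ == "__main__":
    report = audit_grants(SAMPLE_GRANTS)
    print(json.dumps(report, indent=2))
    print("matches documentation:", is_clean(report))
```

On the constructed sample the report flags `Mail.Read` as undocumented (it arrived through an individual user's consent, which is exactly the kind of drift a tenant-wide review misses) while every documented scope is present tenant-wide. Run it against a real export by replacing `SAMPLE_GRANTS` with the parsed Graph response.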

### SAP Workflow Authentication Model

When a Microsoft Teams user acts on an approval-bound notification generated by Looply (for example, approving a Purchase Order), Looply executes that action in SAP under the user's own identity rather than under a shared service account.

Looply currently supports the following authentication methods for SAP workflows:

| Authentication Type                      | Description                                                                                                                                                                                                                                              |
| ---------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Basic Authentication**                 | The SAP dialog user's credentials are sent with each request (HTTP Basic over TLS), so they must be available to Looply at runtime. Suited only to simpler or legacy SAP landscapes.                                                                  |
| **OAuth 2.0 Authorization Code Grant**   | The user, already signed in with Azure AD (Entra ID), completes an OAuth 2.0 authorization code flow against SAP; Looply uses the resulting access and refresh tokens for SAP Gateway calls.                                                           |
| **SAML 2.0 Bearer Assertion (OBO Flow)** | The Teams user's identity is propagated to SAP with a SAML 2.0 assertion that Azure AD issues on the user's behalf (On-Behalf-Of flow); SAP exchanges the assertion for an SAP OAuth access token (SAML 2.0 bearer grant). Full delegated access with no user credential stored by Looply. |

> 📌 **Important:** This authentication approach is designed specifically for SAP ECC and S/4HANA workflows. Other systems may require different identity propagation models depending on their capabilities.
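To make the SAML 2.0 bearer / OBO option concrete, here is the two-step exchange as an added example; it is not Looply's code and does not come from the page. Step one asks Entra ID (Azure AD) for a SAML 2.0 assertion instead of a JWT using the documented OBO parameters `requested_token_use=on_behalf_of` and `requested_token_type=urn:ietf:params:oauth:token-type:saml2`; step two presents that assertion to SAP with the RFC 7522 `saml2-bearer` grant. Everything in `SAMPLE_CFG` is a placeholder, and the following are assumptions rather than facts from the page: the Looply app registration authenticates with a client secret, the SAP system is registered in Entra ID under the application ID URI shown, SAP's token endpoint is `/sap/bc/sec/oauth2/token` (the NetWeaver Gateway default) and authenticates the OAuth client with HTTP Basic, and the SAP scope is an OData service name. The HTTP transport is injected so the exchange runs offline against the constructed `fake_post`.

```python
"""Teams user -> Entra ID OBO (SAML assertion) -> SAP OAuth token (RFC 7522).
Added example, not Looply's code. SAMPLE_CFG, CONSTRUCTED_SAML and fake_post
are constructed stand-ins; the SAP endpoint path and Basic client auth are
assumptions."""
import base64

OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
SAML_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:saml2"
SAML_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"

SAMPLE_CFG = {  # placeholder values, constructed for the example
    "tenant": "contoso.onmicrosoft.com",
    "client_id": "looply-app-id", "client_secret": "looply-secret",
    "sap_app_id_uri": "api://sap-s4hana-prod",      # SAP app as registered in Entra
    "sap_base_url": "https://s4.example.internal",
    "sap_client_id": "LOOPLY_OAUTH", "sap_client_secret": "sap-client-secret",
    "sap_scope": "ZPO_APPROVAL_SRV_0001",           # assumed: an OData service scope
}


def obo_request(cfg, user_access_token):
    """Entra ID OBO request asking for a SAML assertion instead of a JWT."""
    url = f"https://login.microsoftonline.com/{cfg['tenant']}/oauth2/v2.0/token"
    body = {
        "grant_type": OBO_GRANT,
        "client_id": cfg["client_id"],
        "client_secret": cfg["client_secret"],
        "assertion": user_access_token,            # the Teams user's token for Looply
        "scope": f"{cfg['sap_app_id_uri']}/.default",
        "requested_token_use": "on_behalf_of",
        "requested_token_type": SAML_TOKEN_TYPE,   # ask for SAML 2.0, not an access token
    }
    return url, body, {}


def ensure_base64url(assertion):
    """RFC 7522 requires the assertion parameter to be base64url encoded.
    Raw XML is encoded here; an already-encoded value passes through."""
    if assertion.lstrip().startswith("<"):
        return base64.urlsafe_b64encode(assertion.encode()).decode().rstrip("=")
    return assertion


def sap_token_request(cfg, assertion_b64url):
    """SAML 2.0 bearer grant against SAP's OAuth 2.0 token endpoint (assumed path)."""
    url = f"{cfg['sap_base_url']}/sap/bc/sec/oauth2/token"
    creds = f"{cfg['sap_client_id']}:{cfg['sap_client_secret']}".encode()
    headers = {"Authorization": "Basic " + base64.b64encode(creds).decode()}
    body = {"grant_type": SAML_BEARER_GRANT, "assertion": assertion_b64url,
            "scope": cfg["sap_scope"]}
    return url, body, headers


def propagate_identity(post, cfg, user_access_token):
    """Run both exchanges; `post(url, data, headers)` returns the JSON body.
    Returns the SAP access token bound to the Teams user."""
    obo = post(*obo_request(cfg, user_access_token))
    if obo.get("token_type") != SAML_TOKEN_TYPE:
        # Do not fall back to another credential: without a SAML assertion
        # there is no delegated identity to present to SAP.
        raise RuntimeError(f"expected a SAML assertion, got {obo.get('token_type')}")
    sap = post(*sap_token_request(cfg, ensure_base64url(obo["access_token"])))
    if "access_token" not in sap:
        raise RuntimeError(f"SAP rejected the assertion: {sap.get('error')}")
    return sap["access_token"]


# Constructed fake transport standing in for Entra ID and SAP. It checks the
# parameters each side requires and returns canned responses.
CONSTRUCTED_SAML = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
                    ' ID="_c1"><saml:Subject>user@contoso.com</saml:Subject></saml:Assertion>')


def fake_post(url, data, headers):
    if url.endswith("/oauth2/v2.0/token"):
        wanted = (OBO_GRANT, "on_behalf_of", SAML_TOKEN_TYPE)
        got = (data.get("grant_type"), data.get("requested_token_use"),
               data.get("requested_token_type"))
        if got != wanted:
            return {"error": "invalid_request"}
        return {"token_type": SAML_TOKEN_TYPE, "access_token": CONSTRUCTED_SAML, "expires_in": 300}
    if url.endswith("/sap/bc/sec/oauth2/token"):
        if (data.get("grant_type") != SAML_BEARER_GRANT
                or not headers.get("Authorization", "").startswith("Basic ")):
            return {"error": "invalid_client"}
        padded = data["assertion"] + "=" * (-len(data["assertion"]) % 4)
        if "<saml:Assertion" not in base64.urlsafe_b64decode(padded).decode():
            return {"error": "invalid_grant"}
        return {"access_token": "sap-token-for-user@contoso.com", "token_type": "Bearer", "expires_in": 3600}
    raise ValueError(f"unexpected endpoint {url}")


if __name__ == "__main__":
    print(propagate_identity(fake_post, SAMPLE_CFG, "eyJ.teams-user-token"))
```

The point to take from the exchange is what each party holds: Looply handles the user's Azure AD token and a short-lived assertion, SAP sees an assertion signed by Entra ID naming the user, and no SAP password is ever stored or transmitted. The `token_type` check is deliberate; a deployment that silently falls back to a shared credential when the SAML assertion is unavailable loses the per-user audit trail this option exists to provide.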

***

### Security Architecture Highlights

* **Data Access**: Looply does not persist SAP or Microsoft user data beyond the runtime of a workflow. Data is processed in memory and held only as long as the running workflow needs it for context.
* **Encryption**: All communication between Looply, Microsoft Graph, and SAP is encrypted over HTTPS using TLS 1.2 or later.
* **Data Isolation**: Each customer tenant is logically and cryptographically isolated from every other tenant. Dedicated and private cloud deployment models add VPC-level network isolation on top of this.
* **Role-Based Access Control (RBAC)**: Looply supports two roles: Admin and Developer. Admins manage Teams integration and users. Developers design workflows.
* **Audit Logging**: All admin actions and workflow runs are logged for traceability.

***

### Architecture Diagrams & Compliance Packages

Looply provides architecture reference diagrams, its information security policy, and its security standards upon request. These are suitable for:

* Internal IT security reviews
* Governance or compliance assessments
* Risk analysis documentation

To request, please contact: <support@looply.ai>

***

### Next Step

Ready to set up your Looply account and invite your team? Head over to [Signing Up & Onboarding Your Team](https://academy.looply.ai/getting-started/signing-up-onboarding-team).

