Security & Identity - What IT Teams Need to Know

Looply is designed with enterprise-grade security, privacy, and identity management as foundational principles. This page explains how Looply handles authentication, authorization, data access, and secure integrations — specifically for IT and security professionals.

Azure Tenant Connection

Looply uses Microsoft Graph APIs to perform the following actions with organizational consent:

Deploy the Looply Teams app across your tenant
Perform directory lookups to resolve users and identities
Monitor and manage app installations

Required Graph API Permissions

The following permissions are requested during Azure tenant connection:

Permission Name

Purpose

openid, offline_access

Authentication and session token management

User.Read, User.ReadBasic.All

Retrieve Teams user profiles

Team.ReadBasic.All, TeamMember.Read.All

Access Teams structure and membership

AppCatalog.ReadWrite.All, AppCatalog.Submit

Deploy Looply app to your Teams environment

Presence.Read.All

Used for future real-time card logic (optional)

TeamsAppInstallation.ReadWriteForUser

Manage Teams app installations for end users

Directory.Read.All

Look up directory data to map users between Microsoft and SAP

These permissions must be approved by a Global Administrator or Privileged Role Administrator.

🔐 Looply does not store or access data outside these permissions. All access is authorized and logged.

SAP Workflow Authentication Model

When a Microsoft Teams user interacts with an approval-bound notification generated by Looply (for example, approving a Purchase Order), Looply authenticates the user's action back into SAP on their behalf.

Looply currently supports the following authentication methods for SAP workflows:

Authentication Type

Description

Basic Authentication

SAP Dialog user credentials are securely passed at runtime. Typically used in simpler or legacy SAP landscapes.

OAuth 2.0 Authorization Code Grant

Azure AD authenticated user flow exchanging OAuth tokens for SAP Gateway access.

SAML 2.0 Bearer Assertion (OBO Flow)

Microsoft Teams user identity is propagated to SAP using a SAML Assertion issued by Azure AD, exchanged for an SAP OAuth token. Supports full delegated access without credential storage.

📌 Important: This authentication approach is designed specifically for SAP ECC and S/4HANA workflows. Other systems may require different identity propagation models depending on their capabilities.

Security Architecture Highlights

Data Access: Looply does not store or cache SAP or Microsoft user data beyond workflow runtime. All data is processed in memory or temporarily held for workflow context.
Encryption: All communication between Looply, Microsoft Graph, and SAP is encrypted over HTTPS using TLS 1.2+
Data Isolation: Each customer tenant is logically and cryptographically isolated. Dedicated and private cloud models offer additional VPC-level isolation.
Role-Based Access Control (RBAC): Looply supports two roles: Admin and Developer. Admins manage Teams integration and users. Developers design workflows.
Audit Logging: All admin actions and workflow runs are logged for traceability.

Architecture Diagrams & Compliance Packages

Looply provides architecture reference diagrams, information security policy, security standards upon request. These are suitable for:

Internal IT security reviews
Governance or compliance assessments
Risk analysis documentation

Next Step

PreviousSAP Integration: ABAP Add-on & Access NextAuthenticating Teams User Actions to Enterprise Systems

Last updated 6 days ago