# Security & Identity - What IT Teams Need to Know

Looply is designed with enterprise-grade security, privacy, and identity management as foundational principles. This page explains how Looply handles authentication, authorization, data access, and secure integrations — specifically for IT and security professionals.

### Azure Tenant Connection

Looply uses Microsoft Graph APIs, under consent granted by your organization, to perform the following actions:

* Deploy the Looply Teams app across your tenant
* Perform directory lookups to resolve users and identities
* Monitor and manage app installations

#### Required Graph API Permissions

The following permissions are requested during Azure tenant connection:

| Permission Name                                 | Purpose                                                       |
| ----------------------------------------------- | ------------------------------------------------------------- |
| `openid`, `offline_access`                      | Authentication and session token management                   |
| `User.Read`, `User.ReadBasic.All`               | Retrieve Teams user profiles                                  |
| `Team.ReadBasic.All`, `TeamMember.Read.All`     | Access Teams structure and membership                         |
| `AppCatalog.ReadWrite.All`, `AppCatalog.Submit` | Deploy Looply app to your Teams environment                   |
| `Presence.Read.All`                             | Used for future real-time card logic (optional)               |
| `TeamsAppInstallation.ReadWriteForUser`         | Manage Teams app installations for end users                  |
| `Directory.Read.All`                            | Look up directory data to map users between Microsoft and SAP |

Granting these permissions tenant-wide requires admin consent from a Global Administrator or Privileged Role Administrator. Before consenting, note for each entry whether the consent prompt lists it as a delegated permission (exercised only as the signed-in user) or an application permission (usable by Looply without a signed-in user), and record that distinction in your review; `Directory.Read.All` in particular reads directory data, so the form in which it was granted matters.

> 🔐 Looply does not store or access data outside these permissions. All access is authorized and logged.
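After admin consent is granted, a reviewer will want to confirm that what the tenant actually consented to matches the table above and nothing more. The following script is an added example for this page, not Looply's code: it reads the Looply service principal's `oauth2PermissionGrants` (delegated scopes) and `appRoleAssignments` (application permissions) from Microsoft Graph and diffs them against the documented list. The Graph response shapes are as Microsoft documents them; the service principal ids, the app-role GUID and the sample payloads are constructed placeholders.

```python
"""Post-consent audit of the Looply service principal's Graph permissions.
Added example, not Looply's code. Assumes the Graph v1.0 shapes of
oauth2PermissionGrants (delegated scopes space-separated in `scope`,
consentType "AllPrincipals" for tenant-wide consent) and appRoleAssignments
(one per application permission, keyed by appRoleId). The ids and payloads
below are constructed placeholders."""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known appId of Microsoft Graph

# Scopes documented in the table above.
DOCUMENTED_SCOPES = {
    "openid", "offline_access",
    "User.Read", "User.ReadBasic.All",
    "Team.ReadBasic.All", "TeamMember.Read.All",
    "AppCatalog.ReadWrite.All", "AppCatalog.Submit",
    "Presence.Read.All",
    "TeamsAppInstallation.ReadWriteForUser",
    "Directory.Read.All",
}


def graph_get(path, token):
    """GET a Graph path with a bearer token (network; the offline checks never call it)."""
    req = urllib.request.Request(f"{GRAPH}{path}", headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def app_role_names(resource_sp):
    """Map appRoleId -> permission name using the resource service principal's appRoles."""
    return {role["id"]: role["value"] for role in resource_sp.get("appRoles", [])}


def audit_grants(delegated_grants, app_role_assignments, role_names, resource_id=None):
    """Diff consented delegated scopes and application roles against the documented list.
    Pass resource_id (the Graph service principal's object id) to ignore grants on other resources."""
    granted_delegated, tenant_wide = set(), False
    for grant in delegated_grants:
        if resource_id and grant.get("resourceId") != resource_id:
            continue
        granted_delegated.update(grant.get("scope", "").split())
        if grant.get("consentType") == "AllPrincipals":
            tenant_wide = True
    granted_app = {role_names.get(a["appRoleId"], a["appRoleId"])
                   for a in app_role_assignments
                   if not resource_id or a.get("resourceId") == resource_id}
    return {
        "tenant_wide_consent": tenant_wide,
        "unexpected_delegated": sorted(granted_delegated - DOCUMENTED_SCOPES),
        "missing_delegated": sorted(DOCUMENTED_SCOPES - granted_delegated),
        # Application permissions act without a signed-in user; the table above
        # lists none explicitly, so anything here is a review question.
        "application_permissions": sorted(granted_app),
    }


def audit_live(looply_sp_id, token):
    """Pull the objects from Graph for the Looply service principal and run the same diff."""
    flt = urllib.parse.quote(f"appId eq '{GRAPH_APP_ID}'")
    graph_sp = graph_get(f"/servicePrincipals?$filter={flt}", token)["value"][0]
    delegated = graph_get(f"/servicePrincipals/{looply_sp_id}/oauth2PermissionGrants", token)["value"]
    roles = graph_get(f"/servicePrincipals/{looply_sp_id}/appRoleAssignments", token)["value"]
    return audit_grants(delegated, roles, app_role_names(graph_sp), graph_sp["id"])


# Constructed sample data shaped like the Graph responses.
SAMPLE_GRAPH_SP = {"id": "aaaaaaaa-0000-0000-0000-000000000001",
                   "appRoles": [{"id": "11111111-1111-1111-1111-111111111111", "value": "Directory.Read.All"}]}
SAMPLE_DELEGATED = [{
    "consentType": "AllPrincipals", "principalId": None,
    "resourceId": "aaaaaaaa-0000-0000-0000-000000000001",
    "scope": ("openid offline_access User.Read User.ReadBasic.All Team.ReadBasic.All "
              "TeamMember.Read.All AppCatalog.ReadWrite.All AppCatalog.Submit "
              "TeamsAppInstallation.ReadWriteForUser Directory.Read.All Mail.Read"),
}]
SAMPLE_APP_ROLES = [{"appRoleId": "11111111-1111-1111-1111-111111111111",
                     "resourceId": "aaaaaaaa-0000-0000-0000-000000000001"}]

if __name__ == "__main__":
    report = audit_grants(SAMPLE_DELEGATED, SAMPLE_APP_ROLES, app_role_names(SAMPLE_GRAPH_SP),
                          SAMPLE_GRAPH_SP["id"])
    print(json.dumps(report, indent=2))
```

Run `audit_live` with a token that can read service principals and their grants, passing the object id of the Looply service principal from Enterprise applications. On the constructed sample the report flags `Mail.Read` as an undocumented delegated scope, `Presence.Read.All` as documented but not granted, and one application permission (`Directory.Read.All`) that a reviewer should ask about.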

### SAP Workflow Authentication Model

When a Microsoft Teams user acts on an approval-bound notification generated by Looply (for example, approving a Purchase Order), Looply authenticates to SAP on that user's behalf so the action is carried out in SAP under the user's own identity.

Looply currently supports the following authentication methods for SAP workflows:

| Authentication Type                      | Description                                                                                                                                                                                |
| ---------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **Basic Authentication**                 | The SAP dialog user's username and password are sent at runtime in the HTTP `Authorization` header over TLS. Typically used in simpler or legacy SAP landscapes; the token-based options below avoid handling the user's SAP password on each call. |
| **OAuth 2.0 Authorization Code Grant**   | The user signs in through Azure AD (Microsoft Entra ID), and the resulting tokens are exchanged for an OAuth token accepted by SAP Gateway. |
| **SAML 2.0 Bearer Assertion (OBO Flow)** | The Teams user's identity is propagated to SAP: Azure AD issues a SAML 2.0 assertion for the user through the on-behalf-of flow, and Looply exchanges it at SAP's OAuth token endpoint for an SAP OAuth token. Provides fully delegated access without Looply storing user credentials. |

> 📌 **Important:** This authentication approach is designed specifically for SAP ECC and S/4HANA workflows. Other systems may require different identity propagation models depending on their capabilities.
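The SAML bearer row above describes a three-step exchange. As an added example for this page (not Looply's code), the Python below lays it out: the on-behalf-of request to Azure AD that asks for a SAML 2.0 assertion instead of a JWT, the claim checks a relying party should make on that assertion (audience, validity window, subject) before forwarding it, and the RFC 7522 `saml2-bearer` grant at the SAP NetWeaver Gateway token endpoint `/sap/bc/sec/oauth2/token`. The tenant id, client ids, audience, SAP host and the assertion XML are constructed placeholders; whether your SAP release expects base64url or plain base64 in the `assertion` parameter is an assumption to check; XML signature verification is not shown, since the SAP token endpoint performs it against the trusted identity provider certificate.

```python
"""SAML 2.0 bearer assertion (OBO) exchange: the two token requests and the
claim checks on the assertion between them. Added example, not Looply's code.
Request shapes follow Microsoft's on-behalf-of flow with
requested_token_type=saml2 and the RFC 7522 SAML bearer grant at the SAP
Gateway token endpoint /sap/bc/sec/oauth2/token. Tenant, client ids,
audience, host and the assertion XML are constructed placeholders. Signature
verification is not shown; SAP checks it against the trusted IdP certificate."""
import base64
import json
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def build_obo_request(tenant_id, client_id, client_secret, user_token, sap_app_id_uri):
    """Step 1: ask Entra ID (Azure AD) to swap the Teams user's token for a SAML2 assertion for SAP."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": user_token,                # token the Teams client obtained for Looply's API
        "scope": f"{sap_app_id_uri}/.default",  # the SAP enterprise application registered in Entra
        "requested_token_use": "on_behalf_of",
        "requested_token_type": "urn:ietf:params:oauth:token-type:saml2",
    }
    return url, form

def decode_obo_assertion(access_token):
    """The OBO response carries the assertion base64-encoded in access_token; either alphabet decodes."""
    return base64.urlsafe_b64decode(access_token + "=" * (-len(access_token) % 4))

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_assertion(assertion_xml, expected_audience, now):
    """Step 2: claim checks worth making before the assertion is forwarded to SAP."""
    now = _ts(now) if isinstance(now, str) else now
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
        root = root.find(".//saml:Assertion", SAML_NS)   # assertion wrapped in a Response
    if root is None:
        return {"ok": False, "problems": ["no Assertion element"], "name_id": None}
    problems = []
    cond = root.find("saml:Conditions", SAML_NS)
    audiences = [] if cond is None else [
        a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        problems.append("audience mismatch")          # minted for a different relying party
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        problems.append("missing validity window")
    elif not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        problems.append("outside validity window")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not name_id:
        problems.append("no subject NameID")          # SAP maps this value to the ABAP user
    return {"ok": not problems, "problems": problems, "name_id": name_id}

def build_sap_token_request(sap_base_url, oauth_client_id, oauth_client_secret, assertion_xml, scope):
    """Step 3: RFC 7522 SAML bearer grant against the SAP OAuth 2.0 token endpoint."""
    url = f"{sap_base_url}/sap/bc/sec/oauth2/token"
    # base64url without padding per RFC 7522; assumption: check whether your SAP release wants plain base64
    assertion_b64 = base64.urlsafe_b64encode(assertion_xml).decode().rstrip("=")
    form = {
        "grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer",
        "assertion": assertion_b64,
        "scope": scope,  # OData service scope assigned to the OAuth client in SAP
    }
    basic = base64.b64encode(f"{oauth_client_id}:{oauth_client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}", "Content-Type": "application/x-www-form-urlencoded"}
    return url, form, headers

def post_form(url, form, headers=None):
    """Form POST returning the JSON body (network; the offline checks never call it)."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), headers=headers or {})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def run_flow(cfg, user_token):
    """Steps 1-3 end to end; returns the SAP access token to send as Bearer on the OData call."""
    url, form = build_obo_request(cfg["tenant_id"], cfg["client_id"], cfg["client_secret"],
                                  user_token, cfg["sap_app_id_uri"])
    assertion_xml = decode_obo_assertion(post_form(url, form)["access_token"])
    verdict = check_assertion(assertion_xml, cfg["sap_audience"], datetime.now(timezone.utc))
    if not verdict["ok"]:
        raise PermissionError("assertion rejected: " + ", ".join(verdict["problems"]))
    url, form, headers = build_sap_token_request(cfg["sap_base_url"], cfg["sap_oauth_client"],
                                                 cfg["sap_oauth_secret"], assertion_xml, cfg["sap_scope"])
    return post_form(url, form, headers)["access_token"]

# Constructed sample assertion (unsigned, placeholder issuer and audience).
SAMPLE_ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
  ID="_example" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T13:00:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sap.example.com/oauth</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
```

`run_flow` is the network path; the offline pieces are the two request builders and `check_assertion`, which on `SAMPLE_ASSERTION` at noon on 2024-05-01 accepts the assertion with subject `jane.doe@example.com`, and reports an audience mismatch or an expired window when either is wrong. The audience check matters most: an assertion minted for a different relying party must not be forwarded to SAP even if it is otherwise valid.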

***

### Security Architecture Highlights

* **Data Access**: Looply does not persist SAP or Microsoft user data beyond the workflow's runtime; data is processed in memory or held only for the duration of the workflow context.
* **Encryption**: All communication between Looply, Microsoft Graph, and SAP is encrypted over HTTPS using TLS 1.2 or later.
* **Data Isolation**: Each customer tenant is logically and cryptographically isolated. Dedicated and private cloud models offer additional VPC-level isolation.
* **Role-Based Access Control (RBAC)**: Looply supports two roles: Admin and Developer. Admins manage Teams integration and users. Developers design workflows.
* **Audit Logging**: All admin actions and workflow runs are logged for traceability.

***

### Architecture Diagrams & Compliance Packages

Looply provides architecture reference diagrams, its information security policy, and its security standards on request. These are suitable for:

* Internal IT security reviews
* Governance or compliance assessments
* Risk analysis documentation

To request, please contact: <support@looply.ai>

***

### Next Step

Ready to set up your Looply account and invite your team? Head over to [Signing Up & Onboarding Your Team](https://academy.looply.ai/getting-started/signing-up-onboarding-team).
