
Microsoft 365 Calendar for Teams: Booking AI Appointments at Scale

Enterprise-grade Microsoft 365 and Outlook calendar configuration for AI appointment setters. Shared mailboxes, delegate access, Graph API permissions, and compliance.

Why Microsoft 365 is different

Most consumer-grade AI booking tools are built Google-first. For a typical startup running Google Workspace, setup is 5 minutes of OAuth. For a mid-market or enterprise Microsoft 365 shop, the same flow can take days — not because Microsoft is bad, but because Microsoft environments enforce governance, identity, and permission rules that Google environments often skip.

If your IT team runs on Microsoft 365, Azure AD, Exchange Online, and Defender, you already know: nothing connects to Outlook calendars without a real conversation about permissions. This article is that conversation, pre-written for you.

The identity model you need to understand

Microsoft 365 calendars live inside Exchange Online mailboxes, which are governed by Azure AD identities. There are three ways an AI agent can read/write a mailbox:

  • **User-delegated permission (OAuth).** The user grants BookFlow AI consent for their specific mailbox. Works for individual AEs. Needs admin approval in most tenants.
  • **Application permission (service account).** An Azure AD-registered app has tenant-wide permission. Works for pooled calendars and shared mailboxes. Needs Global Admin approval and a documented data flow.
  • **Shared mailbox delegation.** The AI connects to a single shared mailbox that multiple AEs delegate access to. Works for team queues.

Pick one before you schedule a call with IT. The questions below determine which fits.

Before you talk to IT

Write down answers to these. Without them, IT will not approve the integration.

  1. What Azure AD permissions does the AI app need? (Scopes: `Calendars.ReadWrite`, `User.Read`, optionally `Mail.Send`.)
  2. Which users will the app touch? (Specific AEs, all users, a security group?)
  3. Where does transcript/metadata data land? (BookFlow stores it in Supabase, US-hosted, encrypted at rest.)
  4. What is the retention policy? (BookFlow default: transcripts retained for the account lifetime; deletable on request.)
  5. Is there a signed Data Processing Addendum available? (Yes — contact us for the current version.)
  6. Can the app be revoked at any time? (Yes — Azure AD admin can revoke consent with one click.)

Setting up the Azure AD app registration

Your IT admin will need to create an app registration in Azure Active Directory. Here is the minimal config:

  • **Name:** BookFlow AI — Calendar Integration
  • **Supported account types:** Single tenant
  • **Redirect URI:** The BookFlow OAuth callback (provided during onboarding)
  • **API permissions (delegated):** `offline_access`, `User.Read`, `Calendars.ReadWrite`
  • **API permissions (application, if using service account):** `Calendars.ReadWrite` with admin consent granted
  • **Certificates & secrets:** Client secret with 12-month rotation

Once the app is registered, the tenant ID and client ID go into BookFlow’s calendar settings. No code required.

Shared mailboxes and resource calendars

Many US enterprises use shared mailboxes for sales queues (`demos@company.com`, `sdr@company.com`). BookFlow AI supports booking directly onto a shared mailbox, which solves a few problems:

  • No single AE owns the calendar, so no one feels surveilled.
  • New AEs get immediate access via delegation, no app re-consent needed.
  • Time-off and vacation do not break routing.

Resource calendars (conference rooms, equipment, facilities) work the same way. If your demo requires a specific room, BookFlow can check the room’s free/busy alongside the AE’s personal calendar.

Governance without slowing revenue

IT wants audit logs, access reviews, and incident response plans. Revenue wants speed and coverage. The way to satisfy both:

  • **Log every calendar write.** BookFlow logs every event creation, update, and deletion with timestamp, user, lead email, and call ID.
  • **Run quarterly access reviews.** Azure AD has built-in access review workflows — schedule one per quarter.
  • **Document the data map.** What data flows from BookFlow to your tenant, what flows back, where each piece is stored. A one-page diagram satisfies most US enterprise security reviews.
  • **Enable Conditional Access.** Require MFA for admin operations on the BookFlow app in your tenant.
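
A check an admin could run during the quarterly access review: it compares the app's delegated consent grants against the minimal scope list from the app registration section and flags extra scopes and tenant-wide consent. This is an added example, not BookFlow's code; the grant records are constructed in the shape of Microsoft Graph `oauth2PermissionGrant` objects, and every ID is a placeholder.

```python
# Added example: audit delegated consent grants against the article's scope list.
REQUIRED = {"offline_access", "User.Read", "Calendars.ReadWrite"}
OPTIONAL = {"Mail.Send"}  # only when email notification features are enabled

CLIENT_ID = "sp-bookflow-placeholder"  # assumed service principal object ID

# Constructed sample shaped like Microsoft Graph oauth2PermissionGrant objects.
SAMPLE_GRANTS = [
    {"id": "grant-1", "clientId": CLIENT_ID, "consentType": "Principal",
     "principalId": "user-ae-1",
     "scope": " offline_access User.Read Calendars.ReadWrite"},
    {"id": "grant-2", "clientId": CLIENT_ID, "consentType": "Principal",
     "principalId": "user-ae-2",
     "scope": "User.Read Calendars.ReadWrite Mail.Send Mail.ReadWrite"},
    {"id": "grant-3", "clientId": CLIENT_ID, "consentType": "AllPrincipals",
     "principalId": None,
     "scope": "offline_access User.Read Calendars.ReadWrite"},
    {"id": "grant-4", "clientId": "sp-other-app", "consentType": "AllPrincipals",
     "principalId": None, "scope": "Directory.ReadWrite.All"},
]


def audit_grants(grants, client_id, allow_optional=False):
    """Return (kind, grant_id, detail) findings for one app's delegated grants."""
    allowed = REQUIRED | (OPTIONAL if allow_optional else set())
    findings = []
    for grant in grants:
        if grant["clientId"] != client_id:
            continue  # grant belongs to a different application
        scopes = set((grant.get("scope") or "").split())
        excess = sorted(scopes - allowed)
        if excess:
            # Scope was consented that the documented data flow does not cover.
            findings.append(("excess-scope", grant["id"], excess))
        if grant.get("consentType") == "AllPrincipals":
            # Admin consented for every user, not a named set of AEs.
            findings.append(("tenant-wide-consent", grant["id"], sorted(scopes)))
    return findings


if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS, CLIENT_ID):
        print(finding)
```

A tenant-wide finding is a prompt to confirm the answer to "Which users will the app touch?", not necessarily a misconfiguration.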

Compliance considerations for US enterprises

US enterprises, especially in regulated industries (healthcare, finance, legal), have additional concerns:

  • **HIPAA.** If your AI handles PHI (it usually should not), you need a BAA. BookFlow’s default flow does not store PHI; customer data is limited to name, email, phone, and call transcript.
  • **FINRA/SEC.** Recordings of customer conversations must be retained per broker-dealer rules. Export transcripts to your WORM-compliant archive.
  • **SOC 2.** BookFlow AI and its underlying infrastructure align with SOC 2 Type II controls.
  • **Data residency.** BookFlow operates from US data centers. If you need EU residency, contact us.

How BookFlow handles Microsoft 365 specifically

BookFlow AI uses the Microsoft Graph API with OAuth 2.0 consent. The integration supports:

  • Personal mailboxes, shared mailboxes, and resource calendars
  • Live Free/Busy queries for double-book prevention
  • Working hours from Outlook settings
  • Recurring events and tentative-event detection
  • Timezone-aware event creation with Windows and IANA timezone identifiers

If you are a Microsoft shop evaluating BookFlow, talk to us about your Azure AD requirements and we will walk through app registration with your IT team.

Frequently asked questions

Does BookFlow AI support Microsoft 365 and Outlook calendars?

Yes. BookFlow integrates with Microsoft 365 via the Microsoft Graph API using OAuth 2.0. It supports personal mailboxes, shared mailboxes, resource calendars, live Free/Busy queries, working-hours enforcement, and timezone-aware event creation. IT admins create an Azure AD app registration during setup and grant delegated or application permissions.

What Azure AD permissions does BookFlow AI need?

At minimum: `offline_access`, `User.Read`, and `Calendars.ReadWrite` for delegated access. If you are connecting shared mailboxes or resource calendars at the tenant level, BookFlow also needs `Calendars.ReadWrite` as an application permission with Global Admin consent. No access to mail content is required unless you opt into email notification features.

Can I connect shared mailboxes for a sales team to BookFlow?

Yes. BookFlow supports booking onto shared Exchange mailboxes such as `demos@company.com` or `sales@company.com`. This lets multiple AEs share a queue without each one granting individual consent. Delegation is managed through standard Microsoft 365 permissions — new reps get access automatically when added to the shared mailbox.

Is BookFlow AI HIPAA compliant for healthcare teams?

BookFlow is designed not to store PHI in its standard flow — the data captured is limited to name, email, phone, and call transcript. If your use case requires handling PHI, contact our team to discuss a Business Associate Agreement (BAA) and deployment options. BookFlow and its underlying infrastructure support SOC 2 Type II aligned controls.

Can IT admins revoke BookFlow access instantly?

Yes. Because BookFlow connects via a standard Azure AD app registration, your Global Admin can revoke consent with one click in the Enterprise Applications panel. Access stops immediately and no further calendar reads or writes occur. Every action is logged in Azure AD audit logs and in BookFlow’s own activity log.
