Integration options for Google Workspace and Microsoft 365

why does your team want to integrate with ashby? please note that the integrations outlined in this section are the platform integrations found in the integration marketplace ashby also supports authentication only integrations that enable users to log in to ashby without a platform integration being enabled (google sign in, microsoft sign in) ashby integrates with google workspace and microsoft 365 to provide features that enhance hiring speed and efficiency these integrations increase the risk profile of ashby as a vendor, but provide significant benefits to your talent team ashby requests access to the emails and calendars of your team members involved in the hiring process ashby will store a subset of this data in our database to allow us to provide a fast and reliable user experience our database is encrypted at rest, logically separated by customer, and behind a vpc all data transmitted between your it systems, ashby’s servers, and ashby’s clients are encrypted in transit for more information, please read our security overview ashby can only integrate with one platform integration at a time see docid 92txkuc2vvmorzxeptmkj for more details you can also click the links before to be taken to the platform integration you're planning to use for more information /#google workspace platform integration /#microsoft 365 platform integration benefits of access (with examples) this section explains the benefits ashby provides for the access we request without this access, the functionality described will not be available email sync when ashby can send email through your email provider (e g , gmail), your talent team and hiring managers can utilize the following functionality send emails using predefined templates in ashby this creates a consistent candidate experience, from standardizing rejection explanations to how offers are made send emails on behalf of another user for instance, this can be used to automatically email a candidate from the hiring manager or recruiter upon moving them to a certain stage when ashby can read emails through your email provider, your talent team and hiring managers can utilize the following functionality send sequences of emails to attract passive candidates the sequence is paused when the candidate replies; this requires reading the email of the sequence sender most talent teams make a significant percentage of hires from passive candidates display communication with a candidate on the candidate’s profile this allows a hiring team to coordinate communication (e g , not repeat things already shared with the candidate, make sure the hiring team reaches out to congratulate the candidate on their offer) and not have to transcribe notes from their email communication (e g , determine what links or information were already shared with the candidate) scheduling your talent team will need to schedule interviews in ashby to request and capture interviewer feedback when ashby can create calendar events, your talent team can schedule interviews in ashby without copying that information to your calendar provider (e g , google calendar) when ashby can read the calendars of interviewers and their calendar events, it allows your talent team to schedule with a more efficient interface manually and even automate scheduling with candidate booking links, candidates can pick an interview time convenient for them based on the availability of potential interviewers this saves your talent team the back and forth of requesting availability and cross referencing it with interviewers' calendars specific event titles can be considered free or soft conflicts with our scheduling keywords feature this saves your talent team of contacting the meeting owner to determine if a meeting can be booked over for instance, most organizations consider one on ones (e g , using the keywords “1 1” or “1 1”) to be easily rescheduleable and consequently a free or soft conflict or scheduling interviews in some cases, your team will need to schedule a candidate manually ashby provides a more efficient interface than calendar clients to cross reference multiple calendars, the candidate’s availability, and consider recruiting specific information like interviewer load google sign in and microsoft sign in ashby supports signing in with google and microsoft without having a platform integration enabled this integration simply verifies identity and is unrelated to the platform integrations found in ashby admin these integrations require access to user information to work single sign on and directory sync ashby supports integrating with many third party external identity providers (external idps) we use workos as middleware to facilitate this supported external idps include, but are not limited to okta entra id (saml in scim) google oauth onelogin see docid\ xjhagvxjeduakq cn6eue for more details google workspace platform integration this section details the google workspace integration that powers email and calendar sync functionality it does not include ashby’s google sign in or sso/scim integrations see google workspace for more details about setting up the email and scheduling integration what does it do? ashby integrates with google workspace to enable key features like displaying your conversations with candidates in the candidate profile feed and scheduling interviews directly in ashby the integration supports the following user sync google workspace users to automatically provision/de provision them as ashby users email • sync emails between candidates and users (based on inspecting to/from headers) • send emails and email sequences from within ashby scheduling • sync employee calendars • send event invites • sync meeting rooms none of these options are required, but all are recommended for the best user experience with ashby what access controls are in place? we understand that email and calendar data are very sensitive information, and we put access controls in place in ashby to only show data that is relevant to the hiring process we also apply a strict permission system within ashby where users are granted access to jobs and candidate records on a need to know basis (see “access control” below) our default user access is very limited, and can’t access any candidate or job data employees cannot access their candidate profile (their candidate profile must be linked to their employee profile in ashby to prevent this) and we support truly confidential jobs that only the creator and those they give access to can see email ashby syncs and displays email when relevant to the hiring process only emails from ashby users with an “elevated access” or “organization admin” role are synced since these roles are assigned to employees involved in the hiring process from these users, we only store emails sent from ashby or involving a candidate emails containing a to, cc, or bcc with the candidate’s email and subsequent emails marked by the email provider as being in the email thread emails sent from ashby and subsequent emails marked by the email provider as being in the email thread ashby provides additional controls within the application to mark emails as private and automatically mark emails during the offer stage as private viewing these emails requires an explicit access role in ashby hide emails when a candidate moves to offer and hired stages not sync emails related to a candidate after they are hired not sync emails related to a candidate considered for a confidential job calendars ashby syncs all accessible calendars and events on those calendars when visibility controls are enabled on calendars and calendar events, for instance, only showing a specific event as "free" or "busy" or marking an event as a private event, ashby respects such controls and does not display the event details during scheduling ashby supports shared calendars (e g , “interviews” calendar) personal calendars will still be used to determine interviewer availability during scheduling what are the options for integrating? we currently support domain wide delegation and individual user oauth we recommend using domain wide delegation, but also support using oauth for email and scheduling we also offer lower privilege alternatives to these integration options, which you can view below domain wide delegation using domain wide delegation, all users in your workspace will be added to ashby, and ashby will have the same permissions relative to all users (specifically, their emails and calendars) however, ashby does not sync email from limited access users, even if its permissions technically allow it to the permissions requested through domain wide delegation are permission requested google’s description required for feature sync users see info about users on your domain automatically adding users to ashby if turned off, ashby users will need to be added, removed, and modified (e g name updates) manually by ashby admins even if domain wide calendar/email sync is enabled, only users who have logged in to ashby at least once will be synced sync meetings rooms view calendar resources on your domain add meeting rooms to ashby scheduling if turned off, ashby users cannot see or view meeting room availability when scheduling read/write shared calendars see, edit, share, and permanently delete all the calendars you can access using google calendar view and edit events on all your calendars shared interview calendars in scheduling if turned off, ashby users cannot see calendars such as shared interview calendars or schedules on shared calendars read/write personal calendars see, edit, share, and permanently delete all the calendars you can access using google calendar view and edit events on all your calendars scheduling interviews through ashby if turned off, ashby users cannot see calendars of potential interviewers when scheduling nor schedule on personal calendars read email read all resources and their metadata—no write operations sequences (sourcing) and communications with candidates using a recruiter’s email address if turned off, ashby users cannot see email correspondence; emails and sequences can only be sent from no reply\@ashbyhq com this is still possible with oauth but to function properly needs all users corresponding with candidates to oauth as an alternative to disabling this, see limited email sync below send email send messages only no read or modify privileges on mailbox sequences (sourcing) and communications with candidates through ashby using a recruiter’s email address if turned off, sequences, offer letters, and one off email cannot be sent from user emails, only no reply\@ashbyhq com individual user oauth using oauth, each user can separately authorize ashby for a full list of scopes, provided below (in their personal settings) it is not possible for a given user to only allow some of the scopes (they can accept all or none) here is the full list of requested scopes https //www googleapis com/auth/userinfo profile https //www googleapis com/auth/userinfo email https //www googleapis com/auth/gmail send https //www googleapis com/auth/gmail readonly https //www googleapis com/auth/calendar https //www googleapis com/auth/calendar readonly https //www googleapis com/auth/calendar events any users without oauth will not have their candidate communication synced with ashby, cannot send emails from ashby, and cannot be automatically scheduled through ashby the permissions available with oauth are, for a recruiter or member of the hiring team that accepts those scopes permission requested google’s description required for feature read/write shared calendars see, edit, share, and permanently delete all the calendars you can access using google calendar view and edit events on all your calendars shared interview calendars in scheduling if turned off, ashby users cannot see calendars such as shared interview calendars nor schedule on shared calendars read/write personal calendars see, edit, share, and permanently delete all the calendars you can access using google calendar view and edit events on all your calendars scheduling interviews through ashby if turned off, ashby users cannot see calendars of potential interviewers when scheduling nor schedule on personal calendars (the interviewer has to also accept this in the case of individual oauth ) read email read all resources and their metadata—no write operations sequences (sourcing) and communications with candidates using a recruiter’s email address if turned off, ashby users cannot see email correspondence; emails and sequences can only be sent from no reply\@ashbyhq com to function properly, this needs all users corresponding with candidates to oauth as an alternative to disabling this, see limited email sync below send email send messages only no read or modify privileges on mailbox sequences (sourcing) and communications with candidates through ashby using a recruiter’s email address if turned off, sequences, offer letters, and one off email cannot be sent from user emails, only no reply\@ashbyhq com lower privilege alternatives for google workspace while we recommend the above integration methods for ashby customers—widely adopted even in sensitive industries like finance and health care—we understand that some security teams may have different risk assessments to address this, we offer alternatives with more restricted access, though these come with reduced functionality for your talent team limited email sync for google workspace for customers using domain delegation, we offer a "limited email sync" option this syncs only email metadata—such as recipient, sender, bcc, and subject line—while excluding the email body as a result ashby no longer requires the https //www googleapis com/auth/gmail readonly scope the scope https //www googleapis com/auth/gmail metadata can be used instead ashby cannot reference email content functionality impact email sequences will continue to work, as ashby can detect candidate replies however, the talent team will need to contact users directly to view the email body oauth a separate google workspace account for each hiring team member if you prefer not to provide access to internal employee accounts, you can create dedicated email accounts for hiring team members (e g , \[employee name]@\[secondary domain]) under a separate domain within your organization limitations team members must manage two inboxes their primary inbox and the separate hiring account internal calendar access is restricted, impacting ashby’s automated and manual scheduling features workaround (google workspace) calendars can be manually shared with these accounts for partial visibility, but ongoing maintenance is required as new accounts or calendars are added oauth a shared google workspace account alternatively, you can create a shared email/calendar account (e g , hiring@\[your domain]) for the talent team to use this account can be shared in ashby for sending emails and managing scheduling limitations candidate experience is compromised emails will not show the recruiter’s name communication cannot be visually separated by role (e g , recruiter vs hiring manager) restricting access to interviewer calendars prevents the use of automated and manual scheduling features in google workspace, calendars can be shared with the shared account to enable partial visibility microsoft 365 platform integration this section details the microsoft 365 integration that powers email and calendar sync functionality it does not include ashby’s microsoft sign in or sso/scim integrations see microsoft 365 for more details about setting up the email and scheduling integration what does it do? ashby integrates with microsoft 365 to enable key features like displaying your conversations with candidates in the candidate profile feed and scheduling interviews directly in ashby the integration supports the following user • sync microsoft users to automatically provision/de provision them as ashby users email • sync emails between candidates and users (based on inspecting to/from headers) • send emails and email sequences from within ashby scheduling • sync employee calendars • send event invites • sync meeting rooms if provisioning users via the default integration, all users in your microsoft account will be synced for large organizations we recommend skipping this and managing user sync using directory sync see docid\ xjhagvxjeduakq cn6eue for more information none of these options are required, but all are recommended for the best user experience with ashby details on microsoft 365 email access and metadata handling ashby’s microsoft 365 integration enables customers to sync user inboxes and calendar data for recruiting workflows such as candidate replies, sourcing sequences, and interview scheduling this section outlines what data ashby accesses, how it is processed, and what is stored when using the microsoft graph api with mail readwrite permissions summary of email processing when a user connects their microsoft 365 account in ashby, ashby registers change notifications (webhooks) for that user’s inbox and sent items folders when a new or updated message is detected, ashby fetches the message using microsoft graph evaluates a defined set of metadata fields determines whether the message is relevant to an active candidate or job application (e g , by matching the sender or recipient to a known candidate email address) if the message is relevant, ashby retrieves and stores the full email body if not, ashby discards the message and does not persist it metadata fields accessed ashby uses the microsoft graph api’s $select parameter to restrict the fields it accesses when evaluating a message these fields include bccrecipients ccrecipients conversationid conversationindex from id internetmessageheaders internetmessageid isdraft receiveddatetime replyto sender sentdatetime subject torecipients these fields are used exclusively to determine whether the email should be associated with an active candidate record data that is stored ashby only stores the full content of an email if it is determined to be related to a candidate or sourcing activity otherwise, the email is evaluated in memory and discarded this selective access pattern ensures that ashby only persists recruiting relevant communications while operating within the broader constraints of microsoft’s graph api (which does not offer more granular email scopes like google’s metadata) access scope ashby uses the mail readwrite permission scope as required by microsoft to access messages this permission enables reading, writing, updating, and deleting emails, however, ashby only uses it to read and associate relevant emails with candidate workflows and does not write or delete messages in user inboxes compliance notes ashby does not store or process non recruiting related emails ashby does not fetch the full email body unless the message is recruiting relevant this behavior applies across both standard microsoft 365 and gcc tenants what are the options for integrating? microsoft 365 can integrate with ashby in the following ways the full documentation on how the integration is set up is docid eaaljgrtew uoxtk8i7 custom azure application application wide authorization (recommended for most teams) oauth we also offer lower privilege alternatives to these integration options, which you can view below custom azure application with a custom application, your team can fully configure a custom application and integrate it with ashby this option is recommended for teams who want full control over the access granted to ashby from the outset see docid\ wlpeo48evoa15qd5ty q6 for more details application wide authorization permissions are all or nothing when authorizing the ashby integration with microsoft 365 however, you can revoke individual permissions afterward in azure, with the understanding that listed features in ashby will not function permission requested microsoft's description required for feature user read all "allows the app to read user profiles" automatically adding users to ashby if turned off, ashby users will need to be added, removed, and modified (e g name updates) manually by ashby admins even if domain wide calendar/email sync is enabled, only users who have logged in to ashby at least once will be synced group read all "allows the app to read group properties and memberships, and read conversations for all groups" shared interview calendars in scheduling if turned off, ashby users cannot see calendars such as shared interview calendars nor schedule on shared calendars mailboxsettings read "allows the app to read user's mailbox settings does not include permission to read \[or send] mail " employee timezone sync allows accurate timezone settings in scheduling mail send "allows the app to send mail" sequences (sourcing) and communications with candidates using a recruiter’s email address if turned off, ashby users cannot see email correspondence; emails and sequences can only be sent from no reply\@ashbyhq com to function properly, this needs all users corresponding with candidates to oauth as an alternative to disabling this, see limited email sync below mail readwrite "allows the app to create, read, update, and delete mail does not include permission to send mail " sequences (sourcing) and communications with candidates using a recruiter’s email address if turned off, ashby users cannot see email correspondence; emails and sequences can only be sent from no reply\@ashbyhq com to function properly, this needs all users corresponding with candidates to oauth as an alternative to disabling this, see limited email sync below calendars readwrite "allows the app to create, read, update, and delete calendar events " does not include events on group calendars scheduling interviews through ashby if turned off, ashby users cannot see calendars of potential interviewers when scheduling nor schedule on personal calendars (the interviewer has to also accept this in the case of individual oauth ) oauth when users individually authorize ashby for microsoft office 365, we ask for two extra permissions for meetings and shared calendar integrations like with google workspace oauth, users can grant access to all or none of those permissions, not to a subset permission requested microsoft's description required for feature user read all "allows the app to read user profiles" automatically adding users to ashby if turned off, ashby users will need to be added, removed, and modified (e g name updates) manually by ashby admins even if domain wide calendar/email sync is enabled, only users who have logged in to ashby at least once will be synced group read all "allows the app to read group properties and memberships, and read conversations for all groups" shared interview calendars in scheduling if turned off, ashby users cannot see calendars such as shared interview calendars nor schedule on shared calendars mailboxsettings read "allows the app to read user's mailbox settings does not include permission to read \[or send] mail " employee timezone sync allows accurate timezone settings in scheduling mail send "allows the app to send mail" sequences (sourcing) and communications with candidates using a recruiter’s email address if turned off, ashby users cannot see email correspondence; emails and sequences can only be sent from no reply\@ashbyhq com to function properly, this needs all users corresponding with candidates to oauth as an alternative to disabling this, see limited email sync below mail readwrite "allows the app to create, read, update, and delete mail does not include permission to send mail " sequences (sourcing) and communications with candidates using a recruiter’s email address if turned off, ashby users cannot see email correspondence; emails and sequences can only be sent from no reply\@ashbyhq com to function properly, this needs all users corresponding with candidates to oauth as an alternative to disabling this, see limited email sync below calendars readwrite "allows the app to create, read, update, and delete calendar events " does not include events on group calendars scheduling interviews through ashby if turned off, ashby users cannot see calendars of potential interviewers when scheduling nor schedule on personal calendars (the interviewer has to also accept this in the case of individual oauth ) group readwrite all "also allows the app to read and write calendar, conversations, files, and other group content for all groups the user can access " shared interview calendars in scheduling if turned off, ashby users cannot schedule on shared calendars onlinemeetings readwrite "allows the app to read and create online meetings on your behalf " microsoft teams video links in meeting invites in scheduling if using microsoft teams meeting with your microsoft 365 account and this is turned off, ashby won’t be able to automatically add meeting links to scheduled interviews lower privilege alternatives for microsoft 365 while we recommend the above integration methods for ashby customers—widely adopted even in sensitive industries like finance and health care—we understand that some security teams may have different risk assessments to address this, we offer alternatives with more restricted access, though these come with reduced functionality for your talent team oauth a separate google workspace or office 365 account for each hiring team member if you prefer not to provide access to internal employee accounts, you can create dedicated email accounts for hiring team members (e g , employee name\@secondary domain) under a separate domain within your organization limitations team members must manage two inboxes their primary inbox and the separate hiring account internal calendar access is restricted, impacting ashby’s automated and manual scheduling features workaround (google workspace) calendars can be manually shared with these accounts for partial visibility, but ongoing maintenance is required as new accounts or calendars are added oauth a shared google workspace or office 365 account alternatively, you can create a shared email/calendar account (e g , hiring@\[your domain]) for the talent team to use this account can be shared in ashby for sending emails and managing scheduling limitations candidate experience is compromised emails will not show the recruiter’s name communication cannot be visually separated by role (e g , recruiter vs hiring manager) restricting access to interviewer calendars prevents the use of automated and manual scheduling features in google workspace, calendars can be shared with the shared account to enable partial visibility