Zeit365 is not yet available. We are in active development.
Join the Waitlist

Consent is key

What we need from you and why

Permission Breakdown for Zeit365 Registration

Zeit365 is a professional time tracking and project management application that integrates seamlessly with your Microsoft 365 environment to help you track work time, manage projects, and bill customers effectively. Here's why each permission is essential for the app to function properly:

Core Identity & Authentication

  • - openid - Allows you to securely sign in with your Microsoft 365 account
  • - profile - Displays your name and basic profile information in the app interface
  • - offline_access - Keeps you logged in so you don't have to re-authenticate every time you use the app

User Management & Collaboration

  • - User.Read - Reads your basic user profile to personalize your experience
  • - User.ReadBasic.All - Displays colleague names and basic info when you collaborate on projects or assign time entries to team members

Team & Project Organization

  • - Group.Read.All - Critical for Zeit365's core functionality: The app uses Microsoft 365 Groups to organize your customers and projects. When you create a customer in Zeit365, you link it to a Microsoft 365 Group, which:
  • - Determines access control - Only members of the linked group can view that customer's time entries and project data
  • - Provides customer branding - The group's profile picture becomes the customer's logo in Zeit365
  • - Enables seamless collaboration - Your existing team structure in Microsoft 365 automatically applies to Zeit365
  • - GroupMember.Read.All - Identifies who has access to which customer projects based on group membership, ensuring proper access control and privacy

Document & Workspace Integration

  • - Sites.Read.All - Provides direct links to related SharePoint sites, Teams channels, and Microsoft 365 services for each customer group, so you can quickly access:
  • - Customer documents and files
  • - Team conversations and planning tools (Planner, OneNote)
  • - Shared calendars and resources

Why This Builds Trust

Minimal Data Access: Zeit365 only reads the information it needs - it cannot modify your Microsoft 365 data, delete files, or send emails on your behalf
Leverages Existing Structure: Instead of creating a separate user management system, Zeit365 uses your existing Microsoft 365 groups and permissions, reducing security risks
Transparent Purpose: Every permission directly supports Zeit365's core features of time tracking, project management, and customer billing
Enterprise-Grade Security: Zeit365 uses Microsoft's enterprise authentication system, which means your login credentials never leave Microsoft's secure environment
Granular Access Control: Your Microsoft 365 group memberships automatically determine what customer data you can see in Zeit365, maintaining your organization's existing privacy boundaries

Once you confirm, you'll be asked to Login to your microsoft Account. If you do we will create your Zeit365 App Instance and you will be redirected to your Admin Center!

How We Use Your Tenant's Data (Spoiler: We Don't)

Discover how Zeit365 uses Microsoft's on-user-behalf authorization to ensure your tenant's data stays right where it belongs — under your control.

# Developer's Journal

When you connect Zeit365 to your Microsoft 365 tenant, we don’t gain access to your organization’s raw data — and we built it that way on purpose. Zeit365 operates through on-user-behalf authorization, keeping your data where it belongs: inside your tenant, under your control.

Zeit365 never requests or obtains any write permissions — we can’t modify tenant data in any way, only read what’s necessary for your approved use cases.

If you read our last post — How Zeit365 Ensures Your Tenant’s Data Is Secure — you already know your data lives in its own dedicated, encrypted database.

(If you haven’t yet, grab a coffee ☕ and check it out — it’s the prequel to this one.)

This week, we’re diving into another part of our trust architecture: How Zeit365 interacts with your tenant without ever taking control of it.

1. Working On Your Behalf, Not Over Your Boundaries

When you sign in to Zeit365 with your Microsoft 365 account, the app doesn’t get a “master key.” It receives a delegated permission token — a hall pass 🎟️ that lets it act only as you, within the limits your tenant administrator has approved.

This model, known as on-user-behalf authorization, means:

  • Zeit365 acts as you, never as a system-level admin.
  • Permissions come solely from your Microsoft Entra policies.
  • Access naturally expires once your session ends — And when the hall pass expires, we’re politely kicked out — by design. 👋

Everything Zeit365 does happens within your tenant’s established permissions — never outside of them. And if your administrators remove the delegated (read) permissions from the app registration, Zeit365 immediately loses all access to your tenant data — giving admins full control to stop access at any time, from one place.

2. Built for Zero Overreach

Zeit365 cannot access or explore tenant data beyond what your organization explicitly consents to.

Here’s why:

  • Scoped Access Only Zeit365 requests the minimal Graph permissions needed for your workflow — nothing hidden or excessive.

  • Short-Lived Sessions Tokens automatically expire. There are no background jobs lingering with access.

  • Transparent Audit Trail Every delegated action is logged in Microsoft Graph and traceable by your IT admins.

  • No Raw Data Storage Zeit365 only stores what you create inside the app — projects, customers, and time entries. It never copies or caches tenant content like emails, files, or messages.

3. For the Technically Curious

For the devs, sysadmins, and “show me the RFC” folks: Zeit365 uses the OAuth 2.0 On-Behalf-Of (OBO) flow within the Microsoft Identity Platform.

The OAuth 2.0 On-Behalf-Of Flow: A Technical Deep Dive

The OBO flow allows a service (Zeit365) to obtain a token to call another service (Microsoft Graph) on behalf of a user, without the user’s credentials ever leaving their control.

Technical Components Explained

Step 1–4: User Authentication & Consent

  • User initiates login via Zeit365
  • Microsoft Entra redirects to consent screen
  • User authenticates and grants delegated permissions (not application permissions)
  • Microsoft returns an authorization code (single-use, short-lived)

Step 5–6: Initial Token Exchange

  • Zeit365 exchanges the authorization code for an Access Token (AT)
  • This AT contains:
    • User identity (UPN, Object ID)
    • Scoped permissions (User.Read, Calendars.Read, etc.)
    • Expiration time (typically 1 hour)
    • Audience (api://zeit365.app or similar)
  • AT is tied to the user’s session, not a service account

Step 7–8: On-Behalf-Of Token Exchange

  • Zeit365 backend sends the AT + client assertion (client credentials) to Microsoft
  • Microsoft validates:
    • AT is valid and not expired
    • Assertion proves Zeit365’s identity
    • User’s consent is still active
  • Microsoft issues an OBO token with:
    • Same scopes as the original AT
    • Same user context
    • New expiration (typically 1 hour from issuance)
    • Different audience (https://graph.microsoft.com)

Step 9–10: Graph API Calls

  • Zeit365 uses the OBO token to call Microsoft Graph
  • Graph validates:
    • Token signature and expiration
    • Required permissions (scopes)
    • User’s access rights within their tenant
  • Graph returns only data the user has permission to access

Key Technical Properties

Token Lifecycle:

  • Access Token (AT): ~1 hour lifetime, tied to user session
  • OBO Token: ~1 hour lifetime, automatically refreshed using refresh token when needed
  • Refresh Token: Long-lived (90 days), used to obtain new access tokens without re-authentication

Scope Enforcement:

  • Permissions are additive — Zeit365 can only request scopes explicitly consented to
  • Graph API validates every request against the token’s scopes
  • No privilege escalation — OBO token cannot exceed original AT permissions

Security Guarantees:

  • No credential storage: User passwords never leave Microsoft’s control
  • No tenant-wide access: Tokens are user-scoped, not tenant-scoped
  • Revocability: Admins can revoke all tokens for an app instantly via Entra portal
  • Audit trail: All token usage is logged in Microsoft’s audit logs

Example Token Payload (simplified):

{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/{tenant-id}/",
  "appid": "{zeit365-app-id}",
  "oid": "{user-object-id}",
  "scp": "User.Read Calendars.Read",
  "exp": 1735689600,
  "sub": "{user-object-id}"
}

Why This Architecture Matters

  • RFC 8693 Compliance: OBO flow follows the OAuth 2.0 Token Exchange standard
  • Zero Trust Model: Every request is validated independently
  • Principle of Least Privilege: Only requested scopes are granted
  • Transparency: All permissions are visible in Azure portal
  • Revocation Capability: Tokens can be invalidated instantly by admins

No tenant-wide API keys. No invisible service accounts. Just standard, transparent OAuth — exactly as Microsoft intended it, and exactly as your security team can verify.

4. Transparency by Design

Zeit365 was built to operate inside Microsoft 365’s trust model, not outside of it. Your administrators can view or revoke Zeit365’s permissions at any time through your tenant portal. Once access is revoked, all delegated authorization stops immediately.

That level of control isn’t an add-on — it’s a fundamental part of how Zeit365 was designed to earn and maintain your trust.

Trust isn’t assumed — it’s verifiable.

5. Building Trust Through Boundaries

At Zeit365, respecting those boundaries isn’t just security hygiene — it’s how we define trust. Your tenant remains your environment; your data remains your property. Zeit365 simply works within those boundaries to track time and organize work, safely and transparently.

If you enjoy reading about secure design and data protection, don’t miss our previous blog post: 👉 How Zeit365 Ensures Your Tenant’s Data Is Secure — this one builds directly on top of it.

TL;DR

  • Zeit365 acts on your behalf, never as an admin.
  • All tokens are short-lived and permission-scoped.
  • Zeit365 does not access, copy, or store tenant content.
  • Every action is auditable and visible to your admins.
  • You maintain full control and revocability at all times.

Your tenant stays your fortress. We just help you track your team’s time inside it — simply, securely, and transparently. 🕒

Explore More

Curious to see how delegated authorization and tenant-level isolation work together inside Zeit365? Join our Alpha Program and be among the first to experience secure, tenant-aligned time tracking built for Microsoft 365 users.

👉 Join the Waitlist for Early Access →

Until next time — keep your tokens short, your scopes tight, and your data exactly where it belongs.

Adrian Buckel

Adrian Buckel 🚀 Designing Zeit365

UI/UX Designer at Zeit365. I craft intuitive, accessible interfaces and design systems for our Microsoft 365–native apps. Happy to chat about UX strategy, prototyping, and micro‑interactions. 👋🏻

Send me a message ✌🏻