This connector stores no user data.
- Microsoft tokens are issued to and held by Claude (the client) and presented per request.
The connector validates each token against Microsoft Graph and proxies the call.
- No tokens, mailbox content, calendar data, or user identifiers are written to disk.
- Rate limiting is in-memory and ephemeral; it resets on restart and logs no personal data.
- This onboarding wizard keeps no session or database; the consent step uses a short-lived,
HMAC-signed token for CSRF protection only.
Access is limited to the delegated mail and calendar permissions listed on the
home page, and can be revoked at any time in the Microsoft Entra admin center
(Enterprise applications → this app → Permissions / Delete).