Cronofy provides access to calendars by connecting directly to the services that host people's calendars. We support Google, Exchange, Outlook.com, iCloud and Office 365.
When an end user selects Office 365 as their calendar service, Cronofy connects to it by redirecting the user to Microsoft's Office 365 site where they are prompted to log into their account and grant calendar access to Cronofy.
End users are prompted to grant calendar access to Cronofy on a screen similar to this:
Cronofy is managing the connection to Office 365 so this screen refers to Cronofy only.
The permissions requested, reading profile and access to mailboxes, are the minimum permissions Cronofy requires in order to provide the calendar sync service. Calendar data is stored in a user's mailbox and thus we need access to the mailbox.
Whilst this provides access to emails and contacts, Cronofy does not access that data. Nor does Cronofy make it possible for the application being authorized to access that data.
Part of the value we provide our customers is to protect them from having to deal will overly permissive models like this. We've built and operate the secure infrastructure required to ensure that applications only have access to the data and functionality they need in order to deliver their service.
Once the end user clicks Accept on the Office 365 site, they are redirected back to the authorizing application which now has the access they need to their Office 365 calendars.