Designed to be auditable by your IT team.
We built Effortless Signature Manager with IT administrators in mind. Here's exactly how it works and what we access.
Your email never leaves Microsoft's infrastructure.
Signatures are applied by Exchange Online transport rules — not by routing mail through our servers. This is the key architectural decision that sets us apart.
No email content stored
We never receive, process, or store the content of your emails. Message bodies and attachments are not accessible to us at any point.
App-only authentication
We use client credentials (app-only) authentication via a registered Azure App. No user accounts. No delegated access. One-time admin consent during onboarding.
Minimum permissions
We request only the scopes we actually need — read access to Entra ID users and groups, and the ability to manage Exchange Online transport rules. Nothing else.
You stay in control
Access can be revoked at any time from your Azure portal. Cancelling your subscription removes our transport rules from Exchange Online immediately.
Encrypted in transit and at rest
All communication between our service and Microsoft APIs uses TLS. Configuration data — signature templates, rules, and Entra ID mappings — is encrypted at rest.
Audit log
Every configuration change made through the console is recorded in an admin audit log, so you always know what changed, when, and who made the change.
Exactly what we access
We believe IT administrators should be able to verify exactly what permissions an application requires before granting access. Here is the complete list of Microsoft Graph API scopes we request and why:
User.Read.All
Read user profiles from Entra ID to populate dynamic signature fields — name, title, phone number, department, and other attributes you choose to include in templates.
Group.Read.All
Read Entra ID group membership so you can target signature rules by department, team, or any security group — without having to manage user lists manually.
TransportRules (Exchange Online PowerShell)
Create, update, and delete Exchange Online transport rules that apply your signature templates to outbound email. This is the mechanism that applies signatures server-side without routing messages through our infrastructure.
We do not request access to mailbox content, calendar data, files, Teams messages, or any other Microsoft 365 workload. The full list of requested permissions is shown during the admin consent screen before access is granted.
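One way an administrator could run the verification described above, as an added example (not the vendor's code): it compares the application permissions granted to a service principal with the two Microsoft Graph scopes listed on this page. The input shapes follow Graph `appRoleAssignment` objects and a resource service principal's `appRoles` list; all ids, the sample grants and the Exchange role name are constructed, and non-Graph grants go to manual review because the page does not give the Exchange app-role name.

```python
# Added example; every id and the Exchange role name below are constructed.
DOCUMENTED_GRAPH_SCOPES = {"User.Read.All", "Group.Read.All"}  # from this page
GRAPH = "Microsoft Graph"


def audit_app_roles(assignments, resource_app_roles):
    """Sort granted application permissions into documented/unexpected/review.

    assignments: dicts shaped like Graph appRoleAssignment objects
        (resourceId, resourceDisplayName, appRoleId).
    resource_app_roles: {resourceId: [{"id": ..., "value": ...}]}, i.e. the
        appRoles list of each resource service principal.
    """
    report = {"documented": [], "unexpected": [], "review": []}
    seen = set()
    for a in assignments:
        roles = {r["id"]: r["value"] for r in resource_app_roles.get(a["resourceId"], [])}
        value = roles.get(a["appRoleId"])
        label = f'{a["resourceDisplayName"]}/{value or a["appRoleId"]}'
        if value is None or a["resourceDisplayName"] != GRAPH:
            # Unresolved role id, or a non-Graph grant such as Exchange Online:
            # the page gives no role name to match, so a human checks it.
            report["review"].append(label)
        elif value in DOCUMENTED_GRAPH_SCOPES:
            report["documented"].append(label)
            seen.add(value)
        else:
            report["unexpected"].append(label)
    report["missing"] = sorted(DOCUMENTED_GRAPH_SCOPES - seen)
    return report


def sample_report():
    """Run the audit over a constructed tenant with one extra grant."""
    roles = {
        "graph-sp": [{"id": "r1", "value": "User.Read.All"},
                     {"id": "r2", "value": "Group.Read.All"},
                     {"id": "r3", "value": "Mail.Read"}],
        "exo-sp": [{"id": "x1", "value": "EXAMPLE.TransportRuleAdmin"}],
    }
    grants = [
        {"resourceId": "graph-sp", "resourceDisplayName": GRAPH, "appRoleId": "r1"},
        {"resourceId": "graph-sp", "resourceDisplayName": GRAPH, "appRoleId": "r2"},
        {"resourceId": "graph-sp", "resourceDisplayName": GRAPH, "appRoleId": "r3"},
        {"resourceId": "exo-sp", "resourceDisplayName": "Office 365 Exchange Online",
         "appRoleId": "x1"},
    ]
    return audit_app_roles(grants, roles)
```

Anything in the `unexpected` bucket is a Graph permission beyond the documented list, and a non-empty `missing` list means the tenant's grant differs from what the page describes.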
Responsible disclosure
If you discover a security vulnerability in Effortless Signature Manager or this website, we ask that you disclose it to us responsibly before making it public.
Please send a description of the issue to security@effortlessapp.cloud. We will acknowledge your report within one business day and work to resolve confirmed issues as quickly as possible.