We've been using the new workflow credentials feature as we migrate our recipe sentences to the new workflow infrastructure.
In our existing recipe sentences, we control all the logic around the OAuth dance and securing the user tokens. We have [self-service mechanisms to revoke and delete the stored token](https://monday-help.dsapps.dev/microsoft-365-office-embedded/revoking-access-to-microsoft-365) for a single user, and for the account admin to delete all stored tokens for the account, for example in the event of a data breach.
When using workflow credentials, monday.com abstracts away all this logic – you just add some configurations, and it works invisibly.
With this in mind, I have some questions regarding security:
## Revoking access
- What is the mechanism for a single user to revoke their user token?
- What is the mechanism for an admin user to revoke all the user tokens for the account?
- If these are not available, when will they be added?
- If these are available, please link to the documentation so that I can update [our own documentation](https://monday-help.dsapps.dev/microsoft-365-office-embedded/workflow-credentials#Workflowcredentials-HowtorevokeaccesstoMicrosoft365).
## Configurable OAuth scopes
We'd like the ability to configure the scopes used in the OAuth dance per account.
The example being that normally we use the `Sites.ReadWrite.All` scope for auth with Microsoft 365, but for enhanced security, some accounts want to use the `Sites.Selected` scope instead, where they have to configure the exact access in their Microsoft 365 tenant.
The former is easy as it just works, but the latter requires domain knowledge of your Microsoft 365 configuration to restrict access down to a selected list of sites.
For our own OAuth dance (used in recipe sentences) we can simply add this as an optional configuration in our app's admin settings. If the account requires the enhanced security version, they configure it there before moving on.
With workflow credentials, there is no way I know of for the scopes to be changed or overridden on a per-account basis.
Is this something that can be added based on a switch we add in the admin settings?