MSP Sales Process CRM  · Own the Climb

Section 13 · The Technical Appendix

13Integration Setup for IT


This section is written for the customer's IT administrator. It lists exactly what your team authorizes in your Microsoft 365 (or Google) tenant, what those permissions are used for, and what Fox & Crow handles on its side. Share this page with whoever manages your identity provider.

Who does what

Fox & Crow hosts the application, registers and holds the OAuth application credentials, provisions phone numbers, and operates the coaching engine and lead-data services. Your IT team authorizes the application in your tenant so it can act on your reps' behalf. Your reps each grant that consent for their own mailbox and calendar. Nothing below asks you to run or host any software.

Sign-in (SSO)

Users sign in with their existing Microsoft 365 accounts using standard OpenID Connect — the same protocol behind "Sign in with Microsoft" everywhere. The base sign-in requests only basic profile scopes: openid, email, profile, offline_access, and User.Read. No mailbox or calendar access is requested at sign-in.

Microsoft 365 — delegated Graph permissions

To send email and manage calendar invites as the rep, the application requests these delegated Microsoft Graph permissions — and only when a rep clicks "Connect Microsoft 365," never at plain sign-in:

Delegated Graph permissions requested at Connect
PermissionUsed for
Mail.SendSending email from the rep's own mailbox.
Mail.ReadWriteSyncing and filing the rep's mail against accounts; archiving.
Calendars.ReadWriteCreating and updating appointments on the rep's calendar.
OnlineMeetings.ReadWriteGenerating Teams meeting links for appointments.

These are delegated permissions — the app can only ever act as the signed-in rep, on their own mailbox and calendar. There are no application-level or tenant-wide mailbox permissions. Depending on your tenant's consent settings, an administrator may need to grant admin consent once so reps can connect without an individual approval prompt.

What to expect

If your tenant requires admin consent for new applications, the first rep to click "Connect" will be blocked until an administrator approves the application. Granting admin consent once clears it for everyone. Fox & Crow will provide the application's identifier (client ID) and the exact redirect URL for your records.

Optional: a separate cold-outbound mailbox

Teams that run high-volume prospecting often send from a separate "cold-outbound" mailbox on a different domain, to protect the reputation of the primary domain your clients know. That mailbox is connected through a separate, mail-only application that requests just Mail.Send and Mail.ReadWrite — no calendar or meeting access, and it is never used to sign in. This is optional and only relevant if your team adopts a cold-outbound domain.

Google Workspace (alternative to Microsoft)

If your organization uses Google instead, sign-in uses openid email profile, and connecting requests https://www.googleapis.com/auth/calendar.events (calendar and Google Meet), gmail.modify, and gmail.send. The model is identical: delegated, per-user, acting only as the rep.

Zoom (optional)

If your team books Zoom meetings, each rep can connect a Zoom account; the app requests only the meeting:write:meeting scope to create meetings. Optional and per-user.

What Fox & Crow configures (no action from you)

  • Telephony — phone numbers and the calling platform are provisioned and billed by Fox & Crow. No carrier setup on your side.
  • Email tracking, delivery webhooks, and unsubscribe handling — hosted and operated by Fox & Crow on dedicated infrastructure.
  • Lead-data services and the coaching engine — external services Fox & Crow runs; see Section 14 for what data is involved.

A short checklist for IT

  • Confirm users can sign in with Microsoft 365 (OIDC).
  • Grant admin consent to the application if your tenant requires it.
  • Confirm reps can complete "Connect Microsoft 365" and see the three green capability checks.
  • (Optional) Prepare a cold-outbound mailbox/domain if the team wants one.

The bottom line

Delegated, per-user, least-privilege.

Your only real task is authorizing one application in your tenant. It acts solely as each rep, on their own mailbox and calendar, with the narrow set of permissions listed above — nothing more.