Body Content Visibility Requirements

Owned by Matthew Sywulak
Last updated: Dec 03, 2021
3 min read

Summary

Within the Observations view for a particular message INKY added the ability to view the body of email directly within the dashboard. As a mail protection provider, INKY takes its responsibility to protect customer data seriously (INKY Privacy Policy). Ensuring we keep with our privacy first approach we’ve implemented a few controls on who can access the body content and when.

If an email is not currently in the user's mail store, then INKY cannot retrieve the message via Microsoft’s Graph API, Google API, or through the “Report This Email” link.

Common scenarios where mail listed on the dashboard cannot be retrieved by INKY:

  • User already deleted the email

  • Message is in the User or Admin Quarantine

  • Logged in admin does not have appropriate level of access on their M365 or Google Workspace Tenant

API Access Requirements

You must enable the appropriate API access for Microsoft 365 or Google Workspace prior to the body content being available within the Observation view.

Microsoft 365

  1. INKY Remediation access must be enabled on the Microsoft Graph API Access settings page

Google Workspace

  1. INKY Domain and Directory and Remediation must be enabled on the Google API Access settings page

View Emails Reported to INKY using the Report This Email link

The first way an INKY admin may have the ability to view the body of a message is when an end user reports a message from their inbox using the “Report This Email” link found in the INKY banner. If the user has the “send raw message” selected when they submit the report, and the report is submitted within the time frame set for encrypted raw storage on the INKY Dashboard, then the following INKY Admins will be able to view the body of the message within the INKY Dashboard.

Allowed INKY Admin Roles:

  • Viewer

  • Analyst

  • Policy Admin

  • Super Admin

If the check box to “Always send raw message (if available) to Inky for analysis (i.e., do not allow end users to opt-out for specific messages)” is selected then all reports will be made visible to the above admins if they are made within the appropriate timeframe.

View all Body Content if logged in as M365 or Google Admin

There are few admin roles within Microsoft 365 or Google Workspace tenants which allow full read access to emails delivered. In following through with our privacy commitment INKY has passed those administrative roles through to the INKY Dashboard when an INKY admin attempts to view the body of a message.

If an admin of INKY is logged in using an account with one these privileges and are an appropriate level INKY admin then body content is available for all messages within the INKY Dashboard.

Allowed INKY Admin Roles:

  • Viewer

  • Analyst

  • Policy Admin

  • Super Admin

Microsoft 365 Roles Required for logged in admin: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference

  • Global Administrator: 62e90394-69f5-4237-9190-012177145e10

  • Exchange Administrator: 29232cdf-9323-42fd-ade2-1d097af3e4de

  • Security Administrator: 194ae4cb-b126-40b2-bd5b-6091b380977d

  • Security Operator: 5f2222b1-57c3-48ba-8ad5-d4759f1fde6f

  • Security Reader: 5d6b6bb7-de71-4623-b4af-96380a352509

  • Global Reader: f2ef992c-3afb-46b9-b7cf-a126ee74c451

  • Compliance Administrator: 17315797-102d-40b4-93e0-432062caca18

  • Compliance Data Administrator: e6d1a23a-da11-4be4-9570-befc86d067a7

OR

Google Workspace Role Required for logged in admin:

  • Super Admin

  • Delegated Admins with the following privileges

    • Security Investigation Tool