Q&A: Riva Insight Web Add-In for Outlook - Security and Performance

Audience: Microsoft 365 administrators, who are deploying the Riva Insight Web add-in.
 

Table of Contents:

• How does the Riva Insight Web Add-in for Outlook communicate with Microsoft 365?
• How does the Riva Insight Web Add-in for Outlook interact with user emails?
• How are user email & calendar data protected at rest, in flight, and during integration with Outlook?
• What are the tokens used by the Riva Insight Web Add-in for Outlook? How are these tokens used, and where are they stored?
• How does the Riva Insight Web Add-in for Outlook handle session states?
• Can failed user logins to the Riva Insight Web Add-in for Outlook cause lockouts in Microsoft Entra ID (formerly known as Azure Active Directory)?
• Does the Riva Outlook Web Add-in adversely affect Outlook performance?

How does the Riva Insight Web Add-in for Outlook communicate with Microsoft 365?

The Outlook web-add in framework provides the plugin with basic information about the current items in the user’s mailbox; where needed, the Graph API is used to read and write extended properties for the item.
 

 How does the Riva Insight Web Add-in for Outlook interact with user emails?

The add-in, when active, will read data on the currently active email in the user’s view, and pull additional contextual information from the CRM that is relevant to the item.

The add-in gives the user the ability to select an email or appointment to sync to the CRM system, and to relate the email or appointment to related CRM entities, like Accounts or Contacts.

During this process, the add-in writes extended properties to the email item. These extended properties are not visible to the end user.
 

How are user email & calendar data protected at rest, in flight, and during integration with Outlook?

All data in flight occurs over secure TLS 1.2 channels. No authentication data is stored at rest.

Temporary access tokens are never stored on the client side. Server-side caches may store tokens in temporary session caches. Data at rest for these stores is always encrypted.
 

What are the tokens used by the Riva Insight Web Add-in for Outlook? How are these tokens used, and where are they stored?

The add-in uses the temporary access token provided to all Outlook web-add ins. This token is never stored or persisted.

It is used as an id token to validate the logged in user, and also to exchange for a different token to access the Graph API. The Graph token is also not stored or persisted.
 

How does the Riva Insight Web Add-in for Outlook handle session states?

Upon login, a secure session is established on the server side of the add-in. The session has a default expiry time of 10 days, which can be configured to a different value.

There are a number of different user authentication mechanisms supported. We recommend the Login with Salesforce flow.
 

Can failed user logins to the Riva Insight Web Add-in for Outlook cause lockouts in Microsoft Entra ID (formerly known as Azure Active Directory)?

The authentication to Azure uses the Outlook Add-in Single Sign-On process. Outlook provides the add-in with a token to use for authentication.

The add-in does not submit any user credentials to Azure; therefore, failed user logins cannot cause the user account to be locked out of Entra ID (Azure AD).
 

Does the Riva Outlook Web Add-in adversely affect Outlook performance?

Outlook Web Add-ins differ from the traditional (legacy) COM-based Windows add-ins. Unlike COM add-ins, Web Add-ins don’t involve code that runs on the desktop or the Outlook client. Nor does it require any additional software to be installed on the client desktop.

For Microsoft 365 Add-ins, Microsoft 365 reads a manifest file which loads the add-in's JavaScript and HTML code from the Riva Insight server, which executes in the context of a browser or WebView control in a sandbox. 

This isolates the add-in code from the Outlook client, therefore it does not adversely affect the performance of Outlook.