For Microsoft 365 administrators
Morrow admin approval pack
Information for customer IT teams
Application identity
- Application: Morrow by Amplifiable
- Publisher: Amplifiable Pty Ltd, ACN 695 187 136
- Microsoft application ID:
9ff4ec31-d95d-4aa1-9c9c-0e29e1158182 - Account type: multitenant Microsoft Entra application
- Access model: delegated access for the signed-in user, not application-wide mailbox access
Microsoft 365 connections
Morrow presents Microsoft services as separate connections:
- Outlook: email, calendar, contacts and scheduling.
- OneDrive: files, folders and sharing.
- SharePoint: sites, lists and document libraries.
- Microsoft Teams: chats, channels, meetings and collaboration.
Connecting one service does not connect the others. The approval request supplied by the Morrow user identifies the selected connections and lists the exact delegated permissions requested for them. Your organisation's Microsoft Entra consent policy controls who can approve the request.
How approval and connection work
- The user selects one or more Microsoft connections in Morrow.
- Morrow generates an IT request for the selected connections and permissions.
- An authorised Microsoft 365 administrator reviews the request in the customer's tenant.
- After approval, the user returns to Morrow and completes each selected connection with their own account.
- Microsoft consent sets the technical access available to the connection.
- All Morrow-supported capabilities for that connection are available by default. The user can restrict them in the connection's Review pane.
Token custody and isolation
Morrow uses Composio as its connection broker. Composio's current authentication documentation states that it stores and refreshes credentials against a stable per-user ID, manages the tokens, and does not pass credentials through the customer-facing application or the AI model. Amplifiable stores connection inventory, user consent and audit metadata, not raw Microsoft access or refresh tokens.
Security and data handling
Credential handling. Microsoft credentials do not pass through the Morrow interface or the AI model. Composio stores and refreshes the connected account credentials against the Morrow user's stable connection identity.
Encryption. Composio uses encryption for data in transit and at rest, access controls, security audits and monitoring.
Connection isolation. Connections are bound to a specific Morrow user and office. One user's connection is not used to run another user's Microsoft actions.
Retention and deletion. Personal and usage data is retained only as needed to provide the service or meet legal requirements. A user can disconnect the account in Morrow, and Microsoft administrators can revoke the application's consent in Entra.
Incident contact. Security questions or incident reports can be sent to privacy@amplifiable.com.au.
Administrator options
- Review and approve the delegated permissions under your organisation's Entra consent policy.
- Restrict assignment to the requesting user or an approved group where your tenant policy supports assignment.
- Deny the request and ask Amplifiable for narrower capability requirements.
- Revoke consent later in Microsoft Entra and ask Amplifiable to delete the brokered connection.
The Microsoft administrator approves the application's delegated access. The Morrow user manages what their Morrow may do with each connected service in one place: the connection's Review pane.
Evidence and contact
- Amplifiable Privacy Policy
- Amplifiable Platform Terms
- Composio authentication documentation
- Composio Privacy Policy
- Composio Trust Center
Security or approval questions: privacy@amplifiable.com.au