The portal stores tenant ID and consent state needed to operate the admin experience. Microsoft tokens are kept only in the active server-side PHP session and are not stored persistently in MySQL. Source configuration is not stored in the portal database; it is written directly to Entra ID security group descriptions in your tenant.
Consent events are logged with tenant ID, status, and datetime only. Status values include attempt, granted, denied, advanced_attempt, advanced_granted, advanced_denied, and advanced_revoked.
Consent logging does not store the consenting user's name, email, UPN, tenant name, or tenant domain. Contact data is never stored by this portal.
Application errors are written to a local server log for troubleshooting. Logs should be retained only as long as operationally necessary.
Advanced app-only contact folder lookup is optional. If granted, the separate advanced app can use Microsoft Graph application permission Contacts.Read to list contact folders in mailboxes allowed by tenant policy. The portal does not store contact data.