
Hetk + Microsoft 365

How Hetk integrates with Microsoft 365 and Outlook: the Graph API scopes Hetk requests, which fields sync, data residency, and admin questions. For IT admins reviewing per-user OAuth approval requests.

At a glance

| Hetk does | Hetk does not |
|---|---|
| Sync events between Microsoft 365 and Google, iCloud, or another M365 | Sync Teams meeting join links |
| Bi-directional or one-way | Sync attachments |
| Real-time push via Microsoft Graph subscriptions (≤10s typical) | Sync reminders / alarms |
| Honour Sensitivity (normal / personal / private / confidential) | Sync event categories or custom properties |
| Preserve all-day events, recurrence, attendees | Sync attendee RSVP / response status (read-only) |
| Free / busy via ShowAs (free, tentative, busy, oof, workingelsewhere) | Sync per-event color (calendar color is preserved) |
| Mark synced events as “Busy” with title and details stripped | Support sovereign clouds (GCC, GCC High, DoD, 21Vianet) |
| Sign DPAs on request | Install organisation-wide via Microsoft 365 admin centre |

How sync works with Microsoft 365

Hetk connects to Microsoft 365 through the Microsoft Graph API, the same interface Outlook itself uses. A user signs in once with their work or school account, picks which calendars to sync, and Hetk keeps them current from then on.

OAuth flow

  • Authorization Code Flow with PKCE.
  • Tenant endpoint: common (multi-tenant; per-user delegated consent).
  • Scope requested: Calendars.ReadWrite plus openid email profile offline_access.
  • No admin consent required. No tenant-wide install. No application (app-only) permissions are requested.
  • Refresh tokens stored encrypted at rest; access tokens are short-lived.

In plain terms: Calendars.ReadWrite lets Hetk read and write calendar events for the user who signed in, and nothing else on their account. The openid, email, and profile scopes identify the account; offline_access is what lets Hetk keep syncing after the user closes the browser.

What Hetk reads and writes

  • Reads: the user’s calendar list and event data within the configured sync window.
  • Writes: events into a target calendar that the user explicitly chose during sync setup. Hetk never writes to a calendar the user hasn’t selected as a sync target.
  • Does not access: mail, files, contacts, OneDrive, Teams chats, or any non-calendar Graph resource.

Webhooks and latency

  • Real-time delivery via Microsoft Graph change notifications (push subscriptions).
  • Subscription lifetime: Microsoft caps at 3 days; Hetk creates 2-day subscriptions and renews them automatically 1 day before expiry.
  • Validation: Hetk verifies a signed clientState token on every notification.
  • End-to-end propagation: typically under 10 seconds.
  • Fallback: if a delta link expires (Graph returns HTTP 410), Hetk performs a full re-sync of the affected calendar.
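
What checking a signed clientState on each notification can look like, as an added example (not Hetk's code). The HMAC scheme, the key and the `sync_id` label are assumptions; only the `value[].clientState` notification field and its 128-character limit come from Microsoft Graph.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

MAX_CLIENT_STATE = 128  # Graph limits clientState to 128 characters


def _tag(key: bytes, message: str) -> str:
    digest = hmac.new(key, message.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def make_client_state(key: bytes, sync_id: str) -> str:
    """Value sent as clientState when the subscription is created.
    sync_id is a hypothetical internal label and must not contain '.'."""
    message = f"{sync_id}.{secrets.token_urlsafe(12)}"
    state = f"{message}.{_tag(key, message)}"
    if len(state) > MAX_CLIENT_STATE:
        raise ValueError("clientState too long")
    return state


def verify_client_state(key: bytes, state) -> Optional[str]:
    """Return the sync_id the token was issued for, or None if it fails."""
    if not isinstance(state, str) or not state.isascii():
        return None
    if len(state) > MAX_CLIENT_STATE:
        return None
    message, sep, tag = state.rpartition(".")
    if not sep or "." not in message:
        return None
    # Constant-time comparison so the check does not leak how much matched.
    if not hmac.compare_digest(_tag(key, message).encode(), tag.encode()):
        return None
    return message.split(".", 1)[0]


def accepted(key: bytes, payload: dict) -> list:
    """Keep only notifications whose clientState verifies; drop the rest."""
    return [n for n in payload.get("value", [])
            if verify_client_state(key, n.get("clientState"))]


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; a real key is a server-side secret
    good = make_client_state(key, "sync-42")
    body = {"value": [{"clientState": good}, {"clientState": "forged"}, {}]}
    print(len(accepted(key, body)), "of", len(body["value"]), "accepted")
```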

Recipes

Each of these is a sync relationship between two connected calendars. You pick a source, a target, a direction, and the privacy settings; Hetk handles the rest.

Microsoft 365 + Google (Workspace or personal)

Connect your Microsoft 365 account and a Google account, then create a sync relationship between a calendar on each side. Both providers support real-time push, so a change on either side reaches the other within about ten seconds. This is the common setup for someone with a work calendar on one provider and a personal calendar on the other. Walkthroughs for both directions: sync Google with Outlook and sync Outlook with Google.

Two Microsoft 365 accounts (e.g. work + personal)

Connect both Microsoft 365 accounts and create a sync relationship between a calendar on each. A typical use is mirroring a consulting client’s M365 calendar into your own so every commitment shows in one place. Each account authenticates independently against the common endpoint — there is no tenant-to-tenant connection.

Microsoft 365 + Apple iCloud

Connect your Microsoft 365 account and your iCloud account, which connects with an app-specific password rather than OAuth (see /integrations/apple-icloud/). Changes you make in Microsoft 365 reach iCloud quickly, since Hetk writes them out as they happen. Changes that originate in iCloud are picked up on Hetk’s next poll, so that direction is best-effort minutes, not seconds.

For Microsoft 365 administrators

If one of your users has asked you to approve Hetk, this is what the request grants. Hetk uses delegated permissions consented to by that single user. It does not install into your tenant, and it cannot reach any calendar but the ones that user connects.

| Concern | How Hetk handles it |
|---|---|
| Permission model | Delegated permissions only. Per-user OAuth consent. No application / app-only permissions requested. |
| Tenant install | Not supported and not requested. Each user authenticates independently against the common endpoint. |
| Admin consent | Not required for the requested scopes under default Microsoft 365 settings. Admin consent flow is supported if your tenant requires it. |
| Conditional Access | Honoured at sign-in (Hetk uses standard Microsoft Identity Platform endpoints). Device compliance, MFA, named-location policies all apply. |
| Publisher Verification | Hetk is a Microsoft verified publisher. The consent prompt shows the verified-publisher badge for Hetk Technologies OÜ. |
| Token storage | Refresh tokens encrypted at rest in Azure SQL with TDE. Access tokens not persisted longer than necessary. |
| Data residency | Azure App Service and Azure SQL, North Europe region. See /security/ for full detail. |
| Sovereign clouds | Not supported. GCC, GCC High, DoD, and 21Vianet (China) are explicitly out of scope. |
| Domain-wide privacy policy | Supported via DNS TXT record at _hetk.<your-domain>. See /integrations/admin-policy/ for setup. |
| Revocation | Users revoke access via https://myapps.microsoft.com; admins can revoke from Entra Enterprise Applications. |
| Logs and audit | Standard Entra sign-in logs. Hetk does not push custom audit events into customer tenants. |
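
A reviewer can check the permission claims above against what the tenant actually records. The following is an added example, not part of Hetk's documentation or code: it compares oauth2PermissionGrant and appRoleAssignment objects exported from Microsoft Graph with the scopes listed on this page. The ids and sample grants are constructed, and the second grant is deliberately made to mismatch.

```python
# Delegated scopes the page says Hetk requests.
EXPECTED_SCOPES = {"Calendars.ReadWrite", "openid", "email", "profile", "offline_access"}


def review_grants(sp_id, delegated, app_roles, admin_consented=False):
    """Compare a tenant's grants for one service principal with the page's claims.

    delegated: oauth2PermissionGrant objects; app_roles: appRoleAssignment
    objects, both as dicts parsed from Microsoft Graph JSON.
    Returns a list of findings; an empty list means nothing unexpected.
    """
    findings = []
    for g in delegated:
        if g.get("clientId") != sp_id:
            continue  # grant belongs to a different application
        extra = set((g.get("scope") or "").split()) - EXPECTED_SCOPES
        if extra:
            findings.append(f"grant {g.get('id')}: unexpected scopes {sorted(extra)}")
        # AllPrincipals is expected only if the tenant used the admin consent flow.
        if g.get("consentType") == "AllPrincipals" and not admin_consented:
            findings.append(f"grant {g.get('id')}: tenant-wide consent not on record")
    for a in app_roles:
        # An appRoleAssignment whose principal is the app is an app-only permission.
        if a.get("principalId") == sp_id:
            findings.append(f"app-only permission assigned: appRoleId {a.get('appRoleId')}")
    return findings


# Constructed sample data; the ids are placeholders, not real directory objects.
SP = "00000000-0000-0000-0000-0000000000aa"
SAMPLE_DELEGATED = [
    {"id": "g1", "clientId": SP, "consentType": "Principal", "principalId": "user-1",
     "scope": " openid email profile offline_access Calendars.ReadWrite"},
    {"id": "g2", "clientId": SP, "consentType": "Principal", "principalId": "user-2",
     "scope": "Calendars.ReadWrite Mail.Read"},
]
SAMPLE_APP_ROLES = [{"principalId": SP, "appRoleId": "placeholder-role-id"}]

if __name__ == "__main__":
    for line in review_grants(SP, SAMPLE_DELEGATED, SAMPLE_APP_ROLES):
        print(line)
```

Pass `admin_consented=True` if your tenant granted Hetk through the admin consent flow, so a tenant-wide delegated grant is not reported.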

Privacy controls

Each direction of a sync has its own privacy setting. A user can send full event detail one way and stripped-down busy blocks the other, or mark everything private. Administrators can enforce private sync across a whole domain through a DNS record, described under domain-wide privacy policy.

“Mark as Private” mapping

When a sync relationship is configured to mark synced events as private, Hetk writes to the target as follows:

| Field | Source value | Target value (M365) |
|---|---|---|
| subject | “Q3 strategy review with Acme Corp” | “Busy” |
| body | (any) | (cleared) |
| location | (any) | (cleared) |
| attendees | (any) | (cleared) |
| sensitivity | normal / personal / private / confidential | private |
| showAs | (preserved unless overridden) | (preserved unless overridden) |

Source sensitivity preservation

Without “Mark as Private”, source Sensitivity is preserved 1:1 through sync (MicrosoftCalendarProvider.cs:1144):

  • normal → normal
  • personal → personal
  • private → private
  • confidential → confidential

Fields synced and not synced

Hetk syncs the parts of an event that say when it is and what it is about. It does not copy Microsoft-specific extras like reminders, categories, or Teams metadata.

Synced

  • Title (subject), description (body.content), location (location.displayName).
  • Start / end with timezone (start.dateTime, start.timeZone, end.dateTime, end.timeZone).
  • All-day flag (isAllDay).
  • Organizer email (organizer.emailAddress.address) — read; target shows the sync identity.
  • Attendee email list (attendees[].emailAddress.address) — RSVP responses read but not preserved.
  • Free / busy (showAs).
  • Sensitivity (sensitivity).
  • iCalUID (iCalUId).
  • Recurring events: series masters expanded server-side to individual instances within the sync window (typically 3 months back, 12 months forward).

Not synced

  • Reminders / alarms.
  • Attachments.
  • Conference data (Teams, Zoom, Webex join links and dial-in info).
  • Categories and custom (extension) properties.
  • Per-event color (category colors); calendar color is preserved at the calendar level.
  • Attendee RSVP responses (accept / decline / tentative).

Pricing

Hetk has two plans. Personal ($15/year or $2/month) supports unlimited calendars and up to 3 sync pairs; Professional ($50/year or $6/month) supports unlimited calendars and up to 8 sync pairs, plus priority support. Both cover bi-directional sync and every privacy control described on this page. New accounts start with a 21-day free trial. Current rates are at /pricing/.

FAQ

No. Under default Microsoft 365 settings, a user can consent to Calendars.ReadWrite themselves — no admin involvement. If your tenant is configured to require admin consent for all third-party apps, the standard Microsoft /adminconsent flow works and the app then appears under Entra Enterprise Applications.

What scopes does Hetk request?

Calendars.ReadWrite (delegated), plus openid, email, profile, and offline_access for sign-in and refresh tokens. Hetk requests no application (app-only) permissions and no access to mail, files, contacts, or Teams.

Does Hetk support GCC, GCC High, or DoD?

No. Hetk runs against the global commercial Microsoft cloud only. GCC, GCC High, DoD, and 21Vianet (China) are not supported, and there is no roadmap commitment to add them.

No. Conference data — Teams, Zoom, and Webex join links and dial-in details — is not synced. A synced event keeps its title, time, location, and attendees, but the meeting link is dropped.

Does Hetk sync shared or delegated calendars?

If a shared calendar appears in the user’s own calendar list (/me/calendars) because they have been granted access to it, the user can select it as a sync source or target. Hetk does not separately discover delegated mailboxes; it works only with the calendars Microsoft Graph returns for the signed-in user. The most common case — mirroring a shared team or project calendar into Google — is covered in How to sync a shared Outlook calendar with Google.

How does Hetk handle resource and room calendars?

Resource and room calendars are not returned by /me/calendars by default, so Hetk does not target them. Hetk syncs the signed-in user’s own calendars, not room or equipment mailboxes.

How long are subscriptions live before they need to renew?

Microsoft Graph caps calendar push subscriptions at three days. Hetk creates two-day subscriptions and renews them automatically one day before they expire, so real-time delivery continues without a gap.

How does Hetk interact with Conditional Access?

Conditional Access is enforced at sign-in. Hetk authenticates through the standard Microsoft Identity Platform endpoints, so device compliance, MFA, and named-location policies all apply when a user connects their account.

How can a user or admin revoke Hetk’s access?

A user can revoke Hetk from https://myapps.microsoft.com. An admin can revoke it for any user from Entra → Enterprise Applications. Once access is revoked, Hetk’s tokens stop working and sync halts.

Where is data stored?

On Azure App Service and Azure SQL in the North Europe region. OAuth tokens are encrypted at rest, and the database uses Transparent Data Encryption. Full detail is on the /security/ page.

For organisation security reviewers

For organisation security reviews, email security@hetk.io. Hetk will sign your DPA on request. Full security documentation: /security/.
