Technical / Security Overview
The Secure Contacts App (SCA) provides enterprise-grade security for managing business contacts on mobile devices. Its architecture balances strong data protection, GDPR compliance, and seamless integration with Microsoft Intune and Azure Active Directory (AAD).
Security Concept
Encrypted Container: The app functions as a protected and encrypted container, preventing uncontrolled data leakage to third-party apps or services.
Data Ownership: All personal and business contact data remains under the control of the customer organization.
No Telemetry or External Connections: SCA does not collect any telemetry data and only connects to Microsoft Azure Cloud endpoints. No data is sent to the app provider or any other third-party services.
Data Sources
SCA consolidates contact information from trusted organizational sources:
Azure Active Directory (AAD): Central directory for organizational contacts.
Global Address List (GAL): Complete organizational contact list.
Personal Outlook Contacts (APC): User-specific contacts from Exchange Online.
Optional sources (if enabled by the organization):
Microsoft Dynamics 365 (D365)
Microsoft Dataverse (DVRS) – for contacts stored by apps built on Microsoft Dataverse
Azure Blob Storage (ABS) – for contacts exported from any app (including on-premises) via CSV/JSON using the SCA Blob Storage connector
Shared Mailbox Contacts (SMC) – part of Exchange Online
SCA accesses only backend services within the customer’s Azure tenant, including Microsoft Graph API and optionally Dataverse and Blob Storage. There are no external backend servers, remote monitoring, analytics, or data collection by Secure Contacts.
Azure Enterprise App Registration: SCA is registered as an Azure Enterprise Application. Access to organizational data requires admin consent, ensuring that all permissions are granted and controlled by the organization.
Requirements
To deploy and use SCA:
Microsoft 365 Tenant (Worldwide) – required for identity and organizational management.
Azure Active Directory Premium P1 (or higher) – required for Conditional Access, MFA, and identity management.
Exchange Online Plan 1 (or higher) – optional; needed only if accessing personal Outlook contacts (APC) or shared mailbox contacts (SMC).
Mobile Device Management (MDM) System – mandatory; allows management and enforcement of security policies on mobile devices.
Microsoft Intune is preferred for full integration with SCA.
Other MDM systems may be used
These requirements ensure proper security, management, and integration of SCA with Microsoft cloud services and enterprise device policies
Data in Transit
Secure Communication: All API calls and data transactions are encrypted using HTTPS with TLS 1.2 or higher.
After SSL handshake negotiation, SCA and Azure API endpoints use the strongest encryption algorithm available on both sides.
This ensures contact data is protected against interception during synchronization or API calls.
Data at Rest
Contacts are stored locally within the app container in a local encrypted database.
Encryption keys are securely generated and stored in the iOS Keychain or Android Keystore, inaccessible to other apps or users without proper authentication.
Microsoft Intune App Protection Policies (APP) provide an additional layer of container-level security.
Data Deletion: When the app is uninstalled, all locally stored contact data is removed.
Data Processed
SCA processes and stores the following contact information locally:
First and last name
Company name
Position / job title
Email addresses and phone numbers
Profile photo
Contact GUID (internal identifier)
Data source name / ID / priority (e.g., GAL, APC, D365)
Hash ID (for internal matching and lookup)
All data remains within the app container; there is no external storage or monitoring by Secure Contacts. Synchronization occurs only through trusted backend services such as Microsoft Graph API, Dataverse, or Blob Storage.
How Data is Processed by the App
When the app is launched for the first time, or the user performs a pull-to-update gesture, a resync process is started.
SCA queries all configured data sources for which the user has been authorized.
Each received contact is analyzed to:
Remove duplicates
Combine contacts from different sources where possible
Normalize and verify each phone number according to the international standard ITU-T E.164
After processing, contact data is stored in a local encrypted database.
On subsequent app launches, the contact data is loaded directly from the encrypted database.
Authentication
PIN: User-defined personal identifier
Biometric Authentication: Touch ID or Face ID
Azure AD Conditional Access: Enforces security based on device compliance and app protection status
These mechanisms ensure that only authorized users can access sensitive contact data.
Microsoft Intune Integration
SCA integrates with Microsoft Intune, allowing enforcement of App Protection Policies (APP) and Conditional Access Policies (CAP). Centralized management ensures compliance with organizational security requirements.
Data Flow Control
Open-In Control: Prevents opening contact data in unauthorized apps
Copy/Paste Control: Limits copying and pasting from the app
Third-Party Keyboard Restrictions: Disables third-party keyboards to prevent data interception
iCloud and Backup Restrictions: Ensures data remains within the secure app container
No Unintentional Synchronization: Prevents data from syncing with third-party apps such as WhatsApp or Google services
Incoming Call Identification
Instant Caller Recognition: Displays the caller’s full name and company on the device’s native incoming call screen without syncing with the device’s local contacts, ensuring privacy. Works even when the app is not running or offline.
Full Contact Details (Inside App): Position, profile photo, contact source, and presence or Out-of-Office status are visible in the contact’s detail card within the app.
Presence & Out-of-Office: Displays Microsoft Teams presence and Outlook/Microsoft Teams Out-of-Office messages in the contact card. These are retrieved securely via Microsoft Graph API.
Cross-Platform Support: Works on both iOS and Android with enterprise-grade security and privacy protections.
All data used for caller identification remains within approved services or the secure app container, with no external sharing outside the organization.
Compliance and Data Protection
GDPR Compliance: SCA is designed in accordance with GDPR, ensuring all personal data remains under the control of the customer organization.
End-to-End Security: Combines encrypted storage, secure transit, containerization, and controlled authentication to protect sensitive information.
Deployment Scenarios
Private Use / BYOD (Bring Your Own Device): SCA can be installed on personal devices while maintaining enterprise-grade security and data protection. Intune App Protection Policies enforce containerization and prevent data leakage, even on personal devices.
Corporate-Owned / Private-Enabled Devices (COPE): On corporate-owned devices that allow private use, SCA can be deployed with full Intune management and Conditional Access policies, ensuring data is secure while enabling personal use.
Logging & Monitoring
Local Logfile: SCA maintains a daily rotating logfile for app events and diagnostics.
Customer-Controlled Export: Customers may manually export logfiles for support purposes, with the ability to review and remove sensitive information before sharing.
No Automatic Transfer: There is no online or automated mechanism that transfers logs to the app provider. Logfiles remain entirely under the customer’s control unless explicitly exported.
Logs do not contain contact content, ensuring troubleshooting while maintaining data privacy.
Last updated
Was this helpful?