Enterprise & IT Information
Everything you need to know before granting Microsoft Entra ID (Azure AD) admin consent for Gal Sync.
Zero-Trust Architecture
Gal Sync is engineered to respect strict enterprise compliance boundaries. Unlike competing syncing services, we operate no proprietary backend servers.
Direct Device-to-Graph
Data travels exclusively over encrypted HTTPS directly from the Microsoft Graph API to the user's iOS device. We do not proxy, inspect, or store your tenant's data.
Read-Only Scope
The application requests only User.Read and Directory.Read.All. With these read-only scopes, it cannot modify Azure AD profiles or tamper with company data.
Required Graph API Permissions
- Sign in and read user profile: User.Read (Delegated)
Allows users to authenticate via MSAL and map their own credentials.
- Read directory data: Directory.Read.All (Delegated)
Allows the app to fetch the Global Address List (GAL) to sync into the local device.
Depending on your Entra ID tenant configuration, standard users may be blocked from granting Directory.Read.All themselves. In these cases, Global Admin Consent is required once for the deployment.
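One way to confirm, after consent, that the tenant holds only the two delegated scopes listed above (an added example, not Gal Sync's own code). It assumes the input is the JSON returned by listing Microsoft Graph oauth2PermissionGrants; the sample response and every ID in it are constructed placeholders.

```python
import json

# Delegated scopes the page says Gal Sync requests (both read-only).
EXPECTED_SCOPES = {"User.Read", "Directory.Read.All"}

# Constructed sample shaped like a Microsoft Graph oauth2PermissionGrants
# list response. Every ID is a placeholder, not a real tenant value.
SAMPLE_GRANTS = json.loads("""
{"value": [
  {"id": "grant-1", "clientId": "GALSYNC-SP-PLACEHOLDER",
   "consentType": "AllPrincipals", "principalId": null,
   "resourceId": "GRAPH-SP-PLACEHOLDER",
   "scope": " User.Read Directory.Read.All"},
  {"id": "grant-2", "clientId": "GALSYNC-SP-PLACEHOLDER",
   "consentType": "Principal", "principalId": "USER-PLACEHOLDER",
   "resourceId": "GRAPH-SP-PLACEHOLDER",
   "scope": "User.Read Contacts.ReadWrite"},
  {"id": "grant-3", "clientId": "OTHER-APP-PLACEHOLDER",
   "consentType": "AllPrincipals", "principalId": null,
   "resourceId": "GRAPH-SP-PLACEHOLDER", "scope": "Mail.Send"}
]}
""")


def audit_grants(response, client_id, expected=EXPECTED_SCOPES):
    """Summarise delegated grants held by one service principal.

    Returns (unexpected, admin_consented, missing): per-grant scopes outside
    the expected set, scopes consented tenant-wide, and expected scopes that
    have no tenant-wide (admin) consent yet.
    """
    unexpected, admin_consented = {}, set()
    for grant in response.get("value", []):
        if grant.get("clientId") != client_id:
            continue  # grant belongs to a different application
        # "scope" is one space-separated string; split() drops stray spaces.
        scopes = set((grant.get("scope") or "").split())
        extra = scopes - expected
        if extra:
            unexpected[grant["id"]] = sorted(extra)
        if grant.get("consentType") == "AllPrincipals":
            admin_consented |= scopes
    return unexpected, sorted(admin_consented), sorted(expected - admin_consented)


if __name__ == "__main__":
    print(audit_grants(SAMPLE_GRANTS, "GALSYNC-SP-PLACEHOLDER"))
```

Any entry in the first return value means the tenant has granted the app more than the two scopes described here and should be reviewed.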
Device Isolation Strategy
When syncing contacts into iOS, Gal Sync employs strict data isolation rules to protect the user's personal context alongside corporate data:
- Creates a dedicated, isolated Contact database group.
- Cannot read, alter, or export personal iCloud contacts.
- Wipes the corporate group fully and easily upon sign-out.
Have further questions?
Reach out to our engineering team directly at:
[email protected]