Email Based Discovery FAQ

What is email-based discovery?

Email-based discovery lets you detect the systems and accounts used by your company's employees, and shows which systems are in use and which are not.

It scans email metadata and subject lines to discover up to 95% of your managed and unmanaged data sources, faster than scans from competing privacy vendors. It infers each employee's system access, usage frequency and department from the number and context of the emails they receive, helping you surface shadow IT and assess the compliance relevance and risk profile of each data source from the outset.

Mine's other data source discovery scans use conventional methods for finding the systems a company uses, and can be deployed alongside the email scan to cover a wider range of systems. We always begin with email, which on its own is usually broadly effective.

Whichever discovery scans you use, Mine's auto-discovery is continuous and near real-time: new data sources are recognised and monitored as soon as employees add them, and they appear in your data inventory.

How does it work?

By detecting signups, invites and other meaningful interactions that employees receive from companies, MineOS identifies the accounts and systems those employees interact with.

What about security and privacy?

Email-based discovery was built with privacy and security in mind:

  • MineOS only processes email metadata (from, to, date, subject). It never processes message bodies or attachments.
  • MineOS only processes emails that employees receive from companies. It does not process emails employees send, or personal communication inside the company or with external parties.
  • Email metadata is processed in memory and is not stored; only the derived results (the systems and employees shown on the Radar screen) are kept.
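The detection described under "How does it work?", applied under the processing rules just listed (metadata fields only; received mail only; no internal or personal mail), as an added illustrative example. This is not MineOS code: the company domain, the personal-webmail list, the subject patterns, the automated-sender names and the sample messages are all assumed or constructed for the example.

```python
"""Illustrative email-metadata discovery: an added example, not MineOS code."""
from __future__ import annotations

import re
from collections import defaultdict
from email.utils import parseaddr, parsedate_to_datetime

# Assumed for the example: the tenant's primary domain, and consumer webmail
# domains treated as personal correspondents rather than company systems.
COMPANY_DOMAIN = "example.com"
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}

# Assumed heuristics: subject lines that mark a signup or an invitation, and
# sender local-parts typical of automated system mail.
SIGNUP_RE = re.compile(r"\b(welcome to|verify your|confirm your|activate your)\b", re.I)
INVITE_RE = re.compile(r"\b(invited you|invitation to join|added you to)\b", re.I)
AUTOMATED_SENDERS = {"noreply", "no-reply", "notifications", "team", "hello", "billing"}


def address_of(header: str) -> str:
    """'Notion Team <team@mail.notion.so>' -> 'team@mail.notion.so'."""
    return parseaddr(header)[1].lower()


def domain_of(header: str) -> str:
    return address_of(header).rpartition("@")[2]


def system_of(header: str) -> str:
    """Group sender subdomains under one system: mail.notion.so -> notion.so.
    Two-label approximation (assumption); production code would use the public suffix list."""
    return ".".join(domain_of(header).split(".")[-2:])


def is_employee(header: str) -> bool:
    domain = domain_of(header)
    return domain == COMPANY_DOMAIN or domain.endswith("." + COMPANY_DOMAIN)


def classify(msg: dict) -> str | None:
    """Return 'invite', 'signup' or 'notification', or None when the message is out of scope.

    Out of scope, matching the processing rules above: mail an employee sent,
    internal mail between employees, and mail from personal (non-company) senders.
    Only the four metadata fields are consulted; no body is ever read."""
    if not is_employee(msg["to"]) or is_employee(msg["from"]):
        return None
    if system_of(msg["from"]) in PERSONAL_DOMAINS:
        return None
    if INVITE_RE.search(msg["subject"]):
        return "invite"
    if SIGNUP_RE.search(msg["subject"]):
        return "signup"
    if address_of(msg["from"]).partition("@")[0] in AUTOMATED_SENDERS:
        return "notification"
    return None


def build_inventory(messages: list[dict]) -> dict[str, dict]:
    """Aggregate in-scope metadata into system -> per-employee message counts,
    the signal types seen, and first/last seen dates (the usage-frequency input)."""
    inventory: dict[str, dict] = {}
    for msg in messages:
        kind = classify(msg)
        if kind is None:
            continue
        seen = parsedate_to_datetime(msg["date"])
        entry = inventory.setdefault(system_of(msg["from"]), {
            "employees": defaultdict(int), "signals": set(),
            "first_seen": seen, "last_seen": seen,
        })
        entry["employees"][address_of(msg["to"])] += 1
        entry["signals"].add(kind)
        entry["first_seen"] = min(entry["first_seen"], seen)
        entry["last_seen"] = max(entry["last_seen"], seen)
    return inventory


def usage_report(inventory: dict[str, dict]) -> list[dict]:
    """Rank systems by message volume, the simplest usage-frequency signal."""
    rows = [{"system": s, "employees": len(e["employees"]),
             "messages": sum(e["employees"].values()), "signals": sorted(e["signals"])}
            for s, e in inventory.items()]
    return sorted(rows, key=lambda r: (-r["messages"], r["system"]))


# Constructed sample metadata: only the from/to/date/subject fields the article lists.
SAMPLE_METADATA = [
    {"from": "Notion Team <team@mail.notion.so>", "to": "alice@example.com",
     "date": "Mon, 04 Mar 2024 09:12:00 +0000", "subject": "Welcome to Notion"},
    {"from": "no-reply@figma.com", "to": "bob@example.com",
     "date": "Tue, 05 Mar 2024 14:30:00 +0000", "subject": "Alice invited you to join Example's team"},
    {"from": "notifications@github.com", "to": "alice@example.com",
     "date": "Wed, 06 Mar 2024 08:00:00 +0000", "subject": "[example/api] New issue opened"},
    {"from": "notifications@github.com", "to": "alice@example.com",
     "date": "Thu, 07 Mar 2024 16:45:00 +0000", "subject": "[example/api] Pull request merged"},
    {"from": "alice@example.com", "to": "bob@example.com",            # internal mail: skipped
     "date": "Thu, 07 Mar 2024 17:00:00 +0000", "subject": "Welcome to the team!"},
    {"from": "alice@example.com", "to": "support@figma.com",          # employee-sent: skipped
     "date": "Fri, 08 Mar 2024 10:00:00 +0000", "subject": "Billing question"},
    {"from": "Grandma <grandma@gmail.com>", "to": "bob@example.com",  # personal sender: skipped
     "date": "Fri, 08 Mar 2024 11:00:00 +0000", "subject": "Welcome to spring photos"},
]

if __name__ == "__main__":
    for row in usage_report(build_inventory(SAMPLE_METADATA)):
        print(row)
```

The scoping checks run before any pattern matching, so an internal "Welcome to the team!" or a personal sender never reaches the detection heuristics at all; that ordering is what keeps the processing limited to received vendor mail rather than relying on the patterns alone.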

MineOS connects to your email provider through its API, authenticated with OAuth 2.0:

  • All data is accessed over an encrypted TLS channel.
  • MineOS is authorized with the minimal set of permissions required to operate. These permissions are documented at the end of this article. For Microsoft 365 they are application permissions (no signed-in user), so the grant is an admin consent to the MineOS app in your tenant.
  • You always have control: you can revoke the access at any time from your own admin console, and you can control which employees it is applied to. In Microsoft 365, the tenant-wide Mail.Read application permission can additionally be limited to a specific set of mailboxes with an Exchange Online application access policy.
  • You can enable API audit logging and monitor the activity performed by MineOS; the OAuth grant itself, and any later revocation, are recorded in your tenant's audit logs.

Read more about security and privacy at Mine.

How to set up email-based discovery?

All discovery tools are set up from the Radar screen. Email-based discovery involves a single step: an administrator of your email tenant authorizes MineOS with the required permissions (the Microsoft 365 permissions below are application permissions and need admin consent; the Google Workspace Directory scope likewise has to be granted by a Workspace administrator). Once set up, MineOS continuously discovers systems and employees and adds them to the Radar screen.

The following pages describe the setup process for specific providers:

Which permissions does Mine require for email-based discovery?

The tables below list the permissions required for each supported provider.

Microsoft 365

All four are Microsoft Graph application permissions: they apply to the whole tenant without a signed-in user and require admin consent.

User.Read.All
  Scope: Allows the app to read user profiles without a signed-in user.
  Usage: Sync the employees list and show who has access to which system.

Organization.Read.All
  Scope: Allows the app to read the organization and related resources without a signed-in user. Related resources include things like subscribed SKUs and tenant branding information.
  Usage: Sync the employees list and show who has access to which system.

Mail.Read
  Scope: Allows the app to read mail in all mailboxes without a signed-in user.
  Usage: Analyze email metadata (from, to, subject, date) to detect systems employees are using. This is the broadest permission in the set; if you need to keep some mailboxes out of scope, restrict it with an Exchange Online application access policy.

Directory.Read.All
  Scope: Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user.
  Usage: Sync the employees list and show who has access to which system.

Microsoft Graph API permissions reference: https://learn.microsoft.com/en-us/graph/permissions-reference

 

Google Workspace

admin.directory.user.readonly (https://www.googleapis.com/auth/admin.directory.user.readonly)
  Scope: Retrieve users or user aliases only; read-only.
  Usage: Sync the employees list and show who has access to which system.

gmail.readonly (https://www.googleapis.com/auth/gmail.readonly)
  Scope: Read all Gmail resources and their metadata; no write operations.
  Usage: Analyze email metadata (from, to, subject, date) to detect systems employees are using.

Note: Gmail also offers a gmail.metadata scope (https://www.googleapis.com/auth/gmail.metadata) that is limited to message metadata. Although Mine only reads metadata, it uses gmail.readonly because the Gmail API does not accept the q (search) parameter on messages.list under the metadata scope. Server-side filtering with q lets MineOS fetch metadata for only the relevant messages, rather than retrieving metadata for every message in each mailbox. The scope does not force body access: the Gmail API can return headers only (format=metadata on messages.get), which is all that metadata analysis needs. Because gmail.readonly is a broad scope, Workspace administrators can review and restrict third-party app access to it under the admin console's API controls.

Google APIs permissions reference: