Microsoft 365 Configuration for flexEZ

Microsoft 365 Configuration for flexEZ

Prerequisites

1. Administrator account to Azure: https://portal.azure.com/
2. Administrator account to Office 365: https://outlook.office365.com/ecp/
3. Administrator account to flexEZ
4. Access to Powershell console as an administrator
5. Public DNS to allow incoming traffic from Microsoft Office 365 servers* (*only required for on-premise installation)

Public DNS

flexEZ receives notifications coming from Microsoft 365 servers over port HTTP/S.
If you are running on-premise behind firewalls, a public DNS for incoming requests is essential so that Microsoft Graph can publish notification to flexEZ (see:  https://docs.microsoft.com/en-us/graph/webhooks#firewall-configuration ).
Microsoft Public Cloud IP addresses can be found here:  https://docs.microsoft.com/en-us/microsoft-365/enterprise/additional-office365-ip-addresses-and-urls?view=o365-worldwide  under no.23  Microsoft Graph Change Notifications .
Alternatively, a tunneling solution may be an appropriate option depending on your company's network policies.

Architecture & Concept

flexEZ leverages the OAuth protocol to get access to users’ calendars in order to create, modify, and  delete meeting events in their accounts.

OAuth is an open standard protocol that provides a way for a third party applications to access  data without storing users’ password locally, instead only an encrypted bearer token is provided with a limited lifetime. This means flexEZ is not storing any users' password relative to their Office 365 account.
OAuth process implemented on Microsoft Identify Platform
OAuth Access Token has a lifetime of 1 hour, that can be refreshed using its  corresponding Refresh Token. flexEZ will manage the refresh process automatically.
This is required in order to synchronize calendars between flexEZ and the users thin-or-heavy  client (e.g., OWA/Outlook) without the need of installing a plugin or add-on on the client side. 

Azure Configuration

Application Configuration

The first step in the Microsoft 365 configuration for flexEZ is to register flexEZ in the Azure Console so  that it can be recognized as a trusted 3rd party. This is a required step so that flexEZ can prompt authorization request to Microsoft 365 to the users.

If you are already running a previous version of flexEZ using EWS,  we recommend you do not update the existing application but create a new one instead.

Using an administrator account:
  1. Login to the Azure Console at https://portal.azure.com/
  2. On the main dashboard page, navigate to Azure Active Directory then App registrations



  3. Click New registration button, enter an Application name, and a Redirect URI (provided by oomnis for SaaS version, or you own server URL for on-premise installation)



    Under Authentication , add the flexEZ Redirect URIs  according to your plateform domain (in doubt, please refer to your oomnis flexEZ representative)



    then select ID tokens  as shown below:



  4. Navigate to Certificates & secrets and click New client secret to generate a new secret


    Warning: Keep a note of the secret Value as it will be needed for the next steps.
    When creating the secret, you should create a secret with a long life span (2 years for example).
    With an expired secret, the connector will stop connecting and you will need to create a new secret and update the configuration.

  5. Navigate to API permissions, click Add a permission, and select Microsoft Graph:



  6. Click on Delegated permissions screen, then select the following permissions:
    1. under Chat: select Chat.ReadWrite (required if you are using the Microsoft Teams integration plugin)
    2. under ChatMessage: select ChatMessage.Send (required if you are using the Microsoft Teams integration plugin)
    3. under OnlineMeetings: select OnlineMeetings.ReadWrite (required if you are using the Microsoft Teams integration plugin)
  7. Click on Application permissions screen, then select the following permissions:
    1. under Calendars: select Calendars.ReadWrite
    2. under Chat: select Chat.Create (required if you are using the Microsoft Teams integration plugin)
    3. under Chat: select Chat.ReadWrite.All (required if you are using the Microsoft Teams integration plugin)
  8. Once the permissions have been selected, click Grand admin consent for […], then validate Yes


  9. Last step is optional. Navigate to Branding to customize the application by adding the application logo and information URL.
After creating the application, remember to note the Directory (tenant) ID and Application (client) ID as this will be needed later during flexEZ configuration.
You will be able to find them in the App Registration Overview.


Remember to note the client secret value before closing the window as it will no longer be visible afterwards. It is required for the flexEZ configuration. If
you haven’t noted the client secret , you can generate a new one and update the flexEZ configuration.

Service Account Configuration

The second step is to create a service account in the Azure Console that will be used by flexEZ to  access resources mailbox.

Using an administrator account:
  1. Login to the Azure Console at https://portal.azure.com/
  2. On the main dashboard page, navigate to Azure Active Directory then Users



  3. Click New User to create a new user and enter the user information. Leave the Directory role to User.

Microsoft 365 Configuration

Resources Configuration

The first step in Microsoft365 configuration, if not done yet, is to create resources mailbox for the rooms to be managed by flexEZ.

If you already have your resources configured, you can skip this step.
Using an administrator account:
  1. Login to the Exchange Online Console at https://outlook.office365.com/ecp/
  2. From the dashboard, navigate to Recipients, then Resources



  3. Click +, Room mailbox, and enter the room information



  4. Repeat the operation for each room.

Permissions Configuration

Open a Powershell command window as an administrator and enter the following commands in sequence:
Import-Module ExchangeOnlineManagement
▪ Select Yes when prompted.
Connect-ExchangeOnline
▪ Enter the credentials of an administrator account on Office 365 when prompted.

After successful connection, enter the following command to configure your Office 365 resources:
Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'roomMailbox')} | Set-CalendarProcessing -AddOrganizerToSubject $false -DeleteSubject $false -DeleteComments $false -RemovePrivateProperty $false -RemoveOldMeetingMessages $true
After the Powershell command has been executed, you can close the powershell session.

Limit application permissions to specific mailboxes

Microsoft allows access restrictions for the application permission only to some specific mailboxes.
You can implement those limitations following the Microsoft guide:  https://docs.microsoft.com/en-US/graph/auth-limit-mailbox-access

flexEZ Configuration

Using the Tenant ID , the Application ID and the Application Secret Key previously obtained, you can now configure the connection in flexEZ.
Please confirm the Redirection URL and Lifecyle URL with your flexEZ representative.


You can edit your resources to add their email addresses corresponding to their MS365 mailboxes.


    • Related Articles

    • Office 365 Configuration for FlexO Integration (Graph)

      Prerequisites 1. Administrator account to Azure: https://portal.azure.com/ 2. Administrator account to Office 365: https://outlook.office365.com/ecp/ 3. Administrator account to FlexO 4. Access to Powershell console as an administrator 5. Public DNS ...

    • Microsoft Teams Configuration for FlexO (for Online Meeting)

      Prerequisites 1. Administrator account to Azure: https://portal.azure.com/ 2. Administrator account to FlexO Architecture & Concept FlexO leverages the OAuth protocol to get access to users’ account in order to create, modify, and delete teams ...

    • Office 365 Configuration for FlexO Integration (EWS)

      Prerequisites 1. Administrator account to Azure: https://portal.azure.com/ 2. Administrator account to Office 365: https://outlook.office365.com/ecp/ 3. Administrator account to FlexO 4. Access to Powershell console as an administrator 5. Internet ...

    • Teams plugin Configuration for flexEZ

      Prerequisites 1. Administrator account to Microsoft Office365: https://admin.microsoft.com Microsoft 365 Configuration (as an administrator) Teams Configuration Connect to the Microsoft O365 administration console via https://admin.microsoft.com On ...

    • Exchange Configuration for FlexO Integration

      Prerequisites 1.  Administrator account to Exchange Control Panel (ECP):  https://[Exchange-Server-url]/ecp/ 2.  Access to Exchange management shell console as an  Exchange administrator 3.  Administrator account to FlexO Exchange Configuration ...