Role Propagation Delay - Depending on the configuration of an Exchange server's "Information Cache", adding the Service Account (Impersonation) role to an account can take up to two hours to update.
Create Azure App
App Creation
- Browse to https://portal.azure.com and log in.
- In the menu, click Azure Active Directory.
- Click App Registrations.
- Click New Registration.
- Give your application a name.
- Set the audience for this app to Accounts in any organizational directory (multi-tenant).
- Set the Redirect URI to Web. The format for the URL should be https://<agency-name-in-sense>.sensehq.com/settings/calendar-sync/auth-result. Replace <agency-name-in-sense> with your agency name. If there is a mismatch or the URL is not properly configured, you will get an error showing the actual URL when you attempt to connect for the first time in Step 2.
- To check the redirect URI, click Authentication from the menu.
Enable the Required Permissions
1. Go to Home > Azure Active Directory > App Registrations.
2. Click on the app you want to configure.
3. There are two ways to configure the required permissions: by editing the manifest file (steps 4-7) or by using API permissions (steps 8-10). Continue with Step 11 once the required permissions are configured.
4. On the left, click Manifest.
5. In the code, look for requiredResourceAccess.
6. Update requiredResourceAccess to include the manifest code shown below. If there are existing permissions, this will overwrite them.
"requiredResourceAccess": [
  {
    "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
    "resourceAccess": [
      {
        "id": "266d2589-20b5-4f91-9a03-89247d1be8da",
        "type": "Scope"
      },
      {
        "id": "3b5f3d61-589b-4a3c-a359-5dd4b5ee5bd5",
        "type": "Scope"
      }
    ]
  },
  {
    "resourceAppId": "00000003-0000-0000-c000-000000000000",
    "resourceAccess": [
      {
        "id": "14dad69e-099b-42c9-810b-d002981feec1",
        "type": "Scope"
      },
      {
        "id": "7427e0e9-2fba-42fe-b0c0-848c9e6a8182",
        "type": "Scope"
      },
      {
        "id": "12466101-c9b8-439a-8589-dd09ee67e8e9",
        "type": "Scope"
      },
      {
        "id": "2b9c4092-424d-4249-948d-b43879977640",
        "type": "Scope"
      },
      {
        "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
        "type": "Scope"
      },
      {
        "id": "37f7f235-527c-4136-accd-4a02d197296e",
        "type": "Scope"
      }
    ]
  },
  {
    "resourceAppId": "00000002-0000-0000-c000-000000000000",
    "resourceAccess": [
      {
        "id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
        "type": "Scope"
      }
    ]
  }
]
7. Click Save.
8. On the left, click API Permissions.
9. Click Add a permission and select the permission to add.
10. The following permissions are required:
- Azure Active Directory Graph
  - User.Read - Sign in and read user profile
- Microsoft Graph
  - User.Read - Sign in and read user profile
  - profile - View users' basic profile
  - openid - Sign users in
  - offline_access - Maintain access to data you've given it access to
  - Calendars.Read.Shared - Read user calendars
  - Calendars.ReadWrite.Shared - Read and write to user calendars
- Office 365 Exchange Online
  - EAS.AccessAsUser.All - Access mailboxes via Exchange ActiveSync
  - EWS.AccessAsUser.All - Access mailboxes as the signed-in user via Exchange Web Services
11. All the necessary permissions have now been added. To check the API permissions, click API Permissions from the menu.
12. Provide tenant-wide admin consent to the application by selecting Grant admin consent.
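To confirm that a saved manifest still requests exactly the permissions from step 6, for instance after someone later edits API permissions, the check below compares its requiredResourceAccess with that list. This is an added example, not code from Sense or Microsoft; the function names and the placeholder ID in the constructed sample are assumptions, and the expected IDs are copied from the manifest in step 6.

```python
import json

# resourceAppId -> permission ids, copied from the manifest in step 6.
EXPECTED = {
    "00000002-0000-0ff1-ce00-000000000000": [
        "266d2589-20b5-4f91-9a03-89247d1be8da",
        "3b5f3d61-589b-4a3c-a359-5dd4b5ee5bd5"],
    "00000003-0000-0000-c000-000000000000": [
        "14dad69e-099b-42c9-810b-d002981feec1",
        "7427e0e9-2fba-42fe-b0c0-848c9e6a8182",
        "12466101-c9b8-439a-8589-dd09ee67e8e9",
        "2b9c4092-424d-4249-948d-b43879977640",
        "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
        "37f7f235-527c-4136-accd-4a02d197296e"],
    "00000002-0000-0000-c000-000000000000": [
        "311a71cc-e848-46a1-bdf8-97ff7156d8e6"],
}

def audit_manifest(manifest_text):
    """Diff a manifest's requiredResourceAccess against EXPECTED."""
    found, non_delegated = set(), set()
    for res in json.loads(manifest_text).get("requiredResourceAccess", []):
        app = res["resourceAppId"].lower()
        for access in res.get("resourceAccess", []):
            pair = (app, access["id"].lower())
            found.add(pair)
            if access.get("type") != "Scope":  # "Role" = application permission
                non_delegated.add(pair)
    expected = {(a, i) for a, ids in EXPECTED.items() for i in ids}
    return {"missing": sorted(expected - found),
            "unexpected": sorted(found - expected),
            "non_delegated": sorted(non_delegated)}

def constructed_sample():
    """Constructed input: one documented scope dropped, one placeholder Role added."""
    rra = [{"resourceAppId": a,
            "resourceAccess": [{"id": i, "type": "Scope"} for i in ids]}
           for a, ids in EXPECTED.items()]
    rra[2]["resourceAccess"] = []  # drop the Azure Active Directory Graph scope
    rra[1]["resourceAccess"].append(  # placeholder id, not a real permission
        {"id": "11111111-2222-3333-4444-555555555555", "type": "Role"})
    return json.dumps({"requiredResourceAccess": rra})

if __name__ == "__main__":
    print(json.dumps(audit_manifest(constructed_sample()), indent=2))
```

Pass the function the full JSON text copied from the Manifest page; an empty result in all three lists means the app requests only the delegated permissions listed above.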
Create the OAuth Credentials
1. From within the Azure portal, go to Home > Azure Active Directory > App Registrations.
2. Click on the app you want to configure.
3. On the left, click Certificates & secrets.
4. Click New client secret.
5. Enter a description and set an expiration date of 24 months.
6. Click Add.
7. Copy the value from the Client secrets page and save it somewhere safe. Once you leave this page, you won't be able to retrieve the value. This value will be used in Step 2 of the service account setup.
Set Tenant Configuration
If your app is configured as a single-tenant application, you can change it to a multi-tenant application by following these steps:
- From within the Azure portal, go to Home > Azure Active Directory > App Registrations.
- Click on the app you want to configure.
- On the left, click Authentication.
- Select ‘Accounts in any organizational directory (Any Azure AD directory - Multitenant)’ under Supported account types.
- Click Save.
Provide Account Permission
1. Sign in to your Office365 administrator account.
2. Navigate to the Admin Center.
3. Expand the Users section.
4. Select Active users.
5. Click Add a user.
6. Fill in the details for this user.
7. Select Let me create the password and uncheck Require this user to change their password when they first sign in.
8. (Optional) Assign a license to the new user. The user doesn't need a license as long as the account the user is linking through has a license.
9. You can leave the settings as they are on the Optional settings screen.
Give Account Permissions
1. If ‘All admin centers’ is not visible in the sidebar, click Show all.
2. Click Exchange.
3. The Exchange admin center will open in a new window.
4. To open the old UI (classic version), select Classic Exchange admin center from the main menu.
5. Click permissions.
6. Click on the + icon to add a new role group and a pop-up window will appear.
7. Click the + icon next to Roles to add a new role to the role group.
8. In the new window that pops up, select ApplicationImpersonation and then add ->.
9. Your new role group should match the following:
10. Click "+" and add a Member.
11. Search for the account you want to permit.
12. Click add ->
13. Click Save.
14. You're done!