This article will cover the process of preparing Microsoft 365 for integration with Evoko Home.
Because Microsoft ends support for Basic Authentication on October 1st, 2022, Evoko Home will no longer support it either. As of October 1st, 2022, all preparation for O365 must follow the Modern Auth protocol.
Modern Authentication, commonly referred to as "oAuth", relies on the Global Administrator in your organization granting the Evoko Home Service permission to access the EWS application through an oAuth flow in Azure Active Directory. The Evoko Home Service can access EWS using a certificate-based authentication flow.
Follow these steps to prepare O365 for your Evoko Liso:
- Create a Service Account
- Grant Impersonation rights to the Service Account
- Create Room Resources
- oAuth Preparation
Create a Service Account
The Service Account will be used for authentication and for carrying the requests between Evoko Home and Microsoft 365 via EWS. Therefore, we recommend creating a dedicated account for this purpose.
To create the service account, follow the steps below. Please note that you will need Administrator permission to complete them.
- Go to the Exchange Admin Center here: https://admin.microsoft.com/ and log in with your Office 365 Admin Account.
- Navigate to Users -> Active Users
- Press Add a User
- You will now set up the basics for your Service Account. You can use any naming scheme you like, but we recommend using something that easily identifies this account as the one used for the Evoko Liso. Once you have entered the Name, Display Name and Username, you can press Next.
- It is important that the service account has a mailbox, so we must provide it with an Exchange Online License. In this guide we will be assigning the account an E1 License. Press Next. You may be prompted to add additional licenses. Proceed once the license has been added.
- There are no optional settings that need to be applied to this account. Press Next
- This will bring you to the Review and Finish page. Verify your information is correct and press Finish Adding.
- You will see the successful message that the account has been created like the one shown here.
- You should now open an incognito/private window in your browser and make sure you can log into portal.office.com with the newly created Service Account. It's important that you can access the Outlook Inbox. If the account is brand new, the inbox does not open until the first time the account is logged into. If you do not log into the account and open the inbox for the first time, you will run into issues later when connecting Evoko Home to O365.
- Important! Make sure the service account is excluded from any MFA/Conditional Access Policy.
Grant Impersonation rights to the Service Account
Impersonation rights can be granted via the M365 Admin Center. Having the service account granted with Impersonation permission is a requirement to successfully integrate Evoko Liso with your Microsoft 365 environment.
The method below will grant your service account the Microsoft Application Impersonation permission.
- Navigate to https://admin.exchange.microsoft.com/ and log in with your Exchange Admin Account.
- Navigate to Roles on the left-hand side, then to Admin Roles.
- Navigate to Add Role Group
- Here we will add some information to the Role Group. We recommend using a name that can easily identify this role is for Evoko Home. "Description" is up to the user, and the "Write Scope" should be kept at the default. Press Next.
- Scroll to ApplicationImpersonation as shown here and press Next.
- Now we will assign admins to this group. Add the previously made Service Account as a member. Press Next
Create Room Resource Accounts
Room mailboxes can also be called resource mailboxes. These are the calendars used to book rooms, for example from Outlook.
Evoko Home syncs the room mailbox's calendar data so that meetings are shown, via Evoko Home, on the Evoko Liso outside the meeting rooms.
Please make sure the room resource is not hidden from the global address list in Exchange.
- Go to https://portal.office.com/adminportal/home and log in with your Exchange Admin Account
- From the 365 Admin Center, navigate to "Resources" and then click on "Rooms and Equipment."
- Press Add a Resource
- Resource type should be Room. Add a Name and Email for the resource account. Make sure the domain matches the domain of the Service Account you created in the previous step. Press Save when done.
- Once the Resource Mailbox is created, you should see a message like this.
- Click on Edit Booking Options and make sure that Auto Accept Meeting Requests is selected.
- Note! To create several resource accounts, simply repeat the steps above.
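To confirm the result of the impersonation and room-resource steps from Exchange Online PowerShell, the following added example (not part of Evoko's guide) lists every account that effectively holds ApplicationImpersonation and checks each room mailbox against the requirements above. The two UPNs are placeholders, and it assumes the ExchangeOnlineManagement module is installed.

```powershell
# Added verification example, not Evoko's own tooling.
# Placeholders (assumptions): replace both UPNs with your own values.
$AdminUpn   = 'admin@contoso.example'
$ServiceUpn = 'svc-evoko@contoso.example'

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# 1. Every account that effectively holds ApplicationImpersonation.
#    The service account should be listed; any other entry deserves review,
#    because this role allows acting as the mailboxes in its write scope.
$svc = Get-User -Identity $ServiceUpn
$impersonators = Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope
$impersonators | Format-Table -AutoSize

# EffectiveUserName holds the account's name, so compare against both name fields.
$svcHasRole = [bool]($impersonators |
    Where-Object { $_.EffectiveUserName -in @($svc.Name, $svc.DisplayName) })
Write-Host "Service account holds ApplicationImpersonation: $svcHasRole"

# 2. Room mailboxes: visible in the GAL, auto-accepting, same domain as the service account.
$svcDomain = ($ServiceUpn -split '@')[-1]
$roomReport = foreach ($room in Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited) {
    $address = [string]$room.PrimarySmtpAddress
    $cal = Get-CalendarProcessing -Identity $address
    [pscustomobject]@{
        Room          = $address
        HiddenFromGal = $room.HiddenFromAddressListsEnabled
        AutoAccept    = ($cal.AutomateProcessing -eq 'AutoAccept')
        DomainMatches = (($address -split '@')[-1] -eq $svcDomain)
    }
}
$roomReport | Format-Table -AutoSize

# Rooms that break any of the three requirements from the guide.
$roomReport | Where-Object { $_.HiddenFromGal -or -not $_.AutoAccept -or -not $_.DomainMatches }

Disconnect-ExchangeOnline -Confirm:$false
```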
oAuth Preparation
To use oAuth with EWS for Office 365, you have to register a custom application in the Azure Active Directory for the Office 365 tenant. When installing Evoko Home, you will need both the Tenant ID and the Application ID from Azure to complete the configuration with O365.
The first piece of information we need is the Tenant ID.
- Navigate to the Azure Active Directory Admin Center by going here and logging in with your Admin Account: https://aad.portal.azure.com/
- Navigate to Azure Active Directory in the left panel and click Properties under the Manage section.
- Open notepad/text edit on your computer and write down the Tenant ID for your organization. We will need this ID in a later step when we connect Evoko Home to O365.
The second step is to register the Evoko Home App for use with oAuth. Follow these steps to complete it:
- Navigate to App Registrations to open the App registrations page.
- Click the New Registration button.
- Fill in the Name and add a Web Redirect URL for https://localhost. We recommend a naming scheme that identifies it as the Evoko Home Application so it can easily be referenced in the future. Once complete, click Register.
- Once the application is created, you can see the details page. Add this Application (client) ID to your notepad, as we will also need it in the Evoko Home configuration wizard in a later step.
- Navigate to Authentication.
- Scroll down and enable Allow Public Client Flows by selecting Yes.
- Press Save
- Navigate to API Permissions
- Click the Add a permission button.
- Click on APIs my organization uses. Search for "Office" and press "Office 365 Exchange Online".
- In the permission selection page, select "Delegated Permission", which will open the list of permissions for Delegated access. Expand "EWS" and select "EWS.AccessAsUser.All". Click the Add permission button.
- You should now see the application permissions.
- The last step is to Grant Admin Consent for your Organization.
- Press Yes
- You should now see the permissions granted.
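The app registration built above can be checked from Microsoft Graph PowerShell. This added example (not part of Evoko's guide) confirms the public client setting, the redirect URL, the delegated EWS permission and its admin consent, and lists any permission beyond the one the guide asks for. The client ID is a placeholder, and it assumes the Microsoft.Graph module is installed.

```powershell
# Added verification example, not Evoko's own tooling.
# Placeholder (assumption): the Application (client) ID noted during registration.
$AppId = '00000000-0000-0000-0000-000000000000'
$ExchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'  # Office 365 Exchange Online

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

$app = Get-MgApplication -Filter "appId eq '$AppId'"
$sp  = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
$exo = Get-MgServicePrincipal -Filter "appId eq '$ExchangeOnlineAppId'"

# Resolve the scope id from the tenant instead of hard-coding it.
$ewsScope = $exo.Oauth2PermissionScopes | Where-Object Value -eq 'EWS.AccessAsUser.All'

# Flatten every permission the registration requests.
$requested = foreach ($res in $app.RequiredResourceAccess) {
    foreach ($perm in $res.ResourceAccess) {
        [pscustomobject]@{ Resource = $res.ResourceAppId; Id = $perm.Id; Type = $perm.Type }
    }
}

# Anything that is not the single delegated EWS scope goes beyond the guide.
$extra = $requested | Where-Object {
    -not ($_.Resource -eq $ExchangeOnlineAppId -and $_.Id -eq $ewsScope.Id -and $_.Type -eq 'Scope')
}

# Tenant-wide (admin) consent grants recorded for this application.
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'"

[pscustomobject]@{
    PublicClientFlows     = $app.IsFallbackPublicClient
    LocalhostRedirect     = $app.Web.RedirectUris -contains 'https://localhost'
    EwsDelegatedRequested = [bool]($requested |
        Where-Object { $_.Id -eq $ewsScope.Id -and $_.Type -eq 'Scope' })
    AdminConsentGranted   = [bool]($grants | Where-Object {
        $_.ConsentType -eq 'AllPrincipals' -and ($_.Scope -split ' ') -contains 'EWS.AccessAsUser.All' })
    ExtraPermissions      = ($extra | ForEach-Object { "$($_.Resource)/$($_.Id) [$($_.Type)]" }) -join ', '
} | Format-List

Disconnect-MgGraph | Out-Null
```

Entries under ExtraPermissions are not required by the steps above and can be reviewed for removal.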