Skip to main content

oAuth for Display, or how to set up Exchange integration for Office 365 / Exchange online, also known as oAuth or modern authentification

Pronestor Display needs information from Exchange. This guide shows you how you can integrate Pronestor Display with Exchange using Exchange Web Services (EWS) if you’re using Office 365 or Exchange Online and wants to authenticate using OAuth. You will need administrator rights in Pronestor Display and Azure Active Directory.

  • Go to Azure Active Directory
  • App Registrations
  • New Application

 mceclip0.png

  • Note the Application (client) ID and Directory (tenant) ID, you will need them later in this guide.

 mceclip1.png

 

  • Click API Permissions
  • Click “Add a permission”
  • Choose "APIs my organization uses"
  • Type "office 365 exchange" - and choose that in the list
  • Click “Application Permissions”
  • Select “full_access_as_app” (please see comment below on how to scope/limit this permission)
  • Click “Add permission”
  • Click “Grant Admin consent for Pronestor”

 

  • Open Pronestor Display
  • Go to “settings”
  • Choose “Microsoft Exchange”
  • Enable “Exchange Online” and “Use oAuth”
  • Enter the “Application (client) ID” into “Application ID” field
  • Enter the “Directory (tenant) ID” into “Directory ID” field
  • Click “Save and test connection”
  • Click “Create new certificate”

 

  • Go back to Azure – find the application created
  • Choose “Certificates and secrets”
  • Choose “Upload certificate” and upload the generated certificate

 

 

Comments

1 comment

Date Votes
  • R&D
    • Edited

    Scoping/limited the permission

    Microsoft has released a new access policy, to restrict or deny access to a specific set of mailboxes by an application that uses APIs (Outlook REST, Microsoft Graph, or Exchange Web Services (EWS))

    With this new policy – you can limit the permission type on the scope of users/resources you dictate.

     

    For details on how to set “New-applicationaccesspolicy” please see https://docs.microsoft.com/en-us/powershell/module/exchange/new-applicationaccesspolicy?view=exchange-ps

     

    Example of use:

    The security group should ONLY contain the rooms used in Pronestor Display.

     

    Steps:

    • In admin.microsoft.com - Create a “mail enabled security group” ex. plannersecuritygroup@yourname.com (IMPORTANT not allowed :distribution groups, shared mailboxes, discovery mailboxes, dynamic distribution list)
    • Add the rooms to this new group
    • Using powershell run ex:

    New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId "xx-yy-zz" -PolicyScopeGroupId plannersecuritygroup@yourname.com -Description "Restrict this app to specific rooms only"

     

     

    OBS!

    • When setting permissions in o365 – please be aware that it can take o365 some time to push these changes in to play.
    • Use the “Test-ApplicationAccessPolicy” to validate the access/permissions – to ensure that it covers the intended permission set.
    0

Please sign in to leave a comment.

Powered by Zendesk