Howto13r2:Setting up Calendar with OAuth2: Difference between revisions
No edit summary |
No edit summary |
||
| Line 19: | Line 19: | ||
You will be redirected to the Azure Active Directory Overview: | You will be redirected to the Azure Active Directory Overview: | ||
[[Image: | [[Image:AD_Overview.png]] | ||
| Line 27: | Line 28: | ||
[[Image:AD_CreateAppRegistration.png]] | [[Image:AD_CreateAppRegistration.png]] | ||
Click on “Register”. You will be redirected to the overview page of your newly registered app. Copy the “Application (client) ID” (just click on the icon at the end of the ID) from this page and insert it to the Client ID field in the Calendar configuration. | Click on “Register”. You will be redirected to the overview page of your newly registered app. Copy the “Application (client) ID” (just click on the icon at the end of the ID) from this page and insert it to the Client ID field in the Calendar configuration. | ||
[[Image:AD_RegisteredAppOverview.png|1280px]] | |||
== Configure the client secret == | |||
The client secret is a security key you need to add, since it is mandatory for the OAuth2 authentication process used by the Calendar. To create one, click on “Certificates & Secrets” in the list on the left. Then click on “New client secret” under the “Client secrets” section: | |||
[[Image:AD_CreateClientSecret2.png]] | |||
The client secret will be randomly created by Azure, the only thing you may set is a description (which is optionally) and an expiration date. After clicking on “Add”, you should see the new client secret listed: | |||
[[Image:AD_CreateClientSecretDone.png]] | |||
Now copy the “Value” (again, simply click on the icon beside the Value) and insert that at the Calendar configuration in the field “Client secret”. Note that after a couple of minutes, the Value of the client secret will be grayed out by Azure and you can’t copy it anymore. If that happens, just delete the old, create a new one and copy the value. | |||
== Configure the permissions == | |||
There are two API permission to be set. The first one will be added by editing the manifest file (as described at the Microsoft documentation (https://docs.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth). | |||
Click on “Manifest” in the sidebar. Scroll down the Manifest-File until you see the “requiredResourceAccess” property and add the following block to it: | |||
{ | |||
"resourceAppId": "00000002-0000-0ff1-ce00-000000000000", | |||
"resourceAccess": [ | |||
{ | |||
"id": "dc890d15-9560-4a4c-9b7f-a736ec74ec40", | |||
"type": "Role" | |||
} | |||
] | |||
}, | |||
Click on “Save”. The manifest now should look like this: | |||
[[Image:AD_Manifest2.png]] | |||
(Note: If you want, you can replace the existing part with the one above. In that case, the above part must be added without the comma after the closing ‘}’ bracket. This will remove the Users.Read right, which isn’t used anyways (but it also won’t hurt, if the right still exist)). | |||
Click on API permissions on the right. Here you should find an entry called “Office 365 Exchange Online” with a sub item named “full_access_as_app”. | |||
[[Image:AD_APIPermissionsList2.png]] | |||
The next permission will be added by selecting it from a list. Click on “Add a permission”. In the following dialog click on “Microsoft Graph” and then on “Delegate permissions”. To make things easier, type “EWS” into the search field, open the entry and select “EWS.AccessAsUser.All”: | |||
[[Image:AD_APIPermissions_EWS.png]] | |||
Click on “Add permission” to close the dialog. You should now have at least “full_access_as_app” and “EWS.AccessAsUser.All” in the list of permission: | |||
[[Image:AD_APIPermissionsList.png]] | |||
However, the status column will show no or a “Not granted” entry. This can be simply resolved by clicking on “Grant admin consent for …”. Answer the upcoming dialog box with “Yes” and the status column should show “Granted…” for every permission: | |||
[[Image:AD_APIPermissions_AdminCosentGranted2.png]] | |||
Revision as of 14:20, 19 October 2021
How-to setup the Calendar for OAut2
This tutorial shows you, how to setup an Azure Active Directory App to let the calendar work with Microsoft 365 and OAuth2. Please note, that this is not a complete administration guide. Instead, it is a simply step-by-step tutorial which should work but maybe not the most accurate administration of your Azure AD – it’s just the way how we managed to use it. It is highly recommended to ask your Azure Administrator for details and / or read the Microsoft documentation. It is expected, that you have an Exchange user with the Application Impersonation right. More information about how to assign this role to a user can be find in the Microsoft documentation.
Note: The screenshot and labels may change because of updates done by Microsoft. The following steps had been made with the version with the Azure portal from August 2021. Note also that the images are scaled. If you need a sharper image, just click on it to see it in full size
Preparation
During the creation of an app, you need some information provided by the configuration of the Calendar and also add some information given by Azure. Because of that it is recommended to open the PBX Manager / AP Calendar in myApps (click on Configure and select “Cloud (Exchange Online)” as Sync Type) and the Azure Portal in your browser at the same time. You also have to login to the Azure Portal with an admin user to be able to add an application registration as well as to configure it.
If you get stuck or you need additional information, or if you are unsure if the way describe here is the best solution for your company, be free to use all the documentation and help links Microsoft provides in the Azure portal.
Registering the Calendar app to the Azure Active Directory
Create an App registration inside the Azure Active Directory
Open the azure portal (portal.azure.com) and Select “Manage Azure Active Directory” or click on one of the “Azure Active Directory” links.
You will be redirected to the Azure Active Directory Overview:
Click on “+ Add” and select “App registration” (alternatively click on “App Registration” on the side bar and add an App registration by clicking on “New registration”). Set a name for the registration (e. G. innovaphone Calendar) and select the supported account type. This should be either “Accounts in this organizational directory only (YourCompanyName only - Single tenant)” (which is recommended) or “Accounts in any organizational directory (YourCompanyName - Multitenant)”.
If you go with the single tenant, you have to select “My organization only” in as “Selected account types” for the Calendar configuration. If you select multitenant, “Multiple organizations” have to be configured. Before registering the app, a redirect URI must be set. Select Web from the dropdown list and enter the URI, which you will get from the “Redirect URI” line of the PBX Manager / Calendar Configuration.
Click on “Register”. You will be redirected to the overview page of your newly registered app. Copy the “Application (client) ID” (just click on the icon at the end of the ID) from this page and insert it to the Client ID field in the Calendar configuration.
Configure the client secret
The client secret is a security key you need to add, since it is mandatory for the OAuth2 authentication process used by the Calendar. To create one, click on “Certificates & Secrets” in the list on the left. Then click on “New client secret” under the “Client secrets” section:
The client secret will be randomly created by Azure, the only thing you may set is a description (which is optionally) and an expiration date. After clicking on “Add”, you should see the new client secret listed:
Now copy the “Value” (again, simply click on the icon beside the Value) and insert that at the Calendar configuration in the field “Client secret”. Note that after a couple of minutes, the Value of the client secret will be grayed out by Azure and you can’t copy it anymore. If that happens, just delete the old, create a new one and copy the value.
Configure the permissions
There are two API permission to be set. The first one will be added by editing the manifest file (as described at the Microsoft documentation (https://docs.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth). Click on “Manifest” in the sidebar. Scroll down the Manifest-File until you see the “requiredResourceAccess” property and add the following block to it:
{
"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
"resourceAccess": [
{
"id": "dc890d15-9560-4a4c-9b7f-a736ec74ec40",
"type": "Role"
}
]
},
Click on “Save”. The manifest now should look like this:
(Note: If you want, you can replace the existing part with the one above. In that case, the above part must be added without the comma after the closing ‘}’ bracket. This will remove the Users.Read right, which isn’t used anyways (but it also won’t hurt, if the right still exist)).
Click on API permissions on the right. Here you should find an entry called “Office 365 Exchange Online” with a sub item named “full_access_as_app”.
The next permission will be added by selecting it from a list. Click on “Add a permission”. In the following dialog click on “Microsoft Graph” and then on “Delegate permissions”. To make things easier, type “EWS” into the search field, open the entry and select “EWS.AccessAsUser.All”:
Click on “Add permission” to close the dialog. You should now have at least “full_access_as_app” and “EWS.AccessAsUser.All” in the list of permission:
However, the status column will show no or a “Not granted” entry. This can be simply resolved by clicking on “Grant admin consent for …”. Answer the upcoming dialog box with “Yes” and the status column should show “Granted…” for every permission:
