/
Graph API & OAuth 2.0 Configuration for Office 365

Graph API & OAuth 2.0 Configuration for Office 365

Owned by Elliot Dooleysmith
Last updated: Sept 09, 2022
6 min read

This guide covers how to configure ResourceXpress to use OAuth 2.0 to connect with Office 365.

Pre-requisites & Limitations

If using ResourceXpress v2021.5 HF2 or earlier versions, Exchange Impersonation for all resource mailboxes is mandatory for the service account(s).

Please see the Microsoft Office 365 configuration guide for instructions to configure Impersonation.

An Exchange service account with mailbox impersonation rights is not required for ResourceXpress v2021.6 and later versions.

ResourceXpress Settings

To configure OAuth in ResourceXpress first sign into the admin console, using the navigation menu across the top select Administration Settings then System Settings, the OAuth options can be found under the Resource Server tab.

If using a Hybrid Licence ensure Exchange is selected in the Booking System dropdown.

These settings can also be applied to individual Resource Profiles or Location-based System Settings.

For individual profiles follow this same procedure but fill in the options found under the Connection Properties tab found in the profile settings.

For Location-based Systems follow this procedure filling in the settings by location found under the Locations tab in System Settings.

The Server Host Name will need to be set to https://graph.microsoft.com/v1.0.

Select Yes for Use Graph API

OAuth is required when using Microsoft Graph API

The Resource Login User ID is the service account email address that has impersonation rights to all room mailboxes. A service account is not required and can be left blank when using ResourceXpress v2021.6 or later.

Follow the steps below in a new tab/browser window to get get the OAuth Tenant ID, Client ID and Client Secret.

Register an Azure Active Directory App

Navigate to https://portal.azure.com, from here select Azure Active Directory.

From the left-side menu choose App registrations then click New registration.

In the Register an application window enter a name for your application.
Select the Supported account types and click the Register button.

Add API Permissions

Select API Permissions under Manage, found on the left menu.

By default the Microsoft Graph User.Read permission is added automatically.
ResourceXpress does not require this permission, so this can be removed.

Calendars.ReadWrite permission required

Click the Add a permission button from the API permissions window.

From the Select an API window choose the Microsoft Graph tab.

The below permissions will grant Read and Write access to all calendar mailboxes in the tenant. To restrict the permissions to a sub-set of mailboxes please complete the steps in this guide and then review our additional guide Restrict the Scope of API Permissions. to specify the scope of mailboxes that can be accessed.

Select Application permissions and choose the Calendars.ReadWrite option and click Add permissions.

Next, click Grant admin consent and then Accept from the confirmation dialogue box.

Make sure that admin consent has been granted to the Calendars.ReadWrite permission, this may require the page to be refreshed.

Mail.Send permission optional

Required to use OAuth for SMTP

If you are using an Application Access Policy the SMTP account will need to be included within the Security Group.
Alternatively, a new App registration will need to be configured granting the SMTP account access.
For more information on configuring this please contact helpdesk@qedas.com.

Click the Add a permission button from the API permissions window.

From the Select an API window choose the Microsoft Graph tab.

Select Application permissions and choose the Mail.Send option and click Add permissions.

Next, click Grant admin consent and then Accept from the confirmation dialogue box.

Make sure that admin consent has been granted to the Mail.Send permission, this may require the page to be refreshed.

Users.Read.All & Group.Read.All permission optional

Required to use Azure AD User Sync
User Settings

If you are using an Application Access Policy all users to be synced with RX will need to be included within the Security Group.
Alternatively, a new App registration will need to be configured which includes these users.
For more information on configuring this please contact helpdesk@qedas.com.

Click the Add a permission button from the API permissions window.

From the Select an API window choose the Microsoft Graph tab.

Select Application permissions and check the box for the User.Read.All and Group.Read.All options and click Add permissions.

Next, click Grant admin consent and then Accept from the confirmation dialogue box.

Make sure that admin consent has been granted to the permissions, this may require the page to be refreshed.

 

Generate the Client Secret

Select Certificates & secrets from the left menu found under Manage.

Then click New client secret.
Enter a Description and select the option for Expiry.

We recommend choosing Never, as this will avoid the need to update this regularly.

Click Add.

This is the only time the client secret will be visible.
Another key will need to be created if this is lost or expires.

Click the Copy to clipboard option for this client secret, return the ResourceXpress Admin Console tab and paste this value into the OAuth Client Secret field.

Getting the Client & Tenant ID’s

Return to the Azure Portal, select Overview from the left menu.

From here copy the Application (client) ID and Directory (tenant) ID and paste these into the relevant fields in the ResourceXpress Admin Console.

Once all three values have been added into ResourceXpress click Save.

The Azure Portal page can now be closed.

ResourceXpress On-Prem

If using ResourceXpress On-Prem then a modification will need to be made to the web.config file to allow Microsoft Graph API to work.

This can be found in the root directory for the ResourceXpress installation.
By default this is C:\\inetpub\wwwroot\

Using your preferred editor, add the below link into the web.config file.

<add key="GraphApiOAuthParameters" value="grant_type=client_credentials&amp;client_id=$$clientId$$&amp;client_secret=$$clientSecret$$&amp;scope=https://graph.microsoft.com/.default"/>

This line can also be copied from the web-sample.config file.

After making the modification, save this file and restart the IIS application pool.

Related content

The following macros are not currently supported in the footer:
  • style