Skip to main content

 

Eptura Knowledge Center

Data access and security

Frequently asked questions about data access and security

  1. What additional information does Condeco store for Exchange Sync?

The Exchange Sync notification engine does not store any additional information.

Some information is stored in the logs for monitoring the health of the system and troubleshooting purposes.

  1. Why do we need daemon applications?

Microsoft 365 APIs utilize OAuth2 authorization. As part of the OAuth2 flow, an access token and refresh token is provided. These tokens are provided to the daemon applications (Token Provider and Notification) so that they can continue accessing the required data in the background.

  1. What is Azure AD application registration?

To access the required user information in Microsoft 365, applications must register against Azure AD to get an Application ID. This Application ID is then used by the Token Provider and Notification daemon applications.

  1. Why do we need full mailbox permissions?

The service account used to access the Exchange Web Service (EWS) is an account that can be given impersonation rights. However, with Microsoft 365 APIs and OAuth2, there is no concept of impersonation rights as the authentication works on application tokens. This means that to create the necessary appointments in the calendars, the daemon applications require full mailbox permissions.

  1. If the daemon applications have full access to all calendars, does it then access users’ calendars?

No, currently on Microsoft 365, there is no differentiation between room calendars and user calendars, however, the daemon applications only subscribe to room calendars so are not aware of the users’ calendars.

  1. Can an Azure AD administrator create a security group and add all the required rooms so that permission on all calendars in a tenant is not required?

Yes, by applying an Application Access Policy. An Application Access Policy can either restrict or deny Graph API access to members of a mail-enabled security group. Learn more about controlling access to calendars

  1. Why is Exchange Web Service (EWS) still required now Microsoft 365 APIs are being used?

Microsoft 365 APIs are being used only for notifications. All other actions are being done using EWS.

  1. How can access to the daemon applications be revoked?

An Azure AD administrator can revoke application permissions from the client’s Azure Management Portal.

  1. Is there any throttling policy set by Microsoft when using Microsoft 365 APIs or EWS?

There are no clear guidelines from Microsoft on this however this could affect the performance of the system.

 


Exchange Sync home