Microsoft 365 admin account
About Condeco and the Microsoft 365 admin account
- A Microsoft 365 admin account is required if you have Exchange rooms.
- The Microsoft 365 admin account must grant consent for Condeco to use User.Read and Calendars.ReadWrite (see table below).
- It is a limitation of Exchange that the Microsoft 365 admin account can only grant consent for all calendars. However, the Microsoft 365 service account can be restricted to only read room calendars.
Permissions required
Clicking Accept in the Microsoft permissions popup during the onboarding process grants the Condeco Token Provider application the following access using Microsoft Graph:
Permission Required | Description | Type | Reason |
---|---|---|---|
EWS.AccessAsUser.All | Access mailboxes as the signed-in user via Exchange Web Services | Application | This permission is required by the service account having impersonation rights to access mailboxes on behalf of a user. |
Calendars.ReadWrite | Read and write calendars in all mailboxes. | Application | This permission is required to create room subscriptions to get notifications of changes in Exchange mailboxes. |
User.Read | Sign in and read the user's profile. | Delegated | This permission is required for an AAD user to log in. |
Currently, Microsoft does not provide separate permissions for user and room calendars, so you must provide Condeco access to all calendars. However, Condeco will only subscribe to the room calendars that are mapped in Condeco.