OAuth Authentication using Device Flow
Evoko Home Setup for Office 365 using OAuth.
OAuth setup process for Office 365
To use OAuth with EWS for Office 365, you have to register a custom application in Azure Active Directory for your Office 365 tenant and gather some information.
Follow this document to gather the following information for the setup wizard.
Office 365 Service Account
This is the email address of the mailbox that is used for impersonation when calling EWS with OAuth authentication.
It is recommended that you create a mailbox dedicated to this purpose.
Prepare Service Account
Follow the Booking system preparation guide for Office 365.
Note! Add the service account to the impersonated rooms list!
Find Tenant ID/Name for your Office 365 Tenant in Azure Active Directory
The tenant name can also be used instead of the GUID (the tenant ID). When you signed up for Office 365, Microsoft generated a unique tenant name for your tenant. It has the form “<customer id>.onmicrosoft.com”. You can also find it in the “Domains” section under “Setup” in the Office 365 Admin Portal. There will be only one domain with the suffix “onmicrosoft.com”.
Find Tenant ID
- Log in to the Office 365 Admin Portal and open the Azure AD Admin Portal by clicking “Azure Active Directory” under Admin Centers (click “Show All” to show Admin Centers if the menu is hidden). This opens the Azure Active Directory admin center Dashboard.
You can also open this dashboard directly at https://aad.portal.azure.com
- Click Azure Active Directory in the left panel and click “Properties” under the “Manage” section.
Make a note of the “Directory ID”, in this example: 5024441e-8554-4dbf-9a00-d90e298448e8. This is the “Office 365 Azure AD Tenant ID”.
Register App for use with OAuth in EWS
- In the Azure AD portal, click “App Registrations” to open the App Registrations blade.
- Click the New Registration button. Fill in the name and redirect URI, then click Register.
- Once the application is created, its detail page is shown. Make a note of the “Application (client) ID” value.
- Click “Authentication”. Scroll down and enable “Treat application as public client” by selecting “Yes”. Make sure that “Access Token” and “ID Tokens” are not selected.
- Go to the “API permissions” setting.
- Click the “Add a permission” button, scroll down and select “Exchange”.
- On the permission selection page, select “Delegated Permission”. This opens the list of permissions for delegated access. Expand “EWS” and select “EWS.AccessAsUser.All”. Click the Add permission button.
- You should now see the application permission.
Login using OAuth in the Wizard:
Select “Modern (OAuth)” on the Credential page.
Once you have filled in the information, click “Connect”.
Login to Service Account
The wizard will wait for you to log in using the URL and the provided code. Make sure to log in with the service account created for this purpose. If you sign in with another account, authentication will succeed but the application will not work.
Login at Microsoft Azure
- At the provided URL, enter the code from the wizard, then click "Next".
- Notice the application name you configured for this.
- Once you sign in with the service account credentials, a consent dialog is shown. This happens only on the first login to this application; subsequent logins remember the consent.
- Review the dialog and click "Accept".
- You should now see the following screen, informing you that you can safely close this window.
- Switch back to the Evoko Home Setup Wizard and continue to the next step.
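The warning above, that signing in with another account succeeds but leaves the application not working, can be checked by inspecting the claims of the token issued after sign-in. The following is an added example, not code from Evoko or Microsoft: it assumes the access token is a JWT carrying the Azure AD claims tid, appid (or azp), upn (or preferred_username) and scp, and the client ID, service account address and sample tokens are constructed placeholders.

```python
import base64
import json

REQUIRED_SCOPE = "EWS.AccessAsUser.All"  # delegated permission added under "API permissions"

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))

def check_token(token, tenant_id, client_id, service_account):
    """Return the mismatches between a token's claims and the values gathered in this guide."""
    c = jwt_claims(token)
    problems = []
    if str(c.get("tid", "")).lower() != tenant_id.lower():
        problems.append("tenant: token was issued by a different directory")
    if str(c.get("appid") or c.get("azp") or "").lower() != client_id.lower():
        problems.append("client: token was issued to a different app registration")
    user = str(c.get("upn") or c.get("preferred_username") or "")
    if user.lower() != service_account.lower():
        problems.append(f"account: signed in as {user or 'unknown'}, not the service account")
    if REQUIRED_SCOPE not in str(c.get("scp", "")).split():
        problems.append(f"scope: {REQUIRED_SCOPE} was not granted")
    return problems

def _b64url_json(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def make_sample(claims):
    """Build an unsigned, constructed token so the demo runs offline."""
    header, body = _b64url_json({"alg": "none", "typ": "JWT"}), _b64url_json(claims)
    return f"{header}.{body}.constructed"

TENANT = "5024441e-8554-4dbf-9a00-d90e298448e8"  # example Directory ID from this page
CLIENT = "00000000-0000-0000-0000-000000000000"  # placeholder Application (client) ID
SERVICE = "room-svc@contoso.onmicrosoft.com"     # constructed service account address
BASE = {"tid": TENANT, "appid": CLIENT, "upn": SERVICE, "scp": "EWS.AccessAsUser.All"}
GOOD = make_sample(BASE)
WRONG_USER = make_sample({**BASE, "upn": "admin@contoso.onmicrosoft.com"})
NO_SCOPE = make_sample({**BASE, "scp": "User.Read"})

if __name__ == "__main__":
    for name, tok in [("good", GOOD), ("wrong user", WRONG_USER), ("no scope", NO_SCOPE)]:
        print(name, "->", check_token(tok, TENANT, CLIENT, SERVICE) or "OK")
```

Treat the decoded claims as a troubleshooting aid only: the signature is not verified here, and access tokens should not be written to logs or shared.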