EntraID/AzureAD Enterprise Application Integration (SSO/O365/SCIM/Calendar Integration)

If the users and/or resources are both available within EntraID/Azure AD it's highly recommended to include GoBright as an Enterprise Application. There are a few reasons to do this:

Why you should consider adding GoBright in EntraID/AzureAD

  • The application can be used to set up the Room Booking Integration
  • The application can be used to synchronize users from EntraID / Azure AD when SCIM User Provisioning is setup
  • Managing users who can log in to the GoBright platform with Microsoft Single Sign-On
  • No additional configuration or scripting is required

Using this enterprise application will easily set up a connection, including SSO, while still giving you control over who is allowed to use the application.

Step 1 Office365 Integration

Creating the Office 365 Application Mode Integration

When logged in the GoBright portal with the initial admin account, you can press the Four Squares on the top right corner and Select the Admin Center.

You need to go to Integrations, press the Add blue button on the top right.

Here you are presented with a couple of options that you can choose depending on the External System that you need to Integrate with GoBright.

In your case now, External System is Office 365, Authentication Type is Modern using the MS SSO and permission mode is Application Mode using an Enterprise Application.

Application Mode 1.png

You can already Link the O365 Tenant, which will give us a prompt to Sign In with a Microsoft Account.

For this you need to use a Global Admin Account of Azure/Entra ID.

Application Mode 2.png

When Signed In, another prompt will be triggered that will Request Permissions.

The permissions are for the GoBright SSO Application which will allow users to authenticate and sign in using their O365 accounts.

When accepted, the Enterprise Application will be created, and you will be brought back to GoBright portal with the Tenant status Linked.

Application Mode 3.png

When you are brought back to the O365 Integration in GoBright you can see that the SSO Tenant Link is linked, however it will also show two other Integrations that are not Linked.

Application Mode 4.png

 

Step 2 Room Booking Integration

The next step it's only applicable if you have Room Booking and want to integrate the Rooms with Office 365. Otherwise please skip Step 2 and go to Step 3 for User Synchronization.

1. Calendar and Teams Link Application Integration

If you are using Room Booking function in GoBright, you must Link the Calendar and Teams Integration as this will give you the ability to Integrate the Room Calendars with GoBright and to be able to automatically create Teams Meeting Links when you make a booking of a Room through the GoBright Portal.

Please double check and make sure that the room mailboxes you are trying to integrate are not hidden in the Global Address List on Exchange. This can cause validation errors, that the objects IDs are not available in the external system

When you press the link, a prompt will be triggered that will Request Permissions to create the GoBright Calendar Application Mode application.

Application Mode 5.png

When accepted, the Enterprise Application will be created and GoBright can communicate with the Room Calendars.

2. Connect to Office 365 with PowerShell (If you need to create the Room Mailboxes in O365)

Connecting to Office 365 with PowerShell is the easiest way to execute several configuration commands.

For connecting to Office 365 with MFA support, Microsoft provides the EXO V3 module, published through the PowerShell gallery, which can be installed with the following steps:

  1. Start PowerShell as Administrator

    The GoBright platform enforces communication using TLS 1.2. Depending on the system you use this might nog happen automatically. See the code below and implement this in every PowerShell script that communicates with GoBright.

    Also add the $ErrorActionPreference to make sure it stops the script whenever an error occurs. Please don't forget to add the lines below in each of your scripts. 

    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 
    $ErrorActionPreference = "Stop"
  2. Install the PowerShell gallery PowerShell module:
    • Execute the following commands in PowerShell (running as administrator)
    • Install the NuGet PackageProvider:
      Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
    • Configure PowerShellGallery as a trusted source:
      Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
    • Install the PowerShellGet module:
      Import-Module -Name PowerShellGet
  3. Install the EXO V3 (ExchangeOnlineManagement) module:
    Install-Module -Name ExchangeOnlineManagement -Force

    The '-Force' command makes sure that the latest version of the module is installed even when a previous installation exists.

  4. Close the PowerShell session
  5. Start a new PowerShell session

Now we can use the installed EXO V3 module to connect to Office 365:

  1. Start PowerShell as Administrator (make sure this is a new PowerShell session)
  2. Start connecting by logging in, use an account with the required permissions to manage your Office 365 environment:
    Connect-ExchangeOnline -UserPrincipalName you@yourdomain.com -ShowProgress $true
  3. When logged in, we are ready to proceed with the further configuration!

 

3. Create the Room Calendars in Office 365 (If you need to create the Room Mailboxes in O365)

With the steps below, you’re able to create rooms in your Office 365 environment. This will publish the rooms in Office 365, and give a calendar for each room.

If you already have room calendars in your Office 365 environment, then proceed with the next step, but make sure you have the e-mail addresses of the rooms, because you will need them later on.

Execute the following commands via the PowerShell session.

Execute the following command, change the MicrosoftOnlineServicesID to the room email address you would like, and supply a correct Name, DisplayName, and Password for this room:

New-Mailbox -EnableRoomMailboxAccount $true -Room -MicrosoftOnlineServicesID room1@yourdomain.com -Name Room1 -DisplayName 'Room 1' -RoomMailboxPassword (ConvertTo-SecureString -String YourPasswordHere -AsPlainText -Force)

If needed you can set the Organizational Unit via the -OrganizationalUnit parameter. The example command above presumes the default Organizational Unit.

Execute this command for each room you would like to create.

4. Configure the user's default access to the Room Mailboxes

Now the access of the users to the room mailboxes should be configured.

Execute the following commands via the PowerShell session.

With the following command you set the default access for each room mailbox to ‘read only, with limited details’, this usually is best, so users cannot change directly in the room mailbox. Change the value of Identity to the email address of the room.

Set-MailboxFolderPermission -Identity room1@yourdomain.com:\Calendar -User Default -AccessRights LimitedDetails

Note: the folder name ‘Calendar’ is dependant to the culture settings of the room mailbox, so ‘Calendar’ also might be some translated value like ‘Agenda’. The command will fail with an error message if you’re using the wrong folder name.

Execute the following command to get the folder name (e.g. when the command above fails):

Get-MailboxFolderStatistics -Identity room1@yourdomain.com | Where-Object {$_.FolderType -eq "Calendar"} | Select Name,FolderType,Identity

5. Configure the behavior of the Room Mailboxes

The default behavior of a room mailbox changes the subject of the appointment and removes the private flag if it’s set. Via the following command, the room mailbox is configured to automatically process (accept/decline) meeting requests and keeps the data of the meeting in place.

Execute the following command via the PowerShell session.

Configure the behavior of the room mailbox, change the Identity parameter to the email address to the email address of the room:

Set-CalendarProcessing -Identity room1@yourdomain.com -AutomateProcessing AutoAccept -DeleteSubject $False -DeleteComments $False -AddOrganizerToSubject $False -RemovePrivateProperty $False

Execute this command for each room mailbox.

When needed, you can change this best-practice to get different behavior. The following parameters are the most important:

  • AutomateProcessing: AutoAccept will make the room mailbox process meetings automatically (accept/decline). It’s also possible to do this manually, via the value ‘None’ (more info), but this also means you will have to process cancellations manually.
  • DeleteSubject: By keeping the original subject, we’re able to show the subject in the portal, app, and displays. This is possible via the value $False. If you use the value $True, the subject will be deleted by the room mailbox.
  • DeleteComments: When DeleteComments is set to $True, the content of the comment in your calendar item will not be pushed to the GoBright portal and app. If set to $False, all content of your comment will be pushed to the GoBright portal and app. Keep in mind that only the first 500 characters will be shown due to a restriction of Microsoft.
  • AddOrganizerToSubject: The room mailbox is able to add the name of the organizer to the subject, but this can get confusing. By using the value $False this is disabled.
  • RemovePrivateProperty: The room mailbox removes the private property from the incoming meeting. By using the value $False, the meeting will keep its private flag.

For more details about Mailbox settings, read this Microsoft article.

6. Calendar Integration Permissions, Restrictions

By Default, the created Calendar Integration Enterprise Application comes with predefined permissions, from the start the application will have Read and Write Access over All Calendars in the tenant, not the mailboxes but only the calendars.

Application Mode 6.png

If you want to Restrict the application to have Calendar access only over the Calendars of the Room Mailboxes, this can be done with an Application Access Policy.

Application Access Restriction Policy

The Application Restriction Access Policy also affects how Room Bookings are created through the GoBright Portal:

  • When Unrestricted / Full Integration – User is the organizer of the meeting.
  • When Restricted / Restricted Integration – Room is the organizer of the meeting.

When Restricted policy is applied to the Rooms, the person who created the meeting won’t be the organizer and cannot see changes to the meeting directly to his inbox, instead all of the changes will go to the inbox of the Room as the Room will be the organizer of the meeting and the person will be only an attendee.

In order to create the policy, we need to create a Group that will contain all the Rooms we want to restrict the application to and then apply the policy to that group.

For this we are using PowerShell as a universal language, and it is faster and simpler than to explain it through the Exchange Online Admin Panel.

Steps to follow to apply the policy:

Start with connecting to Exchange Online Powershell:

  1. Start powershell as admin
  2. Connect-ExchangeOnline ShowProgress $true -UserPrincipalName admin@yourdomain.com

First you need to list the emailaddresses to use in the limit or exclusion.
This has to be a ‘mail-enabled security group’ in Exchange, which we will create one in the next
steps:

  1. First create the ‘mail-enabled security group’:
    New-DistributionGroup -Type Security -Name "GoBright Accesslist" -PrimarySmtpAddress GoBrightAccesslist@yourdomain.com
  2. Then add members, as follows:
    Add-DistributionGroupMember -Identity GoBrightAccesslist@yourdomain.com -Member room1@yourdomain.com
  3. And you can check the list of members as follows:
    Get-DistributionGroupMember -Identity GoBrightAccesslist@yourdomain.com
  4. More documentation here: https://learn.microsoft.com/enus/exchange/recipients/mail-enabled-security-groups?view=exchserver-2019
  5. You can also create and manage it from Exchange Admin Center

Application Mode 7.png

Now you can connect the ‘mail-enabled security group’ to work as a Restriction:

  1. New-ApplicationAccessPolicy -AppId 15a00ef4-864a-4704-a9c9-ed5f5cef70e6 -PolicyScopeGroupId GoBrightAccesslist@yourdomain.com -AccessRight RestrictAccess -Description "Restrict the GoBright platform access to members of GoBrightAccesslist@yourdomain.com."
  2. Now you can test the access to a specific calender with this command:
    Test-ApplicationAccessPolicy -Identity room1@yourdomain.com -AppId 15a00ef4-864a-4704-a9c9-ed5f5cef70e6

Important Notes:

  • The testing command will work directly, but the real access restrictions can take up to 90 minutes to become active.
  • The ApplicationAccessPolicy will not be deleted automatically if you delete the
    Enterprise Application.

Deleting an ApplicationAccessPolicy works like this:

  1. List the ApplicationAccessPolicies for GoBright:
    Get-ApplicationAccessPolicy | Where { $_.AppId -eq "15a00ef4-864a4704-a9c9-ed5f5cef70e6" } | Format-List
  2. Copy the ‘Identity’ (a very long string) of the ApplicationAccessPolicy you want to delete
  3. Then execute:
    Remove-ApplicationAccessPolicy -Identity "xxxxxxxxxxxxxxxxx"

 

 

Step 3 User Synchronization

Currently we have two methods for User Synchronization, the difference between the two methods is:

  • SCIM is being deployed as an Enterprise Application and requires little configuration to be setup and will provision users automatically every 40 minutes. SCIM will be the main tool for User Sync.
  • The PowerShell Scheduled Sync Script has to be setup and then to be scheduled to run periodically on a Server with Task Scheduler or with Azure Automation Runbook. Also, with the PowerShell script you can sync attributes for NFCId and PIN code if you have them configured in your Azure AD. PowerShell Sync will remain as supported method as well.

1. User Sync with EntraID/AzureAD SCIM User Provisioning

SCIM is a powerful tool that can provision assigned users to GoBright with a dedicated role, as well as manage, disable and delete them.

The Article on How to Configure SCIM can be found here.

 

2. User Sync with EntraID/AzureAD using PowerShell Scheduled Script

The Azure AD / Active Directory synchronization is capable of automatically creating, updating, and disabling users from Azure AD or Active Directory.

The Article on How to Configure the User Sync with PowerShell Scheduled Script can be found here.

 

Step 4 Add and Configure Rooms in GoBright

4.1 Configure Rooms

Follow the steps in this article to continue.

Step 5 GoBright Add-In/Plug-In Outlook/Teams

The Outlook Add-In and the Teams and Outlook GoBright Plug In can be found and deployed from the Microsoft Application Gallery which is available on the Integrated Apps section in Microsoft 365 Admin Center.

Application Mode 99.png

 

 

0 out of 0 found this helpful