Enterprise Connect for Office 365 and Exchange
Follow the steps in this process to create an account with the correct permissions to connect your calendar service to the software provider. This connection process is hosted by Cronofy and it allows the Cronofy calendar sync engine to access to your calendar service and, in turn broker that access out to your software provider.
THe following diagram describes the system boundaries.
The Service Account is used to control access over Boundary B.
Step 1: Create a Service Account #
Firstly, create a new Service Account to use with Enterprise Connect. Help on how to do that, can be found in our guide to creating a Service Account. The Service Account will be used to impersonate rooms or users when managing events.
Step 2: Configure the Service Account #
There are three levels of access to an end-user’s Mailibox that can be applied to a Service Account.
Note: In order to list resources, the Service Account must have a mailbox associated with it.
Full access is configured by granting the
ApplicationImpersonation role to the Service Account created in Step 1. This role allows the account to access a subset of users and/or the entire organization as desired. Help on how to do that, can be found in our guide on configuring
This still requires the Service Account be granted the
ApplicationImpersonation role but that access is limited to specified folders in an end-user’s Mailbox.
Typically with Cronofy, this would be limited to Calendar folders only, thus explicitly preventing access to email data.
Whilst Cronofy doesn’t access any folders other than Calendar folders in a Mailbox, this gives confidence that Cronofy can’t access any other folders.
More information in our guide to controlling Mailbox permissions.
Granting the Service Account
-AccessRights permission on Mailboxes will ensure that only Free-busy data is available to Cronofy across Boundary B.
Using this level of access will prevent the Integrator’s application from creating events directly into end-user’s calendars. You should check with the Integrator that their application is able to operate with this level of access before configuring in this way.
More information in our guide to Free-busy Only Access.
Step 3: Test your credentials #
Next, we’d recommend you test your Service Account using the Microsoft Remote Connectivity Analyzer. You’ll need the credentials for the Service Account created in Step 1, as well as the email address of a user or resource mailbox configured for impersonation. If you don’t have Autodiscover configured for your domain then you will also need the public Exchange Server URL.
More details can be found about testing in our help article Testing Enterprise Connect configuration for Office 365 and Exchange
Step 4: Authorizing access #
This corresponds to Boundary A in the above diagram.
Your software provider will provide you with a button or link to follow to connect your calendars with their service.
After selecting Office 365 or Exchange you will see a screen similar to this.
This will verify the Service Account credentials and use them to impersonate the user associated with the Impersonation email. Once complete you will be redirected back to your software vendor’s application and they will be able to synchronize your user/resource calendars.
In This Section
- A guide explaining how Exchange should be set up, before you integrate with Cronofy
- A guide explaining how to configure the `ApplicationImpersonation` role on Service Accounts in Exchange
- A guide to providing access to specific mailbox folders to provide stricter access contols to ensure email folders are not accessible.
- Limiting access to corporate calendars to just free-busy information with Enterprise Connect.
- Follow this documentation to restrict members that a Service Account can impersonate, using Distribution Groups.
- How to configure room lists to allow resources to be accessed.
- Configuring Office 365 mailbox auditing.
- The Microsoft Remote Connectivity Analyzer provides a set of tools to test connectivity setup for a range of Microsoft servers and services. This includes the tests to confirm that the credentials and connectivity required for Enterprise Connect are correct and available.