# Organizational Accounts

> **DESIGN**

Cronofy allows the connection of an organization’s Calendar, Conferencing and Directory Services in order to support its scheduling service. This document gives an overview of the roles and permissions required.

Notably, Calendar Services can be connected in one of three modes to match the compliance requirements of your organization.

# Calendar Organization Accounts
Calendar Organization Accounts can be configured using one of three different access modes.

- Read Write

- Free/Busy

- No Access

The mode chosen affects the access Cronofy has to the organization’s calendar service. This will in turn affect the approach taken to creating calendar events in response to bookings.

Multiple calendar services can be connected to one Cronofy Organizational Unit. This allows companies that operate different calendar domains, even if they are from different service providers, to be operated under one Cronofy account.

## Read Write
This access mode enables a fully native calendaring experience. Events are created directly in users’ calendars on their behalf. They are the organizer of the event and any attendee invitations are sent from the organizer’s email account.

This mode also enables native conferencing support. Similarly to event invitations, by acting on behalf of the user, Teams and Meet conferencing links are generated as a native part of the event using the organizing user’s conferencing account.

This mode also allows the inviting of meeting rooms and other resources to calendar events.

### Google Workplace Scopes
The following scopes are required as part of the authorization process.

```
email
profile
https://www.googleapis.com/auth/calendar
```

### Microsoft Graph Scopes
The following scopes are required as part of the authorization process.

```
openid
email
Calendars.ReadWrite.All
```

## Free/Busy
The Free/Busy access mode allows Cronofy to see whether a user is marked as free or busy in their calendar when determining which slots to offer. This information is updated in real time, meaning that the availability functionality of Cronofy is essentially the same as for the Read Write access mode.

Where this mode differs is how calendar invites are managed. This mode doesn’t allow Cronofy to create events directly in the organizer’s calendar. Instead Cronofy will send an email to the organizer and all attendees with an attached calendar invite. This invitation will act like a native calendar invite and thus will automatically be added as pending acceptance into the organizer’s and the attendees’ calendars. Attendee acceptance status will be reported back to Cronofy and the organizer’s calendar.

The email address used to send the invitation can be configured to match a customer’s domain.

This mode also changes how video conferencing links are generated. Without the ability to create events directly into a user’s calendar, we lose the ability to create native conferencing links. Instead a separate conferencing service authorization will be required. See [Conferencing Integrations](#conferencing-integrations).

This mode also prevents inviting meeting rooms and resources to events. Generally meeting rooms only respond to invitations from internal mailboxes.

### Google Workplace Scopes
The following scopes are required as part of the authorization process.

```
email
profile
https://www.googleapis.com/auth/calendar.calendarlist.readonly
https://www.googleapis.com/auth/calendar.events.freebusy
```

### Microsoft Graph Scopes
Microsoft Graph does not currently offer a Calendar Free/Busy scope. Following the principle of least permission we request `Calendars.ReadBasic`. This gives access to the title of an event and the attendees list but not the body or any attachments.

**Cronofy only synchronizes Free/Busy information**, i.e. the start and end times along with whether the period is to be considered free or busy.

The following scopes are required as part of the authorization process.

```
openid
email
Calendars.ReadBasic.All
```

## No Access
The No Access mode is for organizations with compliance requirements that prevent any access to their calendar services. This prevents Cronofy from having access to any information about a user’s availability outside of events that have been created through Cronofy. This means that users will need to manage their Availability solely in their Cronofy preferences.

Cronofy will still consider events created through Cronofy when assessing a user’s availability.

This mode doesn’t allow Cronofy to create events directly in the organizer’s calendar. Instead Cronofy will send an email to the organizer and all attendees with an attached calendar invite. This invitation will act like a native calendar invite and thus will automatically be added as pending acceptance into the organizer’s and the attendees’ calendars. Attendee acceptance status will be reported back to Cronofy and the organizer’s calendar.

The email address used to send the invitation can be configured to match a customer’s domain.

This mode also changes how video conferencing links are generated. Without the ability to create events directly into a user’s calendar, we lose the ability to create native conferencing links. Instead a separate conferencing service authorization will be required. See [Conferencing Integrations](#conferencing-integrations).

This mode also prevents inviting meeting rooms and resources to events. Generally meeting rooms only respond to invitations from internal mailboxes.

### Identity Verification
Another key area where this mode differs is that Cronofy needs a method to verify the identity of the organizer. With Read Write and Free/Busy modes, this verification is inherent in the authorization to the calendar account. Without access to a calendar account, another method is required.

This is generally provided by a Directory Service (see [Directory Organization Accounts](#directory-organization-accounts)), though it can also be achieved through confirmation links sent to email addresses to confirm ownership.

### Google Workplace Scopes
None - no access required

### Microsoft Graph Scopes
None - no access required
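
One way to check that a calendar connection holds exactly the scopes documented above for its intended access mode. This is an added example, not Cronofy's code: the function names, the mode labels (`read_write`, `free_busy`, `no_access`) and the sample grant string are assumptions made for illustration, and the input is whatever scope list you export from your provider's consent records.

```python
# Added example (not Cronofy code): compare the scopes granted to a calendar
# connection with the set this page documents for the intended access mode.
GRAPH_PREFIX = "https://graph.microsoft.com/"
G = "https://www.googleapis.com/auth/"

# Scope sets copied from the sections above; the mode keys are hypothetical labels.
DOCUMENTED = {
    ("google", "read_write"): {"email", "profile", G + "calendar"},
    ("google", "free_busy"): {"email", "profile",
                              G + "calendar.calendarlist.readonly",
                              G + "calendar.events.freebusy"},
    ("google", "no_access"): set(),
    ("microsoft", "read_write"): {"openid", "email", "Calendars.ReadWrite.All"},
    ("microsoft", "free_busy"): {"openid", "email", "Calendars.ReadBasic.All"},
    ("microsoft", "no_access"): set(),
}


def parse_scopes(raw, provider):
    """Split a space-delimited OAuth scope string into a normalized set."""
    scopes = set()
    for scope in raw.split():
        # Graph scopes may be written fully qualified; compare on the short name.
        if provider == "microsoft" and scope.startswith(GRAPH_PREFIX):
            scope = scope[len(GRAPH_PREFIX):]
        scopes.add(scope)
    return scopes


def audit(provider, intended_mode, raw_granted):
    """Report drift between the granted scopes and the intended mode's set."""
    granted = parse_scopes(raw_granted, provider)
    expected = DOCUMENTED[(provider, intended_mode)]
    # The documented mode, if any, whose scope set the grant matches exactly.
    effective = next((m for (p, m), s in DOCUMENTED.items()
                      if p == provider and s == granted), None)
    return {
        "ok": granted == expected,
        "missing": sorted(expected - granted),
        "excess": sorted(granted - expected),   # access beyond the intended mode
        "effective_mode": effective,
    }


# Constructed sample: a tenant meant to be Free/Busy whose grant is Read Write.
SAMPLE = "openid email https://graph.microsoft.com/Calendars.ReadWrite.All"
if __name__ == "__main__":
    print(audit("microsoft", "free_busy", SAMPLE))
```

A non-empty `excess` list, or an `effective_mode` that differs from the mode you intended, means the connection has more access than your compliance requirement allows.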

# Directory Organization Accounts
In order to automate user onboarding and offboarding it is possible to connect to a Directory Service. This gives Cronofy the ability to ensure that every user returned by the service has a corresponding Cronofy Account.

Microsoft and Google both provide directory services. Integrations such as SAP SuccessFactors also provide a directory-like service that can be used to control user access to Cronofy.

### Google Workplace Scopes
The following scopes are required as part of the authorization process.

```
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.domain.readonly
```

### Microsoft Graph Scopes
The following scopes are required as part of the authorization process.

```
User.Read.All
Organization.Read.All
Place.Read.All
```

# Conferencing Integrations
Where the Read Write Calendar Access Mode is used, Microsoft Teams and Google Meet meetings can be added to calendar events using the organizer’s account. Without a Read Write calendar service connection a separate conferencing integration is required.

This is also the case with other conferencing services not linked to calendar services like Zoom or Webex.

Cronofy uses the email address associated with conferencing accounts to link to a corresponding calendar account.

### Google Meet Scopes
The following scopes are required as part of the authorization process.

```
https://www.googleapis.com/auth/meetings.space.created
https://www.googleapis.com/auth/meetings.space.readonly
https://www.googleapis.com/auth/meetings.space.settings
```

### Microsoft Teams Scopes
The following scopes are required as part of the authorization process.

```
OnlineMeetings.ReadWrite.All
```

### Webex Scopes
The following scopes are required as part of the authorization process.

```
spark:kms
meeting:admin_schedule_write
spark:people_read
```

### Zoom Scopes
The following scopes are required as part of the authorization process.

```
meeting:write:admin
user:read:admin
```
