Office 365 Integration

The integration between Gfacility and Office 365 is established via a 2-legged approach using an app registration in Microsoft Entra ID (formerly Azure Active Directory). Once the app registration is created, we use the application ID and client secret to configure the connection.

How does the 2-legged approach work?

In the 2-legged approach, the application (Gfacility) authenticates itself using its own identity to access Office 365 resources. No separate authentication or pop-up is required for the end user. This is more secure and stable, as it minimizes the number of parties involved in the authentication process.

1. Create an app registration in the Azure Portal

It is highly recommended to create a specific app registration for Gfacility. This ensures the integration is independent of other applications and provides optimal control and security.

  1. Log in to the Azure Portal and navigate to App registrations.
  2. Click + New registration and enter a name.
  3. Select the appropriate supported account type (e.g., Accounts in this organizational directory only).
  4. You can leave the Redirect URI blank.
  5. Click Register. Note down the Application (client) ID and the Directory (tenant) ID from the overview page.
  6. In the left menu under Manage, click Certificates & secrets.
  7. Click + New client secret, enter a description, and choose an expiration date.
  8. Click Add.

⚠️ Important regarding the Client Secret

  • Immediately copy and save the Value of the client secret. This will never be fully displayed again.
  • Note the expiration date in your own records, so you can provide us with a new secret before the connection expires.

2. Assigning API permissions

Now that the app is registered, we need to assign Microsoft Graph permissions. The required permissions depend on the modules you are using.

  1. Go to your newly created App registration and click API permissions.
  2. Click + Add a permission and choose Microsoft Graph.
  3. Choose Application permissions (or Delegated, depending on the requirement) and add the permissions below.

👥 User integration

For automated creation and login of users.

  • Application permission: User.Read.All
  • Delegated permission: User.Read

🏢 Places (Locations)

For automated synchronization of locations/meeting rooms.

  • Application permission: Place.Read.All

📅 Outlook Events

For calendar synchronization (required for scheduling, analytics, or room display functions).

  • Application permission: Calendars.Read
  • Application permission: Calendars.ReadWrite

  4. Finally (important!), click the ✅ Grant admin consent for [Your Tenant] button to activate the permissions.

How does the Places integration work?

This integration provides seamless one-way synchronization (from Outlook to Gfacility). Whenever a reservable room is created or modified in Outlook, Gfacility updates this automatically.

  • Synchronized data: Name, Code, Capacity, Link to Outlook Room, and Parent location.
  • Parent locations (such as Building and Floor) are created fully automatically in Gfacility if they do not exist yet.

3. Restrict access via Exchange Online RBAC (Optional)

By default, Application permissions have access to all mailboxes and calendars within the tenant. For organizations with multiple entities in a single tenant (multi-tenant) or strict security requirements, you can restrict this scope so that Gfacility can only read the selected mailboxes.

Does NOT work: Microsoft Entra ID Groups

A common mistake is trying to restrict access using “User assignment required” on the Enterprise App in Entra ID. This ONLY works for user-based (delegated) access and not for application permissions (app-only). Furthermore, if you granted the Calendar permissions in Entra ID (Step 2), the Exchange RBAC scope described below will be completely ignored, because the tenant-wide Graph permission takes precedence. To restrict app-only access, you must use Exchange Online Application RBAC without granting the Calendar permission in Entra ID.

Step-by-step Implementation (PowerShell)

A. Connect and create Service Principal

Important: Use the Application ID and Object ID of the Enterprise Application, not the App Registration!

# Connect to Exchange Online (requires the ExchangeOnlineManagement module)
Connect-ExchangeOnline

# Register the Enterprise Application as an Exchange service principal
New-ServicePrincipal `
  -AppId "<Application ID>" `
  -ObjectId "<Enterprise App Object ID>" `
  -DisplayName "Gfacility Application RBAC"

B. Define Management Scope

Choose the desired filter: based on a domain (useful when the mailboxes to expose share their own domain), or based on a mail-enabled group (regular security groups do not work; the group must be a distribution group or a mail-enabled security group).

# Option 1: Based on domain (Automatically puts new users in scope)
New-ManagementScope `
  -Name "Gfacility-DomainScope" `
  -RecipientRestrictionFilter "PrimarySmtpAddress -like '*@contoso.com'"

# Option 2: Based on a mail-enabled group (Full control / Multi-tenant)
$Group = Get-DistributionGroup "Gfacility Scope"
New-ManagementScope `
  -Name "Gfacility-GroupScope" `
  -RecipientRestrictionFilter "MemberOfGroup -eq '$($Group.DistinguishedName)'"

C. Assign Role Assignment and Verify

# 1. Assign the scope to the app
New-ManagementRoleAssignment `
  -Name "Gfacility-Calendars-Scoped" `
  -Role "Application Calendars.Read" `
  -App "<Application ID>" `
  -CustomResourceScope "Gfacility-DomainScope"

# 2. Verify the settings
Get-ManagementRoleAssignment -App "<Application ID>" | Format-List Name,Role,CustomResourceScope

# 3. Test access to a specific mailbox
Test-ServicePrincipalAuthorization -Identity "<Service Principal ID>" -Resource "[email protected]"

📚 Official Documentation: Read the full Microsoft guide on Application RBAC in Exchange Online.
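As an added verification script (not part of the Gfacility documentation), the following PowerShell illustrates both the 2-legged (client credentials) token flow described at the top of this page and a check that the Exchange RBAC scope from Step 3 is actually in force: it confirms the token carries no tenant-wide Calendars.* role (which would bypass the scope) and probes one mailbox inside and one outside the scope. The tenant ID, client ID, secret and the two mailbox addresses are placeholders you must replace.

```powershell
# Added example: verify that app-only access is limited to the Exchange RBAC scope.
# Assumptions: the values below are placeholders; the app has NO Calendars.* permission
# granted in Entra ID and a scoped role assignment exists in Exchange Online.
$TenantId     = "<Directory (tenant) ID>"
$ClientId     = "<Application (client) ID>"
$ClientSecret = "<client secret Value>"
$InScopeMailbox    = "room1@contoso.com"    # placeholder: member of the management scope
$OutOfScopeMailbox = "user@fabrikam.com"    # placeholder: outside the management scope

# 1. Client credentials (2-legged) token for Microsoft Graph; no user involved
$TokenResponse = Invoke-RestMethod -Method Post `
  -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
  -Body @{
    grant_type    = "client_credentials"
    client_id     = $ClientId
    client_secret = $ClientSecret
    scope         = "https://graph.microsoft.com/.default"
  }
$AccessToken = $TokenResponse.access_token

# 2. Decode the JWT payload (base64url, padding restored) and inspect the roles claim
$Payload = $AccessToken.Split('.')[1].Replace('-', '+').Replace('_', '/')
switch ($Payload.Length % 4) { 2 { $Payload += '==' } 3 { $Payload += '=' } }
$Claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Payload)) |
  ConvertFrom-Json
$TenantWide = @($Claims.roles) -match '^Calendars\.'
if ($TenantWide) {
  Write-Warning "Token carries tenant-wide roles ($($TenantWide -join ', ')); the Exchange RBAC scope is ignored. Remove them under API permissions in Entra ID."
} else {
  Write-Host "OK: no tenant-wide Calendars.* role in the token; Exchange RBAC decides access."
}

# 3. Probe one mailbox inside and one outside the scope; the second one should be denied
foreach ($Mailbox in $InScopeMailbox, $OutOfScopeMailbox) {
  try {
    $null = Invoke-RestMethod -Method Get `
      -Uri "https://graph.microsoft.com/v1.0/users/$Mailbox/calendar/events?`$top=1" `
      -Headers @{ Authorization = "Bearer $AccessToken" }
    Write-Host "$Mailbox : readable"
  } catch {
    $Status = $_.Exception.Response.StatusCode.value__
    Write-Host "$Mailbox : denied (HTTP $Status)"
  }
}
```

If the out-of-scope mailbox is readable, either the Graph permission is still granted in Entra ID or the mailbox matches the management scope filter; check both before handing the credentials to Gfacility.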

4. Provide the details to your Gfacility administrator

To complete the setup in Gfacility, we need the following information from your Azure portal:

  • The Application (client) ID
  • The Directory (tenant) ID
  • The Value of the generated client secret

Note: Always share these sensitive details via a secure, agreed-upon method (such as a secure password manager link) and never just via email.

Integration Frequency

  • 👥 Users: synchronizes once a night to create new accounts.
  • 🏢 Locations (Places): synchronizes once a night to update rooms.
  • 📅 Outlook Events: updated in real-time, ideal for room reservations and displays.