Office 365 Integration

2-legged Azure integration for users, places and calendars — app registration, permissions, optional RBAC scoping and sync frequencies.

Updated May 4, 2026

The integration between Gfacility and Office 365 uses a 2-legged approach with an app registration in Microsoft Entra ID (formerly Azure Active Directory). The Gfacility app authenticates with its own identity — no separate pop-up or consent for each user, so it’s more stable and more secure.

1. Create an app registration in the Azure Portal

Create a dedicated app registration for Gfacility — independent of other applications, with better control and security.

| Step | What to do |
|------|------------|
| 1 | Sign in to the Azure Portal → App registrations. |
| 2 | Click + New registration and enter a name. |
| 3 | Choose the appropriate account type (e.g. Accounts in this organizational directory only). |
| 4 | Redirect URI can be left blank. |
| 5 | Click Register. Note the Application (client) ID and Directory (tenant) ID. |
| 6 | Go to Certificates & secrets. |
| 7 | Click + New client secret, add a description and an expiry date. |
| 8 | Click Add. |

2. Assign API permissions

In the app registration, go to API permissions → + Add a permission → Microsoft Graph. Add the following permissions per use case:

User integration

For automatic provisioning and sign-in of users.

  • Application: User.Read.All
  • Delegated: User.Read

Places / Locations

Automatic sync of meeting rooms from Outlook.

  • Application: Place.Read.All

Outlook Events

For scheduling, analytics and room display.

  • Application: Calendars.Read
  • Application: Calendars.ReadWrite

Shared calendars

Access to shared mailboxes.

  • Delegated: Calendars.Read.Shared
  • Delegated: Calendars.ReadWrite.Shared

Finally, click Grant admin consent for [Tenant] — otherwise the permissions remain pending.

How does the Places integration work?

A one-way sync from Outlook to Gfacility. On every change to a bookable room, Gfacility updates these fields: Name, Code, Capacity, Link to Outlook Room, Parent location. Parent locations (Building, Floor) are created automatically if they do not exist yet.

3. Restrict access via Exchange Online RBAC (optional)

By default, Application permissions have access to all mailboxes and calendars in the tenant. For multi-tenant or strict security scenarios you can scope this.

Step-by-step implementation (PowerShell)

A. Connect and create the Service Principal — use the Application ID and Object ID of the Enterprise Application, not the App Registration:

Connect-ExchangeOnline

New-ServicePrincipal `
  -AppId "<Application ID>" `
  -ObjectId "<Enterprise App Object ID>" `
  -DisplayName "Gfacility Application RBAC"

B. Define a Management Scope — based on a domain or a mail-enabled group (regular security groups do not work):

# Option 1: Based on domain (new users automatically in scope)
New-ManagementScope `
  -Name "Gfacility-DomainScope" `
  -RecipientRestrictionFilter "PrimarySmtpAddress -like '*@contoso.com'"

# Option 2: Based on a mail-enabled group (multi-tenant / full control)
$Group = Get-DistributionGroup "Gfacility Scope"
New-ManagementScope `
  -Name "Gfacility-GroupScope" `
  -RecipientRestrictionFilter "MemberOfGroup -eq '$($Group.DistinguishedName)'"

C. Assign and test the Role Assignment:

# 1. Assign the scope to the app
New-ManagementRoleAssignment `
  -Name "Gfacility-Calendars-Scoped" `
  -Role "Application Calendars.Read" `
  -App "<Application ID>" `
  -CustomResourceScope "Gfacility-DomainScope"

# 2. Verify settings
Get-ManagementRoleAssignment -App "<Application ID>" | Format-List Name,Role,CustomResourceScope

# 3. Test access to a specific mailbox
Test-ServicePrincipalAuthorization -Identity "<Service Principal ID>" -Resource "<mailbox address>"

See also the Microsoft guide on Application RBAC in Exchange Online.
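
A way to confirm the scope from step C in both directions, checking that a mailbox inside the scope is reachable and one outside it is not (added example, not Gfacility's or Microsoft's own script). The mailbox placeholders and the helper name Get-InScopeRole are assumptions; RoleName and InScope are columns returned by Test-ServicePrincipalAuthorization.

```powershell
# Added example. Requires an active Connect-ExchangeOnline session (step A).
# Values in <...> are placeholders (assumptions) to replace with your own.
$ServicePrincipalId  = '<Service Principal ID>'
$Role                = 'Application Calendars.Read'       # role assigned in step C
$InScopeMailboxes    = @('<mailbox inside the scope>')    # must be reachable
$OutOfScopeMailboxes = @('<mailbox outside the scope>')   # must NOT be reachable

# Hypothetical helper: names of the app roles that apply to one mailbox.
function Get-InScopeRole {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$Mailbox
    )
    Test-ServicePrincipalAuthorization -Identity $Identity -Resource $Mailbox |
        Where-Object { "$($_.InScope)" -eq 'True' } |
        ForEach-Object { $_.RoleName }
}

$results = @(
    foreach ($mbx in $InScopeMailboxes) {
        $roles = @(Get-InScopeRole -Identity $ServicePrincipalId -Mailbox $mbx)
        [pscustomobject]@{
            Mailbox  = $mbx
            Expected = 'in scope'
            Roles    = $roles -join ', '
            Pass     = $roles -contains $Role      # the assigned role must apply
        }
    }
    foreach ($mbx in $OutOfScopeMailboxes) {
        $roles = @(Get-InScopeRole -Identity $ServicePrincipalId -Mailbox $mbx)
        [pscustomobject]@{
            Mailbox  = $mbx
            Expected = 'out of scope'
            Roles    = $roles -join ', '
            Pass     = $roles.Count -eq 0          # no app role may apply here
        }
    }
)

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) {
    throw 'Scope check failed: review the management scope and role assignments.'
}
```

Test-ServicePrincipalAuthorization evaluates the Exchange RBAC assignments only and does not include Application permissions consented in Microsoft Entra ID. Microsoft documents the two as additive, so a tenant-wide Calendars grant left in place in step 2 still applies alongside the scoped role.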

4. Share the details with Gfacility

To finalise the setup we need:

  • Application (client) ID
  • Directory (tenant) ID
  • Value of the client secret

Share these sensitive details through a secure method (a password-manager link), never as plain text in an email.

Sync frequency

Users

Once per night — new accounts are created automatically.

Locations (Places)

Once per night — rooms are kept up to date.

Outlook Events

Real-time — for bookings and displays.