Assign account permissions
The first step is to assign the service account permissions to allow Envoy Rooms access to Outlook calendars. The required permissions are presented somewhat differently in the Entra views. By granting your service account admin permissions, the Envoy Rooms service will be able to access a subset of those permissions to communicate with your calendar.
These are the admin roles that grant the proper permissions to Envoy Rooms:
The service account needs these corresponding permissions to be able to access the calendars as Rooms. Per Microsoft, only Admin roles can delegate access to the Places.Read.All
scope, so your service account needs to be an admin to grant Envoy Rooms this scope.
In addition to Places.Read.All
scope, Envoy rooms needs Calendar.ReadWrite.Shared
and offline_access
.
Envoy Rooms does not have access to any scopes beyond those explicitly outlined during configuration, and the app itself will not have full admin permissions.
Configuration:
Open up the Microsoft Entra admin portal as a Global Administrator: https://entra.microsoft.com/
Open the Entra service page, then navigate to the Users > All Users page.
From the Users panel select the new service account. You’ll be using an existing user in your O365 tenant.
In the Assigned roles view, add the following assignments - note it typically takes a few seconds for an assigned attribute to appear as set:
Cloud Application Administrator
Application Administrator
Privileged Role Administrator
Global Administrator
Delegate access to the service account
Navigate to Exchange in the admin center (you might need to click Show all to see Exchange)
Find the room to be managed by Envoy Rooms and click the room to edit the resource
Click Edit under "Read and Manage (Full Access)"
Add the service account to Full Access by clicking "Add members"
Setting up Envoy Rooms on the Dashboard
Please make sure you log in as the service account before connecting the calendar to Envoy.
Delegate Access can take up to 2 days to propagate on Microsoft Exchange
Permissions we ask for when using this method: