Eptura Knowledge Center

Introduction to OAuth authentication for meeting room screens

Introduction

OAuth authentication for Condeco meeting room screens using the Microsoft 365 calendar service is recommended for Microsoft Exchange online customers.

OAuth authentication is an open-standard authorization protocol or framework that allows applications to authenticate with each other. It provides greater security than Basic Authentication as user credentials and passwords are not passed between applications. OAuth authentication relies on the exchange of security tokens, which grant access to a specific set of resources for a specific amount of time.

NTLM or Basic/Negotiate authentication should only be used for Exchange on-premise environments.

About this guide

This guide explains how to configure OAuth for your Microsoft 365 calendar service in Condeco and enable OAuth for your meeting room screens, either using the Condeco Device Hub or directly on the meeting room screen.

Good to know

  • Since an Exchange Calendar Service may include rooms from several different Microsoft 365 accounts, the Condeco Tenant Administrator must grant consent for all Microsoft 365 accounts that manage Condeco rooms.
  • The consent accepted when enabling OAuth is only for meeting room screens and not any other applications in use.
  • The Azure service principal is not stored in Calendar Settings, so a change to the service principal does not require every tenant to be updated.
  • Switching from OAuth to Basic authentication is not supported. When a room or screen has been authenticated to OAuth it cannot be moved back to Basic authentication.

Technical information

Prerequisites

  • Microsoft Exchange online.
  • The Microsoft 365 calendar URL and email address.
  • All meeting room screens must be running version 8.3.3 or above.

Technical diagram

[Technical diagram: remote-oauth-high-level-design-2.png]

Limitations

  • OAuth authentication is not supported for on-premise Exchange/NTLM.
  • Switching from OAuth to Basic authentication is not supported. When a room or screen has been authenticated to OAuth it cannot be moved back to Basic authentication.
  • Bulk OAuth authentication is not supported.
  • If a screen is inactive for more than 90 days (approx.) without connectivity, it will need to be re-authenticated.

FAQ

Does a screen need to be authenticated again if deactivated and reactivated?

Yes. Learn how to authenticate a meeting room screen for OAuth

Does OAuth authentication support on-premise Exchange?

No. On-premise Exchange environments must use NTLM or Basic/Negotiate authentication.

What access is agreed to during the meeting room screen authentication process?

When you accept the Microsoft permissions request during the meeting room screen authentication process, you consent for access to the room mailboxes as the signed-in user via Exchange Web Services (EWS), and for Graph API to sign in and read the room user profile.

[Image: microsoftteams-image-8.png. User consent granted for OAuth authentication]

Learn more about providing consent for Microsoft 365 accounts at Microsoft https://docs.microsoft.com/en-us/microsoft-365/admin/misc/user-consent?view=o365-worldwide

What is the lifetime of the access token?

Unless otherwise configured by the AD admin, the default lifetime of the access token is 3599 seconds.

What happens when the token expires?

When the access token has expired and the screen attempts an operation with Exchange, Exchange returns a 401 (Unauthorized) response. The screen then fetches a new token and completes the operation.

What happens if the service account is deleted, locked or the password changed/expired?

All screens using the service account must re-authenticate. Learn how to authenticate a meeting room screen for OAuth

What happens if the email address of the Exchange room changes?

All screens will show as unauthenticated in the Device Hub. Learn how to authenticate a meeting room screen for OAuth to apply the new email address.

Can OAuth authentication be performed in bulk?

No, unfortunately, bulk authentication is not possible.

What happens if an incorrect mailbox is entered during the authentication process?

Authentication will fail and the portal displays the error ‘The last authentication attempt failed due to access token received of different resource’.
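The behaviour described in the two FAQ answers above (a 401 on an expired token followed by a fresh token and a retry, and rejection of a token issued for a different resource) modelled as an added Python example; this is not Condeco's or Microsoft's code. The identity provider and EWS endpoint are hypothetical stand-ins, and EXPECTED_RESOURCE is an assumed value.

```python
from dataclasses import dataclass
# Constructed values: the resource (audience) the calendar service expects and
# the default access-token lifetime quoted in the FAQ.
EXPECTED_RESOURCE = "https://outlook.office365.com"
DEFAULT_LIFETIME_SECONDS = 3599

@dataclass
class AccessToken:
    value: str
    resource: str      # audience the token was issued for
    expires_at: float  # absolute time in seconds

class FakeTokenEndpoint:
    """Hypothetical identity provider; token resource depends on the mailbox."""
    def __init__(self, resource_for_mailbox):
        self.resource_for_mailbox = resource_for_mailbox
        self.issued = 0  # how many tokens have been handed out

    def acquire(self, mailbox, now):
        self.issued += 1
        return AccessToken(f"token-{self.issued}",
                           self.resource_for_mailbox[mailbox],
                           now + DEFAULT_LIFETIME_SECONDS)

class FakeExchange:
    """Hypothetical EWS endpoint: 401 for an expired token, otherwise 200."""
    def call(self, token, now):
        return 401 if now >= token.expires_at else 200

class ScreenClient:
    def __init__(self, endpoint, exchange, mailbox):
        self.endpoint, self.exchange, self.mailbox = endpoint, exchange, mailbox
        self.token = None

    def authenticate(self, now):
        token = self.endpoint.acquire(self.mailbox, now)
        # Reject a token for another resource instead of storing it (the FAQ's failure case).
        if token.resource != EXPECTED_RESOURCE:
            raise PermissionError("access token received of different resource")
        self.token = token

    def operation(self, now):
        if self.token is None:
            raise RuntimeError("screen not authenticated")
        status = self.exchange.call(self.token, now)
        if status == 401:  # token expired: fetch a new one and retry once
            self.authenticate(now)
            status = self.exchange.call(self.token, now)
        return status
```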