Moving from Basic Auth login to Office 365 OAuth login
- The Azure AD permissions required to connect to and use EWS with OAuth are ‘Sign in and read user profile’ and ‘Access mailboxes as the signed-in user via Exchange Web Services’.
- Your Teem instance needs a minor modification before these steps can be followed. The change tells Teem to use OAuth for your Office 365 instance instead of Basic Auth. If you are unsure whether this change has already been made, contact support or your customer success manager.
OAuth 2.0, the standard behind Modern Auth, is a long-established industry standard for token-based authorization. That does not change the fact that questions are rightly raised about security whenever data is accessed. Here are the critical points about Office 365 and Modern Auth.
Teem follows industry and Microsoft standards.
Teem strictly follows the OAuth 2.0 standard and Microsoft's documentation on its specific requirements. By ensuring our product follows these best practices, we can provide the best product security.
Permissions requested are Microsoft-suggested permissions.
Teem continues to use Exchange Web Services, as it offers the most functionality when working with calendar data. Teem uses one of Microsoft's two prescribed EWS permissions: ‘Access mailboxes as the signed-in user via Exchange Web Services’, which Microsoft provides to let the account being used access room resource mailboxes. This is a delegated permission: Teem can act only as the signed-in service account, so it does not automatically gain the ability to impersonate other users or to read every user's folders. The service account must still be explicitly granted permission on each room mailbox before Teem can perform those actions.
Information that Teem receives and its storage
When using OAuth 2.0, Teem never receives any information about the service account in use, not even its email address. Because the sign-in happens on Microsoft's login page, Teem never handles the service account's password either. Teem receives only the token set used to authenticate, and stores it encrypted in its database. The access tokens are short-lived, lasting 60 minutes, and must be renewed using a refresh token, which itself has a limited lifetime. Teem uses this refresh token to keep the service account connection working.
How to revoke Teem's access (disable the Modern Auth connection)
Microsoft provides two ways to do this. The first is to change the password of the service account. Any password change invalidates the refresh token Teem holds, so the connection stops as soon as the current 60-minute access token expires and cannot be renewed. Please note, if the password is changed but Teem should continue to use the account, it is easy to re-authorize within the Teem web portal. The second option is to sign in to Microsoft with the service account and revoke the consent that was granted to Teem for those permissions.
Initial Setup Steps
Please follow the sections ‘Create a user account for Teem to access the Office 365 server’, ‘Create or locate room resources to interface with Teem’, and ‘Permission the Teem user account to control these room resources’ in our Office 365 Integration help article. Please keep in mind the second prerequisite above (the OAuth change to your Teem instance) when creating the user account.
Connect Office 365 to your Teem account
Do these steps from an incognito (private) browser window so that you are NOT already signed in to Office 365 with your own account. If you are, Microsoft may sign you in automatically and the OAuth grant will be tied to your personal account instead of the service account.
1. Sign in to your Teem account.
2. Go to the Manage section in the left menu and select Calendars.
3. Look to the upper left corner and click the + button.
Caution: read the next step carefully.
4. Select Office 365 OAuth.
4.1. If Office 365 is listed WITHOUT the OAuth option, your instance has not yet been switched to OAuth (see the prerequisites above); please contact Customer Support.
5. After you choose Office 365 OAuth, you will be taken to a selection page with two choices: Add an Account or Grant Administrator Consent. Select `Add Office 365 Account`. The `Grant Administrator Consent` option is optional; it is only needed if your tenant's consent settings prevent the service account from consenting to the permissions itself.
6. On the Office 365 account selection or login screen, select or log into the Office 365 service account that will be used to access room calendars. You will be asked to accept the two permissions listed in the prerequisites above.
7. Office 365 will redirect you back to Teem. At this point Teem has saved the OAuth tokens and is ready to interact with calendars.
8. Once the account is added, import the room calendars into Teem. To do this, press the Import Calendars button within the Calendars section and provide a comma-separated list of all calendars that you wish to import. Alternatively, you can supply the calendars to sync as a CSV file.
9. (Optional) Select Account Settings and rename the account. By default, Teem names the account ‘Office 365 account’, because it has no other account details (see above). This name only helps you identify the right account; you can change it to anything you wish.
10. You can now assign calendars to rooms within Teem as desired. You should not need to re-authenticate this account again unless the service account's password is changed or its consent is revoked, as described above.
With these steps completed, your Office 365 to Teem connection uses OAuth rather than Basic Authentication.
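Once the connection is set up, a tenant administrator can verify from the Microsoft side what Teem was actually granted, and cut it off without touching the account password if needed. The PowerShell below is an added example for this article, not Teem's or Microsoft's code. It assumes the Microsoft Graph PowerShell SDK, a service account UPN of teem-svc@contoso.com, and an enterprise application whose display name contains ‘Teem’; none of these are specified by the article. It lists every consent grant tied to the service account, shows whether each came from the account's own consent or from ‘Grant Administrator Consent’, flags any scope beyond the two permissions listed in the prerequisites, and provides an admin-side counterpart to the two revocation options described earlier.

```powershell
# Added example (not Teem's or Microsoft's code): audit and revoke the OAuth
# consent the Teem service account has given. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes 'User.Read.All', 'Application.Read.All',
                        'DelegatedPermissionGrant.ReadWrite.All', 'User.RevokeSessions.All'

$ServiceAccountUpn  = 'teem-svc@contoso.com'   # assumption: your Teem service account
$TeemAppNamePattern = 'Teem'                   # assumption: display name of Teem's enterprise app

# Scope identifiers of the article's two permissions. openid, profile and
# offline_access are the standard OIDC scopes that accompany a sign-in that
# returns a refresh token, so they are allowed as well.
$ExpectedScopes = @('User.Read', 'EWS.AccessAsUser.All', 'openid', 'profile', 'offline_access')

function Get-TeemConsent {
    param([string]$Upn, [string]$AppNamePattern)
    $user = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName

    # Grants the service account consented to itself (ConsentType 'Principal'),
    # plus tenant-wide grants created by "Grant Administrator Consent" ('AllPrincipals').
    $grants = @(Get-MgUserOauth2PermissionGrant -UserId $user.Id -All) +
              @(Get-MgOauth2PermissionGrant -All | Where-Object { $_.ConsentType -eq 'AllPrincipals' })

    foreach ($grant in $grants) {
        $client = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId -Property DisplayName, AppId
        if ($client.DisplayName -notmatch $AppNamePattern) { continue }
        $resource = Get-MgServicePrincipal -ServicePrincipalId $grant.ResourceId -Property DisplayName
        $scopes   = ([string]$grant.Scope).Trim() -split '\s+' | Where-Object { $_ }

        [pscustomobject]@{
            Client      = $client.DisplayName
            AppId       = $client.AppId
            Resource    = $resource.DisplayName   # e.g. Office 365 Exchange Online for the EWS scope
            ConsentType = $grant.ConsentType      # Principal = account consented; AllPrincipals = admin consent
            Scopes      = ($scopes -join ' ')
            Unexpected  = (($scopes | Where-Object { $_ -notin $ExpectedScopes }) -join ' ')
            GrantId     = $grant.Id
        }
    }
}

function Revoke-TeemAccess {
    param([string]$Upn, [string[]]$GrantIds)
    # Withdraw the consent grant(s) so Teem cannot obtain new tokens for this account.
    # Note: removing an 'AllPrincipals' grant withdraws the tenant-wide admin consent.
    foreach ($id in $GrantIds) { Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $id }
    # Invalidate the refresh tokens already issued to the account. This has the same
    # effect on Teem as the password change described in the article: the current
    # access token keeps working until it expires (60 minutes), then renewal fails.
    $user = Get-MgUser -UserId $Upn -Property Id
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
}

$consent = Get-TeemConsent -Upn $ServiceAccountUpn -AppNamePattern $TeemAppNamePattern
$consent | Format-Table Client, Resource, ConsentType, Scopes, Unexpected -AutoSize

# Uncomment to cut Teem off; re-authorize afterwards from the Teem portal if needed.
# Revoke-TeemAccess -Upn $ServiceAccountUpn -GrantIds $consent.GrantId
```

Anything in the Unexpected column is worth a question to support before the account is put into production, and a ConsentType of AllPrincipals tells you that someone used ‘Grant Administrator Consent’, which applies to every user in the tenant rather than just the service account.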
How to Contact Support
Contact Teem Customer Support for help with Teem.