
Microsoft 365 Calendar Integration

Step-by-step guide to connect thingdust with Microsoft 365 calendar data via the Microsoft Graph API.

Overview

Outlook calendar data lives in Exchange Online and is exposed through the Microsoft Graph API (the Outlook Calendar API). Access is authenticated and authorized through Azure Active Directory (Azure AD, now Microsoft Entra ID).

thingdust connects as a daemon application (service-to-service, no user interaction). This means:

  • The app registration must use the single-tenant option "Accounts in this organizational directory only"
  • Multi-tenant registrations ("Accounts in any organizational directory") and personal Microsoft accounts are not supported
  • Authentication uses a client secret (certificate-based authentication is also possible and is the more robust choice if you can manage the certificate lifecycle)
  • Application permissions apply to every mailbox in the tenant unless you scope them (Step 6)

Prerequisites

Before you start, make sure you have:

  • An account in your Azure AD tenant with rights to register applications and grant tenant-wide admin consent
  • An Office 365 / Microsoft 365 tenant actively used by your organisation
  • Access to the Azure Active Directory admin center (or the Microsoft Entra admin center)
  • Exchange Online administrator rights and the Exchange Online PowerShell module (for Step 6)

Step 1 — Register an Azure AD Application

  1. Open the Azure Active Directory admin center and navigate to App registrations.

  2. Click New registration and fill in the form:

    | Field | Value |
    |---|---|
    | Name | A descriptive name, e.g. Calendar API or thingdust Graph API |
    | Supported account types | Accounts in this organizational directory only |
    | Redirect URI | Leave empty (not required for daemon apps) |
  3. Click Register.


Step 2 — Configure API Permissions

  1. Open your newly registered app and go to API permissions.

  2. Click Add a permission, choose Microsoft Graph, then Application permissions.

  3. Search for and select Calendars.Read, then click Add permissions.

  4. Click Grant admin consent for [your directory] and confirm.

  5. Remove the default User.Read permission — it is not needed.

Your configured permissions should look like this:

| API / Permission | Type | Admin Consent |
|---|---|---|
| Calendars.Read | Application | ✅ Granted |

Optional — Read all rooms automatically

If you want thingdust to discover all rooms in your organisation automatically, add User.Read.All as an additional Application permission with admin consent. Note that this is a directory permission: the Exchange application access policy from Step 6 does not scope it, so the app can then read the directory profile of every user in the tenant, not just the rooms.

If you prefer not to grant this, send thingdust the email addresses of the rooms you want to monitor instead.


Step 3 — Update the App Manifest

Because this is a daemon application there is no signed-in user: every call is made with the application's own identity and its application permissions. The app manifest records this as an application-only app role.

  1. In your app, click Manifest in the left menu.

  2. Find the line:

    "appRoles": [],
  3. Replace it with the following block:

    "appRoles": [
      {
        "allowedMemberTypes": [ "Application" ],
        "description": "Accesses the Calendar API as an application.",
        "displayName": "access_as_application",
        "id": "ccf784a6-fd0c-45f2-9c08-2f9d162a0628",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "access_as_application"
      }
    ],
  4. Click Save.

Important

  • The id field must be a unique GUID; do not reuse the value shown above. Generate your own with PowerShell ([guid]::NewGuid()) or at guidgenerator.com
  • displayName and value must not contain spaces

Step 4 — Create a Client Secret

  1. In your app, navigate to Certificates & secrets.

  2. Click + New client secret.

  3. Set an expiry. The Azure portal caps client secrets at 24 months and no longer offers "Never"; choose the shortest period your rotation process can sustain and record the expiry date, because an expired secret silently breaks the integration.

  4. Click Add and immediately copy the secret value — it will only be shown once.

⚠️ Security note: Treat the client secret like a password. Store it securely (e.g. in a password manager or secrets vault) and never commit it to source control. Plan the rotation in advance: create the replacement secret before the old one expires, hand it to thingdust, and only then delete the old one.


Step 5 — Send Credentials to thingdust

Once setup is complete, send the following three values to thingdust over a secure channel. Do not paste the client secret into a plain email or chat message alongside the two IDs.

| # | Value | Where to find it |
|---|---|---|
| 1 | Client Secret | Created in Step 4 |
| 2 | Application (client) ID | App overview page |
| 3 | Directory (tenant) ID | App overview page |

You can find the Application ID and Tenant ID on the Overview page of your registered application in the Azure portal.
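Before handing the values over, it is worth checking that the registration actually works as a daemon. The PowerShell script below is an added example, not thingdust's code or part of the original guide: it obtains an app-only token with the client credentials grant, decodes the token's roles claim to confirm that Calendars.Read was consented in Step 2, and reads one day of a room's calendar through Microsoft Graph. The tenant ID, client ID, room address and the THINGDUST_CLIENT_SECRET environment variable are placeholders you supply.

```powershell
# Added example: verify an Azure AD daemon registration with the client credentials grant.
# Assumptions: $TenantId/$ClientId come from the app's Overview page, the secret is in the
# THINGDUST_CLIENT_SECRET environment variable (kept out of the command line and shell history),
# and $RoomAddress is a room mailbox the app is expected to read.
$TenantId     = '<Directory-(tenant)-ID>'
$ClientId     = '<Application-(client)-ID>'
$ClientSecret = $env:THINGDUST_CLIENT_SECRET
$RoomAddress  = 'room-a@your-domain.com'

if (-not $ClientSecret) { throw 'Set THINGDUST_CLIENT_SECRET before running this check.' }

function Get-GraphAppToken {
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret)
    # Client credentials grant: no user involved, the app authenticates as itself.
    $body = @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'   # all consented application permissions
        grant_type    = 'client_credentials'
    }
    Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
        -ContentType 'application/x-www-form-urlencoded' -Body $body
}

function ConvertFrom-JwtPayload {
    param([string]$Token)
    # The JWT payload is base64url without padding; restore padding before decoding.
    $payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

$token  = (Get-GraphAppToken -TenantId $TenantId -ClientId $ClientId -ClientSecret $ClientSecret).access_token
$claims = ConvertFrom-JwtPayload -Token $token

# App-only tokens list the granted application permissions in the 'roles' claim.
if ($claims.roles -notcontains 'Calendars.Read') {
    throw "Token lacks Calendars.Read; roles present: $($claims.roles -join ', '). Check the admin consent from Step 2."
}
Write-Host "Token OK. App ID $($claims.appid), roles: $($claims.roles -join ', ')"

# Read one day of the room's calendar. A 403 means the app cannot reach that mailbox; after Step 6
# that is the expected result for every mailbox outside the room group.
$start = [uri]::EscapeDataString((Get-Date).ToUniversalTime().ToString('o'))
$end   = [uri]::EscapeDataString((Get-Date).AddDays(1).ToUniversalTime().ToString('o'))
$uri   = "https://graph.microsoft.com/v1.0/users/$RoomAddress/calendarView?startDateTime=$start&endDateTime=$end&`$select=subject,start,end"
try {
    $events = Invoke-RestMethod -Uri $uri -Headers @{ Authorization = "Bearer $token" }
    Write-Host "Read $($events.value.Count) event(s) from $RoomAddress"
} catch {
    $status = [int]$_.Exception.Response.StatusCode
    if ($status -eq 403) {
        Write-Warning "$RoomAddress denied (403): permission not consented, or the mailbox is excluded by an application access policy."
    } else {
        throw
    }
}
```

Run the script once before Step 6 (every mailbox should be readable, which is exactly why Step 6 is needed) and once after, when only members of the room group should return events.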


Step 6 — Restrict Access to Room Calendars

Calendars.Read as an Application permission lets the app read every calendar in the tenant. To ensure the application can only access the calendars of designated rooms (and not all mailboxes in your organisation), create a mail-enabled security group and restrict the app to it with an Exchange Online application access policy.

6.1 Create a mail-enabled security group

Create a new mail-enabled security group in Exchange and add all rooms the application should be allowed to access as members. See Manage mail-enabled security groups for guidance.

If a suitable group already exists, you can reuse it.

6.2 Assign the app to the group

Connect to Exchange Online PowerShell and run:

New-ApplicationAccessPolicy `
  -AppId "<Application-ID>" `
  -PolicyScopeGroupId "<group-email@your-domain.com>" `
  -AccessRight RestrictAccess `
  -Description "Restrict thingdust calendar access to room group"

Replace <Application-ID> with your Application (client) ID from Step 5, and <group-email@your-domain.com> with the email address of your security group.

6.3 Test the policy

Verify the policy is working by running:

Test-ApplicationAccessPolicy `
  -Identity "<user-without-access@your-domain.com>" `
  -AppId "<Application-ID>"

Use an account that should not have access; AccessCheckResult should read Denied. Then run the same test against a room that is a member of the group and confirm it reads Granted, otherwise the group membership or the policy scope is wrong. Policy changes can take some time to propagate, so re-run the test if the first result is unexpected.

See Scoping application permissions to specific Exchange Online mailboxes for more details.
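The following PowerShell script is an added example, not thingdust's code or part of the original guide: it runs Steps 6.2 and 6.3 as one checked procedure, refusing to stack a second policy on the same app and testing both a room inside the group (expected Granted) and a user outside it (expected Denied). The application ID, group address, room address and user address are placeholders you replace with your own.

```powershell
# Added example: apply and verify the Exchange Online application access policy for the daemon app.
# Assumptions: the Exchange Online PowerShell module is installed, the mail-enabled security group
# from Step 6.1 already exists, and the placeholder IDs/addresses below are replaced with your own.
$AppId            = '<Application-(client)-ID>'
$GroupEmail       = 'thingdust-rooms@your-domain.com'   # mail-enabled security group of rooms
$RoomInGroup      = 'room-a@your-domain.com'            # member of the group: should be Granted
$UserOutsideGroup = 'someone@your-domain.com'           # not a member: should be Denied

Connect-ExchangeOnline

# One policy per app: a second policy on the same AppId is easy to misread during an audit.
$existing = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if ($existing) {
    Write-Warning "A policy already exists for $AppId (scope: $($existing.ScopeName)). Review it before adding another."
} else {
    New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $GroupEmail `
        -AccessRight RestrictAccess `
        -Description 'Restrict thingdust calendar access to room group' | Out-Null
    Write-Host "RestrictAccess policy created for $AppId, scoped to $GroupEmail"
}

# Positive and negative check: the policy is only proven if the room is Granted AND the user is Denied.
$checks = @(
    @{ Identity = $RoomInGroup;      Expected = 'Granted' },
    @{ Identity = $UserOutsideGroup; Expected = 'Denied'  }
)
$failed = $false
foreach ($c in $checks) {
    $result = Test-ApplicationAccessPolicy -Identity $c.Identity -AppId $AppId
    $ok = ($result.AccessCheckResult -eq $c.Expected)
    if (-not $ok) { $failed = $true }
    Write-Host ('{0,-40} {1,-8} expected {2,-8} {3}' -f $c.Identity, $result.AccessCheckResult, $c.Expected, $(if ($ok) { 'OK' } else { 'MISMATCH' }))
}
if ($failed) {
    Write-Warning 'Policy not effective yet or group membership wrong. Policies take time to propagate; re-run before assuming the scope is enforced.'
}

Disconnect-ExchangeOnline -Confirm:$false
```

Keep the negative test in your change checklist: a policy that grants the room but does not deny the rest of the tenant is indistinguishable from no policy at all when you only test a room.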


Maintained by thingdust ag · support@thingdust.com