Prerequisites: Administrator access to Azure and Office 365.
You must have administrative rights on the Azure Active Directory platform and on the organisation’s Office 365 instance in order to complete all steps.
Key benefits:
- Automatic calendar synchronisation — Makes it easier to manage meetings and resources from Rise Up.
- Security and compliance — Modern OAuth authentication and the ability to limit access to targeted mailboxes.
- Optimal user experience — Simplified room bookings and event creation for all staff.
Creating and configuring the application on Azure
This step lets you register the application required for Outlook synchronisation directly in Azure Active Directory.
-
Go to Azure App Registration: Sign in at https://portal.azure.com/, then search for “App Registration”.
-
New registration: Click “New registration”, choose “Single tenant” and enter the following redirect URL:
https://login.microsoftonline.com/common/oauth2/nativeclient -
Once the application is created, you will land on this page:
-
Create the secret: In “Certificates & Secrets”, create a secret (max 2 years). Keep its value safe; you will use it in Rise Up.
-
Add API permissions: Add the “full_access_as_app” permissions for Office 365 Exchange Online.
Validate with “Grant admin consent”.
Basic authentication with EWS is no longer supported on Office 365 and it is necessary to use a more recent authentication method called OAuth. We use the full_access_as_app permission among the permissions required for OAuth authentication with EWS (see [this link](https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth) for information on application‑only authentication).
-
At this stage, your application should look like this:
The two permissions are now added, but you must grant “Admin consent”.
- To do this, click “Grant admin consent for your organisation”.
The Azure part is now complete. Your application is ready for use.
Creating the service account and assigning licences
To ensure the connection between Rise Up and Outlook, an Office 365 service account with a mailbox must be created and assigned an Exchange licence (E3 Developer, Apps for business, Business Standard, etc.).
-
Create a user: Go to portal.office.com, once signed in click the “Admin” button then select the “Active users” tab.
-
Assign an Exchange licence: Select a licence that provides access to a mailbox.
-
Impersonation protocol: This account will be used via the impersonation protocol to allow the application to create meetings in the different calendars required.
- This user will only be used by the application via the Office Exchange Online impersonation protocol.As we use an Application Service, it is necessary to use the impersonation protocol to grant our service account access rights to the mailbox to create meetings in its calendar or in rooms it can access. You can consult the documentation here: https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth
Configuration in Rise Up
Before you start
- Have created the Azure application and the service account with an Exchange licence.
- Have noted the Tenant ID, Client ID and Secret ID generated previously.
-
Access synchronisation:
In Rise Up, go to Settings > Calendar synchronisation. -
Fill in the fields:
Enter: Tenant ID, Client ID, Secret ID, Service Account (email of the created account). -
Test the configuration:
Click “Test configuration”. If everything is correct, the message “Configuration is correct” is displayed. -
[Optional] Room management:
If you use rooms, create a Room List via Exchange PowerShell:New-DistributionGroup -Name "Rise Up Rooms" -RoomList Add-DistributionGroupMember -Identity "Rise Up Rooms" -Member [NomSalle]Enter the Room List address in Rise Up.
-
Validation:
Synchronisation is operational; your users can book rooms and events from Rise Up.
Useful notes:
If configuration fails, check the IDs, the validity of the secret and the permissions granted in Azure.
Limiting access rights and security
By default, the application can access all Exchange Online mailboxes. To restrict this access to a specific group, use an application access policy and a mail-enabled security group.
Comparison: Full access vs Restricted access
| Feature | Full access | Restricted access |
|---|---|---|
| Security | Low | Enhanced |
| Configuration | Simple | Requires a policy and a security group |
| Use case | Small organisation | Organisation with segregation needs |
-
Issue: Error message when testing configuration.
Solution: Check the validity of the credentials and the application’s permissions in Azure.
Issue: Unable to book a room.
Solution: Check the configuration and that rooms have been correctly added to the Room List.
Issue: Access to mailboxes is too broad.
Solution: Apply an access policy as described above.
-
Which permissions are required for the Azure application?
- The “full_access_as_app” permissions on Office 365 Exchange Online.
Can access be limited to certain mailboxes?
- Yes, via Application Access Policies.
Which licences are compatible for the service account?
- Any licence that includes an Exchange mailbox (E3, Business Standard, etc.). - For further assistance, submit a request:
Rise Up support request