Microsoft Exchange Online

💡
Microsoft Exchange Cloud Version: Microsoft Exchange On Premise has no Graph API support; therefore, we can only support Microsoft Exchange Online (cloud) versions.

Introduction

The Microsoft Graph Integration allows you to synchronize your Microsoft Exchange resource calendars with Flexopus for managing meeting rooms. This synchronization is bidirectional and occurs in real time using the Microsoft Graph API.

  • Reservations made in Microsoft Outlook will be visible in Flexopus.
  • Reservations created in Flexopus will be reflected in Microsoft Exchange, ensuring seamless integration between both systems.
💡
Note: Flexopus is a tool for managing objects and not for managing appointments. Our goal is not to replace the reservation flow of Outlook. The goal is to offer additional functionality for the meeting room management.

Once the Microsoft Graph Integration is configured in Flexopus, you can enable the following features:

  1. Create reservations using a meeting room digital signage display.
  2. Smart analytics for the usage of meeting rooms.
  3. Room search with office plans integrated as an add-in within Outlook.
  4. Catering service – coming soon.

These features enhance the functionality and management of meeting rooms within your organization.


How are the bookings synchronized “bidirectionally”?

Flexopus manages the reservations for resources like meeting rooms. However, details such as the event name, invitees, and event description are part of the associated event, not the resource reservation itself. A resource reservation in Flexopus includes only the reservation time and date, while event management remains with Microsoft Outlook.

Once the interface is configured, users will have the following booking options:

  1. Reserve meeting rooms through Flexopus.
  2. See reservations reflected in Microsoft Outlook.
  3. Manage event details directly in Microsoft Outlook.

Flexopus focuses on simplifying meeting room reservations.


Direction: Microsoft → Flexopus

Reservation Flow from Microsoft Outlook to Flexopus:

Communication flow Flexopus to Microsoft
  • New Reservation in Microsoft Outlook
    Users can create a new meeting room reservation in Outlook as usual. Once created, Microsoft sends the reservation to Flexopus via the Microsoft Graph API (ideally in real time). The reservation will then appear on Flexopus's Live-Plan, allowing other users to see who booked the room and when. All appointment types are supported, including single and recurring appointments.
  • Edit Reservation in Microsoft Outlook
    Any changes made to the reservation in Outlook (e.g., moving an appointment, selecting a different meeting room, or inviting multiple rooms) are synchronized to Flexopus via the Graph API. These updates will be reflected in Flexopus.
  • Canceling a Reservation in Microsoft Outlook
    When a reservation is canceled, users can either cancel the entire event or just “uninvite” the meeting room in Outlook. Both scenarios are supported and synchronized in real time with Flexopus.
💡
Note: A reservation made in Microsoft Outlook by a user or mailbox that does not exist in the Flexopus user database will be displayed as 'anonymous reservation' in Flexopus. It is not possible to inject a user into Flexopus this way.

Direction: Flexopus → Microsoft

Reservation Flow from Flexopus to Microsoft Outlook:

Communication flow Microsoft to Flexopus
  • Edit or delete reservation in Flexopus
    The reservations are shown in Flexopus. Editing or deleting a synchronized reservation is currently possible through Microsoft Outlook.
    A cancellation can be made through Outlook as well as via Flexopus.
  • New reservation in Flexopus
    A new resource reservation can be made in Flexopus through the usual reservation workflow, or it can be made through a meeting room signage display. Each reservation needs to be accepted by Microsoft Exchange Online, since Microsoft is the “single source of truth” in this constellation; therefore, double reservations are not possible. After a successful reservation, the reservation initiated through Flexopus will be displayed in the Outlook calendar of the respective user. The calendar entry will be created by Microsoft. The user can edit the booking in the Outlook calendar as usual.
    Since Flexopus does not yet manage the usual attributes of an event (appointment name, participants, description and video call), we recommend this booking option mainly for spontaneous ad hoc bookings when a user needs a meeting room at short notice. These attributes can still be edited later directly in the Outlook calendar.
💡
Note! In case the Microsoft Exchange Online integration is active, the meeting rooms are blocked until you connect the room with a valid Exchange mail address.
Microsoft Outlook appointment page with the linked Flexopus object

Setup Instruction Manual

To activate the Microsoft Exchange Online integration, follow the instructions below.


STEP 1 - Authorize Flexopus

To configure the Microsoft Graph integration in Flexopus:

  1. Navigate to the Flexopus admin panel.
  2. Go to Dashboard > Settings > Integrations.

If the integration module is enabled, you'll see it on this page. If you do not see the setting, contact support@flexopus.com for assistance.

Microsoft Exchange Integration

To connect Flexopus with Microsoft:

  1. Click the Connect button on the Integrations page.
  2. Ensure you are an admin of your Microsoft Organization.
  3. After verifying, click the Connect and Authorize button to proceed.

This will enable the integration between Flexopus and Microsoft services.

💡
ATTENTION! If you activate the integration, the existing meeting room reservations in the Flexopus database will be deleted. Then the bookings are imported from Microsoft 365 after a successful connection.

An authorization page will open in Microsoft with the requested permissions to read data via the Microsoft Exchange interface:

Grant permissions for Flexopus
  • User.Read (delegated)
    Display name: Sign-in and read user profile
    Description: Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.
  • Organization.Read.All (application)
    Display name: Read organization information
    Description: Allows the app to read the organization and related resources, without a signed-in user. Related resources include things like subscribed SKUs and tenant branding information.
  • Calendars.ReadWrite (application)
    Display name: Read and write calendars in all mailboxes
    Description: Allows the app to create, read, update, and delete events of all calendars without a signed-in user.

After you have accepted the permissions, the status of the integration is displayed:

Successful connection

Furthermore, Microsoft will automatically create a new enterprise application named Flexopus Exchange Integration in your Active Directory.

Flexopus Exchange Integration App
💡
Note: Even if you have already configured SAML2 for Single Sign-On and SCIM for user and group provisioning with an enterprise application, this application will be created separately. The two applications cannot be merged into one.

After setting up the integration, open the application and navigate to the Permissions tab. Here, you will be able to see the granted permissions that have been authorized for Flexopus. This allows you to review and manage the access permissions given during the integration process.

List of granted permissions

STEP 2 - (optional) Create access policy

By granting Flexopus the Calendars.ReadWrite application permission, you allow Flexopus to access all personal and resource mailboxes of your organization.

Resource mailboxes
The mailboxes of the meeting rooms need to be accessed for an obvious reason: the goal is to synchronize the reservations from Microsoft Exchange to Flexopus. To do so, we need access to the meeting room resource mailboxes.

Personal mailboxes
To create a reservation via Flexopus, we need access to the users' personal calendars as well.

Communication flow

Some customers wish to limit the access, since the application is only used by a part of the whole organization. To limit the application access to specific mailboxes, you can create a so-called application access policy via PowerShell. You can create a security group for it and add it to the access policy. You have 2 ways to add a security group to an access policy:

  • DenyAccess: The application is denied access to the calendars of the members of the assigned security group.
  • RestrictAccess: The application is allowed access only to the calendars of the members of the assigned security group.

To configure the application access policy, you will need to

  • create a security group, and
  • assign the security group to the application in Microsoft PowerShell.

The easiest way to create a security group is to go to Azure Active Directory and create it manually:

Create security group
Assign rooms and user to the security group

However, you can also create the group with PowerShell using the following command and manage the group from there:

New-DistributionGroup -Name "Enter the name of new security group" -Alias "Enter the Alias" -Type security

Next, log in to PowerShell with a user who is entitled to manage the security groups and the application permissions. Microsoft provides no user interface for this step. Add the security group to the application to create an access policy:

New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId "Enter Token Provider AD App ID" -PolicyScopeGroupId "Enter Email Enabled Security Group Mailbox ID" -Description "Restricted Access Group Policy"

For more information, contact your IT administrators or read the corresponding articles of Microsoft:

New-ApplicationAccessPolicy (ExchangePowerShell)
You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they’re not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.

You can create a limited number of policies in your organization based on a fixed amount of space. If your organization runs out of space for these policies, you’ll see the error: “The total size of App Access Policies exceeded the limit.” To maximize the number of policies and reduce the amount of space that’s consumed by the policies, set a one space character description for the policy. This method will allow approximately 300 policies (versus a previous limit of 100 policies).

While scope-based resource access like Mail.Read or Calendar.Read is effective to ensure that the application can only read email or events within a mailbox and not do anything else, application access policies allow admins to enforce limits that are based on a list of mailboxes. For example, apps developed for one country/region shouldn’t have access to data from other countries/regions. Or, a CRM integration application should only access calendars in the Sales organization and no other departments.

Every API request using the Outlook REST APIs or Microsoft Graph APIs to a target mailbox done by an application is verified using the following rules (in the same order):

  1. If there are multiple application access policies for the same Application and Target Mailbox pair, DenyAccess policy is prioritized over a RestrictAccess policy.
  2. If a DenyAccess policy exists for the Application and Target Mailbox, then the app’s access request is denied (even if there exists a RestrictAccess policy).
  3. If there are any RestrictAccess policies that match the Application and Target Mailbox, then the app is granted access.
  4. If there are any Restrict policies for the Application, and the Target Mailbox is not a member of those policies, then application is denied access to the target mailbox.
  5. If none of the above conditions are met, then the application is granted access to the requested target mailbox.
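
The following script is an added example, not code from Flexopus or Microsoft. It carries out STEP 2 end to end and then verifies, with Test-ApplicationAccessPolicy, that room mailboxes and booking users are granted access while a mailbox outside the group is denied. It assumes the ExchangeOnlineManagement module is installed; the AppId, group name and every address are placeholders to replace with your own values.

```powershell
# Added example: scope the Flexopus app to one mail-enabled security group and verify it.
# Every address and the AppId below are placeholders, not values from the Flexopus page.
$AppId      = '00000000-0000-0000-0000-000000000000'  # placeholder: Application (client) ID of the enterprise app
$GroupSmtp  = 'flexopus-scope@example.com'            # constructed group address
$InScope    = @(
    'room-berlin-1@example.com',                      # constructed: room resource mailbox
    'alice@example.com'                               # constructed: user who books through Flexopus
)
$OutOfScope = 'finance-lead@example.com'              # constructed: mailbox the app must not reach

Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'   # constructed admin account

# 1. Create the mail-enabled security group if it is missing, then add rooms AND booking users.
#    Flexopus needs both: room calendars for sync, personal calendars to create bookings.
if (-not (Get-DistributionGroup -Identity $GroupSmtp -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name 'Flexopus Scope' -Alias 'flexopus-scope' `
        -Type Security -PrimarySmtpAddress $GroupSmtp | Out-Null
}
foreach ($member in $InScope) {
    # "Already a member" errors on re-runs are expected and ignored.
    Add-DistributionGroupMember -Identity $GroupSmtp -Member $member -ErrorAction SilentlyContinue
}

# 2. Create the RestrictAccess policy unless the app already has one.
$policy = Get-ApplicationAccessPolicy |
    Where-Object { $_.AppId -eq $AppId -and $_.AccessRight -eq 'RestrictAccess' }
if (-not $policy) {
    New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $GroupSmtp `
        -AccessRight RestrictAccess -Description 'Flexopus: rooms and booking users only' | Out-Null
}

# 3. Compare the effective result per mailbox with what the policy is meant to achieve.
$results = foreach ($mailbox in ($InScope + $OutOfScope)) {
    $check = Test-ApplicationAccessPolicy -Identity $mailbox -AppId $AppId
    [pscustomobject]@{
        Mailbox  = $mailbox
        Expected = if ($mailbox -in $InScope) { 'Granted' } else { 'Denied' }
        Actual   = "$($check.AccessCheckResult)"
    }
}
$results | Format-Table -AutoSize

$mismatch = $results | Where-Object { $_.Actual -ne $_.Expected }
if ($mismatch) {
    Write-Warning ("Policy does not match intent for: " + ($mismatch.Mailbox -join ', '))
}
```

A 'Denied' result for a room or for a user who books through Flexopus means that mailbox is missing from the group. Microsoft documents that policy changes can take longer than an hour to take effect in Graph API calls, even when Test-ApplicationAccessPolicy already shows the expected result.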

STEP 3 - Connect mailboxes with Flexopus

Once the integration is active, you need to connect the meeting rooms one by one. Go to the Exchange Online Admin Panel and copy the Microsoft resource email address.

To link a meeting room to Microsoft Exchange in Flexopus:

  1. Go to the Flexopus location editor.
  2. Select the meeting room you want to link.
  3. Paste the Microsoft Exchange Resource email address into the External connection email address field.

This will connect the meeting room with Microsoft Exchange for synchronization.

Connect external calendar
💡
Attention: All existing future bookings in Flexopus for the selected object will be deleted. Bookings from Microsoft are imported after a successful connection.
💡
Note: The name of the meeting room in Flexopus is initially synchronized with the resource name of the linked email address.

After saving, Flexopus will try to connect the meeting room to the resource calendar. Wait about 10 seconds and then refresh the page. If the email address is valid, a verified tick should be visible directly below the email address. If the validation is successful, Flexopus will synchronize the reservations. This may take a few seconds.

💡
Note: The Microsoft Exchange Resource email address input field is located under the Extension tab. Be careful not to confuse it with the Notify email address field.

After connecting the object, you can see the changes in the integration overview:

Overview of connected objects

After the connection is established, you don't need to click the manual synchronization button; the process will be triggered automatically. Still, you can manually request a reservation synchronization for all connected objects at any time.

External users

Users outside your Active Directory can book the meeting rooms through Flexopus or through the meeting room signage displays as well, if they have access to the room booking in Flexopus.


Book as external user

By default, users of your Active Directory can book the meeting room resources in their personal Outlook Calendar or via the Flexopus application. Most probably they manage the meeting room bookings in their Outlook Calendar. This is also the preferred way, if applicable.

In case a user initiates a booking through Flexopus the following process will happen:

  1. The application sends a booking request to Microsoft via the Graph API.
  2. Microsoft checks if the user is a valid user in the Active Directory.
  3. The room availability will be checked.
  4. The booking will be created in the user's personal calendar.
  5. The booking will be created in the resource calendar, linked to the event that is created in the personal calendar.
Booking process flow
💡
Note: If a user from your Active Directory initiates a booking in Flexopus for a connected meeting room, the process works the same as if the booking were made through Outlook Calendar. The booking will be synchronized across both platforms seamlessly.

For Flexopus to execute the booking flow, it requires access to both the personal calendar of the user and the resource calendar of the meeting room.

However, if the user does not exist in your organization's Active Directory, Flexopus will not be able to access the personal calendar. In this case, Flexopus will still proceed to book the resource calendar of the meeting room, but there will be no event entry in the user’s non-existing personal calendar.

This scenario typically occurs when external users are granted booking rights in Flexopus. They can still book the meeting room, but will need to manually create the event invitation in their personal calendar.

💡
Note! Users of another Active Directory (other than your organization's directory) are considered as external users.

Book on a display

The meeting room displays for digital signage can also be used for booking a meeting room resource on site.

Meeting room signage display
Flexopus: Meeting room signage display
Learn how to set up digital door signs with Flexopus to display room availability, schedules, and enable ad-hoc bookings.

In this scenario, users can book a meeting room ad-hoc onsite without logging into the application. Flexopus will use a system user to book the resource calendar of the meeting room in Microsoft.

Since the meeting is not associated with an authenticated user, it can only be deleted or edited through the digital signage display or by an administrator in the Flexopus admin dashboard.

Booking process for a display

Allow resource booking declination

Since external users cannot access the resource booking in their personal calendar, they need the ability to create and delete reservations. By default, deletion of bookings is disabled. Optionally, you can allow owners of a booking and administrators to delete bookings of objects linked to Outlook Calendar.

Deleting a booking in Flexopus will only reject the booking in the resource calendar, without affecting the organizer’s personal appointment. The booking will also be deleted from Flexopus.

To enable this feature:

  1. Navigate in Flexopus as an administrator to Dashboard > Settings > Integrations > Microsoft Exchange Integration.
  2. Enable the resource booking declination option.
💡
Note: If you allow external users to book your meeting rooms, this option should be activated; otherwise, the external users will not be able to delete the meeting room bookings they created.

How can I deactivate the interface?

To disconnect Flexopus from Microsoft:

  1. Click the Disconnect button. This will stop Flexopus from receiving updates from Microsoft.
  2. All externally managed bookings will be deleted from Flexopus.
  3. You can also manually delete the automatically created enterprise application in your Azure Active Directory.

This will fully disconnect the integration between Flexopus and Microsoft.

Troubleshooting / FAQ

{"code":"ErrorAccessDenied","message":"Access to OData is disabled: [RAPO] : Blocked by tenant configuration AppOn...

If you encounter this error message in the reservation workflow, it is likely that the access Flexopus needs for the integration is being blocked. This may be due to custom policies configured in PowerShell.

Flexopus requires access to both the personal calendar of the user and the resource calendar to create meeting bookings.

To resolve this, ensure that you have granted Flexopus the required access rights for these calendars.

What are resource mailboxes, and how are they configured?

Here is the Microsoft documentation on setting up resource mailboxes: https://docs.microsoft.com/en-us/exchange/recipients-in-exchange-online/manage-resource-mailboxes

Can I connect my On Premise Microsoft Exchange Version?

Unfortunately, Microsoft does not provide the Graph API for the on-premise version of Exchange, so Flexopus cannot directly connect with on-premise instances. However, there are alternative ways to connect to an on-premise instance.

That said, it is uncertain how long Microsoft will continue to support these alternative methods for synchronizing on-premise resources. Currently, Flexopus is actively evaluating the possibilities for supporting on-premise setups.

Can I connect multiple Exchange Online accounts?

No, it's not possible currently.