Global admin requirements

If you are setting up UMA for the first time, you might question why the setup process mandates a Global Admin to authenticate, particularly if you're accustomed to using delegate access to manually share permissions among accounts.

We are delighted to provide an explanation and always appreciate the chance to demonstrate our security procedures.

Prior to proceeding, we suggest reading Microsoft's introduction to Azure app setup.

To synchronise calendars, UMA must install an integrated Azure AD app on your Office 365 account.

It is only possible for a Global Admin to install integrated Azure apps in Office 365. This is a beneficial security measure that safeguards against users granting apps access to sensitive parts of your configuration.

Please refer to Microsoft's full explanation of Azure app installations for more information.

What is the purpose of this installed application?

UMA uses this application to manage room calendars and to track the users involved in meetings in each room. You may have other services installed in the same way, and you can review the current list of installed applications by visiting http://myapps.microsoft.com.

Frequent questions

Why can't I simply share access to the room calendars?

UMA's scheduling tools primarily focus on room calendars, but there are cases where we need to make adjustments to meetings for users. In these situations, the room calendar is just one of several calendars that require updates.

For example:

John schedules a 60-minute meeting in his calendar and invites the conference room. The meeting ends 30 minutes early. John leaves the room, and UMA detects this. UMA adjusts John's calendar event to end at the current time, which then updates everyone's schedules (including the conference room).

By modifying the organiser's event instead of just the copy associated with the room, all invitees receive the updates. This ensures that John's calendar accurately reflects his availability for colleagues. A similar situation arises when canceling a meeting due to no-shows and wanting to clear everyone's schedules.

UMA handles event bookings (such as room displays, web, and mobile apps) on your behalf, with the booking user automatically set as the organiser, providing the necessary permissions. If UMA is unable to edit the organiser's event, it will update the room calendar's version instead.

Opting for the delegate approach would lead to a situation where new employees need to share their personal calendars with the delegate and keep that list updated to prevent issues like "I deleted this event, why is it still on my calendar if the room is free?"

As UMA continues to enhance its user-to-room and user-to-user scheduling tools, this permission becomes increasingly vital for efficient scheduling and to avoid complicated workflows for your users.

Why does it ask for full access to all mailboxes?

We install the connector app onto your Office 365 account using OAuth. For Office 365/EWS, Microsoft requires all OAuth apps to request this permission, for reasons unknown to us. UMA does not use this permission, however: once installed, the UMA app only interacts with your calendars.

If you cannot connect to O365 through OAuth: there is considerable concern about security compromises via apps that allow sign-in with Basic authentication. For this reason, we only support OAuth authentication at this time.

Why do you need global admin privileges just to manage room calendars?

We do not require the global admin account to manage calendars once the app is installed. To provide an extreme example: You could create a new Global Admin account, use it to install the UMA app, and subsequently delete the account, and UMA would continue to function properly because the app is already operational.

When the app is installed, UMA does not acquire the privileges of a Global Administrator in your organisation. This is comparable to creating a new user mailbox as the Global Admin: the new mailbox does not inherit the administrator's power merely because an administrator was needed to complete the set-up step.
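The two answers above (the mailbox permission the app requests, and the claim that the grant belongs to the app rather than to the admin who installed it) can both be verified from your own tenant. The following PowerShell script is an added example and not UMA's own code or documentation; it uses the Microsoft Graph PowerShell SDK to list what an installed enterprise application has actually been granted. It assumes the Microsoft.Graph module is installed and that you know the application's display name as it appears under Enterprise applications; the name "UMA" below is a placeholder, not a value taken from this page.

```powershell
# Added example (not UMA's own code): audit the permissions actually granted to an
# installed Azure AD / Entra ID enterprise application.
# Assumptions: Microsoft.Graph PowerShell module installed; the display name of the
# application is known. "UMA" is a placeholder display name.
param(
    [string]$AppDisplayName = "UMA"   # placeholder, substitute your tenant's value
)

Import-Module Microsoft.Graph.Applications
# Read-only directory scope is enough for this audit; it grants nothing to the app.
Connect-MgGraph -Scopes "Application.Read.All"

$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "No service principal named '$AppDisplayName' was found." }

# Cache of resource service principals (Microsoft Graph, Office 365 Exchange Online, ...)
# so that app role GUIDs can be translated into readable permission names.
$resourceCache = @{}
function Resolve-AppRoleName {
    param([string]$ResourceId, [string]$AppRoleId)
    if (-not $resourceCache.ContainsKey($ResourceId)) {
        $resourceCache[$ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $ResourceId
    }
    $role = $resourceCache[$ResourceId].AppRoles | Where-Object { $_.Id -eq $AppRoleId }
    if ($role) { return $role.Value } else { return $AppRoleId }
}

# Application (app-only) permissions: these are assigned to the service principal
# itself, so they survive deletion of the admin account that consented to them.
Write-Host "Application permissions granted to '$($sp.DisplayName)':"
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All | ForEach-Object {
    [pscustomobject]@{
        Resource   = $_.ResourceDisplayName
        Permission = Resolve-AppRoleName -ResourceId $_.ResourceId -AppRoleId $_.AppRoleId
    }
} | Format-Table -AutoSize

# Delegated permissions: ConsentType "AllPrincipals" is tenant-wide admin consent;
# "Principal" is consent by one user, and PrincipalId names that user. A grant of the
# latter kind would be tied to that account, which is the dependency the text above rules out.
Write-Host "Delegated permissions consented for '$($sp.DisplayName)':"
Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All | ForEach-Object {
    [pscustomobject]@{
        ConsentType = $_.ConsentType
        PrincipalId = $_.PrincipalId
        Scopes      = $_.Scope
    }
} | Format-Table -AutoSize
```

Run the script with an account that can read application objects in the directory. The first table shows the application permissions (such as the Exchange mailbox permission discussed above) attached to the app's service principal; the second lists any delegated grants, where a per-user ConsentType would indicate a dependency on a specific account.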
