UMA provides an easy and secure way to connect to your Microsoft 365 tenant using OAuth 2.0 and OpenID Connect.
You must first provide UMA with your Microsoft Azure Tenant ID.
Shown below is the authentication flow that UMA uses with OAuth 2.0 and OpenID Connect:
For more information on OAuth and OpenID Connect, follow the documentation below:
Full permissions are UMA's preferred method of interacting with the Microsoft Graph API, as the broader level of access enables a more feature-rich experience for end users.
The full permissions are documented as follows:
Lite permissions should only be used where profile photo sync and group-based user sync are not required.
The lite permissions are documented as follows:
In Microsoft 365, by default, a resource mailbox replaces the meeting subject with the meeting organiser, so the meeting room display panel shows the organiser rather than the subject. By default it will also display the subject and organiser of meetings that were marked private.
To change this setting for each resource you will need to connect to Exchange Online PowerShell using multi-factor authentication, as explained in the guide here.
To display the meeting subject correctly on the meeting room display panel, run the PowerShell command below for each resource.
In addition, if you do not want private meetings to display their subject or organiser, run the following command instead; it takes care of both.
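The two commands described above, written out as an added example (this is not the page's own script); it also shows how to inspect the current values first and how to apply the setting to every room mailbox at once. The room address boardroom@contoso.com is a placeholder.

```powershell
# Added example, not UMA's own script. Requires the ExchangeOnlineManagement module.
# 'boardroom@contoso.com' is a placeholder room mailbox.
Connect-ExchangeOnline              # interactive sign-in; supports MFA

$room = 'boardroom@contoso.com'

# Inspect the defaults before changing anything. Out of the box a room has
# DeleteSubject=$true, AddOrganizerToSubject=$true, RemovePrivateProperty=$true,
# which is why the panel shows the organiser and ignores the "private" flag.
Get-CalendarProcessing -Identity $room |
    Select-Object Identity, DeleteSubject, AddOrganizerToSubject, RemovePrivateProperty

# Option 1: keep the original subject and do not replace it with the organiser.
Set-CalendarProcessing -Identity $room -DeleteSubject $false -AddOrganizerToSubject $false

# Option 2 (run this INSTEAD of option 1): the same, plus keep the "private" flag
# on the room's copy so private meetings do not expose their subject or organiser.
Set-CalendarProcessing -Identity $room -DeleteSubject $false -AddOrganizerToSubject $false -RemovePrivateProperty $false

# Apply option 2 to every room mailbox in the tenant in one pass.
Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited | ForEach-Object {
    Set-CalendarProcessing -Identity $_.PrimarySmtpAddress `
        -DeleteSubject $false -AddOrganizerToSubject $false -RemovePrivateProperty $false
}
```

Re-run the Get-CalendarProcessing line afterwards to confirm the three values now read False; the change only affects meeting requests processed after it is applied, so existing bookings keep whatever subject the room already stored.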
User sync provides administrators with the ability to control and manage all UMA users from within Microsoft 365.
Users can be assigned to a specific group in Microsoft 365 which matches their role in UMA. For more information on roles click here.
Please note that syncing will fail until all required groups have been created and at least one user has been added to the 'UMA Admin' group.
To get started, create groups in Microsoft 365 with the following names:
UMA Admin
UMA Advanced Manager
UMA Manager
UMA Hidden User
UMA User
Make sure that 'only invited users' is selected when you create the groups.
Then assign users as members to each group based on the role required.
Next, navigate to 'Company Settings' in UMA and under 'User Settings' toggle on 'User Sync' and hit 'Save' at the bottom of the page.
The initial sync runs immediately; if the steps above were completed successfully you should see all your users under 'Manage' -> 'Users' within a few minutes.
All existing users within UMA that haven't been added to a group will be made inactive after a successful sync.
All existing users in UMA that have been added to a group will stay active.
All users that have synced from Microsoft 365 will be automatically created as active users.
Once user sync has been turned on and the first sync has succeeded, UMA checks for changes periodically and replicates them.
If you add or remove a member from a Microsoft 365 group, the change will be synced to UMA at the next periodic check.
If you remove a member from a group they will be made 'inactive' and won't be able to login to UMA.
If you add a user to more than one group, they will be given the lowest permissions of those groups.
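The group setup above can be scripted with the Microsoft Graph PowerShell SDK. The following is an added example (not UMA's own tooling) that creates the five role groups, checks the precondition that causes the first sync to fail (all groups present and at least one member in UMA Admin), and reports anyone who sits in more than one group and will therefore get the lowest of those roles. It assumes that assigned-membership security groups are acceptable to UMA and that admin@contoso.com is a placeholder for a real account.

```powershell
# Added example, not UMA's own tooling. Requires the Microsoft.Graph PowerShell SDK.
# Assumptions: security groups with assigned (non-dynamic) membership, and
# 'admin@contoso.com' as a placeholder for your first UMA administrator.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

$roleGroups = 'UMA Admin', 'UMA Advanced Manager', 'UMA Manager', 'UMA Hidden User', 'UMA User'

foreach ($name in $roleGroups) {
    if (-not (Get-MgGroup -Filter "displayName eq '$name'")) {
        # MailNickname is mandatory even for groups that are not mail-enabled
        $nick = ($name -replace '\s', '').ToLower()
        New-MgGroup -DisplayName $name -MailEnabled:$false -MailNickname $nick -SecurityEnabled:$true | Out-Null
        Write-Host "Created group '$name'"
    }
}

# Seed UMA Admin with at least one member (replace the placeholder account)
$admin      = Get-MgUser -UserId 'admin@contoso.com'
$adminGroup = Get-MgGroup -Filter "displayName eq 'UMA Admin'"
New-MgGroupMember -GroupId $adminGroup.Id -DirectoryObjectId $admin.Id

# Precondition check before toggling 'User Sync' in UMA Company Settings
$missing    = $roleGroups | Where-Object { -not (Get-MgGroup -Filter "displayName eq '$_'") }
$adminCount = @(Get-MgGroupMember -GroupId $adminGroup.Id -All).Count
if ($missing -or $adminCount -lt 1) {
    Write-Warning "Not ready. Missing groups: [$($missing -join ', ')]; UMA Admin members: $adminCount"
} else {
    Write-Host "All five groups exist and UMA Admin has $adminCount member(s); User Sync can be enabled."
}

# Users in more than one UMA group receive the lowest of those roles, so flag them.
$membership = foreach ($name in $roleGroups) {
    $g = Get-MgGroup -Filter "displayName eq '$name'"
    Get-MgGroupMember -GroupId $g.Id -All | ForEach-Object {
        [pscustomobject]@{ UserId = $_.Id; Group = $name }
    }
}
$membership | Group-Object UserId | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning "User $($_.Name) is in several UMA groups: $($_.Group.Group -join ', ')"
}
```

Run the precondition and duplicate checks again after any bulk membership change; a user removed from every group becomes inactive in UMA at the next sync, as described above.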
This guide will lead you through a typical app authorisation procedure as a Global Administrator and provide an overview of how Enterprise Apps function with Azure AD, including prevalent security misconceptions. After that, we'll authorise a service account and establish a successful connection with UMA.
This explainer is for those who are struggling with the question of how to enable users to sign into UMA Vision using Office 365, while also ensuring that not everyone can authenticate with any application on the internet.
When you first authorise the UMA app, it creates a new Service Principal object in your Azure directory. This Service Principal represents your specific installation of the UMA app, which you can directly manage. The Application object of UMA is maintained by us and enables us to update and maintain the application for all our clients in one place.
To better understand, consider the Service Principal as a specific version of the software that is installed, and the Application as the latest version available. In the event that the Application is updated, such as adding or removing features or permissions, you can choose to reauthorise the latest version to update the Service Principal as required. However, this is an extremely rare occurrence and not essential for running UMA.
Only global administrators can:
Add apps from the Azure AD app gallery (pre-integrated 3rd party apps)
Publish an app using the Azure AD Application Proxy
During sign-up/sign-in, users are asked to give the app permission to access their profile and other resources. The first person to give consent causes a service principal representing the app to be added to the directory.
Once you’ve added the application to your directory, the Global Administrator role is no longer necessary to manage the settings.
Once a Global Administrator has authorised UMA, its service principal exists in your directory with tenant-wide (admin) consent, and users assigned to the app can sign into that existing service principal whether or not "Users can consent to apps accessing company data on their behalf" is enabled. That setting governs whether users may consent to apps themselves; when it is enabled, the first user consent to an app not yet in your directory creates a new service principal (as described above), so keep it disabled if you do not want users to bring in applications you haven't approved. The "Users can add gallery apps to their Access Panel" option is separate: it only controls self-service addition of gallery apps to My Apps and can remain disabled, as seen below.
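To see the Application/Service Principal distinction described above in your own tenant, and to check exactly what the installed service principal has been granted and whether users may consent on their own, here is an added example using the Microsoft Graph PowerShell SDK (this is not UMA's own script). 'UMA Vision' is a placeholder for the enterprise application's display name as shown under Enterprise applications in your tenant.

```powershell
# Added example, not UMA's own script. Requires the Microsoft.Graph PowerShell SDK.
# 'UMA Vision' is a placeholder display name; use the one shown in Enterprise applications.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All', 'Policy.Read.All'

# The service principal is YOUR tenant's instance of the app; the Application
# object it points to (AppId) is owned and maintained by the vendor.
$sp = Get-MgServicePrincipal -Filter "displayName eq 'UMA Vision'"
if (-not $sp) { throw "No service principal found: the app has not been authorised in this tenant" }
"Service principal '$($sp.DisplayName)': AppId=$($sp.AppId) ObjectId=$($sp.Id)"

# Application permissions (app roles) granted to the service principal. The role's
# readable name lives on the *resource* service principal (e.g. Microsoft Graph).
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id | ForEach-Object {
    $assignment = $_
    $resource   = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
    $role       = $resource.AppRoles | Where-Object Id -eq $assignment.AppRoleId
    [pscustomobject]@{ Type = 'Application'; Resource = $resource.DisplayName; Permission = $role.Value }
}

# Delegated permissions (OAuth2 scopes). ConsentType 'AllPrincipals' is tenant-wide
# admin consent; 'Principal' is consent given by one individual user.
Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id | ForEach-Object {
    $grant    = $_
    $resource = Get-MgServicePrincipal -ServicePrincipalId $grant.ResourceId
    foreach ($scope in ($grant.Scope.Trim() -split ' ')) {
        [pscustomobject]@{ Type = 'Delegated'; Resource = $resource.DisplayName; Permission = $scope; Consent = $grant.ConsentType }
    }
}

# Tenant-wide user consent setting. An empty result means users cannot consent to
# apps themselves (admin consent only); a policy ending in '-legacy' allows users to
# consent to any app, which is the setting discussed above.
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
```

Compare the listed permissions against the Full or Lite permission set you chose; anything beyond it, or a delegated grant with ConsentType 'Principal', is worth investigating.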
To enhance security and control over UMA's access to Microsoft 365, we allow organisations to limit access to specific users and resources.
This setup is optional, and UMA will function as expected without changes if the existing authorisation process has been applied.
We only access data configured by you via our admin portal, including users, room calendars and security groups.
Login to Microsoft 365 and create a mail enabled security group.
Add all users and resources intended for use in UMA.
Launch PowerShell and connect using modern authentication:
Apply the application access policy to the UMA Vision enterprise application using the provided script:
Parameters:
AppId: UMA Vision enterprise application ID.
mailenabledsecurityemail: Email address set up in Step 1.
Description: A description of the policy.
Test the newly created application access policy:
An AccessCheckResult of "Granted" should be displayed.
An AccessCheckResult of "Denied" should be displayed.
Changes to application access policies may take over 1 hour to take effect with Microsoft Graph REST API calls. Even if Test-ApplicationAccessPolicy shows positive results.
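The policy and test steps above, written out as an added example (this is not UMA's provided script). The AppId GUID, the group address uma-scope@contoso.com (the mail-enabled security group from Step 1) and the two test accounts are placeholders.

```powershell
# Added example, not UMA's provided script. Requires the ExchangeOnlineManagement module.
# Placeholders: the AppId GUID, 'uma-scope@contoso.com' (mail-enabled security group
# from Step 1) and the two test users.
Connect-ExchangeOnline              # modern authentication; supports MFA

$appId      = '00000000-0000-0000-0000-000000000000'   # UMA Vision enterprise application (client) ID
$scopeGroup = 'uma-scope@contoso.com'

# RestrictAccess: the app may only reach mailboxes that are members of the scope group.
New-ApplicationAccessPolicy -AppId $appId -PolicyScopeGroupId $scopeGroup `
    -AccessRight RestrictAccess -Description 'Restrict UMA Vision to UMA users and rooms'

# Test a member of the group (expect Granted) and a non-member (expect Denied).
foreach ($user in 'alice@contoso.com', 'outsider@contoso.com') {
    $result = Test-ApplicationAccessPolicy -Identity $user -AppId $appId
    '{0,-28} {1}' -f $user, $result.AccessCheckResult
}

# Review every policy that applies to this app; remove one with
# Remove-ApplicationAccessPolicy -Identity <policy identity> if it was created by mistake.
Get-ApplicationAccessPolicy | Where-Object AppId -eq $appId
```

Test-ApplicationAccessPolicy evaluates the policy as stored in Exchange, so a Granted/Denied result here does not mean the Graph API enforces it yet; as noted above, allow over an hour before relying on the restriction.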
Get started with UMA's Microsoft 365 integration with the following guides:
Microsoft within Azure AD.
When you first try to sign into the UMA application, a Global Administrator will need to authorise it, unless your tenant allows all users to register new applications, which we don't recommend.
To create resources in Microsoft follow the guide here.
If you have already created your resources and you want to import them into UMA click here.
Open Microsoft Excel and add the resources in the format below, ensuring the name, email address and capacity fields are populated.
Once populated, save the spreadsheet as a .CSV file.
Open PowerShell and use the following commands:
Allow the running of remote scripts
Connect to Exchange Online
Import the .CSV file into PowerShell
Global administrator credentials are required to run this step.
If successful you should now see an output from PowerShell which looks similar to the below showing the resources being created within your Microsoft 365 tenant.
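The three PowerShell steps above, put together as an added example (this is not UMA's own import script). It assumes the CSV has the column headings Name, EmailAddress and Capacity; the file path and the two sample rows are constructed placeholders.

```powershell
# Added example, not UMA's own import script. Requires the ExchangeOnlineManagement module.
# Assumed CSV layout (constructed sample, save as rooms.csv):
#   Name,EmailAddress,Capacity
#   Boardroom,boardroom@contoso.com,12
#   Huddle 1,huddle1@contoso.com,4

# Step 1: allow locally created scripts and signed remote ones to run (current user only)
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser

# Step 2: connect to Exchange Online with an administrator account (MFA supported)
Connect-ExchangeOnline

# Step 3: import the CSV and create one room mailbox per row
$rooms = Import-Csv -Path .\rooms.csv

foreach ($r in $rooms) {
    if (Get-Mailbox -Identity $r.EmailAddress -ErrorAction SilentlyContinue) {
        Write-Warning "Skipping $($r.EmailAddress): a mailbox with that address already exists"
        continue
    }
    # -Room creates a resource mailbox; capacity is set afterwards via Set-Mailbox
    New-Mailbox -Room -Name $r.Name -DisplayName $r.Name -PrimarySmtpAddress $r.EmailAddress |
        Set-Mailbox -ResourceCapacity ([int]$r.Capacity)
}

# Confirm the rooms now exist with the expected capacity
Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited |
    Select-Object Name, PrimarySmtpAddress, ResourceCapacity
```

The duplicate check means the script can be re-run safely after fixing a bad row; rooms created this way still have the default calendar processing settings described earlier on this page, so apply those afterwards if you want the panel to show meeting subjects.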
If you are setting up UMA for the first time, you might question why the setup process mandates a Global Admin to authenticate, particularly if you're accustomed to using delegate access to manually share permissions among accounts.
We are delighted to provide an explanation and always appreciate the chance to demonstrate our security procedures.
Prior to proceeding, we suggest reading Microsoft's introduction to Azure app setup.
To synchronise calendars, UMA must install an integrated Azure AD app on your Office 365 account.
It is only possible for a Global Admin to install integrated Azure apps in Office 365. This is a beneficial security measure that safeguards against users granting apps access to sensitive parts of your configuration.
Please refer to the full explanation on Azure App Installations provided by Microsoft for more information
UMA utilises this application to oversee room calendars and track the users involved in meetings for each respective room. You may have similar services installed in a similar fashion, and you can review the current list of installed applications by visiting http://myapps.microsoft.com.
UMA's scheduling tools primarily focus on room calendars, but there are cases where we need to make adjustments to meetings for users. In these situations, the room calendar is just one of several calendars that require updates.
For example:
John schedules a 60-minute meeting in his calendar and invites the conference room. The meeting ends 30 minutes early. John leaves the room, and UMA detects this. UMA adjusts John's calendar event to end at the current time, which then updates everyone's schedules (including the conference room).
By modifying the organiser's event instead of just the copy associated with the room, all invitees receive the updates. This ensures that John's calendar accurately reflects his availability for colleagues. A similar situation arises when canceling a meeting due to no-shows and wanting to clear everyone's schedules.
UMA handles event bookings (such as room displays, web, and mobile apps) on your behalf, with the booking user automatically set as the organiser, providing the necessary permissions. If UMA is unable to edit the organiser's event, it will update the room calendar's version instead.
Opting for the delegate approach would lead to a situation where new employees need to share their personal calendars with the delegate and keep that list updated to prevent issues like "I deleted this event, why is it still on my calendar if the room is free?"
As UMA continues to enhance its user-to-room and user-to-user scheduling tools, this permission becomes increasingly vital for efficient scheduling and to avoid complicated workflows for your users.
With the use of OAuth, we install the connector app securely onto your Office 365 account. For Office 365/EWS, Microsoft mandates that all OAuth apps request this permission, for reasons unknown to us. However, UMA does not use this permission. Once installed, the UMA app can solely engage with your calendars.
If you cannot connect to Office 365 through OAuth, be aware that there is considerable security concern about apps that sign in via Basic authentication. For this reason, we only support OAuth authentication at this time.
We do not require the global admin account to manage calendars once the app is installed. To provide an extreme example: You could create a new Global Admin account, use it to install the UMA app, and subsequently delete the account, and UMA would continue to function properly because the app is already operational.
When the app is installed, UMA does not acquire the privileges of a Global Administrator in your organisation. This is comparable to creating a new user mailbox as the Global Admin: no administrative power is transferred to that user account merely because an administrator was needed to complete the set-up phase.