Connecting Kindor to Microsoft Teams with OAuth 2.0: A Step-by-Step Guide
At Kindor, we make it easy to connect your Microsoft Teams account to our platform using OAuth 2.0. This ensures seamless integration, providing insights based on calendar events and online meetings from your organization directly through Kindor. In this blog post, we'll guide you through authorizing Kindor to connect with your Microsoft Teams account and configuring application consent policies to allow Kindor to access online meetings information.
Step 1: Understanding OAuth 2.0 Admin Consent
When you connect Kindor to Microsoft Teams, we use OAuth 2.0 to securely authenticate and authorize access to your Microsoft Teams account. For Kindor to integrate effectively, we need admin consent to access resources like users, scheduled calendar events, and online meetings.
The permissions we use are:
- User.ReadBasic.All
- User.Read.All
- Calendar.ReadBasic.All
- Calendar.Read.All
- OnlineMeetings.Read.All
These permissions enable Kindor to access scheduled calendar events and online meetings details across users in your organization. To begin the authorization process, we generate a URL that allows your administrator to consent to the required permissions on behalf of the entire organization. Once consent is granted, Kindor will have access to this information within your Microsoft Teams environment.
At this stage, Kindor will have access to users and their scheduled calendar events, allowing us to generate valuable insights. However, to provide detailed insights into meeting time efficiency, we also need access to online meetings. Scheduled meeting times often differ from the actual time spent in meetings, making it crucial to understand these differences. To enable this access, Microsoft requires an application consent policy, which we will guide you through configuring in the following steps.
Step 2: Configuring Application Consent Policies
For organizations using Microsoft Teams, granting access to online meetings requires configuring an Application Consent Policy. This policy allows control over which applications can access specific resources. Below, we'll show you how to create a consent policy and assign it to a group to limit access to the OnlineMeetings.Read.All permission.
Step 2.1: Create a Group for Application Consent in Microsoft Entra ID
The first step is to create a group in Microsoft Entra ID (formerly Azure Active Directory) to manage the users who can grant consent for applications like Kindor. You can do this directly in the Microsoft Entra admin center.
To create a group using the Microsoft Entra admin center, follow these steps:
1. Sign in to the Microsoft Entra admin center.
2. In the left navigation panel, select Groups and click New group.
3. Under Group type, select Security.
4. Enter a Group name and Group description to identify the group, e.g.:
- Group name: KindorGroup
- Group description: Group for Kindor Integration
5. Configure the Membership type:
- Assigned: Manually add members to the group. You will need to keep the group updated when new users are added to your organization. If users are not in the group, Kindor will not have access to their online meetings.
- Dynamic User: Automatically add members based on specific criteria, e.g.:
- To add users based on their department, use the rule:
user.department -eq "Technology" This rule will automatically add users whose department is set to "Technology" to the group. In this case, you need to know the detailed information about users and departments in your organization.
- To add all new users dynamically, use the rule:
user.objectId -ne nullThis rule will add any new user created in the directory to the group automatically. Note that using Dynamic User requires a certain minimum type of Microsoft 365 or Azure Active Directory license.
6. Click Create to create the group.
Step 2.2: Configure Application Access Policy
Now that you have the Group Object ID of the group and the App Client ID (We will share you this information) of the application (Kindor App), you can configure an Application Access Policy to control which applications have access to online meetings information within your organization. This can be done using PowerShell.
Note that to use PowerShell, you need to have an Azure account.
1. Open PowerShell and run the following command to connect to your Microsoft Teams environment:
Connect-MicrosoftTeams2. Use the New-CsApplicationAccessPolicy command to create a policy that restricts which users the application can access. Replace {AppClientId} and {GroupObjectId} with the actual values you have:
New-CsApplicationAccessPolicy -Identity "KindorOnlineMeetingsPolicy" -AppIds "{AppClientId}" -Description "Policy to grant Kindor access to online meetings"3. Assign this policy to the group you created earlier by using the Grant-CsApplicationAccessPolicy command:
$groupId = "{GroupObjectId}"
$users = Get-AzureADGroupMember -ObjectId $groupId
foreach ($user in $users) {
Grant-CsApplicationAccessPolicy -PolicyName "KindorOnlineMeetingsPolicy" -Identity $user.ObjectId
}This command assigns the KindorOnlineMeetingsPolicy to the group, user by user, allowing Kindor to access only the online meetings information of users within that group.
4. Verify the policy assignment by running the following command:
$groupId = "{GroupObjectId}"
$users = Get-AzureADGroupMember -ObjectId $groupId
foreach ($user in $users) {
Get-CsApplicationAccessPolicy -Identity $user.ObjectId
}This will display the details of the policy to ensure it has been correctly assigned.
For more detailed information on configuring application access policies, you can refer to the official Microsoft documentation.
Step 2.3: Verify the Policy Assignment
After setting up the policy, it's essential to verify that the group members can now grant consent for the permissions specified in the consent policy. This can be tested by attempting to authorize the Kindor app to access Microsoft Teams online meetings.
Step 3: Authorize Kindor to Access Microsoft Teams
Once the application consent policy is in place, let us know and we will share you a new consent URL, the designated admin can authorize the Kindor app again by visiting this new consent URL generated by our platform. This URL will request the required permissions for integration, including access to online meetings. When the admin consents, Kindor gains the ability to access the necessary resources within your Microsoft Teams account, like online meetings information, allowing you to consume insights based on the actual time spent in meetings by your organization.
If you have any questions or need help getting started, feel free to reach out to our support team, and we'll be happy to assist.
Comentarios