Configuring Office 365 using Graph for One-Touch Join

This topic describes how to implement Pexip Infinity's One-Touch Join feature in a Microsoft Office 365 environment, by configuring Microsoft Azure and the Exchange Graph API to enable the One-Touch Join service to access calendars used for OTJ.

We previously supported One-Touch Join deployments for Office 365 that used a service account with application impersonation to read OTJ calendars. This service account authenticated using OAuth and used the EWS API to access mailboxes. However, the Application Impersonation role assignment to service accounts has been deprecated by Microsoft, and from February 2025, this role was removed completely (for more information, see Microsoft's announcement). These deployments must be migrated to use the Graph API to provide access to room resource mailboxes. For full instructions, see Migrating from EWS API to Graph API for One-Touch Join.

The process involves the following steps, described in detail in the sections that follow:

  1. Creating and configuring a new App registration in Azure.
  2. Restricting the scope of the App registration.
  3. Configuring calendar processing within Exchange.
  4. Creating an associated O365 Graph integration on Pexip Infinity.

Prerequisites

Before you begin, ensure that the following configuration is complete:

  1. Ensure each physical room that has a One-Touch Join endpoint in it has an associated room resource with an email address.
  2. Enable auto calendar processing for each room resource, so that the room automatically accepts meeting requests if it is available, and automatically declines an invitation if it is already booked.
  3. Ensure you have access to the Azure portal, using an account that can grant admin consent.
  4. Ensure you have admin access to your Office 365 web interface, and access to the Microsoft Exchange Online and Azure Active Directory Modules for Windows PowerShell. (If you are connecting from your Windows PC for the first time, you may need to install these modules. See these Microsoft articles about connecting to Exchange online and Microsoft 365 with PowerShell for more information.)

In this step, you create an App registration in Azure for the OTJ service, and grant it permission to read calendars. (In a subsequent step you will restrict the app to read OTJ calendars only.)
  1. Log into the Azure portal at aad.portal.azure.com as an admin user.
  2. From the main panel on the left, select Azure Active Directory.

  3. Select App Registrations and then New registration:

  4. In the Register an application panel, enter the following options:
    1. Name: this can be anything you wish. In our example we have used Pexip OTJ.
    2. Supported account types: select the option most appropriate for your environment. In most cases, the default Accounts in this organizational directory only can be used.

    3. Redirect URI: leave this blank.

  5. Select Register.

    You can now configure your application.

  6. From the panel on the left, select API permissions and then Add a permission.

  7. Select Microsoft Graph:

  8. Select Application Permissions. Scroll down to Calendars, expand it, and select Calendars.Read. Then select Add Permissions:

  9. Select Grant admin consent for <your tenant>:

    10. Next you need to obtain the client secret.

  10. From the panel on the left, select Certificates & secrets and then New client secret.

  11. Enter a Description. Under Expires select a duration in accordance with your organization's security policies, and select Add:

  12. The new client secret will appear in the list at the bottom of the page. You must copy the Value now, before you navigate away from the page:

    You must enter this as the Client secret when adding an O365 Graph integration on Pexip Infinity.

  13. Go to the overview page for the App registration you have just created and copy the Application (client) ID:

    You must enter this as the Client ID when adding an O365 Graph integration on Pexip Infinity.

  14. Select the Endpoints tab and copy the OAuth 2.0 token endpoint (v2) value:

    You must enter this as the OAuth 2.0 token endpoint URL when adding an O365 Graph integration on Pexip Infinity.

In this step, you create a group for the room resources to be used for One-Touch Join, and then restrict the App to only read these calendars.

Creating a mail-enabled security group

  1. Go to admin.microsoft.com and log in as the administrator.

  2. From the menu on the left hand side, select Active teams & groups and then Add a group.
  3. For the Group Type, select Mail-enabled security. Select Next.
  4. Enter a Name and Description. Select Add.

  5. Enter a Group email address. Leave the Communication checkbox clear.

    Select Next.

  6. Select Create Group.

  7. Navigate back to Active teams & groups, select the Mail-enabled security tab, and then select the group you have just created. From the panel on the right, select the Members tab and then View all and manage members.

  8. Add as members of the group the resources to be used for One-Touch Join. These will be the only calendars that the OTJ App will be able to read.

Changes to application access policies (such as creating and adding members to a Mail-enabled security group as described above) can take over an hour to take effect (see Microsoft's documentation).

Restricting access

Open up a remote PowerShell connection to Office 365 and import an Exchange session. For example see https://docs.microsoft.com/en-us/powershell/exchange/connect-to-exchange-online-powershell?view=exchange-ps

Run the following command, using the following values:

  • AppId: the Application (client) ID that was generated by Azure when you created the OTJ Graph API application.
  • PolicyScopeGroupId: the email of the mail-enabled security group containing the One-Touch Join resources.
  • Description: a description of the access policy.

For example:

New-ApplicationAccessPolicy -AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b -PolicyScopeGroupId otjrooms@pexample.com -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group otjrooms."

In this step, you change the calendar processing settings for room resources from the default to those required to support One-Touch Join.

Recommended configuration

To take full advantage of the functionality offered by One-Touch Join, we recommend that, for One-Touch Join room resources, you change the following calendar processing options from the default:

  1. The meeting invite body is deleted by default. If you want One-Touch Join to parse meeting details from the body then you must set the DeleteComments property to False. If you leave this set to True, only those rules that process information in the calendar headers can be used (because the body will be deleted).

  2. When a meeting invite is received by a resource mailbox, by default the meeting subject is deleted and is replaced with the name of the organizer (for more information, see this Microsoft article).

    Because One-Touch Join accesses the meeting invites through the resource mailboxes, this default behavior means it won't have access to the original subject. You can choose to leave the default behavior for privacy reasons, or you can modify the calendar processing options for each mailbox so that the meeting subject is available and thus can be displayed on the meeting room endpoints.

  3. The private flag is cleared by default. If you want meetings that are marked as private by the organizer to remain marked as private in the room mailbox, you must set the RemovePrivateProperty flag to False.
  4. Room resources created using PowerShell commands may by default have AutomateProcessing set to AutoUpdate. In these cases it should be changed to AutoAccept.
  5. When the meeting room accepts the invitation, a response is sent to the original requester (including requesters external to your organization if you have allowed forwarding of external invitations). To avoid any confusion as to why they would be receiving a response from a room that may not have been included in their original invitation, you can configure additional text that is sent to the requester using the -AddAdditionalResponse flag and -AdditionalResponse setting.

PowerShell command

To modify the calendar processing on a room from the default settings to those we recommend for One-Touch Join, connect to Exchange Online PowerShell and use the following PowerShell command (replacing <resource_email> with the address of the room resource whose processing you want to change):

Copy to clipboard 
Set-CalendarProcessing -Identity <resource_email> -DeleteComments $False -DeleteSubject $False -AddOrganizerToSubject $False -RemovePrivateProperty $False -AutomateProcessing "AutoAccept" -AddAdditionalResponse $true -AdditionalResponse "Participants can join the meeting from this room using Pexip One Touch Join."

Optional configuration

Hiding invitation details from other users

In order for One-Touch Join to function fully, the application must be able to access the body of the invitation (which is why we recommend that you set the DeleteComments property to False). However, this means that all other users in your deployment with access to the room resource calendar may also be able to view the body of the invitation (depending on your deployment's other policies). If you want to prevent this, you can use the following PowerShell command to restrict what users can see by default, without restricting what the application can access.

In the following command, replace resource_name with the name of the room resource, and replace role with one of the following roles:

  • AvailabilityOnly: users can view the room's availability, but nothing else.
  • LimitedDetails: users can view the room's availability and the meeting subject and location, but not the body of the invitation.
Copy to clipboard 
Set-MailboxFolderPermission "resource_name:\Calendar" -User Default -AccessRights role

Allowing forwarding of external invitations

Below is some recommended configuration to enable external invitations to be forwarded to your internal OTJ room resources so that the meetings can be joined from those endpoints. In all cases, we recommend that you consult your Exchange administrator to determine what is appropriate in your environment.

  • If you want to enable users to forward invitations from other organizations to your OTJ room resources, you must set the ProcessExternalMeetingMessages flag to True. Note that this allows any users external to your organization to invite the resource directly. To prevent this, you can use an Exchange transport rule similar to the example shown below so that only users internal to your organization can forward external invitations to OTJ meeting rooms.

  • If your Microsoft Exchange environment uses a security application (such as Office 365 ATP, or Mimecast) to re-write URLs, this may prevent OTJ from being used to join external Microsoft Teams meetings (for example, when a user inside your organization forwards an external Microsoft Teams meeting invitation to an OTJ room resource in order to join the meeting from that endpoint). To enable users to join these meetings using OTJ, you must ensure that the security application's URL re-write rules include an exception for any URL starting with the domain https://teams.microsoft.com/ or https://pexip.me/ (for Pexip CVI invitations).

Checking calendar processing settings

The following PowerShell command can be used to check calendar processing settings on all of the rooms in the mail-enabled security group that was created for One-Touch Join.

We recommend copying and saving this as a file and running it from within PowerShell.

Before running, ensure that you edit $otj_group_id = "otjrooms@example.com" to use the email of the mail-enabled security group (which is a type of Distribution Group) used in your own deployment.

Copy to clipboard 
$deleted_subjects = @()
$organizer_added = @()
$deleted_bodies = @()
$private_flag_reset = @()
$not_auto_accept = @()
$process_external = @()
$otj_group_id = "otjrooms@example.com"

Get-DistributionGroupMember -Identity $otj_group_id -ResultSize Unlimited | ForEach-Object {
    Write-Host "Checking room '$($_.name)'"
    $processing = Get-CalendarProcessing -Identity $_.name
    $pass = $true
    if ($processing.DeleteSubject) {
        Write-Host "WARNING: The room '$($_.name)' is deleting the meeting subject" -ForegroundColor Red
        $deleted_subjects += $_.name
        $pass = $false
    }
    if ($processing.AddOrganizerToSubject) {
        Write-Host "WARNING: The room '$($_.name)' is adding the organizer to the meeting subject" -ForegroundColor Red
        $organizer_added += $_.name
        $pass = $false
    }
    if ($processing.DeleteComments) {
        Write-Host "WARNING: The room '$($_.name)' is deleting the meeting body" -ForegroundColor Red
        $deleted_bodies += $_.name
        $pass = $false
    }
    if ($processing.RemovePrivateProperty) {
        Write-Host "WARNING: The room '$($_.name)' is clearing the private flag on meetings" -ForegroundColor Red
        $private_flag_reset += $_.name
        $pass = $false
    }
    if ($processing.AutomateProcessing -ne "AutoAccept") {
        Write-Host "WARNING: The room '$($_.name)' is not configured to Auto Accept. Processing='$($processing.AutomateProcessing)'" -ForegroundColor Red
        $not_auto_accept += $_.name
        $pass = $false
    }
    # Optional permission for allowing the external invites:
    if ($processing.ProcessExternalMeetingMessages) {
        Write-Host "The room '$($_.name)' is configured to process external (forwarded) meetings"
        $process_external += $_.name
    }
    if ($pass) {
        Write-Host "INFO: All checks passed for room '$($_.name)'" -ForegroundColor Green
    }
}

Write-Host "Summary:"
Write-Host "There are $($deleted_subjects.count) rooms deleting the meeting subject"
    if ($deleted_subjects) {
        Write-Host $deleted_subjects -Separator ", "
        Write-Host ""
}
Write-Host "There are $($organizer_added.count) rooms adding the organizer to the meeting subject"
    if ($organizer_added) {
        Write-Host $organizer_added -Separator ", "
        Write-Host ""
}
Write-Host "There are $($deleted_bodies.count) rooms deleting the meeting body"
    if ($deleted_bodies) {
        Write-Host $deleted_bodies -Separator ", "
        Write-Host ""
}
Write-Host "There are $($private_flag_reset.count) rooms clearing the private flag on meetings"
    if ($private_flag_reset) {
        Write-Host $private_flag_reset -Separator ", "
        Write-Host ""
}
Write-Host "There are $($not_auto_accept.count) rooms not configured to Auto Accept"
    if ($not_auto_accept) {
        Write-Host $not_auto_accept -Separator ", "
        Write-Host ""
}
Write-Host "There are $($process_external.count) rooms configured to process external (forwarded) meetings"
    if ($process_external) {
        Write-Host $process_external -Separator ", "
        Write-Host ""
}

In this step you log in to the Pexip Infinity Administrator interface and add details of the Graph API application you have just configured.

Configuring the O365 Graph integration

From the Pexip Infinity Administrator interface, go to One-Touch Join > OTJ Graph integrations.

Option Description
Name The name of this One-Touch Join O365 Graph integration.
Description An optional description of this One-Touch Join O365 Graph integration.
Client ID

The Application (client) ID which was generated by Azure when you created the OTJ Graph API application (see Creating and configuring a new App registration in AzureIn this step, you create an App registration in Azure for the OTJ service, and grant it permission to read calendars. (In a subsequent step you will restrict the app to read OTJ calendars only.)).

This is available in Azure under App Registrations, by selecting the application and viewing the Essentials section.
Client secret

The client secret of the OTJ Graph API application.

If you didn't copy this at the time the registration was created, you'll need to generate a new one.
OAuth 2.0 token endpoint URL

The URL of the OAuth 2.0 (v2) token endpoint for this OTJ Graph API application.

This is available in Azure under App Registrations, by selecting the application and then selecting the Endpoints tab.
Advanced options
Maximum Graph API requests

The maximum number of API requests that can be made by OTJ to the Microsoft Graph API in a 24-hour period.

The default of 1,000,000 should be sufficient for most deployments — for more information, see Frequency of and limitations on calendar requests.

We do not recommend increasing this quota unless you have deployed a dedicated One-Touch Join platform, because it will impact the performance of the Conferencing Nodes.
Graph API FQDN The FQDN to use when connecting to the Graph API.

Next steps

You must now configure the remainder of the One-Touch Join components on Pexip Infinity, as described in Configuring Pexip Infinity for One-Touch Join.