Add-in authentication for O365

The Secure Scheduler for Exchange feature (previously known as VMR Scheduling for Exchange) allows you to create an add-in that enables Microsoft Outlook users in Office 365 or Exchange environments to quickly and easily add a Pexip VMR to their meeting invitations, enabling any meeting to be held over video.

The Outlook add-in must authenticate its requests to a Conferencing Node. This topic explains how to configure authentication for these requests in Microsoft 365 environments. Add-in authentication in these environments can use either an SSO (Single Sign-On) token (required for Microsoft Office 2021 LTSC Outlook clients), or an NAA (Nested App Authentication) token (recommended for all other Microsoft 365 environments).

If your environment includes any Microsoft Office 2021 LTSC Outlook clients, you must use SSO (Single Sign-On) token authentication, even if you also use other clients.

To check whether an Outlook client is part of Microsoft Office 2021 LTSC, go to File > Office Account and select About Outlook. For LTSC 2021 clients, text similar to Microsoft® Outlook®LTSC and with a version that includes 14332 is shown:

If you change the Add-in authentication token type setting to or from SSO Token, you must re-generate and re-install the add-in XML file. This is not required if you are swapping between Exchange Identity Token and NAA (Nested App Authentication) Token.

For Exchange on-premises environments, an Exchange Identity token is used, and no additional configuration is required for add-in authentication.

This process involves creating an application in Microsoft Entra with two separate registrations — a Web API registration and an App registration. We recommend that you also pre-authorize the App to access the Web API, to avoid users having to grant consents the first time they use the add-in. When you have completed this process, you must configure Pexip Infinity with details of the app registration.

We recommend that you use this authentication method if your Microsoft 365 environment does not include any Microsoft Office 2021 LTSC clients.

Creating a Web API registration

  1. Go to https://entra.microsoft.com/ and log in as an administrator.

  2. From the left hand panel, select Identity > Applications > App registrations and from the main window select New registration:

  3. Enter details for the new registration, as follows:

    • Name: in our example we have used Pexip Scheduling NAA Web API.
    • Supported account types: you must select Accounts in this organizational directory only...
    • Redirect URI: leave blank.

  4. Select Register:

  5. Select Manage > Owners > Add owners:

    Adding an owner is optional. We recommend adding yourself as an owner because it makes it easier to find the app registration in later steps. You can add additional users as owners at any point.

  6. Search for your own user. Tick the box next to your user, and then select Select:

  7. Select Manage > Expose an API. Next to Application ID URI, select Add:

  8. Save the automatically generated Application ID URI. Do not edit it:

  9. Select Add a scope:

  10. Enter the following:

    • Scope name: enter PexipScheduling.Access — you must use this value, do not modify it.

    • Who can consent?: select Admins and users.

    • Admin consent display name: we recommend a descriptive name such as Access Pexip VMR Scheduling.

    • Admin consent description: we recommend something descriptive such as Allows the add-in to access Pexip VMR Scheduling for the signed in user.

    • User consent display name: we recommend you use a descriptive name such as Access Pexip VMR Scheduling.

    • User consent description: we recommend something descriptive such as Allows you to use the Pexip VMR Scheduling Outlook add-in.

    • State: must be Enabled.

    Select Add scope:

Enabling Version 2.0 access tokens

Version 1.0 access tokens are issued by default. However, Pexip requires Version 2.0. To enable Version 2.0 tokens:

  1. Select Manage > Manifest. In the Microsoft Graph app manifest JSON, find the string requestedAccessTokenVersion (you can use your web browser's search function to locate it).

    By default, it is set to a value of null:

  2. Replace null with the value 2, so it looks like this:

    "requestedAccessTokenVersion": 2,

    Select Save:

Creating the NAA App

  1. Go to https://entra.microsoft.com/ and log in as an administrator.

  2. From the left hand panel, select Identity > Applications > App registrations and from the main window select New registration.

  3. Enter details for the new registration, as follows:

    • Name: in our example we have used Pexip Scheduling NAA App.
    • Supported account types: you must select Accounts in this organizational directory only...
    • Redirect URI: leave blank.

  4. Select Register:

  5. Select Manage > Owners > Add owners:

    Adding an owner is optional. We recommend adding yourself as an owner because it makes it easier to find the app registration in later steps. You can add additional users as owners at any point.

  6. Search for your own user. Tick the box next to your user, and then select Select:

  7. From Manage > Authentication select Add a platform:

  8. Select the Single-page application tile:

  9. In the Redirect URIs field, enter a URI in the form: brk-multihub://<add-in server FQDN>, for example brk-multihub://pexample.westeurope.cloudapp.azure.com

    The <add-in server FQDN> must be the FQDN of the server on which your add-in is hosted (i.e. the Add-in server FQDN field configured on the Management Node).

    The redirect URI must be in this form; do not modify it.

  10. Leave all the other options blank and unchecked, and select Configure:

  11. Select Manage > API permissions > Add a permission:

  12. Select the My APIs tab. Find and select the Web API you created in the previous step (in our example, this is named Pexip Scheduling NAA Web API):

  13. Select Delegated permissions and tick the checkbox next to the PexipScheduling.Access permission. Select Add permission:

Pre-authorizing the NAA App to access the NAA Web API

This step is optional, but we recommend you do this to make the sign in flow for your users easier. Without this step, by default when users first use the add-in, they will be presented with two pop-ups requesting consent — one for the Pexip Scheduling NAA App (which also refers to the Access Pexip VMR Scheduling custom scope we created in the previous step), and one for the Pexip Scheduling NAA Web API.

To avoid users having to grant consent, pre-authorize the NAA app by telling it to trust the NAA Web API, as follows:

  1. Go to https://entra.microsoft.com/ and log in as an administrator.

  2. From the left hand panel, select Identity > Applications > App registrations.

  3. From the App registrations page, select the Owned applications tab. From the list of Apps, find the NAA App you created earlier. (In our example, this was named Pexip Scheduling NAA App):

    Do not select the NAA Web API.

  4. Copy the Application (client) ID:

  5. Go back to the list of Owned applications and find the NAA Web API you created earlier.

    Do not select the NAA App.

    Select Manage > Expose an API and select Add a client application:

  6. In the Add a client application pane, enter the following:

    • Client ID: paste the client ID of the NAA App you have just copied.

    • Authorized scopes: only one scope should be listed; this should end in PexipScheduling.Access; tick the checkbox next to this scope.

    Select Add application:

The configuration is now complete and you can leave the Microsoft Entra admin center.

Configuring Pexip Infinity

When configuring a Secure Scheduler for Exchange Integration on Pexip Infinity, select an Add-in authentication token type of NAA (Nested App Authentication) Token. Additional fields appear; enter the configuration from your new app registration in Microsoft Entra, as follows:

Field Description Entra configuration
Add-in auth application ID The Application (client) ID which was generated when creating the App Registration in Microsoft Entra for add-in authentication. From Identity > Applications > App registrations, select the Pexip Scheduling NAA App and copy the Application (client) ID.
Add-in auth NAA Web API application ID The Application (client) ID for the NAA Web API which was generated when creating the App Registration in Microsoft Entra. From Identity > Applications > App registrations, select the Pexip Scheduling NAA Web API and copy the Application (client) ID.
Add-in auth authority URL The Authority URL copied from the App Registration created in Microsoft Entra for add-in authentication. From Identity > Applications > App registrations, select the Pexip Scheduling NAA App and select the Endpoints tab. Copy the contents of the Authority URL (Accounts in this organizational directory only) field.
Add-in auth OIDC Metadata URL The OpenID Connect metadata document copied from the App Registration created in Microsoft Entra for add-in authentication.

From Identity > Applications > App registrations, select the Pexip Scheduling NAA App and select the Endpoints tab. Copy the contents of the OpenID Connect metadata document field.

This process involves creating an app registration in Microsoft Entra, assigning add-in users and groups to the registration, and then configuring Pexip Infinity with details of the app registration. You must then distribute the add-in to your Outlook users.

You must use this authentication method if your Microsoft 365 environment includes any Microsoft Office 2021 LTSC clients.

Creating the app registration

  1. Ensure you have enabled Modern Authentication. For more information, see Microsoft's article.
  2. Go to https://entra.microsoft.com/ and log in as an administrator.

  3. From the left hand panel, select Identity > Applications > App registrations and from the main window select New registration.

  4. Enter details for the new registration, as follows:

    • Name: in our example we have used Pexip Scheduling SSO App.

    • Supported account types: you must select Accounts in this organizational directory only...

    • Redirect URI: leave blank.

    Select Register:

  5. From the App registrations page, select the new application.

  6. Select Manage > Expose an API and next to Application ID URI select Add:

  7. An Application ID URI with a unique app UUID is generated automatically. Change the URI so that it is in the format api://<add-in server FQDN>/<app-id>, where

    • <add-in server FQDN> is the FQDN of the server on which your add-in is hosted (i.e. the Add-in server FQDN field configured on the Management Node), and

    • <app-id> is the UUID that was generated.

    For example, if the value that was generated was api://ffe83558-b6bd-45eb-b3ac-7c34b08be297, you should change this to e.g. api://pexample.westeurope.cloudapp.azure.com/ffe83558-b6bd-45eb-b3ac-7c34b08be297.

    Select Save:

  8. Select Add a scope and enter the following:

    • Scope name: enter PexipScheduling.Access — you must use this value, do not modify it.

    • Who can consent?: select Admins and users.

    • Admin consent display name: we recommend a descriptive name such as Access Pexip VMR Scheduling.

    • Admin consent description: we recommend something descriptive such as Allows the add-in to access Pexip VMR Scheduling for the signed in user.

    • User consent display name: we recommend you use a descriptive name such as Access Pexip VMR Scheduling.

    • User consent description: we recommend something descriptive such as Allows you to use the Pexip VMR Scheduling Outlook add-in.

    • State: must be Enabled.

    Select Add scope:

  9. Select Add a client application and enter the following:

    • Client ID: enter ea5a67f6-b6f3-4338-b240-c655ddc3cc8e — this corresponds to all Office platforms.

    • Authorized scopes: only one scope should be listed; this should end in PexipScheduling.Access; tick the checkbox next to this scope.

    Select Add application:

  10. From Manage > API permissions, select and remove the Microsoft Graph User.Read permission (this is configured by default for all new app registrations, but is not required):

  11. Select Manage > Manifest. In the Microsoft Graph app manifest JSON, find the string requestedAccessTokenVersion (you can use your web browser's search (ctrl + f) to help locate it).

    By default, it is set to a value of null.

    Replace null with the value 2, i.e.:

    "requestedAccessTokenVersion": 2,

  12. Select Save:

Assigning users and groups to the App registration

  1. Go to https://entra.microsoft.com/ and log in as an administrator.

  2. From the left hand panel, select Identity > Applications > Enterprise applications and select the application you have just created (in our example this was called Pexip Scheduling SSO App):

  3. Select Manage > Users and groups and select Add user/group:

  4. Follow the prompts to add the users/groups that will be using the add-in.

Configuring Pexip Infinity

When configuring a Secure Scheduler for Exchange Integration on Pexip Infinity, select an Add-in authentication token type of SSO Token. Additional fields appear; enter the configuration from your new app registration in Microsoft Entra as follows:

Field Description Entra configuration
Add-in auth application ID The Application (client) ID which was generated when creating the App Registration in Microsoft Entra for add-in authentication. From Identity > Applications > App registrations, select the Pexip Scheduling SSO App and copy the Application (client) ID.
Add-in auth OIDC Metadata URL The OpenID Connect metadata document copied from the App Registration created in Microsoft Entra for add-in authentication. From Identity > Applications > App registrations, select the Pexip Scheduling SSO App and select the Endpoints tab. Copy the contents of the OpenID Connect metadata document field.

Uploading the add-in manifest

If you have modified an existing Secure Scheduler for Exchange Integration to use SSO for add-in authentication, you must re-distribute the add-in XML manifest file to your Outlook users. For full instructions, see Making the Exchange add-in available to users.