Configuring Azure SSO for personal VMRs

The VMR Scheduling for Exchange feature allows you to create an add-in that enables Microsoft Outlook desktop and Web App users in Office 365 or Exchange environments to quickly and easily add a Pexip VMR to their meeting invitations, enabling any meeting to be held over video.

You can set up VMR Scheduling for Exchange to offer users the option to use their personal VMRs when scheduling meetings. This requires Single Sign-On (SSO).

This topic explains how to configure Azure to enable SSO for VMR Scheduling for Exchange when using personal VMRs.

How it works

The process of VMR Scheduling for Exchange users authenticating to Pexip Infinity via Azure in order to obtain their personal VMRs works as follows:

  1. When the Outlook add-in launches, it opens up a pop-up window for the user to sign in to Azure using their AD credentials.
  2. After the user has successfully signed in, they are redirected back to the Outlook add-in, which then requests an access token from Azure.
  3. The Azure server returns the Azure access token to the Outlook add-in. This token proves that the user has successfully authenticated with Azure.
  4. Pexip Infinity then updates its record for that user so that the user does not need to log in again when they next activate the add-in.

This process means that:

  • users' SSO credentials are not stored by Pexip Infinity

  • if you delete and recreate a user's record on Pexip Infinity (Users & Devices > Users), they will need to sign in to Azure again.

Creating and configuring a new App Registration in Azure

  1. Log in to the Azure portal at aad.portal.azure.com.
  2. From the main panel on the left, select Azure Active Directory.
  3. Select App Registrations and then New registration.

  4. In the Register an application panel, enter the following options:
    1. Name: this can be anything you wish. In our example we have used Pexip Scheduling Personal VMRs.
    2. Supported account types: select Accounts in this organizational directory only.
    3. Redirect URI: from the drop-down menu, select Web. The URI should be in the format:

      https://<address>/api/client/v2/msexchange_schedulers/oauth_redirect
      where <address> is the Add-in server FQDN configured on Pexip Infinity, for example
      https://px01.vc.example.com/api/client/v2/msexchange_schedulers/oauth_redirect

      In our example we have used https://pexip.example.com/api/client/v2/msexchange_schedulers/oauth_redirect

      The OAuth redirect URI is the URI to which users will be returned after they have successfully signed in to their account. It must use the same domain as the Add-in server FQDN configured on Pexip Infinity in order for Azure to validate the sign-in request.

  5. Select Register.

    You can now configure your application.

  6. From the panel on the left, select Certificates & secrets.
  7. Select New client secret.
  8. Enter a Description, under Expires select a duration in accordance with your organization's security policies, and select Add.

  9. The new client secret will appear in the list at the bottom of the page. You must copy the Value now, before you navigate away from the page.

    You must enter this as the Azure OAuth client secret when configuring the VMR scheduling for Exchange integration and enabling personal VMRs.

  10. The User.Read permission should have been added by default, with a type of Delegated. To confirm this, from the panel on the left, select API permissions and ensure the appropriate permission is present.

    If it is not present, add it as follows:

    1. Select Add a permission.
    2. From the Request API permissions panel, select Microsoft Graph.

    3. From the Request API permissions page, select Delegated permissions, and from the list that appears, scroll down to the User section and select User.Read. Then select Add permissions.

Taking note of configuration

When you configure the VMR Scheduling for Exchange integration and enable personal VMRs using Azure as your authentication provider, you'll need to provide the following information from Azure (in addition to the client secret, which you have already noted):

  • Application (client) ID: this was generated for you by Azure when you saved the App Registration.

    You can find this again in Azure under Azure Active Directory > App registrations, under the Application (client) ID column.

    You will need to enter this as the User OAuth client ID when configuring the VMR scheduling for Exchange integration and enabling personal VMRs.

  • OAuth 2.0 endpoints. To find this information:

    1. In the Azure Portal, select Azure Active Directory > App registrations, select the app you have just registered, and select the Endpoints tab.

    2. Copy the URL of the OAuth 2.0 authorization endpoint (v2).

      Ensure that you use the URL for ... endpoint (v2), not ... endpoint (v1).

      You will need to enter this as the User OAuth authorization URI when configuring the VMR scheduling for Exchange integration and enabling personal VMRs.

    3. Copy the URL of the OAuth 2.0 token endpoint (v2).

      Ensure that you use the URL for ... endpoint (v2), not ... endpoint (v1).

      You will need to enter this as the User OAuth token URI when configuring the VMR scheduling for Exchange integration and enabling personal VMRs.
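
The following check is an added example, not part of Pexip's documentation or code: it validates the redirect URI format and the v2 endpoint requirement described above before the values are entered on Pexip Infinity. The function names and the sample values (placeholder tenant ID, login.microsoftonline.com host) are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Path from the redirect URI format given on this page.
REDIRECT_PATH = "/api/client/v2/msexchange_schedulers/oauth_redirect"


def _endpoint(label, uri, leaf, problems):
    """Check one Azure endpoint URL; return (host, tenant segment) for comparison."""
    u = urlsplit(uri)
    seg = [s for s in u.path.split("/") if s]
    if u.scheme != "https":
        problems.append(f"{label} URI must use https")
    if seg[-3:] == ["oauth2", "v2.0", leaf]:
        return u.hostname, "/".join(seg[:-3])
    if seg[-2:] == ["oauth2", leaf]:
        # v1 endpoints lack the v2.0 path segment
        problems.append(f"{label} URI is the v1 endpoint; use the v2 endpoint")
        return u.hostname, "/".join(seg[:-2])
    problems.append(f"{label} URI is not an OAuth 2.0 {leaf} endpoint")
    return u.hostname, None


def check_sso_values(addin_fqdn, redirect_uri, authorization_uri, token_uri):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    r = urlsplit(redirect_uri)
    if r.scheme != "https":
        problems.append("redirect URI must use https")
    if r.hostname != addin_fqdn.lower():
        problems.append("redirect URI host differs from the Add-in server FQDN")
    if r.path != REDIRECT_PATH:
        problems.append("redirect URI path differs from " + REDIRECT_PATH)
    auth = _endpoint("authorization", authorization_uri, "authorize", problems)
    tok = _endpoint("token", token_uri, "token", problems)
    if None not in (auth[1], tok[1]) and auth != tok:
        problems.append("authorization and token URIs use different hosts or tenants")
    return problems


if __name__ == "__main__":
    # Constructed sample values: FQDN from this page's example, placeholder tenant ID.
    base = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000"
    for p in check_sso_values(
        "pexip.example.com",
        "https://pexip.example.com" + REDIRECT_PATH,
        base + "/oauth2/v2.0/authorize",
        base + "/oauth2/token",  # v1 token endpoint pasted by mistake
    ):
        print("PROBLEM:", p)
```

An empty list means the redirect URI matches the Add-in server FQDN and both endpoints are the v2 URLs; the client secret is deliberately not an input, so it never has to be passed to a script.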

Next steps

  1. Configuring Pexip Infinity to integrate with your Microsoft Exchange deployment and create the VMR Scheduling for Exchange add-in.
  2. Making the add-in available to users within your Microsoft Exchange deployment.