Configuring Office 365 using EWS for One-Touch Join

This topic describes how to implement Pexip Infinity's One-Touch Join feature in a Microsoft Office 365 environment, by using a service account authenticated using OAuth and the EWS API to enable the One-Touch Join service to access calendars used for OTJ.

The EWS API is being deprecated by Microsoft, after which any deployments that use the EWS API will no longer work. These deployments must be updated to use the Graph API to provide access to room resource mailboxes. This topic is intended as a reference only.

The process involves the following steps, described in detail in the sections that follow:

Creating a service account for One-Touch Join. This service account will be used by One-Touch Join to read each room resource's calendar.

This should be a different service account to any used for VMR Scheduling for Exchange, because the configuration will be different.
Configuring Application Impersonation on the service account.

For more information and guidelines on the use of application impersonation in Exchange, see Permitting the service account to access calendars.
Configuring calendar processing within Exchange.
Enabling OAuth authentication for the service account.
Creating an associated Exchange integration on Pexip Infinity.

Prerequisites

Before you begin, ensure that the following configuration is complete:

Ensure each physical room that will have a One-Touch Join endpoint in it has an associated room resource with an email address.
Enable auto calendar processing for each room resource, so that the room will automatically accept meeting requests if it is available, and automatically decline an invitation if it is already booked.
We recommend that if you are using Safe Links, you modify your Safe Links policy so that URLs are not rewritten in any meeting invitations sent to room resources used by One-Touch Join endpoints.
Ensure that you have a Microsoft license available for the service account; this is required for the service account to access Exchange.
Ensure you have admin access to your Office 365 web interface, and access to the Microsoft Exchange Online and Azure Active Directory Modules for Windows PowerShell. (If you are connecting from your Windows PC for the first time, you may need to install these modules. See these Microsoft articles about connecting to Exchange online and Microsoft 365 with PowerShell for more information.)
Ensure you have access to your Exchange Admin Center (EAC) web interface, and access to Exchange Management PowerShell.
If your Exchange server does not use a globally trusted certificate, you must upload a custom CA certificate.

Creating a service account

In this step, you create a dedicated service account to use to log in to Exchange to access the calendars of the room resources being used for One-Touch Join. After creating the service account, you must assign it an appropriate Exchange license, such as Office 365 Enterprise E1, Office 365 Business Basic (formerly Essentials) or one of the Exchange Online plans.

This service account should only be used with One-Touch Join. However, you can use the same Exchange service account for multiple One-Touch Join integrations.

If the service account is subject to a password rotation policy or uses multi-factor authentication (MFA), then each time the password changes or the MFA is refreshed, you must sign in to the service account again via the Pexip Infinity Administrator interface.

You can create a new service account using either the Office 365 admin portal or PowerShell, as follows:

Microsoft 365	PowerShell
Go to https://www.microsoft365.com/ and log in as the administrator. Go to the Microsoft 365 admin centre by selecting the Admin tile from the left-hand menu (this takes you to https://admin.microsoft.com/#/homepage). From the Users section, select Add a user. In the Basics step: enter an appropriate first name, last name, display name and user name uncheck Automatically create a password uncheck Require this user to change their password when they first sign in In the Product licenses step, assign an appropriate product license from the available list: In the Optional settings step, retain the default Role of User: no administration access: Select Finish adding to create the user.	You must run Powershell as administrator. Establishing a remote connection To use PowerShell for Office 365 you first need to connect remotely. These commands install the required PowerShell modules (if they are not already installed) and then connects to Exchange Online: #If not installed, install Exchange Online Module Install-Module ExchangeOnlineManagement #If not installed, install Azure AD Module Install-Module -Name AzureAD #Connect to Exchange Online and AzureAD, works also with a MFA enabled account Connect-ExchangeOnline Creating the service account The first command lets the administrator type in a password for the service account as a secure string. This password variable is then used in the second command to create a mailbox for the service account. The remaining commands log you into Microsoft Entra ID (Azure AD) and then set the password of the service account to never expire. #Capture password for service account $password = Read-Host "Enter password" -AsSecureString # Create service account and mailbox New-Mailbox -Name "<Account Name>" -MicrosoftOnlineServicesID "<UPN>" -Password $password -Alias "<Account Alias>" -FirstName "<Account First Name>" -LastName "<Account Last Name>" -DisplayName "<Account Name>" #Connect to AzureAD Connect-AzureAD #Set password policy Set-AzureADUser -ObjectId "<UPN>" -PasswordPolicies DisablePasswordExpiration Example New-Mailbox command: New-Mailbox -Name "Pexip OTJ Service Account" -MicrosoftOnlineServicesID pexip-otj-svc@example.com -Password $password -Alias pexip-otj-svc -FirstName "Pexip OTJ" -LastName "Service Account" -DisplayName "Pexip OTJ Service Account" Example Set-AzureADUser command: Set-AzureADUser -ObjectId pexip-otj-svc@example.com -PasswordPolicies DisablePasswordExpiration Assigning a license to the service account You must now assign an appropriate license to the service account. See https://docs.microsoft.com/en-us/powershell/azure/active-directory/enabling-licenses-sample for information on how to do this.

Microsoft 365

PowerShell

Go to https://www.microsoft365.com/ and log in as the administrator.
Go to the Microsoft 365 admin centre by selecting the Admin tile from the left-hand menu (this takes you to https://admin.microsoft.com/#/homepage).
From the Users section, select Add a user.
In the Basics step:
- enter an appropriate first name, last name, display name and user name
- uncheck Automatically create a password
- uncheck Require this user to change their password when they first sign in
In the Product licenses step, assign an appropriate product license from the available list:
In the Optional settings step, retain the default Role of User: no administration access:
Select Finish adding to create the user.

You must run Powershell as administrator.

Establishing a remote connection

To use PowerShell for Office 365 you first need to connect remotely. These commands install the required PowerShell modules (if they are not already installed) and then connects to Exchange Online:

#If not installed, install Exchange Online Module
Install-Module ExchangeOnlineManagement

#If not installed, install Azure AD Module
Install-Module -Name AzureAD

#Connect to Exchange Online and AzureAD, works also with a MFA enabled account
Connect-ExchangeOnline

Creating the service account

The first command lets the administrator type in a password for the service account as a secure string. This password variable is then used in the second command to create a mailbox for the service account. The remaining commands log you into Microsoft Entra ID (Azure AD) and then set the password of the service account to never expire.

#Capture password for service account
$password = Read-Host "Enter password" -AsSecureString

# Create service account and mailbox
New-Mailbox -Name "<Account Name>" -MicrosoftOnlineServicesID "<UPN>" -Password $password -Alias "<Account Alias>" -FirstName "<Account First Name>" -LastName "<Account Last Name>" -DisplayName "<Account Name>"
							
#Connect to AzureAD
Connect-AzureAD

#Set password policy
Set-AzureADUser -ObjectId "<UPN>" -PasswordPolicies DisablePasswordExpiration

Example New-Mailbox command:

New-Mailbox -Name "Pexip OTJ Service Account" -MicrosoftOnlineServicesID pexip-otj-svc@example.com -Password $password -Alias pexip-otj-svc -FirstName "Pexip OTJ" -LastName "Service Account" -DisplayName "Pexip OTJ Service Account"

Example Set-AzureADUser command:

Set-AzureADUser -ObjectId pexip-otj-svc@example.com -PasswordPolicies DisablePasswordExpiration

Assigning a license to the service account

You must now assign an appropriate license to the service account.

See https://docs.microsoft.com/en-us/powershell/azure/active-directory/enabling-licenses-sample for information on how to do this.

Configuring Application Impersonation on the service account

In this step, you create a new Distribution Group, and add the rooms to be used for One-Touch Join to the group. You then use PowerShell commands to make it so that the service account will only be able to impersonate members of that Group.

Configuring Application Impersonation in this way means that when a room is added to the group, the service account will automatically be able to impersonate it. Likewise, when a room is removed, the service account will no longer be able to impersonate it.

Creating a new Distribution Group

Go to admin.microsoft.com and log in as the administrator.
From the menu on the left hand side, select Groups > Add a group.
For the Group Type, select Distribution List. Enter a name, email address and description and select Add.
Add as members of the Group the rooms to be used for One-Touch Join. These will be the rooms that the service account will impersonate.

Note that the service account should not be added as a member of this distribution group. Instead, this step allows the service account to impersonate any member of this distribution group (i.e. any of the room resources).
Open up a remote PowerShell connection to Office 365 and import an Exchange session. For example see https://docs.microsoft.com/en-us/powershell/exchange/connect-to-exchange-online-powershell?view=exchange-ps

Configuring application impersonation

We recommend that you use combined PowerShell commands to configure application impersonation for the service account. This allows you to use variables, thus reducing possible copy and paste errors.

You may need to enable customization, if this has not already been done within your organization:
```
Enable-OrganizationCustomization
```
Configure the following variables with the values you actually want to use:
- otj_group_id: the email of the distribution list whose members you want to be impersonated.
- otj_service_account: the email of the service account you want to grant impersonation to.
- management_scope_to_create: the name you want the newly created management scope to have.
- impersonation_role_name_to_create: the name you want the newly created impersonation role to have.
For example:
```
$otj_group_id = "otjrooms@example.com"
$otj_service_account = "pexip-otj-svc@example.com"
$management_scope_to_create = "OTJ Management Scope"
$impersonation_role_name_to_create = "OTJ Impersonation"
```

Create the management scope:

$otj_group = Get-DistributionGroup -Identity $otj_group_id
$otj_group_dn = $otj_group.DistinguishedName
$restriction_filter = "MemberOfGroup -eq ""$otj_group_dn"""
New-ManagementScope -Name $management_scope_to_create -RecipientRestrictionFilter $restriction_filter

Example output:

Name                  ScopeRestrictionType Exclusive RecipientRoot RecipientFilter
----                  -------------------- --------- ------------- ---------------
OTJ Management Scope  RecipientScope       False                   MemberOfGroup -eq 'CN=OTJ Rooms2111430164340,OU...

Set up application impersonation using the previously created management scope:

New-ManagementRoleAssignment -Name $impersonation_role_name_to_create -Role ApplicationImpersonation -User $otj_service_account -CustomRecipientWriteScope $management_scope_to_create

Example output:

Name                Role              RoleAssigneeName  RoleAssigneeType  AssignmentMethod  EffectiveUserName
----                ----              ----------------  ----------------  ----------------  ----------------
OTJ Impersonation   ApplicationImp... pexip-otj-svc     User              Direct

Verify that the above commands worked as expected. In the following command, replace <resource_email> with the email of the room resource mailbox you want to test. If it is a room which is a member of the distribution list, it should show the OTJ Impersonation in the returned roles. If it is anything else outside of the distribution list, it should not have the OTJ Impersonation listed, which means the OTJ service account does not have permission to impersonate that user.
```
Get-ManagementRoleAssignment -Role ApplicationImpersonation -WritableRecipient "<resource_email>" | Format-List Name, Role, RoleAssignee, CustomRecipientWriteScope
```
Expected output:
```
Name                      : OTJ Impersonation
Role                      : ApplicationImpersonation
RoleAssignee              : pexip-otj-svc
```

Configuring calendar processing on room resource mailboxes

In this step, you change the calendar processing settings for room resources from the default to those required to support One-Touch Join.

Recommended configuration

To take full advantage of the functionality offered by One-Touch Join, we recommend that, for One-Touch Join room resources, you change the following calendar processing options from the default:

The meeting invite body is deleted by default. If you want One-Touch Join to parse meeting details from the body then you must set the DeleteComments property to False. If you leave this set to True, only those rules that process information in the calendar headers can be used (because the body will be deleted).
When a meeting invite is received by a resource mailbox, by default the meeting subject is deleted and is replaced with the name of the organizer (for more information, see this Microsoft article).

Because One-Touch Join accesses the meeting invites through the resource mailboxes, this default behavior means it won't have access to the original subject. You can choose to leave the default behavior for privacy reasons, or you can modify the calendar processing options for each mailbox so that the meeting subject is available and thus can be displayed on the meeting room endpoints.
The private flag is cleared by default. If you want meetings that are marked as private by the organizer to remain marked as private in the room mailbox, you must set the RemovePrivateProperty flag to False.
Room resources created using PowerShell commands may by default have AutomateProcessing set to AutoUpdate. In these cases it should be changed to AutoAccept.
When the meeting room accepts the invitation, a response is sent to the original requester (including requesters external to your organization if you have allowed forwarding of external invitations). To avoid any confusion as to why they would be receiving a response from a room that may not have been included in their original invitation, you can configure additional text that is sent to the requester using the -AddAdditionalResponse flag and -AdditionalResponse setting.

PowerShell command

To modify the calendar processing on a room from the default settings to those we recommend for One-Touch Join, connect to Exchange Online PowerShell and use the following PowerShell command (replacing <resource_email> with the address of the room resource whose processing you want to change):

Copy to clipboard

Set-CalendarProcessing -Identity <resource_email> -DeleteComments $False -DeleteSubject $False -AddOrganizerToSubject $False -RemovePrivateProperty $False -AutomateProcessing "AutoAccept" -AddAdditionalResponse $true -AdditionalResponse "Participants can join the meeting from this room using Pexip One Touch Join."

Optional configuration

Hiding invitation details from other users

In order for One-Touch Join to function fully, the service account must be able to access the body of the invitation (which is why we recommend that you set the DeleteComments property to False). However, this means that all other users in your deployment with access to the room resource calendar may also be able to view the body of the invitation (depending on your deployment's other policies). If you want to prevent this, you can use the following PowerShell command to restrict what users can see by default, without restricting what the the service account can access.

In the following command, replace resource_name with the name of the room resource, and replace role with one of the following roles:

AvailabilityOnly: users can view the room's availability, but nothing else.
LimitedDetails: users can view the room's availability and the meeting subject and location, but not the body of the invitation.

Copy to clipboard

Set-MailboxFolderPermission "resource_name:\Calendar" -User Default -AccessRights role

Allowing forwarding of external invitations

Below is some recommended configuration to enable external invitations to be forwarded to your internal OTJ room resources so that the meetings can be joined from those endpoints. In all cases, we recommend that you consult your Exchange administrator to determine what is appropriate in your environment.

If you want to enable users to forward invitations from other organizations to your OTJ room resources, you must set the ProcessExternalMeetingMessages flag to True. Note that this will allow any users external to your organization to invite the resource directly. To prevent this, you can use an Exchange transport rule similar to the example shown below so that only users internal to your organization can forward external invitations to OTJ meeting rooms.
If your Microsoft Exchange environment uses a security application (such as Office 365 ATP, or Mimecast) to re-write URLs, this may prevent OTJ from being used to join external Microsoft Teams meetings (for example, when a user inside your organization forwards an external Microsoft Teams meeting invitation to an OTJ room resource in order to join the meeting from that endpoint). To enable users to join these meetings using OTJ, you must ensure that the security application's URL re-write rules include an exception for any URL starting with the domain https://teams.microsoft.com/

Checking calendar processing settings

The following PowerShell command can be used to check calendar processing settings on all of the rooms in the Distribution Group that was created for One-Touch Join.

We recommend copying and saving this as a file and running it from within PowerShell.

Before running, ensure that you edit $otj_group_id = "otjrooms@example.com" to use the email of the Distribution Group used in your own deployment.

Copy to clipboard

$deleted_subjects = @()
$organizer_added = @()
$deleted_bodies = @()
$private_flag_reset = @()
$not_auto_accept = @()
$process_external = @()
$otj_group_id = "otjrooms@example.com"

Get-DistributionGroupMember -Identity $otj_group_id -ResultSize Unlimited | ForEach-Object {
    Write-Host "Checking room '$($_.name)'"
    $processing = Get-CalendarProcessing -Identity $_.name
    $pass = $true
    if ($processing.DeleteSubject) {
        Write-Host "WARNING: The room '$($_.name)' is deleting the meeting subject" -ForegroundColor Red
        $deleted_subjects += $_.name
        $pass = $false
    }
    if ($processing.AddOrganizerToSubject) {
        Write-Host "WARNING: The room '$($_.name)' is adding the organizer to the meeting subject" -ForegroundColor Red
        $organizer_added += $_.name
        $pass = $false
    }
    if ($processing.DeleteComments) {
        Write-Host "WARNING: The room '$($_.name)' is deleting the meeting body" -ForegroundColor Red
        $deleted_bodies += $_.name
        $pass = $false
    }
    if ($processing.RemovePrivateProperty) {
        Write-Host "WARNING: The room '$($_.name)' is clearing the private flag on meetings" -ForegroundColor Red
        $private_flag_reset += $_.name
        $pass = $false
    }
    if ($processing.AutomateProcessing -ne "AutoAccept") {
        Write-Host "WARNING: The room '$($_.name)' is not configured to Auto Accept. Processing='$($processing.AutomateProcessing)'" -ForegroundColor Red
        $not_auto_accept += $_.name
        $pass = $false
    }
    # Optional permission for allowing the external invites:
    if ($processing.ProcessExternalMeetingMessages) {
        Write-Host "The room '$($_.name)' is configured to process external (forwarded) meetings"
        $process_external += $_.name
    }
    if ($pass) {
        Write-Host "INFO: All checks passed for room '$($_.name)'" -ForegroundColor Green
    }
}

Write-Host "Summary:"
Write-Host "There are $($deleted_subjects.count) rooms deleting the meeting subject"
    if ($deleted_subjects) {
        Write-Host $deleted_subjects -Separator ", "
        Write-Host ""
}
Write-Host "There are $($organizer_added.count) rooms adding the organizer to the meeting subject"
    if ($organizer_added) {
        Write-Host $organizer_added -Separator ", "
        Write-Host ""
}
Write-Host "There are $($deleted_bodies.count) rooms deleting the meeting body"
    if ($deleted_bodies) {
        Write-Host $deleted_bodies -Separator ", "
        Write-Host ""
}
Write-Host "There are $($private_flag_reset.count) rooms clearing the private flag on meetings"
    if ($private_flag_reset) {
        Write-Host $private_flag_reset -Separator ", "
        Write-Host ""
}
Write-Host "There are $($not_auto_accept.count) rooms not configured to Auto Accept"
    if ($not_auto_accept) {
        Write-Host $not_auto_accept -Separator ", "
        Write-Host ""
}
Write-Host "There are $($process_external.count) rooms configured to process external (forwarded) meetings"
    if ($process_external) {
        Write-Host $process_external -Separator ", "
        Write-Host ""
}

Enabling OAuth authentication

In this step, you enable OAuth authentication for the service account that One-Touch Join uses to log in to Exchange.

To use OAuth for the service account, you must create an app registration in Azure and then use the settings from this app registration when enabling and configuring the OAuth options within the One-Touch Join Exchange integration.

Create a new App Registration in Azure

Log into the Azure portal at aad.portal.azure.com.
From the main panel on the left, select Azure Active Directory.
Select App Registrations and then New registration:
In the Register an application panel, enter the following options:
1. Name: this can be anything you wish. In our example we have used Pexip OTJ App.
2. Supported account types: select Accounts in this organizational directory only.
3. Redirect URI: from the drop-down menu, select Public client/native (mobile and desktop). The URI must use the IP address or FQDN of the Management Node, in the format
  https://<Management Node Address>/admin/platform/mjxexchangedeployment/oauth_redirect/
  In our example we have used https://infinity.example.com/admin/platform/mjxexchangedeployment/oauth_redirect/
  You will need to enter this as the OAuth redirect URI when configuring a One-Touch Join Exchange integration.
  The OAuth redirect URI is the page on the Administrator interface to which the Pexip Infinity administrator will be returned after they have successfully signed in to the service account. Because it is a page on the Management Node, this URI is internal to your deployment and only needs to be accessible from the administrator's web browser; you do not need to make it externally accessible. This URI must be the same on Azure and Pexip Infinity in order for Azure to validate the sign-in request.
Select Register.

A new panel will open where you can configure your application.
From the panel on the left, select API permissions.
Select Add a permission.
From the Request API permissions panel, select APIs my organization uses, search for Office 365 Exchange Online and select it:
Select Delegated permissions, and from the Select permissions list, expand EWS and select Access mailboxes as the signed-in user via Exchange Web Services, and then select Add permissions:

Taking note of configuration

When you Configure the One-Touch Join Exchange integration and enable OAuth authentication for the service account, you'll need to provide the following information from Azure:

Application (client) ID: this was generated for you by Azure when you saved the App Registration:

You can find this again in Azure under Azure Active Directory > App registrations, under the Application (client) ID column.

You will need to enter this as the OAuth client ID when configuring the One-Touch Join Exchange integration.
Redirect URI: this is the URI you entered when creating the App Registration.

You can find this again in Azure under Azure Active Directory > App registrations, clicking on the app registration, and then clicking Redirect URIs.

You will need to enter this as the OAuth redirect URI when configuring the One-Touch Join Exchange integration.

You will also need to know the OAuth Endpoints to use. To find this information:

In the Azure Portal, select Overview > Endpoints.
Copy the URL of the OAuth 2.0 authorization endpoint (v1).

Ensure that you use the URL for ... endpoint (v1), not ... endpoint (v2).

You will need to enter this as the OAuth authorization endpoint when configuring the One-Touch Join Exchange integration.
Copy the URL of the OAuth 2.0 token endpoint (v1)

Ensure that you use the URL for ... endpoint (v1), not ... endpoint (v2).

You will need to enter this as the OAuth token endpoint when configuring the One-Touch Join Exchange integration.

Adding a One-Touch Join Exchange integration on Pexip Infinity

In this step you log in to the Pexip Infinity Administrator interface and add details of the Exchange deployment you are integrating with, including details of the service account and OAuth access (based on the configuration you have just set up in Exchange). You must then sign in to Exchange using the service account.

Configuring the Exchange integration

From the Pexip Infinity Administrator interface, go to One-Touch Join > OTJ Exchange integrations.

Option	Description
Name	The name of this One-Touch Join Exchange integration.
Description	An optional description of this One-Touch Join Exchange integration.
Service account username	The username of the service account to be used by the One-Touch Join Exchange integration. This is usually in the format name@domain.
Enable OAuth	Enable this option to authenticate the service account using OAuth 2.0. (This option is only supported for Exchange in Office 365.)
Enable NTLM	Leave this option disabled. (NTLM is supported for Exchange on-premises only.)
OAuth client ID	(Available if OAuth has been enabled) The Application (client) ID which was generated by Azure when creating an App Registration in Azure Active Directory (see Taking note of configuration).
OAuth redirect URI	(Available if OAuth has been enabled) The redirect URI you entered when creating an App Registration in Azure Active Directory. This must be in the format https://<Management Node Address>/admin/platform/mjxexchangedeployment/oauth_redirect/ The OAuth redirect URI is the page on the Administrator interface to which the Pexip Infinity administrator will be returned after they have successfully signed in to the service account. Because it is a page on the Management Node, this URI is internal to your deployment and only needs to be accessible from the administrator's web browser; you do not need to make it externally accessible. This URI must be the same on Azure and Pexip Infinity in order for Azure to validate the sign-in request.
OAuth authorization endpoint	(Available if OAuth has been enabled) The URL of the OAuth authorization endpoint (see Taking note of configuration). Ensure that you use the URL for ... endpoint (v1), not ... endpoint (v2).
OAuth token endpoint	(Available if OAuth has been enabled) The URL of the OAuth token endpoint (see Taking note of configuration). Ensure that you use the URL for ... endpoint (v1), not ... endpoint (v2).
Advanced options
Find Items Request Quota	The number of Find Item requests that can be made by OTJ to your Exchange Server in a 24-hour period. The default of 1,000,000 should be sufficient for most deployments — for more information, see Frequency of and limitations on calendar requests. We do not recommend increasing this quota unless you have deployed a dedicated One-Touch Join platform, because it will impact the performance of the Conferencing Nodes.
OTJ Exchange Autodiscover URLs
This section is optional and will generally only be required if the Autodiscover URLs in your deployment do not use a standard location.
Name	The name of this Exchange Autodiscover URL.
Description	An optional description of this Exchange Autodiscover URL.
Autodiscover URL	The URL used to connect to the Autodiscover service on the Exchange deployment. If you are using Office 365, you may need to enter your autodiscover URL manually, particularly if you are using a hybrid Exchange deployment. If your OTJ room resources and service account are hosted on O365, then you should enter https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc as the Autodiscover URL. The URL must end in .svc; URLs ending in .xml are not supported.

When you have completed the above fields, select Save. You will be returned to the main OTJ Exchange Integration page. You must now sign in to the Exchange integration using the service account details you have just created.

Signing in to the service account

If you have enabled OAuth for the first time, you must sign in to the service account after saving the configuration of the One-Touch Join Exchange integration.

You may also need to re-sign in to the service account if:

the service account password has changed
the service account uses multi-factor authentication (MFA) and the MFA is refreshed
you disable and then subsequently re-enable OAuth
you update any of the following configuration for the One-Touch Join Exchange integration:
- Service account username
- OAuth client ID
- OAuth token endpoint
the Management Node has been offline for more than 90 days.

To sign in to the service account:

Ensure you have signed out of all Microsoft accounts on your device, including the Microsoft Azure portal.
From the Management Node, go to One-touch join > OTJ Exchange Integrations, select the Exchange integration you have just created. At the bottom of the Change OTJ Exchange integration page, select Sign in to service account:

You will be taken to the Sign in to service account page.:
Copy the Sign in link and paste it into a new browser tab.
Sign in as the service account.

You are asked to permit the OTJ application to sign in as the service account, and to access the mailboxes that the service account has been granted access to. (The service account will only have access to the mailboxes of the OTJ room resources, if you completed the steps in Configuring Application Impersonation on the service accountIn this step, you create a new Distribution Group, and add the rooms to be used for One-Touch Join to the group. You then use PowerShell commands to make it so that the service account will only be able to impersonate members of that Group..)

If there is an option to Consent on behalf of your organization, do not select this — consent only needs to be given to the service account.
Select Accept.

You are returned to the Management Node.
You may be asked to sign in to the Management Node again. If so, you must sign in to the Management Node (using your Management Node credentials) to complete the process of signing in to the service account.

When complete, you are returned to the Sign in to service account page and see the message Successfully signed in.

Next steps

You must now configure the remainder of the One-Touch Join components on Pexip Infinity, as described in Configuring Pexip Infinity for One-Touch Join.