Security

Security is one of our top priorities and our cloud services are operated in Microsoft's state-of-the-art data centres.
Below you can see a simplified diagram of how Smartsign Room communicates as well as detailed information about the interactions and permissions required for the different calendar providers that we integrate with.

Microsoft 365

Smartsign Room uses the Microsoft Graph API to communicate with Microsoft 365 and authenticates using "modern authentication" (OAuth2).

It's possible to connect using either an Azure Enterprise App or using a service account with delegated access.

App connection

Using an app requires no additional license for Microsoft 365. The app runs on behalf of the tenant using application permissions.

The following permissions must be granted to the Smartsign Room App in your Microsoft 365 tenant. You need to be an admin to consent to these permissions on behalf of your organization.

  • Read and write calendars in all mailboxes
    • Every room calendar in Microsoft 365 belongs to a mailbox. It's not possible to request access to specific mailboxes, which is why we must ask for all of them even though we only interact with the room mailboxes.
  • Read all users' full profiles
    • Each room mailbox has a user and it's not possible to request access to specific user profiles. We only interact with the room mailbox users.
  • Read all company places
    • Company places contains a list of all room mailboxes.
  • Sign in and read user profile
    • Needed to be able to authenticate and log in.

Microsoft currently does not provide any means of excluding resources from the application side, but it is possible to do so from your own Microsoft 365 tenant.
Please review and follow Microsoft's official documentation to do so: https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-access

For reference, the app that you should apply the policy to is: d4924a86-3b0f-4a9a-9035-a8c9444b7833
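One way to apply such a policy from Exchange Online PowerShell, as an added example that is not Smartsign's or Microsoft's own script. It assumes the ExchangeOnlineManagement module is installed; the group name, group address and control user are placeholders to replace with your own values.

```powershell
# Added example: limit the Smartsign Room app to room mailboxes only.
# Placeholders are marked; the app ID is the one given on this page.
$AppId       = 'd4924a86-3b0f-4a9a-9035-a8c9444b7833'
$GroupName   = 'SmartsignRoomScope'            # placeholder
$GroupSmtp   = 'smartsign-rooms@contoso.com'   # placeholder
$ControlUser = 'some.user@contoso.com'         # placeholder: any non-room mailbox

Connect-ExchangeOnline

# 1. Mail-enabled security group that defines which mailboxes the app may reach.
if (-not (Get-DistributionGroup -Identity $GroupSmtp -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $GroupName -Type Security -PrimarySmtpAddress $GroupSmtp | Out-Null
}

# 2. Add every room mailbox that is not already a member.
$rooms   = @(Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited)
$members = @(Get-DistributionGroupMember -Identity $GroupSmtp -ResultSize Unlimited |
             ForEach-Object { [string]$_.PrimarySmtpAddress })
foreach ($room in $rooms) {
    $address = [string]$room.PrimarySmtpAddress
    if ($members -notcontains $address) {
        Add-DistributionGroupMember -Identity $GroupSmtp -Member $address
    }
}

# 3. Restrict the app to members of that group (skip if a policy already exists for it).
$existing = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if (-not $existing) {
    New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $GroupSmtp `
        -AccessRight RestrictAccess -Description 'Limit Smartsign Room to room mailboxes'
}

# 4. Verify: a room mailbox should be Granted, an ordinary user mailbox Denied.
if ($rooms.Count -eq 0) {
    Write-Warning 'No room mailboxes found; nothing to verify.'
} else {
    $roomCheck = Test-ApplicationAccessPolicy -Identity ([string]$rooms[0].PrimarySmtpAddress) -AppId $AppId
    $userCheck = Test-ApplicationAccessPolicy -Identity $ControlUser -AppId $AppId
    if ($roomCheck.AccessCheckResult -ne 'Granted') {
        Write-Warning "Room mailbox is not reachable by the app: $($roomCheck.AccessCheckResult)"
    }
    if ($userCheck.AccessCheckResult -ne 'Denied') {
        Write-Warning "Non-room mailbox is still reachable by the app: $($userCheck.AccessCheckResult)"
    }
}
```

Room mailboxes created later must also be added to the group, otherwise the app will be denied access to them.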

Service account connection

Requires a Microsoft 365 license for the service account.

The service account needs delegate access with the permission "Full Access" to each room mailbox.

The service account connection also uses an app, but the app runs on behalf of the user instead of the tenant as a whole. For this reason an admin account may not be required to connect, since the permissions needed are on behalf of the service account user only.

The following permissions must be granted to the Smartsign Room Service account App, for the service account user.

  • Read and write user and shared calendars
    • Allows the app to create, read, update and delete events in all calendars in the organization that the user has permission to access. This includes delegate and shared calendars.
  • Read all users' basic profiles
    • This is the minimum access possible to be allowed to list "places" in the tenant, i.e. room calendars.
  • Maintain access to data you have given it access to
    • Allows the app to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions.

Google Workspace

Smartsign Room uses the Google Calendar API to communicate with Google Workspace and authenticates using OAuth2. This is the method recommended by Google.

To get the needed data using this method the following permissions must be granted to Smartsign Room in your Google Workspace tenant.

  1. A Domain Wide Delegation for Smartsign Room (Client Id 114082751795107497100) with the following OAuth scopes.
    1. https://www.googleapis.com/auth/calendar
      • To be able to read from calendars
    2. https://www.googleapis.com/auth/admin.directory.resource.calendar.readonly
      • To list the available resource calendars
    3. https://www.googleapis.com/auth/calendar.events
      • To be able to manage events on calendars
  2. An account with access to the relevant calendars. We recommend using a generic/dedicated account. This account is then impersonated by Smartsign Room using a service account.
    • Option A: A super admin account. This account automatically has access to all calendars and events.
    • Option B: A normal user account. Permission to manage events must be granted manually on each calendar.