Some of the technical content on this site is only available in English.

Email Calendar Invitations

How to configure Email Calendar Invitation for Azure Outlook in Salto IDM

In order to configure the Email Calendar Invitation Configuration to use Outlook, you will need to create a new App Registration in Azure, provision it with permissions and then fill in the credentials back into Salto IDM.

Step 1: Creating an Azure App Registration on your Azure AD tenant

  1. Navigate to the Azure portal - App registrations page.

  2. Either pick an existing application on the All applications tab, or select New registration.

  3. When the Register an application page appears, enter your application's registration information:

    • In the Name section, enter a representative name (for example Salto-IDM-Calendar-Integration-Production)
    • In the Supported account types section, select Accounts in this organizational directory only (Your Tenant Name only - Single tenant).
    • The Redirect URI (optional) section can be left empty, as our environment handles the redirection automatically.

    Azure app registration

  4. Click on Register to create the application.

To keep your registrations clean and isolated (which allows easier debugging and problem solving), please create separate App Registrations for different environments (for example Localhost, Production, Staging, etc.).

Step 2: Provisioning permissions on your App Registration

  1. Navigate to the API Permissions page within the App registration
  2. Click on Add a Permission
  3. On the panel that opens, click on Microsoft Graph, then click on Application Permissions
  4. Scroll down and look for the Calendars section and add Calendars.ReadWrite

Microsoft Graph calendar permissions

  1. Add another Microsoft Graph permission, but this time use Delegated Permissions
  2. Scroll down and look for the User section and add User.Read

Microsoft Graph user permissions

  1. After adding the permissions, click on Grant admin consent for your tenant, your Configured Permissions should look like this:

Configured API permissions summary

Make sure that Admin consent has been granted for the requested permissions and the green checkmark is showing on the right side of the table.

Step 3: Add a client secret

  1. Click on the Certificates & secrets tab and click on New client secret.
  2. Add a representative Description to your secret, and choose an Expiration according to your own security and maintenance rules.

Client secret creation

  1. Once you create the secret, make sure to copy the Secret Value (not the Secret ID), and store it in a safe place (for example password manager). Once you leave this page, you won't be able to see the value again, and if you don't save it, you'll need to re-create the secret.

Be aware that after the secret is expired, the integration won't work and you have to create a new secret and update it's value in Salto IDM.

Make sure to have a mechanism in place to alert you when the secret will expire to avoid login issues in production environments.

Certificates and secrets overview

  1. Click on the Overview tab and copy the Directory (tenant) ID (<TENANT_ID>)

  2. On the top search bar, search for "Microsoft Entra ID" and click on it

  3. Go to the Enterprise applications tab, search and click the App Registration you created on the previous steps, and on the Overview page that is displayed copy the Name (<APP_DISPLAY_NAME>), Application ID (<APPLICATION_ID>), and Object ID (<ENTERPRISE_OBJECT_ID>).

Enterprise application overview

  1. Create a new mailbox account (or use an existing one) and copy the email address (<EMAIL_ADDRESS>) that will be used by users when creating calendar events.

This step is important for the integration to work. This mailbox is used by the integration to detect any invitations sent by users and automatically generate visitor invitations into Salto IDM.

Make sure that this email is not used by any other integrations or with any other purposes.

The only requirement for the invitation integration to work correctly is that when an user is creating a calendar event, they should CC this email address in the calendar invitation.

Step 5: Run commands in PowerShell to register the mailbox

  1. Lastly, run the following commands one by one in PowerShell as Administrator (in Windows) to link the email address with the app registration we created on the previous steps.
bash 
Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -OrganizationId "<TENANT_ID>"
New-ServicePrincipal -AppId "<APPLICATION_ID>" -ObjectId "<ENTERPRISE_OBJECT_ID>"
Set-ServicePrincipal -Identity "<ENTERPRISE_OBJECT_ID>" -DisplayName "<APP_DISPLAY_NAME>"
Add-MailboxPermission -Identity "<EMAIL_ADDRESS>" -User "<ENTERPRISE_OBJECT_ID>" -AccessRights FullAccess

Step 6: Create a new Email Calendar Invitation Configuration in Salto IDM

  1. Log into Salto IDM, navigate to Administration > Automations > Create Automation

  2. Choose the environment it should run for, add a name for the automation and mark it as enabled

  3. Choose Calendar Events as time schedule type, and choose how often it should check for new invitations (for example every 5 minutes)

  4. On the right side choose Outlook as protocol

  5. Enter the following details:

    a. Email address: Mailbox previously configured

    b. Timezone where the environment is running

    c. Application (client) Id: <APPLICATION_ID>

    d. Client secret (value): Secret (value) previously created

    e. Directory (tenant) id: <TENANT_ID>

  6. Click on Save, and you should be able to see a success message if everything is correct.

Outlook calendar integration configuration

Salto Systems, S. L. uses third-party data storage and retrieval devices in order to allow secure browsing and gain a better understanding of how users interact with the website in order to improve our services. You can accept all cookies by clicking the "Accept cookies" button or reject their use by clicking the "Reject cookies" button. For more information, visit our Cookies Policy