This is a technical companion to our main Office 365 set up document and does not apply to anyone using a service account to connect with Office 365 instead.
When setting up Robin for the first time, you may wonder why a Global Admin is required to authenticate as part of the set up process. Especially if you're used to using delegate access to manually share permissions between accounts.
This is something we're happy to answer and welcome opportunities to show our security practices. Based on past conversations, this article shares a few clarifications others found useful.
More familiar with Exchange service accounts?
If you don't want to use the app method, you can also set up a service account for Robin instead.
The big idea
In order to sync calendars, Robin needs to install an integrated app onto your Office 365 account. In Office 365, only a Global Admin has the ability to install integrated apps. This is a great thing for security, and prevents any user from giving apps access to sensitive parts of your configuration.
What does the installed app do?
Robin uses this app as a gateway to manage room calendars and of the users involved in each room's meetings. You probably already have a few other services installed similarly, and can see a list of apps you have today via http://myapps.microsoft.com
"Why not only share access to the room calendars?"
Robin's scheduling tools are focused on room calendars, however we frequently have to update meetings on behalf of users where the room calendar is just one of several which needs updates. This "cascading" concept is a key part of how we manage calendars when both people and rooms are involved.
This is easy to visualize using Google Calendar. In this case we just edit the room's event and nobody else is updated:
But if you update the organizer's version it changes everywhere:
If you used a more explicit delegate approach, you'd quickly run into a problem of new employees having to share their personal calendars with the delegate and keep that list up to date to avoid "I deleted this event, why is it still on my calendar if the room is free?" moments.
As we continue to develop user-to-room and user-to-user scheduling tools, this permission becomes more and more important to successfully scheduling without creating confusing workflows for your users.
"Why does it ask for full access to all mailboxes?"
In short, there are three ways apps (like Robin) can authenticate with Exchange services:
- NTLM: One-way hash of username and password. Most secure way of storing credentials for on-premise Exchange.
- Basic: Plaintext username and password. This method is considered insecure and we don't support it with Robin.
- OAuth: Scoped token-based authentication standard, used by apps/services to request very specific rights for your account.
While we support NTLM for connect on-premise/hosted Exchange servers to Robin, Office 365 (via EWS) only supports OAuth and Basic authentication and not NTLM. If you see apps ask for just your O365 username and password to authenticate, it means they are using Basic authentication, and store your account password and username, which is a bigger security concern since the account info has to be decrypted on use when using Basic Auth..
Put another way, if you cannot connect to O365 through OAuth there's a considerable concern with security compromising via apps that allow you to sign in via Basic authentication. For this reason, we only support OAuth authentication at this time.
Using OAuth, we securely install the connector app onto your Office 365 account. For Office 365/EWS, Microsoft (for some inexplicable reason) requires that all OAuth apps request this permission. Robin does not use it. Once installed, the Robin app can only interact with your calendars.
"Why do you need global admin privileges just to manage room calendars?"
Happily, we don't.
Once the app is installed, the global admin account is no longer involved with managing calendars. To use a really extreme example: You could make a brand new Global Admin account, use it to install the Robin app, then delete the account entirely and Robin would still be good to go since the app is already active.
By installing the app, Robin does not gain the abilities of a Global Administrator in your organization. Similar to how creating a new user mailbox as the Global Admin does not transfer power to the user account simply because an admin is needed to complete the set up step.
Want to talk to a human?
If you have additional questions, you can call us (1-617-910-0454) or email our security engineering team directly email@example.com. You run a tight ship, and we want to help you keep it that way.
You can also read more about our security practices here.