Authorizing Robin's enterprise app in Microsoft 365

Connection Guide

This guide assumes you want to authorize Robin's Enterprise app in Microsoft 365 as a Global Administrator that will not also act as the service account. This process will allow users to "Sign in with Microsoft 365" without any ongoing connection to a Global Administrator.

1
From Robin’s web dashboard, go to Manage > Integrations > next to Microsoft 365 select Connect. 
2
Select Connect via Service Account as a method.
2024-02-01_11-54-45.png
3
On the pop up window, sign in as a Global Administrator to add Robin as a service principal in your Microsoft 365 tenant. This will allow you to manage user and group assignments directly inside Azure’s admin portal.
2024-02-01_11-49-07.png
Refer to the background on Understanding permissions with Microsoft 365 enterprise apps for more on why the Global Administrator is required for this step.

4

Remove the account from Robin, since we only needed it to approve the application initially. This will invalidate the tokens generated for your Global Administrator account, but leave the Service Principal within Azure AD. At this point, Robin has no access to your tenant, but you can now apply the correct settings within Azure.


2024-02-01_12-18-05.png
5
Optional: In Microsoft 365’s Azure Admin Portal, under “Enterprise Apps”, find Robin and enable “Require user assignment” to require explicit assignment before logging into Robin. 
o365-robin-enterprise-applications.pngo365-robin-user-assignment-required.png
6
Enable “Users can consent to apps accessing company data on their behalf” in Microsoft 365, which allows users with the required permission to log into their assigned Microsoft 365 apps.
As mentioned above, this setting only applies to applications the global administrator has explicitly authorized already. It does not grant users the ability to create new applications you haven't already approved. 
o365-robin-enable-user-sso.png
7
Assign the service account to the Enterprise App now listed in the Azure Directory within Microsoft 365. Optional: Assign a group policy instead.
o365-robin-service-account-access.png
8
In Robin’s web dashboard, connect the actual service account via Manage > Integrations using the service account method. Accept the authorization prompt when it appears.
9
Make sure the service account has impersonation access within Microsoft 365 for the calendars you would like it to manage, then connect the room calendars.
10
Calendars are now connected, and you’re ready to go. Any employees you assign to Robin in Microsoft 365 will also be able to log in, and those you haven’t explicitly assign will be rejected by Microsoft when attempting to authenticate.

Did this article help?