Exchange calendar for admins

General information

Voice for Windows allows your organization's users to synchronize calendar data from a Microsoft Exchange server.

Voice for Windows supports two different authentication methods:

  • Legacy authentication

  • Modern authentication

Users need to use the authentication method supported by your organization's Exchange server. By default, Voice for Windows tries to automatically discover the appropriate authentication method. In some cases, such as with older Exchange on-premise servers, the automatic discovery might not work and the user needs to manually select the authentication method in the Exchange calendar settings in Voice for Windows.

Application migration

Application settings are preserved between version updates, so if your organization is updating from old versions of Voice for Windows and a user has been using the Exchange calendar, the settings should be in the same condition after the update. This also means that if you are going to move to modern authentication and a user has had the Exchange settings selected, the user needs to change the Exchange calendar settings so that modern authentication will be in use. The preferred way is to close the Additional settings in the Exchange calendar settings. This sets the Exchange settings to automatic discovery mode, which in most scenarios defaults to modern authentication.

Legacy authentication

This authentication method supports basic authentication and other legacy authentication methods to Exchange servers. It is usually needed to support authentication for on-premise Exchange servers. Users can continue to use this authentication method if the organization supports it or if modern authentication is not available. Legacy authentication is not recommended for Exchange Online (O365) and Exchange Hybrid on-premise use. Legacy authentication is implemented using the Microsoft Exchange Web Services Managed API library.

Modern authentication

This authentication method is supported only for Exchange Online (O365) and Exchange Hybrid on-premise use. It lets users log in with work or school accounts that are tied to the organization's AzureAD directory. With this authentication method the application receives an authentication token that is used for the Exchange Web Services connection. The default expiry time of the authentication token is 1 hour and the token is refreshed while the application is in use, but depending on the usage policy set in the organization's AzureAD tenant, users might need to log in again if the token expires or is revoked. When the user exits Voice for Windows, the authentication token is stored in the local token cache. The next time the application is started, the authentication token is read from the token cache and the user is automatically authenticated if the token is still valid. If the authentication token is no longer valid, the user is prompted with a login screen. When the user logs out from Voice for Windows, the token cache that stores the authentication token is cleared, which means that the user needs to log in again to the Exchange calendar. Modern authentication is implemented using the Microsoft Authentication (MSAL) library.

Setting up Azure tenant for Modern authentication

Application consent

The Voice for Windows application needs to be added and consented to in the AzureAD tenant when using the modern authentication method. The method for consenting to the application in the tenant depends on how the AzureAD Enterprise Applications user consent settings are set.

Application consent: Do not allow user consent

When this is selected, the organization's users cannot add or consent to the application, and an AzureAD Global administrator is required to add and consent to the application for the organization's use.

An AzureAD Global administrator can consent to the application for the organization's tenant in the following ways.

  • Log in with Voice for Windows to the Exchange calendar using your AzureAD Global administrator credentials. The login process will then ask you to consent to the application, and the application will be added to the tenant's Enterprise Applications. During the consent process you can also select 'Consent on behalf of your organization', which means that the application will be consented for the whole organization and not just for your admin credentials. If this is selected, the organization's users will no longer be asked to consent to the application.

OR

  • Log in with a web browser using your AzureAD Global administrator credentials. The login process will then ask you to consent to the application, and the application will be added to the tenant's Enterprise Applications. For this you need to know the tenantId of the tenant where the application is to be added. The web browser link is as follows: https://login.microsoftonline.com/{tenantId}/adminconsent?client_id={appId} where {tenantId} is the AzureAD tenant where the application will be added and {appId} is the Voice for Windows application. After the consent you might see a redirection error page. This is expected because Voice for Windows is configured as a desktop application and not as a web application.

Voice for Windows appId is 7cb1d12a-cffb-425a-8074-0da451d1efed

You might have to make additional configuration in the AzureAD tenant to consent to the application for the organization's users if you did not select 'Consent on behalf of your organization' during the login process or if it was not available to be selected.

Application consent: Allow user consent for apps from verified publishers, for selected permissions

When this is selected, the organization's users can consent to the application. The following low impact permissions are the minimum that need to be selected.

With Admin consent requests, which can be found in the Enterprise Applications user settings, you can ensure that only admins can consent to the application while users can still request consent during the login process. An admin will be notified when consent is requested.

Application consent: Allow user consent for apps

When this is selected, any user in the organization can consent to the application. This means that if the application does not yet exist in the tenant's Enterprise Applications, it will be added there when a user consents to the application.

Application permissions

During the application consent, Voice for Windows will ask for the following permissions:

  • Access mailboxes as the signed-in user via Exchange Web Services

  • View users' basic profile

  • Maintain access to data you have given it access to

Mailbox access via Exchange Web Services is the only permission scope that the application can use when using the Exchange Web Services connection. The other two permissions are basic low impact permissions that the application needs in order to authenticate.
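
After consent has been given, an administrator can check what the tenant actually recorded for the application. The following PowerShell is an added example, not part of the Voice for Windows product or its documentation: it summarizes delegated permission grants per consenting principal and flags anything beyond the three permissions listed above. The scope identifiers (EWS.AccessAsUser.All, profile, offline_access) are an assumption, since this page gives display names only; the function name and the sample grants are constructed for illustration.

```powershell
# Added example: review delegated permission grants recorded for Voice for Windows.
$VoiceAppId     = '7cb1d12a-cffb-425a-8074-0da451d1efed'   # appId from this page
# Assumption: scope identifiers behind the three display names listed on this page.
$ExpectedScopes = 'EWS.AccessAsUser.All', 'profile', 'offline_access'

function Get-VoiceConsentSummary {
    param([Parameter(Mandatory)][object[]]$Grants)

    # One grant object exists per resource API, so combine all grants that
    # belong to the same principal before comparing against the expected set.
    $Grants | Group-Object -Property ConsentType, PrincipalId | ForEach-Object {
        $first   = $_.Group[0]
        # Scope is a space-separated string on each grant object.
        $granted = @($_.Group | ForEach-Object { $_.Scope -split '\s+' } |
                     Where-Object { $_ } | Sort-Object -Unique)
        $extra   = @($granted | Where-Object { $_ -notin $ExpectedScopes })
        $missing = @($ExpectedScopes | Where-Object { $_ -notin $granted })
        [pscustomobject]@{
            # AllPrincipals = consented on behalf of the organization,
            # Principal     = consented for a single user only.
            TenantWide  = ($first.ConsentType -eq 'AllPrincipals')
            PrincipalId = $first.PrincipalId
            Granted     = $granted -join ' '
            Unexpected  = $extra -join ' '
            Missing     = $missing -join ' '
            Ok          = ($extra.Count -eq 0 -and $missing.Count -eq 0)
        }
    }
}

# Constructed sample grants (not real tenant data) so the check runs offline.
$sample = @(
    [pscustomobject]@{ ConsentType = 'AllPrincipals'; PrincipalId = $null
                       Scope = 'EWS.AccessAsUser.All' }
    [pscustomobject]@{ ConsentType = 'AllPrincipals'; PrincipalId = $null
                       Scope = 'profile offline_access' }
    [pscustomobject]@{ ConsentType = 'Principal'
                       PrincipalId = '00000000-0000-0000-0000-000000000001'
                       Scope = 'EWS.AccessAsUser.All Mail.ReadWrite' }
)
Get-VoiceConsentSummary -Grants $sample | Format-List

# Against a live tenant (requires the Microsoft Graph PowerShell module):
#   Connect-MgGraph -Scopes 'Directory.Read.All'
#   $sp = Get-MgServicePrincipal -Filter "appId eq '$VoiceAppId'"
#   Get-VoiceConsentSummary -Grants (
#       Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All)
```

A row with TenantWide set to True corresponds to consent given on behalf of the organization; rows with a PrincipalId are individual user consents.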

© Enreach, Mannerheimintie 117, 00280 Helsinki, Finland
+358 40 450 3000, www.enreach.fi