Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The MyTimetable Office 365 integration is able to connect to a user's calendar using the Outlook Calendar REST API. This page describes how to grant MyTimetable access to the Outlook Calendar REST API. MyTimetable will then be able to access calendars without explicit consent of a user.

...

  • Visit the Microsoft Azure Management Portal at portal.azure.com, using  using the credential of your Microsoft tenant that has the subscription to Office 365 you wish to use.
  • Click Go to "Azure Activity Directory" in the left-hand menu
  • In the menu, click "App registrations".
  • Click "New application registration".
  • Enter the Name of the application (e.g. MyTimetable-prod).
  • Select "Web app / API" at "Application type".Enter a URL at "Sign-on URL". Any URL is possible, MyTimetable does not use this value'Accounts in this organizational directory only' as we currently only support single tenant apps.
  • Leave the Redirect URI empty.
  • Click "CreateRegister".

Image RemovedImage Added

Image RemovedImage Added

Your application is now registered with Azure AD. Proceed with the next step to specify the app permissions.

Step 2: Specifying app permissions

Next, we need to make sure the newly created app has the correct permissions to access user calendars.

Note

The "Read and write calendars in all mailboxes" application permission is described by Microsoft as "Allows the app to create, read, update, and delete events of all calendars without a signed-in user". Less restrictive scopes that allow MyTimetable to perform the operations required are not available at the moment. MyTimetable only reads, updates and deletes calendar events it has created itself, but this is something that is enforced in the synchronisation backend, not by Office 365. So while MyTimetable does not read, update or delete other calendar events, it does have the permissions to do so.

...

This permission can optionally be scoped to specific mailboxes by following the instructions at Scoping application permissions to specific Exchange Online mailboxes.

  • In the newly created application choose "API permissions".
  • Click "Add a permission"

...

  • .

Image Added

  • Choose "Microsoft Graph" > "Application Permission" > "Calendars" and tick "Calendars.ReadWrite".
  • Click "Select an APIAdd permissions"
  • Pick "Office 365 Exchange Online (Microsoft.Exchange)"
  • Click "Select"
  • Tick the box "Read and write calendars in all mailboxes".
  • Add another permission (required for older MTT versions), click "Add a permission" again.
  • Choose "Exchange" > "Application Permission" > "Calendars" and tick "Calendars.ReadWrite.All".
  • Click "Add permissions".
  • Click "Select"
  • Click "Done"

Image Removed


The default permissions for the Windows Azure Active Directory can be removed
  • Click "Windows Azure Active DirectoryUser.Read"
  • Click the "DeleteRemove permissions" button and confirm using "Yes, remove"

Image RemovedImage Added


Finally, we need to consent to the apps permissions on behalf of all users in the tenant, so users do not have to manually consentas this is required for application permissions.

  • Click the "Grant Permissionsadmin consent" button and confirm using "Yes"

Image RemovedImage Added

Anchor
generating-and-uploading-a-certificate
generating-and-uploading-a-certificate
Step 3: Generating and uploading a X.509 certificate

In order to enable service-to-service calls, a X.509 certificate needs to be configured and uploaded to Azure. 
  • If you are using MyTimetable managed hosting, Eveoh will provide you with a certificate to upload. If you are an on-premises customer you will need to create this certificate yourself by following:
    • We need to create a self-signed certificate. This can be done using the minimal openssl install found at https://files.eveoh.nl/openssl_min.zip (for Windows) or an OpenSSL install included in the OS (Linux). From the command line, create a self-signed certificate and enter a password (make sure to remember this), the university name, country and domain name of your MyTimetable instance (common name):
Code Block
languagebash
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 3650 -config openssl.cnf
  • Back in the Azure Management Portal, click the "Settings" button at the app that was created
  • Pick "Keys" in the menu that appears
  • Click "Upload Public Key"Certificates & secrets".
  • Choose "Upload certificate".
  • Upload the "cert.pem" file from Eveoh or generated in the first step.
  • Click "SaveAdd"
  • The key should now be visible under "Public Keys".

Image RemovedImage Added

Anchor
information-required
information-required
Information required for MyTimetable configuration

...

  1. Azure AD tenant name
  2. Application (client) ID of the registered app
  3. For on-premises hosting:
    1. Public key of the X.509 certificate (cert.pem)
    2. Private key of the X.509 certificate (key.pem)
    3. Password for the private key

...

MyTimetable requires the generated X.509 certificate and the corresponding private key to be available in a Java Keystore. The Eveoh support department can store the X.509 certificate and its private key into a Java Keystore for you. If you want to do it yourself, please follow these steps:

  • Save the X.509 certificate and the private key into the PKCS12 format using OpenSSL:
Code Block
languagebash
openssl pkcs12 -export -in cert.pem -inkey key.pem -out cert.pfx

...