Azure AD with Exchange Online¶
Azure AD with Exchange Online application on Hire2Retire uses OAuth authorization for authenticating Azure AD and Exchange Online.
By linking your Azure AD and Exchange Online account with Hire2Retire, you can authorize RoboMQ to have a delegated access on your behalf to both applications. Hire2Retire needs the following permissions on your account to provide a seamless integration experience:
For Azure AD¶
Service Provider Application¶
| Scopes | Explanation |
|---|---|
| User.ReadWrite.All | Read and write all user's full profiles |
| Group.ReadWrite.All | Read and write all groups |
| Directory.AccessAsUser.All | Application requires this scope to reset their password. |
| offline_access | Maintain access to data you have given it access to. When a user approves the offline_access scope, your app can receive refresh tokens from the Microsoft identity platform token endpoint. Refresh tokens are long-lived. Your app can get new access tokens as older ones expire. |
Customer Owned Application¶
| Scopes | Explanation |
|---|---|
| User.ReadWrite.All | Allows the user to read and update the user profiles without a signed in user. |
| Group.ReadWrite.All | Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write conversations. All of these operations can be performed by the app without a signed-in user. |
| Directory.ReadWrite.All | Application requires this scope to reset their password. |
| User.EnableDisableAccount.All | Grants the ability to enable or disable any user account within the Azure AD tenant. |
For Microsoft Exchange Online¶
| Feature | Role | Explanation |
|---|---|---|
| Azure AD Distribution List | Distribution Groups | Read and Write Azure AD distribution lists. |
| Mail-Enabled Security Groups | Security Group Creation and Membership | Read and write mail enabled security groups. |
| Shared Mailbox | User Administrator | Read and write on mailbox. |
The specified permissions should be included in a role group that the service account is being assigned to.
Create a Connection¶
Azure AD Connection: Service Provider Application¶
You need to have an Azure AD account before using Azure AD application on hire2retire.
On clicking the 'Link Account' button, you will be redirected to Microsoft Account Authorization screen. and then enter the account details to use the Azure AD for this flow
One also need admin consent. After entering acount details you will be redirected to microsoft admin approval pannel, enter justification for requesting and click on Request approval.
From the Azure ADmin portal, click on Review permissions and consent option to approve the request
By allowing access, you are authorizing RoboMQ to access your AzureAD account and make changes based on changes in HR data.
Azure AD Connection: Customer Owned Application¶
You need to have application registered on your tenant & provide necessary permission required by Hire2Retire. Hire2Retire requires the following details to create a connection.
- Azure National cloud - Select the specific national or regional instance of a cloud service, such as Microsoft Azure National Cloud, tailored to meet local regulatory and compliance needs.
- Client ID - Application ID
- Tenant ID - Unique identifier of the Azure AD instance.
Navigate to the "Overview" blade within your registered application to locate both the Tenant ID and the Client/Application ID.
Exchange Online Connection¶
To establish Exchange Online connection, you need to have an Azure AD service account existing in a role group with neccessary permissions mentioned above.
Here are the permissions requested by Hire2Retire from your Microsoft Exchange Online account:
