Skip to content

Azure Active Directory with Exchange Online

Azure AD with Exchange Online application on Hire2Retire uses OAuth authorization for authenticating Azure AD and Exchange Online.

By linking your Azure AD and Exchange Online account with Hire2Retire, you can authorize RoboMQ to have a delegated access on your behalf to both applications. Hire2Retire needs the following permissions on your account to provide a seamless integration experience:

For Azure Active Directory

Service Provider Application

Scopes Explanation
User.ReadWrite.All Read and write all user's full profiles
Group.ReadWrite.All Read and write all groups
Directory.AccessAsUser.All Application requires this scope to reset their password.
offline_access Maintain access to data you have given it access to. When a user approves the offline_access scope, your app can receive refresh tokens from the Microsoft identity platform token endpoint. Refresh tokens are long-lived. Your app can get new access tokens as older ones expire.

Customer Owned Application

Scopes Explanation
User.ReadWrite.All Allows the user to read and update the user profiles without a signed in user.
Group.ReadWrite.All Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write conversations. All of these operations can be performed by the app without a signed-in user.
Directory.ReadWrite.All Application requires this scope to reset their password.
User.EnableDisableAccount.All Grants the ability to enable or disable any user account within the Azure AD tenant.

For Microsoft Exchange Online

Feature Role Explanation
Azure AD Distribution List Distribution Groups Read and Write Azure AD distribution lists.
Mail-Enabled Security Groups Security Group Creation and Membership Read and write mail enabled security groups.
Shared Mailbox User Administrator Read and write on mailbox.

The specified permissions should be included in a role group that the service account is being assigned to.

Create a Connection

Azure AD Connection: Service Provider Application

You need to have an Azure Active Directory account before using Azure AD application on hire2retire.

Azure AD Connection Name

Figure 1. Service Provider Application Connection

On clicking the 'Link Account' button, you will be redirected to Microsoft Account Authorization screen. and then enter the account details to use the Azure Active Directory for this flow

Azure AD Sign In

Figure 2. Azure AD Sign In

One also need admin consent. After entering acount details you will be redirected to microsoft admin approval pannel, enter justification for requesting and click on Request approval.

Azure AD Sign In

Figure 3. Azure AD Sign In

From the Azure admin portal, click on Review permissions and consent option to approve the request

Azure AD Sign In

Figure 4. Azure AD Sign In

By allowing access, you are authorizing RoboMQ to access your AzureAD account and make changes based on changes in HR data.

Azure AD Connection: Customer Owned Application

You need to have application registered on your tenant & provide necessary permission required by Hire2Retire. Hire2Retire requires the following details to create a connection.

  • Azure National cloud - Select the specific national or regional instance of a cloud service, such as Microsoft Azure National Cloud, tailored to meet local regulatory and compliance needs.
  • Client ID - Application ID
  • Tenant ID - Unique identifier of the Azure Active Directory instance.

Navigate to the "Overview" blade within your registered application to locate both the Tenant ID and the Client/Application ID.

Customer Owned Application

Figure 5. Customer Owned Application connection

Exchange Online Connection

To establish Exchange Online connection, you need to have an Azure Active Directory service account existing in a role group with neccessary permissions mentioned above.

Azure AD with Exchange Online Connection Name

Figure 6. Azure AD with Exchange Online Connection set up

Here are the permissions requested by Hire2Retire from your Microsoft Exchange Online account:

Permission requested from Microsoft Exchange Online

Figure 7. Permissions requested from Microsoft Exchange Online