This document describes what data MazeMap accesses and what the data is used for when integrating the meeting room visualisation with Office 365 in MazeMap.

The Office 365 (O365) integration is used for room booking. In order to use it, a consent form must be completed: https://admin.mazemap.com/booking/office365/

In this consent form, MazeMap asks for access to:

  • Full access to user calendars - allowing MazeMap to create, read, update and delete events in user calendars. This is necessary to book a room with a user that is logged in.

  • Reading user’s basic profile (name, picture and username): This is used to provide a more personalized user experience. This information is only accessed for a signed-in user.

In more detail:

Here is a full list of all the Office365 API calls*:

  • Getting availability (overview in map for specific point in time) + schedule for a single room for some time in the future (we use the timestamps, not the other information in the schedule items)

→ GET https://graph.microsoft.com/beta/users/{external_id}/calendar/getschedule

  • Booking a room anonymously (e.g. through kiosk)

→ POST https://graph.microsoft.com/beta/users/{external_id}/events

  • Booking a room with a user

→ POST https://graph.microsoft.com/beta/me/events

  • Cancel a reservation

→ DELETE https://graph.microsoft.com/beta/me/events

  • Get user reservations

→ GET https://graph.microsoft.com/beta/me/calendar/calendarView

  • Getting a token for MazeMap to authenticate with the external API for making future calls. Used in all flows.

→ POST https://login.microsoftonline.com/{domain}/oauth2/v2.0/token

  • User login. This endpoint is accessed directly from the client and starts an OAuth flow. The access token retrieved from this flow is used in subsequent calls to MazeMap, and MazeMap uses the token on behalf of the user to authenticate when creating reservations.

→ GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize

All access to these APIs is done using HTTPS.

The login flow is client side only. It does not go through MazeMap servers. The user gets prompted for a login flow from Office365 which returns an access token. This access token is stored locally in a cookie and used in calls to MazeMap when booking a room. The access token is forwarded directly to the Office365 APIs for booking a room (impersonation). During this whole process, the only thing MazeMap stores is whether the room was booked successfully or if any errors occurred. End users only see if a room is available or not and for what time it is available, not what the room is booked for and not the meetings’ participants.
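The data minimisation described above (only timestamps are kept from schedule items, and end users see availability but not subjects or participants) can be illustrated as follows. This is an added example, not MazeMap's code: the function names are hypothetical, the sample response is constructed to follow the shape of a Microsoft Graph getSchedule response, and it assumes times were requested in UTC.

```python
from datetime import datetime, timezone

# Constructed sample shaped like a Microsoft Graph getSchedule response.
SAMPLE_RESPONSE = {
    "value": [{
        "scheduleId": "room-101@example.com",
        "availabilityView": "0020",
        "scheduleItems": [{
            "isPrivate": False,
            "status": "busy",
            "subject": "Budget review",      # must never reach the map client
            "location": "Room 101",
            "start": {"dateTime": "2024-05-02T09:00:00.0000000", "timeZone": "UTC"},
            "end": {"dateTime": "2024-05-02T10:30:00.0000000", "timeZone": "UTC"},
        }],
    }]
}


def parse_utc(ts):
    """Parse a Graph dateTimeTimeZone object; reject anything not in UTC."""
    if ts.get("timeZone") != "UTC":
        raise ValueError("expected UTC timestamps")  # assumption: UTC was requested
    # Graph returns 7 fractional digits; whole seconds are enough here.
    parsed = datetime.strptime(ts["dateTime"][:19], "%Y-%m-%dT%H:%M:%S")
    return parsed.replace(tzinfo=timezone.utc)


def busy_intervals(response):
    """Return {room_id: [(start, end), ...]}, dropping every other field."""
    rooms = {}
    for schedule in response.get("value", []):
        items = schedule.get("scheduleItems", [])
        rooms[schedule["scheduleId"]] = sorted(
            (parse_utc(item["start"]), parse_utc(item["end"]))
            for item in items
            if item.get("status") != "free"
        )
    return rooms


def is_available(intervals, when):
    """True if `when` falls inside no busy interval (end is exclusive)."""
    return not any(start <= when < end for start, end in intervals)
```

Only the output of `busy_intervals` would be passed on to the map view, so subject, location and privacy flags are discarded at the point where the response is first handled.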

*This list includes the API Calls which are currently in use in the application. They do not need updates when we change some of the calls later, because the purpose will be the same and the rights we request from both the customer and each user are the same. In the future some things may change though because:

  • Microsoft makes changes

  • We want to optimise the flow (faster alternative API calls doing the same action)

  • New requirements/ new features