This document describes what data MazeMap accesses and what the data is used for when integrating the meeting room visualisation with Office 365 in MazeMap.
The Office 365 (O365) integration is used for room booking. In order to use it, a consent form must be completed: https://admin.mazemap.com/booking/office365/
In this consent form, MazeMap asks for access to:
Full access to user calendars - allowing MazeMap to create, read, update and delete events in user calendars. This is necessary to book a room with a user that is logged in.
Reading user’s basic profile (name, picture and username): This is used to provide a more personalized user experience. This information is only accessed for a signed-in user.
In more detail:
MazeMap retrieves free/busy availability information for a specified time period using https://docs.microsoft.com/en-us/graph/api/calendar-getschedule?view=graph-rest-1.0
Users’ calendar events for a specified time period are retrieved using https://docs.microsoft.com/en-us/graph/api/user-list-calendarview?view=graph-rest-1.0
Calendar events are created in the users’ calendars using https://docs.microsoft.com/en-us/graph/api/user-post-events?view=graph-rest-1.0
Here is a full list of all the Office 365 API calls*:
Getting availability (overview in map for specific point in time) + schedule for a single room for some time in the future (we use the timestamps, not the other information in the schedule items)
→ GET https://graph.microsoft.com/beta/users/{external_id}/calendar/getschedule
Booking a room anonymously (e.g. through kiosk)
→ POST https://graph.microsoft.com/beta/users/{external_id}/events
Booking a room with a user
→ POST https://graph.microsoft.com/beta/me/events
Cancel a reservation
→ DELETE https://graph.microsoft.com/beta/me/events
Get user reservations
→ GET https://graph.microsoft.com/beta/me/calendar/calendarView
Getting a token for MazeMap to authenticate with the external API for making future calls. Used in all flows.
→ POST https://login.microsoftonline.com/{domain}/oauth2/v2.0/token
User login. This endpoint is accessed directly from the client and starts an OAuth flow. The access token retrieved from this flow is used in subsequent calls to MazeMap, and MazeMap uses the token on behalf of the user to authenticate when creating reservations.
→ GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize
All access to these APIs is done using HTTPS.
The login flow is client side only. It does not go through MazeMap servers. The user gets prompted for a login flow from Office365 which returns an access token. This access token is stored locally in a cookie and used in calls to MazeMap when booking a room. The access token is forwarded directly to the Office365 APIs for booking a room (impersonation). During this whole process, the only thing MazeMap stores is whether the room was booked successfully or if any errors occurred. End users only see if a room is available or not and for what time it is available, not what the room is booked for and not the meetings’ participants.
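The data minimisation described above (only the timestamps of schedule items are used, and end users see availability but not what a room is booked for or who attends), shown as an added example that is not MazeMap's code. It assumes a response shaped like Microsoft Graph's getSchedule output, that all times share one time zone, and that any status other than "free" occupies the room; the function names and sample data are constructed for illustration.

```python
from datetime import datetime

# Constructed sample shaped like a Graph getSchedule response (not real tenant data).
SAMPLE_RESPONSE = {"value": [{
    "scheduleId": "room-a@example.com",
    "availabilityView": "0220",
    "scheduleItems": [
        {"status": "busy", "subject": "Board review", "location": "Room A",
         "start": {"dateTime": "2024-05-06T09:00:00.0000000", "timeZone": "UTC"},
         "end": {"dateTime": "2024-05-06T10:00:00.0000000", "timeZone": "UTC"}},
        {"status": "tentative", "subject": "1:1 Alice/Bob", "location": "Room A",
         "start": {"dateTime": "2024-05-06T09:30:00.0000000", "timeZone": "UTC"},
         "end": {"dateTime": "2024-05-06T11:00:00.0000000", "timeZone": "UTC"}},
        {"status": "free", "subject": "Optional drop-in", "location": "Room A",
         "start": {"dateTime": "2024-05-06T13:00:00.0000000", "timeZone": "UTC"},
         "end": {"dateTime": "2024-05-06T14:00:00.0000000", "timeZone": "UTC"}},
    ],
}]}


def _parse(ts):
    # Graph returns seven fractional digits; drop them before parsing.
    return datetime.strptime(ts["dateTime"].split(".")[0], "%Y-%m-%dT%H:%M:%S")


def busy_intervals(response):
    """Return {scheduleId: merged [(start, end)]}, keeping timestamps only.

    Subject, location and every other scheduleItem field are discarded here,
    so nothing downstream can display or log them.
    """
    rooms = {}
    for sched in response.get("value", []):
        # A schedule that failed to resolve has no scheduleItems key.
        spans = sorted(
            (_parse(item["start"]), _parse(item["end"]))
            for item in sched.get("scheduleItems", [])
            if item.get("status") != "free"  # assumption: non-free occupies the room
        )
        merged = []
        for start, end in spans:
            if merged and start <= merged[-1][1]:
                # Overlapping or adjacent bookings collapse into one busy span.
                merged[-1] = (merged[-1][0], max(merged[-1][1], end))
            else:
                merged.append((start, end))
        rooms[sched["scheduleId"]] = merged
    return rooms


def is_available(intervals, at):
    """True when the instant `at` falls outside every busy span."""
    return not any(start <= at < end for start, end in intervals)
```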
*This list includes the API Calls which are currently in use in the application. They do not need updates when we change some of the calls later, because the purpose will be the same and the rights we request from both the customer and each user are the same. In the future some things may change though because:
Microsoft makes changes
We want to optimise the flow (faster alternative API calls doing the same action)
New requirements/ new features