This article covers preparing M365 for the Humly Control Panel integration using Graph APIs and scoped application permissions.
Note: M365 Global Admin permissions are required to complete the preparation.
Scoped Application Permissions (Advanced)
This section will prepare Microsoft Entra for the Humly Control Panel. First, you need to register a custom application. This process can be done from the Microsoft Entra admin center or PowerShell. We will go through the setup using the Entra Admin Center in the next steps below. If you prefer to do everything from PowerShell, skip everything and head to PowerShell.
Here is the process flow for creating the application, creating the needed groups, and assigning the required permissions.
1. Log in to the Microsoft Entra admin center. To register an HCP application in Azure, click on App Registration to open the application registration blade, then click New Registration.
2. Select a name for your application and click Register.
3. Once the application is created, the summary page should appear. Make a note of the Application (client) ID and Directory (tenant) ID, as they will be needed later when connecting the Humly Control Panel to Microsoft 365.
4. Go to the Enterprise Apps section, search for the app you created in the previous steps (Register an application), open its properties and copy the Object ID from there (this is different from the Object ID shown on the "App Registration" page).
Save this as "Object Id" for use with Exchange PowerShell in the coming steps.
5. SSO Setup
Note: The SSO setup is optional; if you are not planning to use SSO with the Humly control panel, you can skip this step and continue to step 6 (Configuring the client secret)
If you want to allow login using single sign-on (SSO), you should whitelist your Humly Control Panel URL in the application. To do this, go to Authentication, click Add a platform and select Single-page application. Type in your cloud URL or on-prem URL followed by /sso/redirect, and click Configure. See the examples below.
Examples for the Single-page application redirect URI:
https://XXXXX.humly.cloud/sso/redirect (Replace XXXXX with your cloud ID)
https://localhost:3002/sso/redirect
https://hcp-server-url:3002/sso/redirect (Replace hcp-server-URL with your server FQDN )
6. Configure a client secret by clicking on Certificates & secrets, then click New client secret. In the newly opened blade, enter a description of your choice and set the expiry according to your policy. Please note that the secret must remain valid for HCP to work: once it expires, meetings will stop syncing from Microsoft to the Humly Control Panel, and you will have to replace the expired client secret with a new one and re-authenticate to Microsoft.
- Only the client secret Value is supported with the Humly integration. The Secret ID is not supported and will give you an error when trying to connect.
- HCP will stop syncing with Microsoft 365 once the secret expires, so make sure you select a suitable expiry time and renew the secret before it expires.
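Because an expired secret silently stops the sync, it helps to check the remaining lifetime of the HCP app registration's secrets on a schedule. The script below is an added example, not part of the Humly documentation; it assumes the Microsoft.Graph.Applications module is installed, and the AppId value is a placeholder for the Application (client) ID recorded in step 3.

```powershell
# Added example (not from the Humly documentation): report how long each client
# secret on the HCP app registration remains valid so it can be renewed in time.
# Assumes the Microsoft.Graph.Applications module; $HcpAppId is a placeholder.
$HcpAppId   = '00000000-0000-0000-0000-000000000000'  # Application (client) ID from step 3
$WarnWithin = 30                                      # days before expiry to flag a secret

Connect-MgGraph -Scopes 'Application.Read.All'

# Look the registration up by its AppId (the client ID), not its object ID.
$app = Get-MgApplication -Filter "appId eq '$HcpAppId'"
if (-not $app) { throw "No app registration found for AppId $HcpAppId" }

$now = Get-Date
foreach ($secret in $app.PasswordCredentials) {
    $daysLeft = [int]($secret.EndDateTime - $now).TotalDays
    $state = if ($daysLeft -lt 0)              { 'EXPIRED' }
             elseif ($daysLeft -le $WarnWithin) { 'RENEW SOON' }
             else                               { 'OK' }
    # One row per secret; the Value itself is never retrievable after creation,
    # so only metadata (description, KeyId, expiry) is shown.
    [pscustomobject]@{
        Description = $secret.DisplayName
        KeyId       = $secret.KeyId
        Expires     = $secret.EndDateTime
        DaysLeft    = $daysLeft
        State       = $state
    }
}
```

Any row marked RENEW SOON or EXPIRED means a new secret should be created and re-entered in HCP as described in step 6.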
7. Go to the App registration and select API permissions setting and click the Add a permission button, then select Microsoft Graph
8. In the permission selection page, select Application Permission, which will open the list of permissions for application access. Search for and check mark User.Read.All and click add permission.
Repeat the same step again, search for and check mark Group.Read.All then click add permissions.
If you are planning to use the User Groups to Restrict Single Sign-On, please check out the required API permission in this document.
If you do not want to limit the "Group.Read.All" permissions to specific groups, please use Azure Application Access Policies.
Application Access Policies
Please note that access should be granted to any group that will be used in the Humly Control Panel, such as resources, senders, Visitor groups, and others.
Resources and Senders Groups
In this section, we will create two Mail Enabled Security Groups or Microsoft 365 groups in the Microsoft Entra admin center. The first group is for all resources (Rooms, Desks, and Parking spaces) that we want to allow to be added to the Humly Control Panel. The second group is for the account that can send email notifications related to the Humly Control Panel functions. If you prefer to do everything from PowerShell, skip this section and head to PowerShell.
1. Create a Resources Group: The example below shows how to create your Mail-Enabled Security Group.
In the Exchange Admin Center, select groups and click Add Group.
Choose Mail-Enabled Security for the group type, and click next.
Add a group name of your choice, and optionally add some description. Then click next.
Assign a group owner; the owner could be any account. Click next.
Add members to the group, which could be room, desk, and/or parking resources.
Note: you should add all resources you plan to use in the Humly Control Panel to this group.
After adding a new member to the group, the permissions might take up to 2 hours to apply.
The group is created and ready to be used.
2. Now that the group is created and the resources have been added, go to Microsoft Entra
Find the group you created by searching for its name. Copy the resource group Object ID. This Object ID will be used later in the service principal creation section.
3. Create Senders Group: Repeat the previous two steps, but instead of adding resources, add the users you want to use in the Humly Control Panel for sending email notifications. One user should be enough, but you can add more if you want.
Collect the Object ID for the Senders group as well; it will be needed later in the service principal creation section.
Application Role Based Access Control
In this section, we will create a service principal and assign the permissions to the groups we created in the previous section.
Please make sure you have an up-to-date PowerShell and the Exchange Online module installed. For more information on how to connect to Exchange Online PowerShell, see:
https://learn.microsoft.com/en-us/powershell/exchange/connect-to-exchange-online-powershell
1. Connect to Exchange Online
Set-ExecutionPolicy RemoteSigned
Replace <UPN> with your M365 global admin account, as in the example below:
Connect-ExchangeOnline -UserPrincipalName support@humly.dev
2. Create a service principal with the cmdlet below. Replace the AppId with the application ID you created in this step, and replace the AppObjectId with the Object ID from this step. The application name can be any name you prefer.
New-ServicePrincipal -AppId <<AppId>> -ObjectId <<AppObjectId>> -DisplayName "Some Display Name"
3. Create a management role assignment for the resources group. Replace the AppId with the application ID you created in this step, and replace the CalendarObjectID with the Object ID of the calendars (resources) group you created in this step.
New-ManagementRoleAssignment -App <<AppObjectId>> -Role "Application Calendars.ReadWrite" -RecipientGroupScope <<CalendarObjectID>>
4. Create a management role assignment for the senders group. Replace the AppId with the application ID you created in this step, and replace the SenderObjectID with the Object ID of the senders group you created in this step.
New-ManagementRoleAssignment -App <<AppObjectId>> -Role "Application Mail.Send" -RecipientGroupScope <<SenderObjectID>>
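The four steps above collected into a single script with a verification pass, as an added example rather than Humly's own instructions. All GUIDs and mailbox addresses are placeholders; the script assumes an existing Exchange Online PowerShell session is acceptable to create, and uses the Exchange Online cmdlets Get-ServicePrincipal, Get-ManagementRoleAssignment and Test-ServicePrincipalAuthorization to confirm the grants are scoped to the two groups and not to the whole tenant.

```powershell
# Added example (not from the Humly documentation): steps 1-4 of the
# Application RBAC section, followed by a check of what was actually granted.
# Every ID and address below is a placeholder; substitute the values you recorded.
$AppId          = '00000000-0000-0000-0000-000000000000'  # Application (client) ID, step 3
$AppObjectId    = '11111111-1111-1111-1111-111111111111'  # Enterprise app Object ID, step 4
$ResourcesGroup = '22222222-2222-2222-2222-222222222222'  # Resources group Object ID
$SendersGroup   = '33333333-3333-3333-3333-333333333333'  # Senders group Object ID
$AdminUpn       = 'admin@contoso.example'                 # M365 global admin (placeholder)
$RoomMailbox    = 'room1@contoso.example'                 # member of the resources group
$UserMailbox    = 'someone@contoso.example'               # NOT a member of either group

Connect-ExchangeOnline -UserPrincipalName $AdminUpn

# Step 2: register the Entra app as an Exchange service principal (skip if present).
if (-not (Get-ServicePrincipal -Identity $AppId -ErrorAction SilentlyContinue)) {
    New-ServicePrincipal -AppId $AppId -ObjectId $AppObjectId -DisplayName 'Humly Control Panel'
}

# Steps 3-4: bind each application role to its group scope rather than the tenant.
$assignments = @(
    @{ Role = 'Application Calendars.ReadWrite'; Scope = $ResourcesGroup }
    @{ Role = 'Application Mail.Send';           Scope = $SendersGroup }
)
foreach ($a in $assignments) {
    New-ManagementRoleAssignment -App $AppObjectId -Role $a.Role -RecipientGroupScope $a.Scope
}

# Verification 1: every assignment for this app should carry a RecipientGroupScope.
Get-ManagementRoleAssignment -App $AppObjectId |
    Format-Table Role, RecipientGroupScope -AutoSize

# Verification 2: a room in the resources group is InScope for Calendars.ReadWrite,
# while an ordinary user mailbox outside both groups is not.
foreach ($mbx in @($RoomMailbox, $UserMailbox)) {
    Write-Host "Access evaluation for $mbx"
    Test-ServicePrincipalAuthorization -Identity $AppId -Resource $mbx |
        Format-Table RoleName, GrantedPermissions, ScopeType, InScope -AutoSize
}
```

If the user mailbox shows InScope as True for either role, the assignment was created without the group scope and grants the app tenant-wide access; remove it and re-run the scoped assignment.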
Now you should be able to proceed to the next step of installing and configuring the Humly Control Panel.