Enable Improved Sign-In Experience with Application Permissions

When you set up the application in Microsoft Azure for this integration by following the setup steps, you granted delegated permissions to the APIs the integration requires, such as Calendars.ReadWrite. These API permissions let sync and the add-in access users' emails, appointments, contacts, and tasks in Microsoft.

With delegated permissions, when a user's Microsoft token expires (90 days after the user last signed in to the add-in), sync fails with an error until the user signs in to the add-in again.

If you want sync to continue seamlessly without your users having to sign in to the add-in every 90 days, add application permissions for the APIs the integration requires to the application registered in Microsoft Azure.

After you give the extra application permissions to the application in Microsoft Azure, the scheduled standard sync process uses those permissions to sign in. The add-in, meanwhile, continues to use the existing delegated permissions.

Note: Only administrators can enable the application permissions.

After you give the extra application permissions, your users need to sign in to the add-in just once; after that they don't need to open the add-in again.

Add and Enable Application Permissions

To add and enable the application permissions for the add-in:

  1. Add the application permissions in Microsoft Azure for the application you created for the Oracle Microsoft 365 add-in.
  2. Enable application permissions in the Sales application.
  3. Notify your users to sign into the add-in once.

Add Application Permissions in Microsoft Azure

  1. Sign in to Microsoft Azure.
  2. Open the application you registered for the Oracle Microsoft 365 add-in.
  3. Go to the API Permissions tab and click Add a permission.
  4. Select APIs my organization uses.
  5. Search for Office and select Office 365 Exchange Online.
  6. Click Application Permissions and add the permissions shown in this table:

     Permission          Option to Select
     ----------          ----------------
     Calendars           Calendars.ReadWrite.All
     Contacts            Contacts.ReadWrite
     Mail                Mail.ReadWrite
     Mailbox Settings    MailboxSettings.ReadWrite
     Tasks               Tasks.ReadWrite
     User                User.Read.All

  7. Click Add Permissions.
  8. On the API permissions page, select Grant admin consent for each permission you added to consent on behalf of users.

Enable Application Permissions in the Sales Application

  1. In the Setup and Maintenance work area, use the Manage Microsoft 365 task:
    • Offering: Sales
    • Functional Area: Integrations
    • Task: Manage Microsoft 365
  2. Under Synchronization Settings, enable the Enable Microsoft Application Permission option.
  3. Click Save and Close.

Configure an Application Access Policy to Secure Your Mailboxes

In principle, an application that has been granted these application permissions can access every mailbox in the Microsoft tenant the application belongs to. However, the Oracle Microsoft 365 sync process, which uses this application, only accesses the mailboxes of users who have signed in to the add-in. The add-in itself doesn't use the application permissions; it uses only the delegated permissions.

Depending on your company's security requirements, you may want to restrict the application further so that it can reach only certain users' mailboxes. To do that, configure an application access policy before you enable the application permissions on the application.

Note: Configuring an application access policy is optional and depends on your business's security requirements.

As a Microsoft Azure administrator, configure an application access policy:

  1. Create a mail-enabled security group in the Microsoft Exchange admin center.
  2. Create an application access policy in Windows PowerShell for the security group you created.

    The access policy restricts the scope of mailboxes that the standard sync process can access.

Create a Mail-Enabled Security Group

  1. Sign in to the Exchange Admin Center at https://admin.exchange.microsoft.com/#/.
  2. Navigate to Groups > Mail-enabled security.
  3. Click Add a group.
  4. In the Group type section, select Mail-enabled security and click Next.
  5. In the Basics section, enter a name and description, and click Next.
  6. In the Settings section, enter the group email address, and configure the following:
    1. Communication: Leave the check box clear.
    2. Approval: Select the Require owner approval to join the group check box.
  7. In the Finish section, verify all the details, and click Create group.
  8. The mail-enabled security group you created shows up in the Groups list.
  9. Next, assign owners and add members to the group. To do that, click the group name.
  10. On the Group Details window, click the Members tab.
    1. You are the owner of the group you created. If you want to add more owners, click View all and manage owners.
    2. On the Owners page, click Add owners.
    3. Select the group owners from the list and click Add. Then click the back arrow to go back to the Members tab.
    4. Next, add the users you want to give seamless sync access to. On the Members tab, click View all and manage members.
    5. On the Members page, click Add members.
    6. Select the members from the list and click Add. Then click the back arrow to go back to the Members tab.
  11. Close the group.

    The mail-enabled security group is ready for use.

Create an Application Access Policy

  1. Open Windows PowerShell.
  2. Run the following commands in Windows PowerShell.
    • $UserCredential = Get-Credential

      A window to enter your administrator credentials appears. Enter the administrator credentials.

    • Next, enter the command:

      $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

      You get a prompt to enter your administrator credentials again. Enter them.

    • Next, enter the command:

      Import-PSSession $Session -DisableNameChecking
  3. Identify the application's Application (client) ID and the mail-enabled security group that will restrict access to the application.
    Note: You can get the application's Application (client) ID from Microsoft Azure. Use the mail-enabled security group you just created by following the steps in the section above, Create a Mail-Enabled Security Group.
  4. Next, create an application access policy.

    Replace the AppId argument with the Application (client) ID registered in Microsoft Azure and the PolicyScopeGroupId argument with the security group's email address, and run the following command:

    • New-ApplicationAccessPolicy -AppId xxxxxxxxxxxxxxxxxxxx -PolicyScopeGroupId xxxxxxxxxxxxxxxxxx -AccessRight RestrictAccess

    It may take about 30 minutes for your changes to take effect.

  5. Test the newly created application access policy.

    Run the following command, replacing the arguments for Identity and AppId. Identity is the email address of a user added to the security group, and AppId is the Application (client) ID registered in Microsoft Azure.

    • Test-ApplicationAccessPolicy -Identity <Identity> -AppId <AppId>
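The policy creation and verification steps above, written as one script. This is an added example, not part of the Oracle documentation; it assumes the Exchange Online PowerShell session from step 2 is already established, and the AppId, group address and mailbox addresses are placeholders you must replace.

```powershell
# Added example (not Oracle's code): create the RestrictAccess policy for the
# add-in's Azure application and confirm which mailboxes it can still reach.
# Assumes the *-ApplicationAccessPolicy cmdlets are available because the
# Exchange Online session from step 2 has already been imported.

# Placeholders: substitute the Application (client) ID from Microsoft Azure and
# the email address of the mail-enabled security group you created.
$AppId       = '00000000-0000-0000-0000-000000000000'   # placeholder
$PolicyGroup = 'm365-sync-users@example.com'            # placeholder group address

# Constructed sample mailboxes: one that is a member of the group, one that is not.
$Mailboxes = @('alice@example.com', 'bob@example.com')

# Create the policy only if none exists for this AppId yet, so rerunning the
# script does not leave duplicate policies behind.
$existing = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if (-not $existing) {
    New-ApplicationAccessPolicy -AppId $AppId `
        -PolicyScopeGroupId $PolicyGroup `
        -AccessRight RestrictAccess `
        -Description 'Limit Oracle Microsoft 365 sync to members of the sync group'
    Write-Host "Policy created for $AppId; allow up to 30 minutes for it to take effect."
} else {
    Write-Host "A policy for $AppId already exists:"
    $existing | Format-List AppId, ScopeName, AccessRight
}

# Verify the effective scope: group members should report Granted and every
# other mailbox Denied. Any other outcome means the policy has not propagated
# yet or the group membership is not what you intended.
foreach ($mbx in $Mailboxes) {
    $result = Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId
    '{0,-30} {1}' -f $mbx, $result.AccessCheckResult
}
```

Run the verification loop again after the propagation window if the first pass still shows Granted for a mailbox outside the group.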