Functionality
Our application currently offers Microsoft integration for two main functionalities:
- Synchronizing profile pictures from an Entra ID environment.
- Adding/Sending meeting requests to Entra ID users via the training module.
This integration is powered by Microsoft Graph, the default API platform for connecting to Entra ID environments.
Connection Options
We offer two different ways to connect BCS Epowerhr to your Entra ID:
1. Application Permission (MicrosoftGraphSecret)
- Grants access without a signed-in user.
- BCS Epowerhr interacts with Entra ID independently.
2. Delegated Permission (MicrosoftGraphPassword)
- Grants access on behalf of a signed-in user.
- Requires a user to authenticate.
- The user account must not have Multi-Factor Authentication enabled.
For more details on permission types, visit: Microsoft Docs.
Remote Account Setup
To configure the integration, follow these steps:
1. Adding an External Account
- Navigate to the Admin section in BCS Epowerhr.
- Open the Remote Accounts page.
- Click Add New Remote Account.
- Choose the correct remote account type. For the application connection integration choose "MicrosoftGraphSecret"; for delegated authentication (see 2b. Delegated Connection Setup further in this article) choose "MicrosoftGraphPassword".
- Enter a name for the remote account.
- Refer to the relevant section below to fill in the required fields.
2a. Application Connection Setup (for Application Permission)
- Open your Entra ID dashboard.
- Go to Microsoft Entra ID → Manage → App registrations.
- If an app for BCS Epowerhr already exists (under All applications), select it.
- Otherwise, create a new app registration and select the correct supported account type.
- Select the app and copy the Tenant ID and Client ID. Paste these values in the corresponding fields of the remote account in BCS Epowerhr.
- Navigate to Manage → Certificates & Secrets:
  - Add a new client secret.
  - Enter a description and choose an appropriate expiration date (an expired secret breaks the integration, so note the date and renew the secret before it expires).
  - Copy the value of the client secret immediately after creating it; afterwards the value can no longer be viewed or copied, and you would have to create a new client secret.
  - Paste the value of the client secret in the corresponding field of the remote account in BCS Epowerhr.
- Navigate to Manage → API permissions to add the correct permissions:
  For picture synchronization (Microsoft Graph → Application permissions → User.Read.All):
  - Click Add a permission
  - Select Microsoft Graph from the Microsoft APIs
  - Choose Application permissions
  - Search for the permission User.Read.All and select it
  - Click on Add permissions
  For meeting requests (Microsoft Graph → Application permissions → Calendars.ReadWrite):
  - Click Add a permission
  - Select Microsoft Graph from the Microsoft APIs
  - Choose Application permissions
  - Search for the permission Calendars.ReadWrite and select it
  - Click on Add permissions
Important remarks:
- Calendars.ReadWrite grants access to all users' calendars in the tenant.
- If you want to restrict this access to only a specific user or mailbox, you need to create an Application Access Policy in your Azure environment. This can be done via the Exchange Online PowerShell module using the following steps:
  - If asked which language to use, select PowerShell.
  - On the next screen select "No storage" and select the subscription linked to the BCS Epowerhr application, then click Apply.
  - Execute: Connect-ExchangeOnline
  - Fill in the correct values in the following command and execute it:
    New-ApplicationAccessPolicy -AppId "the application id" -PolicyScopeGroupId "the mailbox account e-mail" -AccessRight RestrictAccess -Description "Restrict app to the mailbox account"
  - With this policy in place, BCS Epowerhr can only access the calendar of "the mailbox account e-mail".
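The same restriction carried through end to end with a verification step, as an added example that is not part of this article; the app ID and the two mailbox addresses are placeholders you must replace with your own values:

```powershell
# Added example (not from the original article): create the Application Access
# Policy that scopes BCS Epowerhr to one mailbox, then verify it actually holds.
# All three values below are placeholders (assumptions); replace them.
$AppId     = "00000000-0000-0000-0000-000000000000"   # Client ID of the BCS Epowerhr app registration
$Mailbox   = "training-invites@contoso.example"       # the only mailbox the app may use
$OtherUser = "someone.else@contoso.example"           # any other mailbox, used only to confirm the restriction

Connect-ExchangeOnline

# Scope the app to one mailbox. PolicyScopeGroupId accepts a user mailbox
# or a mail-enabled security group.
New-ApplicationAccessPolicy -AppId $AppId `
    -PolicyScopeGroupId $Mailbox `
    -AccessRight RestrictAccess `
    -Description "Restrict BCS Epowerhr to the training mailbox"

# List every policy attached to this app, so an older or conflicting policy is noticed.
Get-ApplicationAccessPolicy |
    Where-Object { $_.AppId -eq $AppId } |
    Format-List AppId, ScopeIdentity, AccessRight, Description

# Verify: the allowed mailbox should report Granted, every other mailbox Denied.
# Policy changes take a while to propagate; re-run these checks if the result is unexpected.
Test-ApplicationAccessPolicy -Identity $Mailbox   -AppId $AppId | Select-Object Mailbox, AccessCheckResult
Test-ApplicationAccessPolicy -Identity $OtherUser -AppId $AppId | Select-Object Mailbox, AccessCheckResult
```

Run the two Test-ApplicationAccessPolicy checks again after any change to the policy, since the calendar permission itself still reads Calendars.ReadWrite for the whole tenant in the app registration.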
- An admin must approve the requested permissions (grant admin consent).
- Lastly, in the remote account of BCS Epowerhr fill in a mailbox. This mailbox will be the owner of all Outlook meeting requests created and sent by the BCS Epowerhr application to the training participants.
2b. Delegated Connection Setup (for Delegated Permission)
- Enter the username and password in the respective fields of the remote account.
- Important: This account must not have multi-factor authentication enabled, because BCS Epowerhr uses this account in the background, where a multi-factor authentication prompt cannot be completed.
- Click Save.
- A new button will appear – click it to proceed.
- Log in using the same user credentials (not a personal or admin account).
- Important: Make sure to log in with the same user that was just filled in and NOT with another personal or admin account. If the option to grant these permissions for the whole organization is shown, uncheck it.
- Grant the required permissions:
- Read all users' basic profiles
- Full access to calendars
- Sign in as you
- Maintain access to authorized data
- View your email address
- Click on "Accept" (do not check "Consent on behalf of your organization")
- After granting permissions, you will be redirected to the Remote Accounts page, where a confirmation should appear.
- Depending on the configuration of your organization, another user with admin permissions may have to approve your request.
Final BCS Epowerhr Setup
1. Enabling Picture Synchronization
- Navigate to Personnel Administration → Settings.
- Change the Microsoft Photo Synchronization setting to the newly created remote account.
- A service task must be created before the photos are synced to BCS Epowerhr.
2. Enabling Meeting Requests
- Navigate to Training → Settings.
- Set Training Invitation Type to MicrosoftGraph.
- Change the Exchange Invitation Synchronization setting to the newly created remote account.