SAP Knowledge Base Article - Public

2978862 - Interview Scheduling Outlook Integration Using Modern Authentication - Recruiting Management

Symptom

Prior to the second half 2020 (2H 2020) release, Interview Scheduling with Outlook Integration (ISOI) supported only Basic Authentication, as it primarily used Exchange Web Services.

As of the 2H 2020 release, Interview Scheduling Outlook Integration supports integration with Microsoft Exchange Online and Microsoft Office 365 using Modern Authentication. Exchange Online supports this integration with or without multifactor authentication enabled.

SAP SuccessFactors Recruiting will continue to support Basic Authentication for Outlook Integration for as long as Microsoft supports it.

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

Environment

SAP SuccessFactors Recruiting Management

Resolution

Before enabling Exchange Online, review the links below to learn the prerequisites:

Technical Details for Interview Scheduling Outlook Integration Using Modern Authentication
Integrating Interview Scheduling with Microsoft Office Outlook Using Modern Authentication

NOTE: There are two types of authentication available for service principals: password-based authentication (application secret) and certificate-based authentication. As of the 2H 2020 release, Interview Scheduling with Outlook Integration using Modern Authentication supports only password-based authentication, which is set up by creating a new application secret.


Steps on enabling Interview Scheduling with Outlook Integration and using Modern Authentication: 

  1. Log in and open the "Set Up Interview Scheduling Outlook Integration" admin page
  2. A new radio button 'Exchange Online' is displayed
  3. Select Exchange Online
  4. Fill in all the configuration details (the details come from the Azure portal, which requires the engagement of your internal Exchange, System or Network Admin)
    Application (client) ID: The unique application or client ID assigned to your application registered in Azure Active Directory. You can find this information on your application registration page on the Azure portal.
    Client Secret: The client secret value you generated for your application in Azure Active Directory. This value is the password used by the application to authenticate with the Microsoft identity platform when requesting a token.
    Directory (tenant) ID: The globally unique identifier (GUID) that is different than your organization name or domain. You can find this information on your application registration page on the Azure portal.
    Email ID: The email ID of the Service Account associated with your application registered in Azure Active Directory, for example: Interview.Scheduling@customerdomain.com.
    Azure AD Endpoint: The endpoint URL of the Service Account associated with your application registered in Azure Active Directory. By default, this field contains the URL for public cloud: https://login.microsoftonline.com.
    NOTE: Ensure that you grant admin consent for the following Graph API permissions for sending or receiving emails, and accessing the calendars of organizers and interviewers:

    Delegated permissions:
    Calendars: Calendars.Read.Shared and Calendars.ReadWrite.Shared

    Application permissions:
    Calendars: Calendars.Read and Calendars.ReadWrite
    Mail: Mail.ReadWrite and Mail.Send
  5. Click 'Verify' in the Test Connection section
  6. If the connection is successful, select the "Establish Outlook Integration for Interview Scheduling" check box
  7. Click the Save button at the bottom of the page
  8. Click OK on the Confirm pop-up

  9. After successfully saving the Exchange Online configuration, you can also see that Exchange Web server (Basic Authentication) is grayed out, which means that you cannot revert to the Exchange Web server option after enabling Exchange Online.
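
Added example, not part of the SAP article or SAP's own code: a PowerShell pre-check an Exchange or Azure admin can run before entering the step 4 values, confirming that the client secret works and that the token carries exactly the application permissions listed above. It assumes the OAuth 2.0 client credentials grant against the v2.0 token endpoint; the GUIDs and the ISOI_CLIENT_SECRET environment variable are placeholders.

```powershell
# Added example: validate the app registration values before pasting them into
# the "Set Up Interview Scheduling Outlook Integration" page.
$TenantId     = '00000000-0000-0000-0000-000000000000'  # Directory (tenant) ID (placeholder)
$ClientId     = '11111111-1111-1111-1111-111111111111'  # Application (client) ID (placeholder)
$ClientSecret = $env:ISOI_CLIENT_SECRET                 # hypothetical variable; keep the secret out of scripts
$Endpoint     = 'https://login.microsoftonline.com'     # Azure AD Endpoint (public cloud default)

# Application permissions named in this article
$Expected = 'Calendars.Read', 'Calendars.ReadWrite', 'Mail.ReadWrite', 'Mail.Send'

function ConvertFrom-Base64Url([string]$Text) {
    # JWT segments are base64url without padding; restore standard base64 first
    $b64 = $Text.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

# Assumption: client credentials grant; a failure here means the ID, secret,
# tenant or endpoint is wrong, which would also fail the 'Verify' step.
$token = Invoke-RestMethod -Method Post `
    -Uri "$Endpoint/$TenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
    }

# The claims are the second dot-separated segment; decoded for diagnostics only
$claims = ConvertFrom-Base64Url ($token.access_token.Split('.')[1]) | ConvertFrom-Json
$roles  = @($claims.roles | Where-Object { $_ })

# Consented application permissions appear in the 'roles' claim
$missing = @($Expected | Where-Object { $_ -notin $roles })
$extra   = @($roles    | Where-Object { $_ -notin $Expected })

"Audience               : $($claims.aud)"
"Granted roles          : $($roles -join ', ')"
"Missing admin consent  : $($missing -join ', ')"
"Beyond what is listed  : $($extra -join ', ')"
```

An empty "Missing admin consent" line and an empty "Beyond what is listed" line mean the registration matches the article's application permission list and carries nothing broader.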


Security Considerations

Interview Scheduling covers varying use cases: creating, sending, updating and deleting meeting requests, along with checking the availability of interviewers and organizers. For this reason, the integration requires the Application permissions Calendars.Read and Calendars.ReadWrite. Customers who want to read about these permissions and their respective use cases can go through the Microsoft permissions guide: https://docs.microsoft.com/en-us/graph/permissions-reference. It explains all these permissions in detail, and explains that no user details can be accessed directly.

Also, mailbox and calendar access of an app that has been granted the application permissions in question can be controlled from the Azure application portal side by creating dynamic groups and allowing a mail-enabled or calendar-enabled security group to restrict the app's access to individuals or groups. Refer to: https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-access. This can be done for each of these application permissions. Customers can go through this documentation provided by Microsoft to add an extra layer of security from their side.
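
Added example, not part of the SAP article: one way to apply the restriction described above with Exchange Online PowerShell, scoping the registered app to a mail-enabled security group and then checking the result. The App ID, group name, group address and the second mailbox are placeholders; the service account address is the article's own example.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and an Exchange admin role.
$AppId      = '11111111-1111-1111-1111-111111111111'     # Application (client) ID (placeholder)
$ScopeGroup = 'isoi-allowed@customerdomain.com'          # hypothetical mail-enabled security group
$Allowed    = 'Interview.Scheduling@customerdomain.com'  # service account from the article's example
$Outside    = 'someone.else@customerdomain.com'          # hypothetical mailbox that must stay out of scope

Connect-ExchangeOnline

# Mail-enabled security group holding every mailbox the app may touch.
# Organizers and interviewers whose calendars the integration reads or
# writes must also be members, or scheduling for them will be denied.
New-DistributionGroup -Name 'ISOI Allowed Mailboxes' -Type Security `
    -PrimarySmtpAddress $ScopeGroup -Members $Allowed

# Without a policy, application permissions apply to every mailbox in the
# tenant; RestrictAccess limits the app to members of the scope group.
New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $ScopeGroup `
    -AccessRight RestrictAccess `
    -Description 'Limit ISOI app to interview scheduling mailboxes'

# Expect Granted for the group member and Denied for the outside mailbox
foreach ($mbx in $Allowed, $Outside) {
    $result = Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId
    '{0,-45} {1}' -f $mbx, $result.AccessCheckResult
}

# Review the policies currently attached to the app
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId } |
    Format-List Identity, AccessRight, ScopeName, Description
```

Policy changes can take some time to be reflected in Graph API calls even after Test-ApplicationAccessPolicy reports the expected result, so re-run the 'Verify' step in the SAP admin page after the policy has settled.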

 

See Also

2271568 - Outlook Integration for Interview Scheduling

Keywords

b2011 outlook integration, Basic Authentication, OAuth interview scheduling,  OAuth 2.0, azure, RCM-70148 , KBA , LOD-SF-RCM-IVW , Interview Central, Interviews, Scheduling etc , How To

Product

SAP SuccessFactors Recruiting all versions
