This article describes the steps needed to connect your own organisation in Thola to your own Azure AD / Office 365 Tenant. The result will be that all meetings will be created in your own tenant and not in the tenant of Thola.
Follow the next steps in Azure Active Directory
Create a new App Registration
Thola as an application needs to be recognized by the tenant it interacts with. This is done by registering Thola as an application (App Registration) in the tenant.
The name or description of the application can be anything the administrator likes. This registration will not be visually presented to the users. However this application does need the following Microsoft Graph permissions:
OnlineMeetings.ReadWrite.All: Needed to create online meetings (see Microsoft Docs )
Aside of the permissions Thola will require a valid secret for this application.
Steps to follow:
- Go to Azure Active Directory in the Azure Portal (https://portal.azure.com )
- Go to App Registrations
- Create a new registration
- Click on "+ New Registartion"
- Name: free to choose
- Supported Account Types: free to choose (we do not use this application for authentication users but you need to choose an option)
- Click Register and the details of the app registration will open
- Copy Tenant Id & Client ID to provide to Thola
- Give the required permissions
- In the left menu click on API permission
- Click on Add Permissions
- Select "Graph API"
- Select "Application permissions"
- Search for OnlineMeetings and select "OnlineMeetings.ReadWrite.All"
- Click on "Add Permission"
- Admin consent is required for this permission. Above the table you neen to click on "Grant admin consent for {tenantname}" and select "yes" in the dialog.
- Create a secret and share the secret with us
- Click on "Certificates & secrets"
- Click on "+ New client secret"
- Provide a description to know this token is for Thola
- Enter a description and a period of "24 months" (you can always substract the client secret to stop our access)
- Copy the value to provide to Thola
That is all you need to do in the Azure portal.
Create meeting organizer user
Online meetings in Teams require an organizer to create the meeting. This organizer can not be a guest to the tenant and needs to have a regular user with a licence for Teams. We suggest to create a service account and do not use a personal account because this person will have all automatic meetings in their history.
When creating this account please copy the ID of the user to provide to Thola. At this point we do not need a password from that user or access via an access policy to be able to create the online meetings.
Security considerations
Thola is set up to connect to the Graph API with an application (using ClientId and ClientSecret). This allows you as the Tenant owner to fine tune specific access to our application. By restricting the permission to the online meeting's category (OnlineMeetings.ReadWrite.All), Thola will not be able to access any other resource like Chats or Meetings.
Secondly for this permission there is a second level of security namely access policies (more info). Access policies contain the users for which online meetings can be created or can be queried. You need to specify at minimum one access policy in order for an application to access online meetings.
However, Thola only needs to create online meetings. It therefore doesn't need access to the online meetings of a specific person (the meeting organizer). The only requirement to create an online meeting is that it contains an organizer. This is an undocumented feature we discovered during development and are using it in corporation with Microsoft. Nevertheless, this feature is also part of their Beta endpoints and are subjected to possible changes when it is finally validated.
Remark: If the endpoint does not make it to the final version we are required to have access to the organizers online meetings. And this should be granted with an access policy. Keep in mind having access to online meeting does not grant us access to the content of any chat thread or to any video stream from that meeting.
Follow the next steps in Office 365 Teams Admin
In Teams we need a separate Meeting Policy with options only applicable on meetings that will be created by Thola. This separates our rights from the normal user rights in your Teams tenant. The options you would like to enable is depending on the security level you would like to set on these meetings. This can best be discussed in a separate meeting but we will already give instructions on what needs te be done regardless which rights you will set.
Steps to follow:
- Go to Teams admin dashboard (https://admin.teams.microsoft.com/dashboard )
- Click on "Meetings > Meeting Policies"
- Click on "+ Add" to create a new meeting policy
- Provide a meaningfull name so you know this is policy used by Thola
- You are free to add a description
- Set the meeting options depending on your choice.
- The most important settings for the "In Thola meeting experience" to work appropriate are:
- Allow "Anonymous users and dial-in callers can start a meeting"
- Set "Who can bypass the lobby " to "Everyone. It will impact the experience when one of the 2 options is set more restricted.
- To enable screensharing to work in the "In Thola meetings experience" this must be enabled as well:
- The most important settings for the "In Thola meeting experience" to work appropriate are:
- Click on Save
- Assign this newly created policy to the Teams user created as the Meeting organizer
- In the left pane click on "Users"
- Search for this user and click on the user to go to the details
- Click on policies
- Click on the "Edit" button
- In the panel "Edit user policies" change the Meeting policy to the newly created policy
- Click "Apply
Now the new policy is only used by the user that will be provided to Thola and we can only create meetings according the selected options. These optiosn can be changed without the need to contact us.
Setup in Thola
Currently, there is no User interface for updating this information. Please provide the information below to our technical team via support@thola.events and they will update this information for your organisation. The client secret will be stored in a secure Azure KeyVault and after a confirmation that all setup is ok we will remove the secret from other data stores like email.
In order to activate the external tenant we need:
TenantId: An guid identifier of the tenant to target
ClientId: The client guid with the correct permissions
ClientSecret: Previously created secret for the client
MeetingOrganiserId: The object id of the user
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article