Databeat Knowledge base

Integrations

Microsoft

Integrating DatabeatOMNI with Microsoft 365

In order to leverage the full potential of your DatabeatOMNI account with Microsoft 365 you will need to setup and configure the DatabeatOMNI - Business enterprise application. This article gives you an overview and guidance on how to do so.

Enhance your DatabeatOMNI experience with Microsoft 365

By integrating with Microsoft 365, DatabeatOMNI can link up with your Microsoft 365 resources and information, allowing you to display Power BI reports and dashboard on your Databeat Signage displays, store media files in SharePoint (rather than in DatabeatOMNI), view and interact with meeting room calendars on your Databeat Doorsigns or Databeat Booking, securely manage users, and so much more.

In order to take advantage of these features you'll need to set up and configure the DatabeatOMNI - Business enterprise application for your organization's specific use case.

The Enterprise Application was specifically designed to allow for secure communication and integration with your Microsoft 365 tenant from DatabeatOMNI using the Microsoft Graph API.

Below, you'll find a table of contents with relevant links and guidance to all the information you need about the integration, configuration, settings, permissions, and more.

Before you get started, please check out the section with General Information, answering the most commonly asked questions - hopefully providing you with the answers you're looking for right away!

Microsoft 365 integration fundamentals

Fundamentals:

Where to manage and configure the Microsoft 365 Integration Features
Microsoft Graph API Permissions required by DatabeatOMNI - Business enterprise

Microsoft 365 integration features

User Management:

How to streamline DatabeatOMNI User Management with Microsoft 365

- 1. Manual or automatic user registration
- 2. User Management through Microsoft 365 Groups

Calendar integration:

How to setup DatabeatOMNI for use with Databeat Doorsign and Microsoft 365

- 3. Display calendar information (Read)
- 4. Display and Touch booking (Read/Write)

Power BI

How to enable Power BI Integration in DatabeatOMNI

Teams & SharePoint

How to enable the Teams and SharePoint Integration in DatabeatOMNI

Administration

General information

Further on in this knowledge article, we have provided some general information about the DatabeatOMNI - Microsoft 365 integration and some answers to the most asked questions.

Basic understanding
Simplified Technical Overview of the Integration
Enabling Microsoft 365 integration features
Where do I find the Microsoft 365 Permissions Panel
About permissions
Restricting application permissions
Consent on behalf of your organization
Understanding the difference between Delegated and Application permissions

Basic understanding

Before you go into each of the specific features, configuration, permissions requirements, and more, it is a couple of things you should be familiar with before setting up the integration to help you on your way. It might get a little technical, but these are the most commonly asked or unclear topics for users.

1. You only grant the permissions you need based on the features you want to set up.

The permissions you grant will enable users to utilize a variety of DatabeatOMNI integration features for Microsoft 365, such as secure single sign-on (SSO) for users, user management functionalities, calendar integration access, Power BI integration, SharePoint and Teams integration, and features that streamline the administration of your DatabeatOMNI account.

2. Know the difference between Delegated Permissions and Application Permissions

There are two main types of permissions that can be requested by DatabeatOMNI, the difference between the two types is really important to understand before reviewing impact, granting or denying. Read more about the difference here from us or directly from Microsoft.

3. Setup and configuration is done in DatabeatOMNI, not Azure Portal.

Yes, you can manually add, edit and remove the Enterprise Application in your Azure Active Directory and PowerShell - but there is a simpler way.

The configuration of the Microsoft 365 integration should happen in DatabeatOMNI. Specifically in the Microsoft 365 permissions panel. Here you have everything you need to configure it and the requested permissions will be limited to the exact permissions pr. feature. We built it for you to make the setup and configuration as simple and hassle-free as possible.

4. The Graph API permissions are categorized on a general level - use policies to limit the app

It's not advisable to grant an Enterprise Application more permissions than it needs. However, the permissions that an integrator like Databeat can request may not be as specific as you require. For instance, it's not necessary to grant a "Read/Write all Calendars" for your entire organization when the Enterprise Application only needs to access and edit one particular resource, like a meeting room calendar. This is solved either by creating restrictive application policies after granting permission or by using Service Users linked to devices. Please check out the article on how to restrict DatabeatOMNI's application permissions if this seems relevant to you.

Simplified Technical Overview of the Integration

For a quick visual representation of the integration, check out the simplified overview provided here. If you require a more detailed understanding or have additional questions, please feel free to contact us for further assistance. Note that you can access more detailed documents and agreements directly in your DatabeatOMNI account.

Enabling Microsoft 365 integration features

Other than the user-friendly and secure single sign-on feature (SSO) you set up by simply logging into DatabeatOMNI with a user Microsoft 365 user, you can integrate with your Microsoft 365 tenant in many other ways. To enable any of these integrations, go to the Microsoft 365 Permissions panel in DatabeatOMNI.

The Microsoft 365 Permissions panel will allow you to enable or disable each feature directly. If enabling a setting requires more permissions than what is currently configured, you will be requested to grant the delegated and/or application permissions necessary for the feature to work.

To approve the request directly you can authorize it as an administrator. If you do not have the necessary credentials you may be allowed to request an administrator to approve or you must contact your Microsoft 365 administrator or your IT department.

Where do I find the Microsoft 365 permissions panel?

Calendar Integartion Icon in DatabeatOMNI Locations

After signing into DatabeatOMNI as a Super User or Administrator, select the Locations tab and you should see a Calendar Integration Icon if nothing is configured on your DatabeatOMNI account.

Learn more about the DatabeatOMNI Microsoft 365 Permissions Panel.

If an integration is already set up, a third-party icon will be displayed. I.E. a Microsoft 365 logo if a Microsoft 365 tenant domain is linked.

Next up, Select the Microsoft 365 icon.

About permissions

First of all, you should feel comfortable knowing the difference between delegated permissions and application permission. Check out our article here if you are unsure.

You should also note that Enterprise Applications can be granted permissions to your organization and its data by three methods:

An admin consents to the application for all users
A user grants consent to the application
An admin integrating an application and enabling self-service access or assigning users directly to the application.

Still curious?

Microsoft provides a lot of information about Enterprise Applications, Microsoft Graph API, permissions, integration, management, and more in their learning center.

Learn more about the consent experience for applications in Azure Active Directory.

Consent on behalf of your organization

"If you accept, this app will get access to the specified resources for all users in your organization. No one else will be prompted to review these permissions."

As an administrator you can grant consent on behalf of all users in this tenant, ensuring that end users will not be required to consent when using the application. Click the button below to grant admin consent.

Understanding the difference between Delegated and Application permissions

In short, delegated permissions are permissions granted to applications like DatabeatOMNI to perform specific tasks on behalf of a user.

On the other hand, application permissions are granted to applications themselves, allowing the application to access and perform broader actions within the Microsoft 365 environment, without the need for a logged-in user.

Tip: Learn more about the difference between Delegated and Application permissions.

Microsoft can help visualise this concept and explain more on learn.microsoft.com.
Check out their introduction to permissions and consent

Source: https://learn.microsoft.com/en-us/azure/active-directory/develop/permissions-consent-overview#access-scenarios

Restricting application permissions

DatabeatOMNI should not be allowed to book all calendars in your organization, but only the specific resource calendars you want it to book. To restrict the application permissions given to the DatabeatOMNI - Business app you can create internal policies, only allowing specific calendars or a group of resources to be booked by DatabeatOMNI. If this seems relevant, then check out the article: How to restrict DatabeatOMNI's application permissions.

Managing your DatabeatOMNI - Business Enterprise Application

As a Microsoft 365 tenant administrator, you can check out the Microsoft Entra admin center (AAD admin portal) to review your organization's current settings and policies for the "DatabeatOMNI - Business" enterprise application.

To learn more about Enterprise applications and management check out Microsoft's documentation on How to review permissions granted to enterprise applications

The app is registered as an enterprise application called "DatabeatOMNI - Business" located under Applications/Enterprise applications/DatabeatOMNI - Business.

2. Done

3. Calendar Read Only

Application permissions

Read all company places
Allows the app to read company places (conference rooms and room lists) for calendar events and other applications, without a signed-in user.

Read all users' full profiles
Allows the app to read user profiles without a signed in user.

Read calendars in all mailboxes
Allows the app to read events of all calendars without a signed-in user.

Sign in and read user profile
Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.

Delegated permissions

Read and write organization places
Allows the app to manage organization places (conference rooms and room lists) for calendar events and other applications, on behalf of the signed-in user.

Read and write all users' full profiles
Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user.

Have full access to user calendars
Allows the app to create, read, update, and delete events in user calendars.

Maintain access to data you have given it access to
Allows the app to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions.

Note that the Calendar integration requires both Application and Delegated Permissions. Please contact us if you have are interested in rather using a Service User.

4. Calendar Read/Write

Application permissions

Read all company places
Allows the app to read company places (conference rooms and room lists) for calendar events and other applications, without a signed-in user.

Read all users' full profiles
Allows the app to read user profiles without a signed in user.

Read and write calendars in all mailboxes
Allows the app to create, read, update, and delete events of all calendars without a signed-in user.

Delegated Permissions

Sign in and read user profile

Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.

Read and write organization places
Allows the app to manage organization places (conference rooms and room lists) for calendar events and other applications, on behalf of the signed-in user.
Read and write all users' full profiles
Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user.

Have full access to user calendars
Allows the app to create, read, update, and delete events in user calendars.

Note that the Calendar integration requires both Application and Delegated Permissions. Please contact us if you have are interested in rather using a Service User.

Tip: Check out the Mailbox application permission limitation article

4. Power BI

Delegated Permissions

View all dashboards

The app can view all dashboards for the signed in user and any dashboards that the user has access to.

View all datasets

The app can view all datasets for the signed in user and any datasets that the user has access to.

View all reports
The app can view all reports for the signed in user and reports that the user has access to. The app can also see the data within the reports as well as its structure.

View all workspaces
The app can view all workspaces that the signed in user has access to.

5. Teams & SharePoint

Delegated Permissions for the Teams and SharePoint integration feature

Delegated PermissionsSign in and read user profile
Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.

Read the names and descriptions of teams

Read the names and descriptions of teams, on behalf of the signed-in user.

Create, edit, and delete items and lists in all site collections
Allows the application to create or delete document libraries and lists in all site collections on behalf of the signed-in user.

Tip: A Databeat Signage player accessing SharePoint will require a Service User that has access to SharePoint and the 6. Admin permissions as well to assign the Service User.

6. Admin

Delegated Permissions Delegated Permissions for the Admin integration feature

Read all groups
Allows the app to list groups, and to read their properties and all group memberships on behalf of the signed-in user. Also allows the app to read calendar, conversations, files, and other group content for all groups the signed-in user can access.

Read and write group memberships
Allows the app to list groups, read basic properties, read and update the membership of the groups the signed-in user has access to. Group properties and owners cannot be updated and groups cannot be deleted.

Read and write organization places
Allows the app to manage organization places (conference rooms and room lists) for calendar events and other applications, on behalf of the signed-in user.

Have full access to user calendars
Allows the app to create, read, update, and delete events in user calendars.

What to do if you have DatabeatOMNI login issues or logging in for the first time with a Microsoft 365 user

This article helps you sign into DatabeatOMNI with a Microsoft 365 user for the first time or when you are not allowed or have issues logging in with a Microsoft 365 user.

First-time and basic requirements

When signing in for the first time, DatabeatOMNI will attempt to match and verify your email and login credentials with your organization's Microsoft 365 tenant. Based on your user's role you might experience different scenarios and if you are not sure how to proceed, this article is for you.

You should know that in order to successfully log into DatabeatOMNI with a Microsoft 365 user, your organization must authorize the use of the DatabeatOMNI - Business Enterprise Application in your Microsoft 365 tenant and grant you the right to use it. This requires approval from a Microsoft 365 administrator, whether it be you, a partner managing Microsoft 365 for you, or an internal IT department.

2. Permissions requested

Need approval from Administrator

Successful login

If you are not prompted with the Permission request page it is because the permissions are already granted for your user.

Accepting the required permissions

Sign up Enterprise application - Sign in permissions requested by Microsoft Accepting these permissions means that you allow the DatabeatOMNI app to use your data as
specified in their terms of service and privacy statement. You can change these permissions at https://myapps.microsoft.com. Microsoft is not involved in licensing this app to you.

Maintain access to data you have given it access to (offline_access)
"Allows the app to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions. This is a permission requested to access your data in Databeat Net AS."

Resource application: Microsoft Graph

Claim value: offline_access

Permission display name: Maintain access to data you have given it access to

Permission description: Allows the app to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions.

Permission type: Delegated. Delegated type means that this application may act on behalf of a user as the user him or herself for this particular permission.

Resource application: Microsoft Graph

Claim value: User.Read

Permission display name: Sign in and read user profile

Permission description: Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.

Permission type: Delegated. Delegated type means that this application may act on behalf of a user as the user him or herself for this particular permission.

Read all users' basic profiles

Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address and photo.

Resource application: Microsoft Graph

Claim value: User.ReadBasic.All

Permission display name: Read all users' basic profiles

Permission description: Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address and photo.

Permission type: Delegated. Delegated type means that this application may act on behalf of a user as the user him or herself for this particular permission.