Best practices for linking Alexa for Business with Microsoft Office 365
Alexa for Business integrates with popular calendar systems, including Microsoft Exchange, Office 365, and Google G Suite, to provide users with hands-free meeting experiences and room-booking capabilities. Several customers have asked for more details on the integration of Alexa for Business with their Office 365 setup.
This post describes the technical details of how Alexa for Business connects to Office 365. It also covers best practices for account linking when Office 365 is using conditional access policies, as well as common, often overlooked configuration settings.
Calendar integration in Alexa for Business
In the AWS Management Console, you can link your calendar system with Alexa for Business. After your calendar system is linked, you can associate your Office 365 resource calendars to the rooms you defined in Alexa for Business.
The calendar integration in Alexa for Business enables your users to join their scheduled meetings, check room availability, and find available meeting rooms by simply asking Alexa. The following diagram and steps describe how Alexa for Business interfaces with the calendar system.
- User asks Alexa to join their meeting.
- The Alexa Service processes the request, determines the intent, and routes it to the Alexa for Business conferencing service.
- The Alexa for Business conferencing service looks up the address of the resource calendar of the room where the request was made.
- The Alexa for Business conferencing service connects to Office 365 and reads the upcoming event from the resource calendar.
- Alexa for Business determines the dial-in information and prompts the user to confirm the meeting.
- After confirming, a call is initiated to connect the video conferencing system to the upcoming meeting.
Linking with Office 365
Alexa for Business communicates with your Office 365 calendar using the Microsoft Graph API. To call the Microsoft Graph API, Alexa for Business must acquire an access token from the Microsoft identity platform. The access token contains information about the app and the permissions it has for the resources and APIs available through Microsoft Graph.
To get the access token, you must complete the OAuth 2.0 authorization flow by linking your Office 365 account to Alexa for Business. Alexa for Business securely stores the access token and refresh token. The refresh token is used to acquire additional access tokens after the current access token has expired.
To link Alexa for Business to your Office 365 tenant, you can use one of the following two methods.
Method 1: Link with a service account using delegate access
You can create a new service account in your Office 365 tenant and link to your Office 365 tenant by using this account. In the consent window that follows, Alexa for Business asks for permissions to access calendar information. After the account is linked, you must give the service account read and write access to the calendar of each room in which you deploy Alexa for Business.
Linking with a service account gives you fine-grained control over the calendars that Alexa for Business can access. To give the service account access to a room calendar, you can use the following PowerShell command.
Add-MailboxFolderPermission <room name>:\Calendar -User alexaforbusiness -AccessRights Editor
Method 2: Link with application permissions
You can also link Alexa for Business to your Office 365 tenant by using application permissions. This gives Alexa for Business permissions to all of the calendars in your Office 365 tenant.
To use this method, Office 365 requires a tenant administrator to sign in to complete the request. The administrator must consent to the following permissions that Alexa for Business requires. With this method, you don’t have to update any permissions when you deploy Alexa to more rooms.
Several enterprise customers have restricted access to their Office 365 tenant, and don’t allow users to consent to third-party applications accessing their data. In the account linking flow, users see a message to ask their admin to grant permission to this app before they can use it, or they see a permissions error.
To link the account in these setups, you can sign in with an administrator account and select the check box to consent on behalf of the organization. After you have given consent for the organization, you can unlink the administrator account and sign in with the service account user.
You can also assign the “Application developer” role to the service account and link using the service account. Users in this role can continue to register apps, even when the administrator has turned off the setting that allows users to register apps.
Resource mailbox configuration
To give your users a hands-free experience when joining meetings, Alexa must be able to read the meeting dial-in information from the room calendar. For this to work, the resource mailbox must keep the body of the meeting invite. The default behavior in Exchange and Office 365 is to delete the entire contents of the message body when it arrives in the resource mailbox. You can change this setting with the following PowerShell cmdlet:
Set-CalendarProcessing -Identity <roomname> -DeleteComments $false
If you don’t change this setting for your resource calendars, Alexa can’t determine the meeting dial-in information and prompts you for your meeting ID.
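One way to apply and audit the two per-room settings this post describes, the Method 1 calendar permission for the service account and the -DeleteComments setting, across a deployment. This is an added example, not part of the original post or AWS tooling; it assumes an open Exchange Online PowerShell session, and the room addresses are constructed placeholders.

```powershell
# Assumes an existing Exchange Online session (Connect-ExchangeOnline).
# The service account name comes from the post; the room addresses are
# constructed sample values, replace them with your own.
$ServiceAccount = 'alexaforbusiness'
$DeployedRooms  = @('room-a@example.com', 'room-b@example.com')

function Get-RoomState {
    param([string]$Room, [string]$User)
    # Calendar permission held by the service account ($null when it has none).
    $perm = Get-MailboxFolderPermission -Identity "${Room}:\Calendar" -User $User `
                -ErrorAction SilentlyContinue
    $proc = Get-CalendarProcessing -Identity $Room
    [pscustomobject]@{
        Room           = $Room
        AccessRights   = if ($perm) { $perm.AccessRights -join ',' } else { 'none' }
        DeleteComments = $proc.DeleteComments
    }
}

# 1. Bring each deployed room to the configuration described in the post.
foreach ($room in $DeployedRooms) {
    $state = Get-RoomState -Room $room -User $ServiceAccount
    if ($state.AccessRights -eq 'none') {
        Add-MailboxFolderPermission -Identity "${room}:\Calendar" `
            -User $ServiceAccount -AccessRights Editor
    } elseif ($state.AccessRights -ne 'Editor') {
        # An entry exists with different rights: set it to Editor exactly.
        Set-MailboxFolderPermission -Identity "${room}:\Calendar" `
            -User $ServiceAccount -AccessRights Editor
    }
    if ($state.DeleteComments) {
        Set-CalendarProcessing -Identity $room -DeleteComments $false
    }
}

# 2. Audit every room mailbox. Rows with Deployed = False and AccessRights
#    other than 'none' show access the service account no longer needs.
Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited | ForEach-Object {
    $addr = [string]$_.PrimarySmtpAddress
    Get-RoomState -Room $addr -User $ServiceAccount |
        Add-Member -NotePropertyName Deployed `
                   -NotePropertyValue ($DeployedRooms -contains $addr) -PassThru
} | Format-Table -AutoSize
```

The calendar folder is addressed as `:\Calendar`, as in the post; mailboxes created with a non-English locale may use a localized folder name.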