OTD service account - needs admin approval

SOLVED
LKVer
Valued Contributor

OTD service account - needs admin approval

Hi.

 

I currently have a problem where, after logging in to the OTD portal with a service account, I want to integrate OTD with O365 via that service account.

 

According to info provided here:

https://rc-docs.plcm.vc/docs/permissions#connect-with-service-account 

 

There should be a window asking to accept those permissions. However in this case I'm only getting:

Need admin approval

Polycom One Touch Dial Service needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.

 

How can I grant that one account the required permissions? Or show that window? I've even been trying to do it somehow via Azure AD, but no luck. The customer really wants to keep it secure and limit data access for that account. So integration as an Application is out of scope for now.

 

Any help is appreciated

 

Lukasz

Message 1 of 8
LKVer
Valued Contributor

Re: OTD service account - needs admin approval

Just to mention one more thing. User consent setting is turned on according to this info:

https://docs.microsoft.com/en-us/microsoft-365/admin/misc/user-consent?view=o365-worldwide#turning-u... 

Message 2 of 8
Adam in DC
Valued Contributor

Re: OTD service account - needs admin approval

If I'm interpreting your question correctly, I suspect the issue is that you need to be an O365 Admin to grant that connection between your Microsoft Environment and the OTD environment.  

 

Tip:  One habit I've gotten into is to have an incognito browser open just for my O365 admin activities - while my regular browser is for my non-admin activities.

 

Make sense?

Message 3 of 8
LKVer
Valued Contributor

Re: OTD service account - needs admin approval

Hi Adam

 

Thanks for your reply. The thing is that the customer doesn't want to use that global admin account to do the integration. They would rather limit the necessary privileges to the bare minimum and use a service account that will have access to the "room resource" accounts created for endpoints.

 

This is a copy-paste from Poly docs about service account integration with Exchange Online.

 

This approach will request read access to only the mailboxes that a single user account has access to. That is defined by creating a dedicated service account in the tenant which is then delegating rights for the desired mailboxes in the tenant. The app will use this service account when connecting to Exchange Online and thus be limited to reading calendar data in only the mailboxes accessible to that account. The following request will appear after selecting the Connect with Service Account option under the Office 365 Calendar Integration section of the OTD administration portal and providing the credentials of the desired service account.

 

So I wonder what steps should be taken to allow that account to accept those permissions (and not making it an admin-level account)? Am I missing something?

Message 4 of 8
Adam in DC
Valued Contributor

Re: OTD service account - needs admin approval

The Global Admin account is merely for linking and accessing the OTD Portal.  Once that's done - then you use the service accounts to configure the endpoints, after you're in.  

 

You can't use the service accounts for linking the portal to 365/Azure - especially if they're not admin - and you won't want them to be admin.  

 

Two different types of accounts.  Hope this clarifies.  

Message 5 of 8
LKVer
Valued Contributor

Re: OTD service account - needs admin approval

Well, that is a surprise and I don't think this is mentioned anywhere. If you look at the official Poly documentation below, there is not a single word saying that the service account should have any privileges like that:

https://otd.plcm.vc/support/docs/calendars/office365-connect-with-service-account 

 

So that's why I'm still not sure if what you said is correct and the Poly documentation is severely lacking crucial info, or if it is a strange case of this customer.

Message 6 of 8
jschertz
Polycom Employee

Re: OTD service account - needs admin approval

This article explains how you can approve that application request in a tenant where users cannot approve app requests themselves:

http://blog.schertz.name/2020/04/enterprise-application-consent-requests-in-azure/

 

In addition I would recommend using the "As an Application" approach instead of "As a Service Account".  This article explains in detail what the current best practices are for the Poly OTD Service:

http://blog.schertz.name/2020/09/poly-one-touch-dial-service-with-exchange-online/

 

-----------
Jeff Schertz - Principal Microsoft Solutions Architect [Blog]

Notice: This community forum is not an official Poly support resource, thus responses from Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge. If you need immediate and/or official assistance please open a service ticket through your proper support channels.

Message 7 of 8
LKVer
Valued Contributor

Re: OTD service account - needs admin approval

Hi Jeff

 

I was waiting for that answer. Although I know your posts about OTD and RealConnect (who doesn't), somehow I've missed that one about consents. It's just perfect. Thanks.

 

Lukasz

Message 8 of 8
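
Once an admin has approved the request discussed in this thread, the resulting grants can be reviewed to confirm what the OTD app was actually given and for whom. The following is an added example, not part of the original posts or of Poly's documentation; it assumes the Microsoft Graph PowerShell SDK is installed and that the enterprise application carries the display name shown in the consent prompt quoted above.

```powershell
# Added example (not from the thread). Requires the Microsoft.Graph module and
# an account that may read directory data.
Connect-MgGraph -Scopes 'Directory.Read.All'

# Display name taken from the "Need admin approval" prompt quoted in the thread;
# that it matches the service principal name in the tenant is an assumption.
$appName = 'Polycom One Touch Dial Service'
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appName'"
if (-not $sp) { throw "No service principal named '$appName' found in this tenant." }

# Delegated permission grants ("Connect with Service Account" mode) where the
# OTD app is the client.
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All

$report = foreach ($g in $grants) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId

    # ConsentType 'Principal' means consent for one user only;
    # 'AllPrincipals' means consent on behalf of every user in the tenant.
    $grantedFor = if ($g.ConsentType -eq 'Principal') {
        (Get-MgUser -UserId $g.PrincipalId).UserPrincipalName
    } else {
        '(all users in tenant)'
    }

    [pscustomobject]@{
        Resource    = $resource.DisplayName
        ConsentType = $g.ConsentType
        GrantedFor  = $grantedFor
        Scopes      = $g.Scope.Trim()
    }
}
$report | Format-Table -AutoSize

# Application permissions ("As an Application" mode) are not delegated grants;
# they appear as app role assignments on the service principal instead.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
    Select-Object ResourceDisplayName, AppRoleId, CreatedDateTime
```

An empty delegated-grant table together with app role assignments indicates the tenant is connected in application mode rather than through a service account.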