HP Recommended

Hi.

I currently have a problem: after logging in to the OTD portal with a service account, I want to integrate OTD with O365 via that service account.

 

According to info provided here:

https://rc-docs.plcm.vc/docs/permissions#connect-with-service-account 

 

There should be a window asking to accept those permissions. However in this case I'm only getting:

Need admin approval

Polycom One Touch Dial Service needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.

 

How do I grant that one account the required permissions? Or show that window? I've even been trying to do it somehow via Azure AD, but no luck. The customer really wants to keep it secure and limit data access for that account. So integration as an Application is out of scope for now.

 

Any help is appreciated

 

Lukasz

Accepted Solution
HP Recommended

This article explains how you can approve that application request in a tenant where users cannot approve app requests themselves:

http://blog.schertz.name/2020/04/enterprise-application-consent-requests-in-azure/

 

In addition I would recommend using the "As an Application" approach instead of "As a Service Account".  This article explains in detail what the current best practices are for the Poly OTD Service:

http://blog.schertz.name/2020/09/poly-one-touch-dial-service-with-exchange-online/

 

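An added verification step, not part of the thread or of Poly's documentation: once an admin has approved the consent request described in the linked article, the customer's security requirement ("limit data access for that account") can be checked directly in the tenant by reading back the delegated permission grants recorded for the Polycom service principal. The script below uses the Microsoft Graph PowerShell SDK; the application display name is taken from the consent prompt quoted in the question, and the exact scope strings the app requests are not stated on this page, so the script only reports what it finds rather than asserting a specific list.

```powershell
# Added example: audit the delegated (OAuth2) permission grants that exist
# for the Polycom One Touch Dial Service app in an Azure AD / Entra tenant.
# Requires the Microsoft.Graph PowerShell module and a reader with
# Application.Read.All and DelegatedPermissionGrant.Read.All.

Connect-MgGraph -Scopes "Application.Read.All","DelegatedPermissionGrant.Read.All"

# Display name as shown in the "Need admin approval" prompt in the question.
$appName = "Polycom One Touch Dial Service"

$sp = Get-MgServicePrincipal -Filter "displayName eq '$appName'"
if (-not $sp) {
    Write-Warning "No service principal named '$appName' exists in this tenant yet; no consent has been recorded."
    return
}

# Delegated grants live on the service principal as oauth2PermissionGrants.
$grants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id

foreach ($g in $grants) {
    # Resolve the resource API the grant points at (e.g. Microsoft Graph, Exchange Online).
    $resource = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId

    if ($g.ConsentType -eq "AllPrincipals") {
        # Tenant-wide admin consent: every user can sign in to the app with these scopes.
        $who = "ALL users (admin consent)"
    } else {
        # Per-user consent: only this principal (ideally the dedicated service account).
        $who = (Get-MgUser -UserId $g.PrincipalId).UserPrincipalName
    }

    [pscustomobject]@{
        Application = $sp.DisplayName
        Resource    = $resource.DisplayName
        GrantedTo   = $who
        Scopes      = $g.Scope
    }
}
```

Reading the output: a row whose GrantedTo is a single service-account UPN is the "As a Service Account" model the question asks about, with data access bounded by that account's mailbox rights; a row marked "ALL users (admin consent)" means the admin granted tenant-wide consent, which is broader than the customer asked for and worth revisiting with the "As an Application" guidance in the second linked article, where access is governed by application permissions rather than a user's delegated rights.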
HP Recommended

Just to mention one more thing. User consent setting is turned on according to this info:

https://docs.microsoft.com/en-us/microsoft-365/admin/misc/user-consent?view=o365-worldwide#turning-u... 

HP Recommended

If I'm interpreting your question correctly, I suspect the issue is that you need to be an O365 Admin to grant that connection between your Microsoft Environment and the OTD environment.  

 

Tip:  One habit I've gotten into is to have an incognito browser open just for my O365 admin activities - while my regular browser is for my non-admin activities.

 

Make sense?

HP Recommended

Hi Adam

 

Thanks for your reply. The thing is that the customer doesn't want to use that global admin account to do the integration. They would rather limit the necessary privileges to the bare minimum and use a service account that will have access to the "room resource" accounts created for endpoints.

 

This is a copy-paste from Poly docs about service account integration with Exchange Online.

 

This approach will request read access to only the mailboxes that a single user account has access to. That is defined by creating a dedicated service account in the tenant which is then delegating rights for the desired mailboxes in the tenant. The app will use this service account when connecting to Exchange Online and thus be limited to reading calendar data in only the mailboxes accessible to that account. The following request will appear after selecting the Connect with Service Account option under the Office 365 Calendar Integration section of the OTD administration portal and providing the credentials of the desired service account.

 

So I wonder what steps should be taken to allow that account to accept those permissions (and not making it an admin-level account)? Am I missing something?

HP Recommended

The Global Admin account is merely for linking and accessing the OTD Portal.  Once that's done - then you use the service accounts to configure the endpoints, after you're in.  

 

You can't use the service accounts for linking the portal to 365/Azure - especially if they're not admin - and you won't want them to be admin.  

 

Two different types of accounts.  Hope this clarifies.  

HP Recommended

Well that is a surprise and I don't think this is mentioned anywhere. If you look at the official Poly documentation below, there is not a single word that the service account should have any privileges like that:

https://otd.plcm.vc/support/docs/calendars/office365-connect-with-service-account 

 

So that's why I'm still not sure whether what you said is correct and the Poly documentation is severely lacking crucial info, or whether it is a strange case of this customer.

HP Recommended

Hi Jeff

 

I was waiting for that answer 🙂 Although I know your posts about OTD and RealConnect (who doesn't), but somehow I've missed that one about consents. It's just perfect. Thanks.

 

Lukasz
