Microsoft Custom Applications (GCC High)
This feature enables teams to connect their Microsoft custom application (https://learn.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/tutorial-create-managed-app-with-custom-provider?tabs=azurecli-interactive), including GCC High and DoD tenants. This enhanced control lets your team define the permissions granted, enabling better compliance and security tailored to your organization’s needs.

This option is available on the Foundations, Legacy Plus, Plus and Enterprise plans.

Foundations | Legacy Plus | Plus | Enterprise
✅ | ✅ | ✅ | ✅

Note: If you’re also setting up SSO, please create a new app registration, rather than using the existing one.

Setting up your M365 custom application

1. Log into Azure
   - Go to your Azure Portal and click on Manage Microsoft Entra ID.
2. Create a new app registration
   - Navigate to App registrations and click New registration.
   - Name your application and click Register.
3. Configure authentication
   - In the new app, click Authentication, then Add a platform.
   - Select Web.
   - In the Redirect URIs field, enter the following: https://app.ashbyhq.com/api/oauth/authorize/client-credentials/inbound
   - Click Save at the bottom of the page.
   - Return to Authentication > Add a platform.
   - Click Add URI again and enter: https://app.ashbyhq.com/api/oauth/authorize/inbound
   - Click Save at the bottom of the page.
4. Set API permissions
   - Go to API permissions and click Add a permission.
   - Select Microsoft Graph → Application permissions.
   - Add the following permissions based on your needs:
     - Calendar access: Calendars.ReadWrite and MailboxSettings.Read
     - User sync: User.Read.All
     - Email sync: Mail.ReadWrite and Mail.Send
   - Once all permissions are selected, click Add permissions.
5. Create a client secret
   - Navigate to Certificates & secrets and click New client secret.
   - Enter a title for the secret and select your desired expiration period.
   - Note: You are responsible for rotating the secret before it expires to prevent the Ashby ↔ M365 integration from breaking.
   - Click Add and copy the Value (not the Secret ID or label) of the new secret.
6. Retrieve your Application ID
   - Go to the Overview section of your app registration in Azure.
   - Copy the Application ID.

Configuring in Ashby

Reach out to your Ashby customer success manager to confirm that custom application setup is enabled for your account.

1. Visit advanced settings
   - Log into Ashby and go to the Microsoft 365 advanced settings page (https://app.ashbyhq.com/admin/integrations/marketplace/microsoft-365/advanced).
2. Input credentials and configure tenant type
   - Paste the Application ID and client secret into the corresponding fields.
   - Configure tenant type: if your tenant resides on a GCC server, select the appropriate option from the dropdown menu:
     - None (default)
     - GCC
     - DoD
3. Authorize the application
   - Navigate to the General Settings tab and click Connect to Microsoft 365 under Application Wide Authorization.
   - Follow the prompts to authorize the connection, ensuring only the permissions you configured are granted.

To complete your authorization, click on the General Settings tab, and then under Application Wide Authorization, click Connect to Microsoft 365. When prompted, verify that you are connecting to your application, only granting the permissions you set up on your app.

Feature limitations

GCC High environments do have some feature limitations, but they do not affect the core offerings we use at Ashby (generally online cloud-based email through Exchange and Outlook, calendaring through Outlook, and Microsoft Teams video conferencing). There are some limitations on audio and phone-based conferencing in Teams. These would also apply to Teams meetings created through Ashby in these environments. You can read more on the potential limitations and the difference across government plans at https://learn.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/office-365-us-government

Organizations using GCC High cannot have both a GCC High and a regular Microsoft integration. They also cannot have users from a GCC High domain and a regular M365 domain within the account. This is because the Microsoft government API endpoints use a different URL. This includes the initial OAuth endpoint.

FAQ

What permissions do I need for calendar and email access?
- For tenant-wide calendar access: Calendars.ReadWrite and MailboxSettings.Read (recommend application scopes)
- For email sync: Mail.ReadWrite and Mail.Send (recommend delegate scopes)
- For user sync: User.Read.All (recommend application scopes)

How do I rotate a client secret?
- Go to Certificates & secrets in Azure.
- Create a new secret before the current one expires.
- Update the secret value in Ashby’s Microsoft 365 advanced settings.
- Best practice: we recommend setting a calendar event/recurring task with your IT team to ensure this happens before the secret expires.

Can I use only delegated scopes?
Yes, but there are tradeoffs. You’ll also need to securely share your tenant ID with your Ashby POC so we can store this value in our database. Tradeoffs include:
- Higher maintenance/onboarding burden
- Delegated access to calendars meaningfully slows down interview scheduling for talent teams

What happens if my client secret expires?
The Ashby ↔ M365 integration will stop working. You must create and update a new secret to restore functionality.

Can I use this integration with GCC High or DoD tenants?
Yes, the integration supports GCC High and DoD tenants. Ensure you select the correct tenant type in the advanced settings.

How can I set an Azure custom application to only show free/busy calendar availability?
Microsoft supports this through Exchange PowerShell. See https://learn.microsoft.com/en-us/powershell/module/exchange/set-mailboxcalendarfolder?view=exchange-ps for more details.

How can I limit email access to only a subset of users?
Microsoft supports this through app roles. See https://learn.microsoft.com/en-us/entra/external-id/customers/how-to-use-app-roles-customers for more details.
Notes:
- Best practice is to create one role with more permissive access (e.g., for recruiter), and address all other users with application-wide permissions.
- When setting up app roles, the ‘values’ to be input should be the relevant scopes for the role as comma-separated values. The full list of values, for example, would be: Calendars.ReadWrite,MailboxSettings.Read,User.Read.All,Mail.ReadWrite,Mail.Send

What login options are available once this integration is enabled?
Once your custom application setup is complete, you can use either magic links or set up SSO for logging in to Ashby.

My interviewers are receiving a lot of rescheduling notifications from Microsoft when interviewers are being switched around. What can I do to resolve this?
These notifications are handled by Microsoft and there isn’t a way to amend the configured settings in Ashby. You could check the following areas in the limited admin or user settings to see if further adjustments can be made to reduce the number of notifications being sent:
- Navigate to room/resource mailboxes to adjust auto-accept behavior via the cmdlet Set-CalendarProcessing.
- At a user level, navigate to Outlook Web > Calendar > Settings > Events & invitations.
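The tenant-type setting and the instruction to grant only the permissions you configured can be checked from the tenant side. The sketch below is an added example, not Ashby's or Microsoft's code: it builds the client-credentials token request for the correct cloud and lists any application permissions in a token's `roles` claim beyond the five named on this page. The cloud labels, function names and sample token are assumptions made for the example; the endpoints are the ones Microsoft publishes for each cloud.

```python
import base64
import json

# Microsoft's published sign-in and Graph endpoints per cloud. The dictionary keys
# are labels chosen for this example, not Ashby's dropdown values.
CLOUDS = {
    "commercial": ("https://login.microsoftonline.com", "https://graph.microsoft.com"),
    "gcc_high": ("https://login.microsoftonline.us", "https://graph.microsoft.us"),
    "dod": ("https://login.microsoftonline.us", "https://dod-graph.microsoft.us"),
}

# The five Microsoft Graph permissions this page lists.
CONFIGURED = {"Calendars.ReadWrite", "MailboxSettings.Read", "User.Read.All",
              "Mail.ReadWrite", "Mail.Send"}


def token_request(cloud, tenant_id, client_id, client_secret):
    """Return (url, form) for a client-credentials token request in the given cloud."""
    authority, graph = CLOUDS[cloud]
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": graph + "/.default"}
    return f"{authority}/{tenant_id}/oauth2/v2.0/token", form


def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def excess_permissions(token, allowed=CONFIGURED):
    """Application permissions in the token's 'roles' claim beyond the allowed set."""
    return sorted(set(jwt_claims(token).get("roles", [])) - set(allowed))


def constructed_token(roles):
    """Build an unsigned sample token (constructed data, not a real Entra ID token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc({"roles": roles}) + "."


if __name__ == "__main__":
    url, form = token_request("gcc_high", "TENANT_ID", "APPLICATION_ID", "SECRET_VALUE")
    print(url, form["scope"])
    print(excess_permissions(constructed_token(["Mail.Send", "Files.ReadWrite.All"])))
```

An empty result from `excess_permissions` means the app-only token carries nothing beyond the configured set; any name it returns is a permission to remove from the app registration.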
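For the rotation procedure in the FAQ, the recurring reminder can be backed by a check over the app registration's secrets. This is an added example, not part of the original page: it classifies each secret by days remaining and reports whether a replacement already exists. The sample records are constructed and shaped like the `passwordCredentials` entries Microsoft Graph returns for an application; the 30-day warning window and the function names are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like the passwordCredentials entries Microsoft Graph
# returns for an app registration; names, ids and dates are invented.
SAMPLE = json.loads("""
[
  {"displayName": "ashby-2024", "keyId": "00000000-0000-0000-0000-000000000001",
   "startDateTime": "2024-01-10T09:00:00Z", "endDateTime": "2025-01-10T09:00:00Z"},
  {"displayName": "ashby-2025", "keyId": "00000000-0000-0000-0000-000000000002",
   "startDateTime": "2024-12-20T09:00:00.1234567Z",
   "endDateTime": "2025-12-20T09:00:00.1234567Z"},
  {"displayName": null, "keyId": "00000000-0000-0000-0000-000000000003",
   "startDateTime": "2023-01-01T00:00:00Z", "endDateTime": "2024-01-01T00:00:00Z"}
]
""")


def parse_utc(value):
    """Parse a Graph UTC timestamp, ignoring any fractional seconds."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def rotation_report(credentials, now, warn_days=30):
    """Return one row per secret, soonest expiry first, with a status."""
    rows = []
    for cred in credentials:
        days_left = (parse_utc(cred["endDateTime"]) - now).days
        status = "expired" if days_left < 0 else "rotate" if days_left <= warn_days else "ok"
        rows.append({"name": cred.get("displayName") or cred["keyId"],
                     "days_left": days_left, "status": status})
    return sorted(rows, key=lambda row: row["days_left"])


def has_replacement(rows):
    """True when some secret is outside the warning window, i.e. a replacement
    exists and what remains is updating the value stored in Ashby."""
    return any(row["status"] == "ok" for row in rows)


if __name__ == "__main__":
    now = datetime(2024, 12, 27, 9, 0, 0, tzinfo=timezone.utc)  # fixed for the demo
    for row in rotation_report(SAMPLE, now):
        print(row)
    print("replacement exists:", has_replacement(rotation_report(SAMPLE, now)))
```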