Microsoft Custom Applications (GCC High)
13 min
This feature enables teams to connect their Azure custom applications (https://learn.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/tutorial-create-managed-app-with-custom-provider?tabs=azurecli-interactive), including GCC High and DoD tenants. This enhanced control lets your team define the permissions granted, enabling better compliance and security tailored to your organization's needs.

Permissions & Access

This option is available on the Foundations, Legacy Plus, Plus, and Enterprise plans.

| Foundations | Legacy Plus | Plus | Enterprise |
|-------------|-------------|------|------------|
| ✅ | ✅ | ✅ | ✅ |

If you're also setting up SSO, create a new app registration rather than using the existing one.

Ashby's Microsoft 365 custom app integration supports a single Microsoft tenant only. If your organization operates across multiple tenants (for example, a parent company and portcos with separate tenants), the custom app can only connect to the tenant where it is registered and won't be able to support mailbox or calendar access across those separate tenants.

Setting up your M365 custom application

1. Log into Azure
   - Go to your Azure portal and click Manage Microsoft Entra ID.

2. Create a new app registration
   - Navigate to App registrations and click New registration.
   - Name your application and click Register.

3. Configure authentication
   - In the new app, click Authentication, then Add a platform.
   - Select Web.
   - In the Redirect URIs field, enter the following: https://app.ashbyhq.com/api/oauth/authorize/client-credentials/inbound
   - Click Save at the bottom of the page.
   - Return to Authentication > Add a platform.
   - Click Add URI again and enter: https://app.ashbyhq.com/api/oauth/authorize/inbound
   - Click Save at the bottom of the page.

4. Set API permissions
   - Go to API permissions and click Add a permission.
   - Select Microsoft Graph → Application permissions.
   - Add the following permissions based on your needs:
     - Calendar access: Calendars.ReadWrite and MailboxSettings.Read
     - User sync: User.Read.All
     - Email sync: Mail.ReadWrite and Mail.Send
   - Once all permissions are selected, click Add permissions.

5. Create a client secret
   - Navigate to Certificates & secrets and click New client secret.
   - Enter a title for the secret and select your desired expiration period.
   - You are responsible for rotating the secret before it expires to prevent the Ashby ↔ M365 integration from breaking.
   - Click Add and copy the Value (not the Secret ID or label) of the new secret.

6. Retrieve your application ID
   - Go to the Overview section of your app registration in Azure.
   - Copy the Application ID.

Configuring in Ashby

Reach out to your Ashby Customer Success Manager to confirm that custom application setup is enabled for your account.

1. Visit Advanced Settings
   - Log into Ashby and go to the Microsoft 365 Advanced Settings page: https://app.ashbyhq.com/admin/integrations/marketplace/microsoft-365/advanced

2. Input credentials and configure tenant type
   - Paste the Application ID and Client Secret into the corresponding fields.
   - Configure tenant type: if your tenant resides on a GCC server, select the appropriate option from the dropdown menu:
     - None (default)
     - GCC
     - DoD

3. Authorize the application
   - Navigate to the General Settings tab and click Connect to Microsoft 365 under Application Wide Authorization.
   - Follow the prompts to authorize the connection, ensuring only the permissions you configured are granted.

To complete your authorization, click the General Settings tab, then under Application Wide Authorization, click Connect to Microsoft 365. When prompted, verify that you are connecting to your application and only granting the permissions you set up.

Feature limitations

GCC High environments have some feature limitations, but they do not affect the core offerings used at Ashby (generally online cloud-based email through Exchange and Outlook, and calendaring through Outlook and Microsoft Teams video conferencing). There are some limitations on audio and phone-based conferencing in Teams; these also apply to Teams meetings created through Ashby in these environments. You can read more about the potential limitations and differences across government plans in the Office 365 US Government service description: https://learn.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/office-365-us-government

- Organizations using GCC High cannot have both a GCC High and a regular Microsoft integration. They also cannot have users from a GCC High domain and a regular M365 domain within the account. This is because the Microsoft government API endpoints use a different URL, and this includes the initial OAuth endpoint.
- The "Sign in with Microsoft" SSO login option does not work for organizations using GCC High.

FAQs

What permissions do I need for calendar and email access?
- For tenant-wide calendar access: Calendars.ReadWrite and MailboxSettings.Read. Recommend application scopes.
- For email sync: Mail.ReadWrite and Mail.Send. Recommend delegate scopes.
- For user sync: User.Read.All. Recommend application scopes.

How do I rotate a client secret?
- Go to Certificates & secrets in Azure.
- Create a new secret before the current one expires.
- Update the secret value in Ashby's Microsoft 365 Advanced Settings.
- Best practice: set a calendar event or recurring task with your IT team to ensure this happens before the secret expires.

Can I use only delegated scopes?
Yes, but there are tradeoffs. You also need to securely share your tenant ID with your Ashby point of contact (POC) so we can store this value in our database. Tradeoffs include:
- Higher maintenance and onboarding burden.
- Delegated access to calendars meaningfully slows down interview scheduling for talent teams.

What happens if my client secret expires?
The Ashby ↔ M365 integration stops working. You must create and update a new secret to restore functionality.

Can I use this integration with GCC High or DoD tenants?
Yes, the integration supports GCC High and DoD tenants. Ensure you select the correct tenant type in Advanced Settings.

How can I set an Azure custom application to only show free/busy calendar availability?
Microsoft supports this through Exchange PowerShell. See the Set-MailboxCalendarFolder guide (https://learn.microsoft.com/en-us/powershell/module/exchange/set-mailboxcalendarfolder?view=exchange-ps) for more details.

How can I limit email access to only a subset of users?
Microsoft supports this through app roles. See the app roles guide (https://learn.microsoft.com/en-us/entra/external-id/customers/how-to-use-app-roles-customers) for more details. Best practice is to create one role with more permissive access (e.g., for recruiter), and address all other users with application-wide permissions. When setting up app roles, the values to be input should be the relevant scopes for the role as comma-separated values. The full list of values, for example, would be: Calendars.ReadWrite,MailboxSettings.Read,User.Read.All,Mail.ReadWrite,Mail.Send

What login options are available once this integration is enabled?
Once your custom application setup is complete, you can use either magic links or SSO to log in to Ashby. Microsoft SSO is not compatible with GCC High.

My interviewers are receiving a lot of rescheduling notifications from Microsoft when interviewers are being switched around. What can I do to resolve this?
These notifications are handled by Microsoft and there isn't a way to change the configured settings in Ashby. You can check the following areas in the limited admin or user settings to see if further adjustments can be made to reduce the number of notifications being sent:
- Navigate to room/resource mailboxes to adjust auto-accept behavior via the Set-CalendarProcessing cmdlet.
- At a user level, navigate to Outlook Web > Calendar > Settings > Events & invitations.
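
The guide asks you to verify that only the permissions you configured are granted. The following is an added example, not Ashby or Microsoft code: it decodes the `roles` claim of an app-only (client credentials) access token for inspection and compares it with the application permissions this page lists per feature. The function names, the tenant ID, and the sample token are constructed for illustration.

```python
import base64
import json

# Microsoft Graph application permissions this page lists for each feature.
FEATURE_PERMISSIONS = {
    "calendar": {"Calendars.ReadWrite", "MailboxSettings.Read"},
    "user_sync": {"User.Read.All"},
    "email": {"Mail.ReadWrite", "Mail.Send"},
}

def jwt_claims(token):
    """Decode a JWT payload for inspection only (signature is NOT verified)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_roles(token, enabled_features, tenant_id):
    """Compare granted application permissions with what the features need."""
    claims = jwt_claims(token)
    expected = set().union(*(FEATURE_PERMISSIONS[f] for f in enabled_features))
    granted = set(claims.get("roles", []))  # app-only tokens carry 'roles'
    return {
        "unexpected": sorted(granted - expected),  # over-privileged grants
        "missing": sorted(expected - granted),     # features that will fail
        "tenant_ok": claims.get("tid") == tenant_id,
    }

def constructed_token(claims):
    """Build an unsigned token with the given claims (sample input only)."""
    def enc(obj):
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

# Constructed sample: email permissions were never added, and one extra
# directory-wide permission was granted by mistake.
SAMPLE_TENANT = "11111111-1111-1111-1111-111111111111"
SAMPLE_TOKEN = constructed_token({
    "tid": SAMPLE_TENANT,
    "roles": ["Calendars.ReadWrite", "MailboxSettings.Read",
              "User.Read.All", "Directory.ReadWrite.All"],
})

if __name__ == "__main__":
    features = ["calendar", "user_sync", "email"]
    print(audit_roles(SAMPLE_TOKEN, features, SAMPLE_TENANT))
```
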
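
Because the integration stops working when the client secret expires, the rotation reminder from the FAQ can be automated. This added example (not part of the original guide) classifies the entries returned by `az ad app credential list --id <application-id>` by days remaining. The 30-day warning window, the function names, and the sample JSON are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timezone

def parse_ts(value):
    """Parse the UTC timestamps az emits, e.g. 2025-06-15T00:00:00Z."""
    base = value.rstrip("Z").split(".")[0]  # drop 'Z' and fractional seconds
    return datetime.fromisoformat(base).replace(tzinfo=timezone.utc)

def secret_status(credentials, now, warn_days=30):
    """Return one entry per secret, soonest expiry first."""
    report = []
    for cred in credentials:
        days_left = (parse_ts(cred["endDateTime"]) - now).days
        if days_left < 0:
            state = "expired"
        elif days_left <= warn_days:
            state = "rotate-now"   # create a new secret and update Ashby
        else:
            state = "ok"
        report.append({
            "name": cred.get("displayName"),
            "keyId": cred["keyId"],
            "days_left": days_left,
            "state": state,
        })
    return sorted(report, key=lambda r: r["days_left"])

# Constructed sample of the CLI's JSON output (names and IDs are made up).
SAMPLE_CREDENTIALS = json.loads("""
[
  {"displayName": "ashby-m365-2025", "keyId": "aaaa-0002",
   "endDateTime": "2026-06-01T00:00:00Z"},
  {"displayName": "ashby-m365-2024", "keyId": "aaaa-0001",
   "endDateTime": "2025-06-15T00:00:00Z"},
  {"displayName": "ashby-m365-old", "keyId": "aaaa-0000",
   "endDateTime": "2025-05-01T00:00:00Z"}
]
""")
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for row in secret_status(SAMPLE_CREDENTIALS, SAMPLE_NOW):
        print(row)
```

An expired entry that is no longer configured in Ashby can be deleted from the app registration; the check only matters for the secret whose value is stored in Ashby's Advanced Settings.
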