Instruction
Beheer > Integraties > Outlook

The Outlook integration needs configuration on two sides: an app registration in Azure / Entra ID (the customer tenant) and the integration itself in i-Reserve. Because the Redirect URI contains i-Reserve's integration id, you start in i-Reserve by creating the integration to obtain that URL, then do the Azure registration, and finally complete the i-Reserve integration. This article follows that order.

1. Start in i-Reserve: create the integration

The Redirect URI you will need in Azure contains i-Reserve's integration id (the {int_id} part). That id only exists once the integration has been created, so start here:

  1. Go to Administration → Integrations and add an Outlook integration.
  2. Note the Redirect URL that i-Reserve shows (typically {base_url}/integrations/redirect/{int_id}). You need it in step 2.
  3. Skip the other fields for now — you fill them in step 3, after the Azure registration is done.

2. On the Outlook / Azure side

2.1 App registration

  1. Azure Portal → App registrationsNew registration.
  2. Register as single tenant (accounts in this organisation only).
  3. Note the Application (client) ID and the Directory (tenant) ID.
  4. Certificates & secrets → create a client secret and note the value immediately (it is not readable later). Only secret-based auth is used, no certificate.
  5. Set the Redirect URI (type Web) to the Redirect URL you noted in step 1 ({base_url}/integrations/redirect/{int_id}).

2.2 Permissions per mode

Under API permissions → Microsoft Graph add the right permission for the mode you use:

ModePermissionNotes
DelegatedDelegatedCalendars.ReadWriteConsent is given by the user who signs in. Scope: openid offline_access Calendars.ReadWrite (offline_access yields the refresh token).
ApplicationApplicationCalendars.ReadWriteAdmin consent required (“Grant admin consent”). Without it Graph returns 403 on users/{upn}/….
Optional (recommended)ApplicationPlace.Read.AllNot required for the sync itself, but recommended: it lets you easily retrieve the room mailbox UPNs instead of looking them up by hand. Requires admin consent.

One app registration can carry multiple permission types, so the same app can serve both modes. Not required: User.Read, Calendars.ReadWrite.Shared.

2.3 Least privilege (recommended for app-only)

By default an app with application Calendars.ReadWrite can read/write every mailbox in the tenant. Restrict it with an ApplicationAccessPolicy (Exchange Online PowerShell) that pins the app to a security group containing only the room mailboxes:

New-ApplicationAccessPolicy -AppId <client-id> `
  -PolicyScopeGroupId zalen-rooms@klant.nl `
  -AccessRight RestrictAccess `
  -Description "i-Reserve room sync: room mailboxes only"

2.4 Mailboxes / rooms

  • Delegated: at least one licensed user with a mailbox to sign in with. That user's default calendar syncs.
  • Application: create the rooms via Microsoft 365 admin → Resources → Rooms & equipment. A resource mailbox is normally Unlicensed — that is correct. Note each room's UPN (e.g. ZaalA@klant.onmicrosoft.com) and add them to the security group from step 2.3.

3. On the i-Reserve side

Open the Outlook integration you created in step 1 (Administration → Integrations). It has an authentication screen and a configuration screen.

3.1 Authentication screen (Azure credentials)

FieldWhat to enter
Tenant IDThe directory (tenant) ID of the M365 tenant.
Client IDThe application (client) ID of the app registration.
Client secretThe generated client secret value.
Return urlThe redirect URI. Use exactly the value i-Reserve shows and register that same URI in the Azure app.

Then run the two buttons in order:

  1. Step 1: consent — opens the Microsoft consent screen. Sign in with the dedicated user (delegated) or grant admin consent (application) and approve the requested calendar permission.
  2. Step 2: connect to Outlook — exchanges the consent for the stored tokens (delegated: access + refresh; application: app-only token). After this the connection is live.

3.2 Configuration screen — general behaviour

FieldWhat to enter
Field for i-Reserve booking idThe booking field that stores the Outlook event id (the link between booking and calendar event). Default external_id.
TemplateThe template used to build the event subject/body (outbound).
Create Teams linkYes/No — create a Teams online meeting for the event.
Field for Teams linkBooking field to store the Teams join URL (if the above is Yes).
Use customer dataYes/No — add the customer as attendee / use customer details on the event.
Create calendar entry on statusThe booking status(es) on which an event is created in Outlook (outbound, delegated).
Delete on statusThe booking status(es) on which the Outlook event is deleted.
E-mail on problemsE-mail address notified on integration problems.

3.3 Configuration screen — inbound

FieldWhat to enter
Authentication modeDelegated (one user) or Application (per room, app-only). This switches the mapping field below.
Room ↔ object (application)Per row: the room mailbox UPN and the i-Reserve object it maps to. One row per room; use “Add room”.
Inbound object (delegated)The single i-Reserve object that events from the user's calendar are booked on.
Inbound statusStatus used to create a new inbound booking.
Inbound status with customerAlternative status when the organiser matched a known customer.
Lock statuses (update)Bookings in these statuses are not updated by inbound.
Lock statuses (delete)Bookings in these statuses are not cancelled by inbound.
Allow booking updateYes/No — let inbound changes update existing bookings.
Ignore validation errors on updateYes/No — apply inbound updates even if validation would normally reject them.

3.4 Activate

Save and set the integration to active. Confirm the connection on the test/diagnostics screen and verify a Graph subscription (webhook) was created (delegated: one; application: one per room).

In delegated mode use a separate, dedicated Microsoft 365 service account (e.g. ireserve-sync@klant.onmicrosoft.com), not a personal employee account. Reason: auditability, continuity (does not break when an employee leaves) and least privilege.
In application mode do not forget admin consent: without it Graph returns 403 on users/{upn}/...