Azure Configuration

Dayforce Implementation Guide

Version
R2025.1.1

This section covers frequently asked questions about configuring the Outlook calendar integration in the Azure Active Directory:

  1. What do clients need to do to implement the Outlook integration feature?
  2. What level of rights are required for Dayforce to read and post information to Outlook using the Microsoft Graph API?
  3. Does Dayforce receive or fetch information from Outlook through the Microsoft Graph API?
  4. Can an IT administrator revoke access to the Dayforce TAFW - Outlook integration?
  5. Do the client ID, tenant ID and secret value credentials expire?
  6. Is a reminder sent out to notify users that the secret value credential is expiring?
  7. Can clients with Active Directory On-Premise and/or Microsoft Exchange On-Premise configure an integration between Dayforce and Outlook?
  8. Can clients create integrations with multiple Azure Active Directories?

Answers

  1. What do clients need to do to implement the Outlook integration feature?
    1. Clients need to perform the following steps in the Azure Active Directory and in Dayforce:
      1. Note: It’s recommended that the same client administrator who handles data in the Azure Active Directory also configures the feature in Dayforce. It’s the client’s responsibility to make sure that the Azure Active Directory is correctly set up to integrate with Dayforce.
      2. Create a new app registration in the Azure Active Directory.
      3. Find and copy the client ID, tenant ID, and secret value credentials in the app registration, which you’ll add in Dayforce later:
        1. When configuring the new app registration, you can find the client ID and tenant ID credentials in the Overview screen, in the Essentials panel. Look for the Application (client) ID and Directory (tenant) ID values.
        2. For the secret value, click Add a certificate or secret. In the Certificates & secrets screen, click New client secret. Configure its details (the description and expiry) and click Add. The client secret is added to the Certificates & secrets screen.
        3. Copy the text under Value (not the Secret ID text). The text in the Value section is the secret value that you’ll copy to Dayforce.
        4. Important: After registration, the secret value becomes hidden. You should copy and save the secret value before you complete the app registration.
      4. Make sure the Microsoft Azure Active Directory has an application registered to use Microsoft Graph API services.
      5. In Dayforce, create an external integration in System Admin > External Integrations:
        1. Select the Microsoft external integration group.
        2. Select the Azure Active Directory provider.
        3. Create an effective period. You don’t need to add an end date in the Effective To field.
        4. Enter the client ID, tenant ID, and secret value you copied from the Azure Active Directory in the Tokens section.
        5. Click Save.
      6. Enable the calendar appointment functionality in Time Away From Work > TAFW - Calendar Integration.
  2. What level of rights are required for Dayforce to read and post information to Outlook using the Microsoft Graph API?
    • Dayforce connects to the Azure Active Directory through an app registration.
    • There are three permissions that are granted to the Azure Active Directory application: Calendars.ReadWrite, User.Read.All, and MailboxSettings.Read:
      • Calendars.ReadWrite: Allows the app to create, read, update, and delete events of all calendars without a signed-in user.
      • User.Read.All: Allows the app to read the full set of profile properties, group membership, reports and managers of other users in your organization, without a signed-in user.
      • MailboxSettings.Read: Allows the app to read a user’s mailbox settings without a signed-in user. Doesn’t include permission to send mail.
  3. Does Dayforce receive or fetch information from Outlook through the Microsoft Graph API?
    1. Dayforce fetches user and event information from Outlook to create, update, and delete Outlook appointments.
  4. Can an IT administrator revoke access to the Dayforce TAFW - Outlook integration?
    1. Yes, the access can be revoked in the Azure Active Directory for the app registration. You can revoke access using one of the following methods:
      • Delete the app registration.
      • Remove the permissions set up for the Microsoft Graph API.
    2. Alternatively, a client administrator with access to Dayforce can disable the Time Away From Work > TAFW - Calendar Integration feature.
  5. Do the client ID, tenant ID and secret value credentials expire?
    1. There is an expiry date on the secret value credential. Make sure you check the expiry date of your secret value in your app registration in the Azure Active Directory. Your client administrator is responsible for ensuring the secret value hasn’t expired and for renewing, updating, and creating new secret values as needed.
    2. The client ID and tenant ID values don’t expire.
  6. Is a reminder sent out to notify users that the secret value credential is expiring?
    1. No. Please check with your client administrator to ensure the secret value entered in System Admin > External Integrations is up to date.
  7. Can clients with Active Directory On-Premise and/or Microsoft Exchange On-Premise configure an integration between Dayforce and Outlook?
    1. No. The Dayforce Time Away From Work - Outlook integration uses the recommended Microsoft Graph API, which doesn’t support on-premises Active Directory or Microsoft Exchange.
  8. Can clients create integrations with multiple Azure Active Directories?
    1. No, this isn’t supported.
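
Because no reminder is sent before the secret value expires (answers 5 and 6), a scheduled check on the app registration can fill that gap. The following is an added example, not code from Dayforce or Microsoft. It assumes the app registration has been exported as JSON in the shape of the Microsoft Graph application object, whose passwordCredentials entries carry an endDateTime; the sample data, IDs, and the 30-day warning window are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like the Microsoft Graph `application` object
# for the app registration. All IDs and names are placeholders.
SAMPLE_APP = json.loads("""
{
  "appId": "00000000-0000-0000-0000-000000000000",
  "displayName": "dayforce-outlook-placeholder",
  "passwordCredentials": [
    {"keyId": "k-0001", "displayName": "initial secret",
     "endDateTime": "2025-01-10T00:00:00Z"},
    {"keyId": "k-0002", "displayName": "rotation 2025",
     "endDateTime": "2025-03-01T08:30:00.1234567Z"},
    {"keyId": "k-0003", "displayName": null,
     "endDateTime": "2026-02-15T00:00:00Z"}
  ]
}
""")


def parse_graph_time(value):
    """Parse a UTC timestamp such as 2025-03-01T08:30:00.1234567Z.
    Fractional seconds are dropped; they can be longer than %f accepts."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def classify_secrets(app, now, warn_days=30):
    """Return (label, status, days_left) per client secret, soonest expiry first."""
    rows = []
    for cred in app.get("passwordCredentials") or []:
        end = parse_graph_time(cred["endDateTime"])
        if end <= now:
            status = "EXPIRED"
        elif end - now <= timedelta(days=warn_days):
            status = "EXPIRING"
        else:
            status = "OK"
        # Fall back to keyId when the secret was created without a description.
        label = cred.get("displayName") or cred["keyId"]
        rows.append((label, status, (end - now).days, end))
    rows.sort(key=lambda r: r[3])
    return [r[:3] for r in rows]


if __name__ == "__main__":
    for label, status, days in classify_secrets(SAMPLE_APP, datetime.now(timezone.utc)):
        print(f"{status:9} {days:>5}d  {label}")
```

The report covers every secret on the registration; match the flagged entry against the secret value actually stored in System Admin > External Integrations before rotating.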
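
The three permissions in answer 2 are granted without a signed-in user, so they apply across all mailboxes and users in the tenant; it is worth confirming that the app registration holds exactly those three and nothing more. The following is an added example, not code from Dayforce or Microsoft. It assumes two exported inputs: the app's appRoleAssignments and the appRoles list of the tenant's Microsoft Graph service principal, which maps role IDs to permission names. Every ID in the sample data is a constructed placeholder.

```python
# Application permissions this guide lists for the Dayforce app registration.
EXPECTED = {"Calendars.ReadWrite", "User.Read.All", "MailboxSettings.Read"}

# Constructed sample data. Every ID below is a placeholder, not a real GUID.
GRAPH_SP = {  # shaped like the tenant's Microsoft Graph service principal
    "id": "sp-graph",
    "appRoles": [
        {"id": "role-cal-rw", "value": "Calendars.ReadWrite"},
        {"id": "role-user-read-all", "value": "User.Read.All"},
        {"id": "role-mbx-read", "value": "MailboxSettings.Read"},
        {"id": "role-mail-send", "value": "Mail.Send"},
    ],
}
ASSIGNMENTS = [  # shaped like the app's appRoleAssignments collection
    {"resourceId": "sp-graph", "appRoleId": "role-cal-rw"},
    {"resourceId": "sp-graph", "appRoleId": "role-user-read-all"},
    {"resourceId": "sp-graph", "appRoleId": "role-mail-send"},
    {"resourceId": "sp-other-api", "appRoleId": "role-x"},
]


def audit_app_permissions(assignments, graph_sp, expected=EXPECTED):
    """Compare granted Graph application permissions with the expected set."""
    names = {r["id"]: r["value"] for r in graph_sp["appRoles"]}
    granted, unresolved, other = set(), [], []
    for a in assignments:
        if a["resourceId"] != graph_sp["id"]:
            other.append(a["resourceId"])        # role on an API other than Graph
        elif a["appRoleId"] in names:
            granted.add(names[a["appRoleId"]])
        else:
            unresolved.append(a["appRoleId"])    # ID not found in Graph's appRoles
    return {
        "missing": sorted(expected - granted),   # integration will not work fully
        "excess": sorted(granted - expected),    # broader than this guide requires
        "unresolved_role_ids": unresolved,
        "other_resources": sorted(set(other)),
    }


if __name__ == "__main__":
    for key, value in audit_app_permissions(ASSIGNMENTS, GRAPH_SP).items():
        print(f"{key}: {value}")
```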