
Microsoft 365 Security Overview

A high-level picture of how RICOH Spaces integrates with Microsoft 365 — sign-in, the enterprise application registration we install, and the Microsoft Graph API surface we use.

This article gives administrators a high-level picture of how RICOH Spaces integrates with Microsoft 365 — the authentication standard we use, the enterprise application registrations we install in your tenant, and the API surface we read from. For the detailed permissions list and how to scope it, see Microsoft 365 Required Permissions.

How RICOH Spaces connects to Microsoft 365

RICOH Spaces uses three Microsoft technologies to integrate with your tenant:

  • OAuth 2.0 for sign-in. Users sign in with their Microsoft work account; we never see, store, or transmit their password.

  • Microsoft Graph API for everything we read and write — meeting room calendars, user profiles, Entra ID group membership, and place metadata.

  • Tenant-installed enterprise application registrations which hold the permissions your administrator has consented to.

All interactions with your tenant are scoped to the permissions you have granted, and every call is auditable from your Microsoft 365 admin centre.

1) Signing in

Users sign in to RICOH Spaces via their Microsoft account at the regional URL for their tenant:

When a user clicks Sign in with Microsoft, the standard Microsoft sign-in screen handles authentication.

Microsoft sign-in screen

This uses the latest Microsoft authentication libraries on Microsoft's own sign-in page, ensuring the user is an active member of your Microsoft Entra ID tenant. No additional integration work is required from your side.

Note: If your organisation has third-party application sign-ins disabled by default, users will see an "approval required" message when first signing in. An administrator can either approve the request inline, or pre-approve RICOH Spaces ahead of time from the Microsoft 365 admin centre.

The diagram below shows the Microsoft authentication token flow:

Microsoft authentication token flow

After Microsoft has authenticated the user, RICOH Spaces validates the user's email domain, identifies their RICOH Spaces tenant, and issues a JSON Web Token that is bound to that customer tenant and accompanies every subsequent request. The Microsoft library re-checks the user's session on every page load, so revoking access in Entra ID immediately stops them being able to use RICOH Spaces.

2) Enterprise application registrations

RICOH Spaces uses two Microsoft Entra ID enterprise application registrations — one for our web, Teams, and Outlook clients, and one for our native mobile applications. Both are installed in your tenant when an administrator first connects RICOH Spaces.

| Application | Microsoft Entra ID Application (client) ID |
| --- | --- |
| Web, Teams & Outlook | 5ec2cf9c-9db8-4189-a2d8-d241a089c709 |
| Native mobile (iOS & Android) | 78604ca8-c6c4-40e5-8668-1e16b98353be |

Note on consolidation: Today these are two separate enterprise applications because they use different authentication flows on the Microsoft side. We are planning to consolidate them into a single registration in a future release; until then, both will appear under Enterprise applications in your Microsoft 365 admin centre.

You can find both applications in the Microsoft 365 admin centre under Identity → Applications → Enterprise applications, where you can review the permissions each has been granted, see recent sign-ins, and revoke access if needed.

Enterprise applications overview

If you'd like to pre-create the enterprise applications (so users can sign in without an admin consent prompt mid-flow), you can do so by following the EU or AU admin-consent link in Connect Microsoft 365 Calendars.

Enterprise application permissions panel

For the complete list of permissions the applications request — what each does, why we use it, and how to scope it — see Microsoft 365 Required Permissions.
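
The same review can be done from the command line. The script below is an added example, not RICOH's own tooling: it looks up the two application (client) IDs listed above and prints every delegated and application permission each has been granted in your tenant. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in administrator can consent to the two read-only scopes it requests.

```powershell
# Added example: read-only audit of the two RICOH Spaces enterprise applications.
# Assumption: the Microsoft.Graph PowerShell SDK is installed on this machine.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

# Application (client) IDs as listed in this article.
$ricohApps = [ordered]@{
    '5ec2cf9c-9db8-4189-a2d8-d241a089c709' = 'Web, Teams & Outlook'
    '78604ca8-c6c4-40e5-8668-1e16b98353be' = 'Native mobile (iOS & Android)'
}

$report = foreach ($appId in $ricohApps.Keys) {
    $sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
    if (-not $sp) {
        Write-Warning "$($ricohApps[$appId]) ($appId) is not installed in this tenant."
        continue
    }

    # Delegated permissions: one grant per resource API, scopes are space-separated.
    foreach ($grant in (Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All)) {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $grant.ResourceId
        foreach ($scope in ($grant.Scope -split ' ' | Where-Object { $_ })) {
            [pscustomobject]@{
                Application  = $ricohApps[$appId]
                Type         = 'Delegated'
                Resource     = $resource.DisplayName
                Permission   = $scope
                # AllPrincipals = admin consent for the tenant; Principal = a single user.
                ConsentedFor = $grant.ConsentType
            }
        }
    }

    # Application permissions: app roles assigned to the service principal itself.
    foreach ($assignment in (Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)) {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
        $role = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
        [pscustomobject]@{
            Application  = $ricohApps[$appId]
            Type         = 'Application'
            Resource     = $resource.DisplayName
            Permission   = if ($role) { $role.Value } else { '(default access)' }
            ConsentedFor = 'Tenant'
        }
    }
}

$report | Sort-Object Application, Type, Resource, Permission | Format-Table -AutoSize
```

Compare the output against the list in Microsoft 365 Required Permissions; any permission that appears here but not there is worth investigating.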

3) Microsoft Graph

All of RICOH Spaces' interactions with your Microsoft 365 tenant happen via the Microsoft Graph API. Graph is Microsoft's unified API for Microsoft 365 data and is the modern, supported, and audited path for third-party applications.

Microsoft Graph diagram

We do not use the deprecated Exchange Web Services (EWS) API. All calendar reads and writes, group membership lookups, and place metadata queries go through Graph endpoints under https://graph.microsoft.com.

4) Where to go next

For deeper coverage of specific topics:
