Authentication and authorization with Azure
After completing the Calendar Sync setup, an administrator must grant permissions to the deskbird Calendar Sync application in Entra.
This step establishes a secure connection between deskbird and your Microsoft 365 tenant.
Security measures
We apply multiple layers of protection to safeguard calendar data:
- Certificate security
  deskbird stores authentication certificates securely in Google Cloud Secret Manager. They are never saved in any database or backup and are protected using least-privilege access control via Google Cloud IAM.
- Revoking access
  If the deskbird integration is no longer needed or there’s a security concern, access can be revoked anytime via the Entra admin portal.
- Limited data access
  If user calendar access is enabled (optional), deskbird applies strict filtering:
  - Full room calendar data is synced.
  - User calendars are accessed only when specific events are linked to room bookings. All other user events are ignored and never stored.
Restrict access with an Application Access Policy
By default, granting consent to deskbird’s Calendar Sync app provides access to all calendars in your Microsoft 365 tenant via the Microsoft Graph API.
To limit access, we recommend setting up an Application Access Policy with a defined Management Scope.
See our step-by-step guide here:
How to control access to Calendars using an Application Access Policy
You can choose between two approaches:
Option 1: Limit to selected room and user calendars ✅
Ideal for most use cases — no functional limitations in deskbird.
Option 2: Limit to selected room calendars only 🚫
User calendar access is blocked. This results in a few limitations:
- Events created or updated in Outlook user calendars cannot be edited in deskbird.
- Events created or updated in deskbird cannot be updated in Outlook by the user. This is because the room becomes the event organizer, and edits must be made via the room’s calendar in Outlook.
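One way to create and verify the restriction described above in Exchange Online PowerShell (an added example, not deskbird's own script). The app ID, group address and out-of-scope mailbox are placeholders, and the policy scope is assumed to be a mail-enabled security group:

```powershell
# Added example: all names and IDs below are placeholders, not deskbird values.
$AppId      = '00000000-0000-0000-0000-000000000000'    # placeholder: Calendar Sync app (client) ID from Entra
$ScopeGroup = 'deskbird-calendar-scope@contoso.example' # hypothetical mail-enabled security group
$OutOfScope = 'ceo@contoso.example'                     # hypothetical mailbox that must stay unreachable

Connect-ExchangeOnline   # requires the ExchangeOnlineManagement module

# Option 2 scope: every room mailbox. For Option 1, also add the user
# mailboxes whose calendars deskbird may read.
$rooms = Get-EXOMailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited

if (-not (Get-DistributionGroup -Identity $ScopeGroup -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name 'deskbird-calendar-scope' -Type Security `
        -PrimarySmtpAddress $ScopeGroup | Out-Null
}
$current = Get-DistributionGroupMember -Identity $ScopeGroup -ResultSize Unlimited
foreach ($room in $rooms) {
    if ($current.PrimarySmtpAddress -notcontains $room.PrimarySmtpAddress) {
        Add-DistributionGroupMember -Identity $ScopeGroup -Member $room.PrimarySmtpAddress
    }
}

# RestrictAccess: the app can reach only mailboxes that are members of the group.
if (-not (Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId })) {
    New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $ScopeGroup `
        -AccessRight RestrictAccess `
        -Description 'Limit deskbird Calendar Sync to scoped calendars'
}

# Verify both directions: in-scope must be Granted, out-of-scope must be Denied.
$checks = @($rooms.PrimarySmtpAddress | Select-Object -First 3) + $OutOfScope
foreach ($mbx in $checks) {
    $result   = (Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId).AccessCheckResult
    $expected = if ($mbx -eq $OutOfScope) { 'Denied' } else { 'Granted' }
    [pscustomobject]@{
        Mailbox  = $mbx
        Result   = $result
        Expected = $expected
        Ok       = ($result -eq $expected)
    }
}
```

Any row with Ok set to False means the policy does not match the intended scope and should be reviewed before relying on it.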
Restrict visibility of room data using ExchangePowerShell
You can globally limit visibility of event details in room calendars using the Set-CalendarProcessing command in ExchangePowerShell. For example:
Set-CalendarProcessing -Identity "RoomName" -AddOrganizerToSubject $true -DeleteSubject $true -DeleteComments $true
More info: Microsoft Docs – Set-CalendarProcessing
This setting applies to all users viewing the room calendar — including deskbird. When configured:
- Only the name of the user who booked the room is shown.
- The meeting title and description are hidden.
- The event becomes read-only in deskbird.