Skip to main content

Office 365 Calendar Integration: Technical FAQ

  • SmartRecruit


The benefits of the SmartRecruiters O365 Calendar integration

SmartRecruiters O365 calendar integration allows recruiting teams to drastically improve the efficiency of one of the most time-consuming and complex workflows in recruiting: interview scheduling. Our calendar integration is used by almost 400 enterprises around the world to save dozens of hours a week for recruiting coordinators, recruiters, and interviewers.

Our integration has two key features that help achieve this efficiency:

  • looking up availability of colleagues (interviewers) for a particular time slot,
  • booking rooms/video projectors and other equipment necessary for interviews straight from SmartRecruiters.

Those two tasks, when done without an integration, require coordinators to switch between multiple tabs and make scheduling panel interviews, and especially rescheduling/updating them a very time-consuming task.

NOTE: SmartRecruiters always show "busy" when displaying calendar availability. The Graph API which provisions 0365 Calendar visibility supersedes settings between users by prohibiting visibility of events proxied by user “A” as user “B”, as referenced below.

Screen Shot 2019-10-23 at 3.58.47 PM.pngIn addition to the above scope, SmartRecruiters uses our central messaging system to pass and display interviewer responses to interview invites in our system. This is a huge time saver for coordinators/recruiters, as they can have a holistic view of all responses for a certain interview rather than collecting responses one by one in their emails. Below is an example of a full-day interview panel displaying interviewer responses in SmartRecruiters.

Screen Shot 2019-10-23 at 3.59.25 PM.png

What permissions does SmartRecruiters need in order for O365 calendar integration to work?

We need two application permissions for “Microsoft Graph” API to operate:

  • Read and write calendars in all mailboxes - to access Calendar API (create, update, delete, list events). We need “write” type permission to create, update and cancel events in users’ calendars.
  • Read directory data - to access Directory API (list calendar resources, i.e. rooms, projectors, etc.). Resources are returned in Graph API as users, so we need to list users to find resources.

Which APIs does SmartRecruiters call and what data do you receive as a result of those calls?

SmartRecruiters uses Microsoft Graph API to integrate with O365 calendars. Particularly, application use the following three APIs. SmartRecruiters uses minimum data to operate. List below shows all data types that our application may receive but use only minimum data required for certain actions:

Calendar API:

Business Operation API we call: Data we use:
Get Event attendees
(status, emailAddress)
List Events start, end, showAs
Create Event id, iCalUId
Update Event id, iCalUId
Cancel Event -
Accept Event -
Decline Event -
Tentatively Accept Event -
List User's Calendar id, name
Get Calendar id, name

Change notifications (aka Subscriptions, aka webhooks):

Business Operation API we call: Data we use:
Create Subscription id, changeTypes, notificationUrl, expirationDateTime
Delete Subscription id
Get Subscription id
Cancel Event id, expirationDateTime


Business Operation API we call: Data we use:
List Users (to fetch resources like rooms, projectors, etc.) givenname, surname, displayname, mail

NOTE: SmartRecruiters do not use or store any other Calendar API data.

Which data transfer methods/protocols does SmartRecruiters use?

We call Microsoft Graph API using Java Client library provided by Microsoft. They wrap all calls into HTTP requests using standard methods (GET, PUT, POST, DELETE) and REST approach. 

Do you store any calendar data you receive via API?

We do not store any data related to events or busy periods in the calendars of the users that we receive by calling Microsoft Graph API. The data we store is:

  • IDs of calendar events that we create
  • List of calendar resources, containing:
    • Resource ID
    • Resource name
  • ID and name of the calendar user want to create events in
  • ID of subscription (webhook) we create

How can we control SR access to our calendars (how can we disable integration)?

Our access to Microsoft Graph API can be immediately disabled at any time by using the following two methods:

  • By revoking permissions in the Azure portal
  • By invalidating credentials for SR application in the Azure portal
  • By removing integration settings from SR system on Admin pages

NOTE: by doing this, scheduling interviews will stop working and SR assistance will be necessary. 

How can I monitor what the SmartRecruiters app does once it is enabled?

Monitoring can be achieved using “Overview” or “Audit logs” tabs in the Azure portal for SR integration application:

Screen Shot 2019-10-23 at 4.00.40 PM.png

What does SmartRecruiters do to ensure system-wide information security?

SmartRecruiters takes information security and privacy very seriously. As a vendor of some of the world’s largest, high growth enterprise organizations, it is critical that we maintain a standard far above that of other competitors.

As a 100% cloud-based system, SmartRecruiters is entirely hosted by Amazon Web Services (AWS) and we rely on AWS KMS encryption. We selected AWS for its proven reliability and security capabilities, that are designed to meet the most rigorous and robust privacy and security needs of some of the world’s most security-sensitive organizations. On behalf of SmartRecruiters, Amazon holds ISO 27001, SOC-2 and NIST certifications.

Independent of Amazon, SmartRecruiters is Privacy Shield self-certified and has passed both third party and customer penetration tests. Separately, we are ISO27001 certified and successfully recertified. We are in the process of obtaining SOC-2 compliance.

Internally, we've created stringent logs, separation of duties so that only specific employees can access certain areas of our product’s data and software, extensive monitoring that tracks all traffic in our product, among other best practices to protect our customer's data.

SmartRecruiters follows internal SDLC guidelines that incorporate mandatory code reviews, automated testing, and verification on pre-prod environments as a part of the code deployment process. We also have a strict production environment access control. Getting access to both code and infrastructure is limited, fully audited and requires formal approval.

Additionally, SmartRecruiters has a security team dedicated to protecting our systems against cyber-attacks and security threats. We believe we offer one of the most comprehensive data security and privacy policies in this space so our customers have the assurances they need to know their data is secure.