Microsoft 365 - GCC High (Service User) Installation

Last updated: May 13, 2026

ModernLoop's Microsoft 365 - GCC High/Outlook Integration enables seamless scheduling coordination for interview teams and candidates. This integration allows ModernLoop to:

  • Assign interviewers from users on your workspace.

  • Identify the optimal interview schedule.

  • Analyze interviewer conflicts.

  • Read and write calendar resources, such as rooms.

  • Send emails to candidates.

In addition, ModernLoop's Microsoft 365 Service User Integration allows your company to restrict the privacy of specific calendars to the ModernLoop application via permissions usually reserved for User-to-User interactions (i.e. mark individual interviewers' calendars as Free-busy, Title-only, or full read access).


Prerequisites

  • Administrator Permissions:

    You must have administrator permissions for your company's Microsoft workspace.

  • Azure Gov Cloud Access:

    You must be able to log in to Azure Gov Cloud and create an enterprise application.

  • ModernLoop Platform Access:

    Ensure you have access to the ModernLoop platform. If you do not, please contact your ModernLoop Customer Success Manager (CSM).

If the Microsoft account used for the integration is deprecated, the integration will stop functioning. We recommend creating a service account specifically for this task to ensure continuity.

List of User-level Permissions

ModernLoop requires the following Service User permissions to function properly:

  • Calendars.ReadWrite - read and write calendars

  • User.Read - read user's full profile

  • Mail.Send - send email

  • Place.Read.All - read all company places

  • openid - sign in and read user profile

  • offline_access

All requested permissions are limited to the connected service user account. Our application can only view and act on data that the service user already has access to within Microsoft, and cannot access any additional users, calendars, mailboxes, or organizational data outside of that scope.


Step 1: Create the Service User in Microsoft

Create a single service user to represent your interview calendar. This must be a primary user with at least a basic license. ModernLoop recommends one of these naming schemes for your service user, as the email address will be visible to candidates and interviewers.

Examples

  • Company Interviews - interviews@yourcompany.com

  • Company Recruiting - recruiting@yourcompany.com

PowerShell Script to Reduce Service User to Availability Only

This is an example of a script that will restrict the service user to Free-Busy blocks on every calendar at your company. You can edit this script as needed to comply with your company's security standards.

After setup, run this script on a recurring basis or whenever a new account is created.

# Load Exchange Online module if not already loaded
if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
    Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser -Force
}

Import-Module ExchangeOnlineManagement

# Connect to Exchange Online (GCC High environment)
Connect-ExchangeOnline -ExchangeEnvironmentName O365USGovGCCHigh

# Define the calendar access user
# This is where you add your service user's email address
$calendarViewer = "interviews@YOURDOMAIN.com"

# Get all user mailboxes (excluding shared/system)
$mailboxes = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited

foreach ($mb in $mailboxes) {
    $calendarIdentity = "$($mb.PrimarySmtpAddress):\Calendar"
    
    # Skip if the mailbox belongs to the calendar viewer
    if ($mb.PrimarySmtpAddress -eq $calendarViewer) {
        Write-Host "Skipping $calendarViewer's own calendar..." -ForegroundColor Gray
        continue
    }
    
    try {
        # Remove any existing permission for the service user before setting the new one
        $existingPerm = Get-MailboxFolderPermission -Identity $calendarIdentity -User $calendarViewer -ErrorAction SilentlyContinue
        if ($existingPerm) {
            Write-Host "Removing existing permission for $calendarViewer on ${calendarIdentity}..." -ForegroundColor Yellow
            Remove-MailboxFolderPermission -Identity $calendarIdentity -User $calendarViewer -Confirm:$false -ErrorAction Stop
        }
        
        # Set AvailabilityOnly permission (-ErrorAction Stop so failures reach the catch block)
        Write-Host "Setting AvailabilityOnly on ${calendarIdentity} for $calendarViewer..." -ForegroundColor Cyan
        Add-MailboxFolderPermission -Identity $calendarIdentity -User $calendarViewer -AccessRights AvailabilityOnly -ErrorAction Stop
    } catch {
        Write-Host "Failed to set permissions on ${calendarIdentity}: $_" -ForegroundColor Red
    }
}

# Disconnect from Exchange
Disconnect-ExchangeOnline
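
A read-only audit to pair with the script above, added here as an example and not ModernLoop's own code: it reports every user calendar where the service user's rights are anything other than AvailabilityOnly, which is how mailboxes created since the last run show up. The `O365USGovGCCHigh` environment name and the placeholder address are assumptions about your tenant.

```powershell
# Added example: read-only audit of the service user's calendar rights.
# Assumes the ExchangeOnlineManagement module is installed and that the
# signed-in account is allowed to read mailbox folder permissions.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ExchangeEnvironmentName O365USGovGCCHigh

# Placeholder address: replace with your service user's email address
$calendarViewer = "interviews@YOURDOMAIN.com"
$expected = "AvailabilityOnly"

$mailboxes = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited

$report = foreach ($mb in $mailboxes) {
    $smtp = [string]$mb.PrimarySmtpAddress
    if ($smtp -eq $calendarViewer) { continue }

    # Resolve the calendar folder name, which is localized per mailbox
    $folder = Get-MailboxFolderStatistics -Identity $smtp -FolderScope Calendar |
        Where-Object { $_.FolderType -eq "Calendar" } | Select-Object -First 1
    $name = if ($folder) { $folder.Name } else { "Calendar" }
    $identity = "${smtp}:\$name"

    # No explicit entry for the service user means the Default permission applies
    $perm = Get-MailboxFolderPermission -Identity $identity -User $calendarViewer -ErrorAction SilentlyContinue
    $rights = if ($perm) { ($perm.AccessRights | ForEach-Object { "$_" }) -join "," } else { "<none>" }

    [pscustomobject]@{
        Mailbox   = $smtp
        Calendar  = $identity
        Rights    = $rights
        Compliant = ($rights -eq $expected)
    }
}

# Anything listed here needs the restriction script re-run or a manual review
$drift = @($report | Where-Object { -not $_.Compliant })
Write-Host "$(@($report).Count) calendars checked, $($drift.Count) not at $expected"
$drift | Format-Table Mailbox, Rights -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

A `<none>` result means the service user has no explicit entry on that calendar, so whatever the calendar's Default permission grants is what applies.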

Step 2: Create the OAuth Application in Microsoft

(Directory + Calendar Setup via Azure Enterprise Application)

To access directory and calendar information necessary for scheduling, you must create an Enterprise Application in your Azure Gov Cloud. Follow the steps below.

Step-by-Step Guide to Creating an Enterprise Application

  1. Sign In to Azure Gov Cloud:

    Log in to the Microsoft Azure portal using an account with permissions to create an enterprise application.

  2. Register a New Application:

    1. Navigate to App Registrations and click New Registration.

    2. Enter ModernLoop or a preferred application name in the Name field.

    3. Select the Multi-tenant option.

    4. Leave the Redirect URL field empty.

    5. Click Register.

  3. Assign Permissions:

    1. Navigate to the newly created application.

    2. Click on API Permissions > Add a Permission.

    3. Add the following permissions under the Microsoft Graph API:

      • Calendars.ReadWrite - Read and write calendars in all mailboxes

      • MailboxSettings.Read - Read all user mailbox settings

      • Place.Read.All - Read all company places

      • User.Read.All - Read all users' full profiles

    4. Once permissions are added, click Grant admin consent for ModernLoop.

  4. Create a Client Secret:

    1. Go to Certificates and Secrets > Client Secrets.

    2. Click New Client Secret.

    3. Add a description (e.g., ModernLoop Integration).

    4. Set an expiration date that matches or exceeds your ModernLoop contract end date.

    5. Click Add.

    6. Save the Client Secret Value immediately, as it will only be shown once.

  5. Add Authentication Redirect URLs:

    1. Go to Authentication > Add a Platform.

    2. Add the following redirect URLs:

      • https://api.modernloop.io/integration/outlook/oauth/callback

      • https://mloop.prod.modernloop.io/integration/outlook/oauth/callback

      • https://modernloop.us.auth0.com/login/callback

      • https://auth.modernloop.io/login/callback

    3. Ensure Access Tokens are selected for these endpoints.

  6. Provide Credentials to ModernLoop:

    Share the following details with the ModernLoop team to complete the integration:

    • Application ID

    • Directory (Tenant) ID

    • Client Secret Value (from step 4)


Integration Instructions

Make sure you have already provided ModernLoop with the credentials from the application created in Step 6 above before following these steps.

  1. Log in to ModernLoop at https://app.modernloop.io/ using your Microsoft 365 account.

  2. Click Connect Microsoft GCC High (Service User).

  3. Review the permissions on the Organization App Consent screen.

  4. Click Accept to grant the necessary permissions.

Allow up to 24 hours for Microsoft to sync with ModernLoop.