How are Exchange Online permissions delegated to VandalStar (Starfish)?

Overview

VandalStar is a web-based retention and advising tool that provides an efficient way to offer coordinated support to all students, ensuring they receive the right type of assistance/intervention to keep them on track. It is powered by Starfish, a solution developed by Hobsons that was acquired by EAB in 2021.

VandalStar can sync calendars with Exchange Online to allow for viewing and publishing schedules. To accommodate this functionality, special access has been provided to a functional account managed by the University of Idaho Academic Advising department.

 

Details

There are two methods to allow the VandalStar functional account to sync calendars with Exchange Online.

  • Explicit Calendar Sharing - The first method involves having an Exchange Online user explicitly share their calendar with the functional account used by VandalStar. During the initial deployment, it was determined this functionality would not work properly due to the potential for per-user throttling enforced by Microsoft on the Exchange Online system. We are not using this feature.
  • Exchange Online Impersonation - The currently deployed method uses an elevated permission within Exchange Online called "impersonation". It gives the VandalStar functional account full control over an Exchange Online mailbox, including all email, contacts and calendar information.

How is the "impersonation" permission assigned to the VandalStar functional account?

Due to the extremely high level of access provided through impersonation, there are a limited number of accounts where impersonation access is allowed. This restriction, referred to as a "write scope", is controlled by membership in a special group maintained by the Academic Advising team. VandalStar users have to be explicitly added to this scope group before the VandalStar functional account can access their account through impersonation.
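One way to audit this scoping from Exchange Online PowerShell, as an added example that is not the University's own script. The account and mailbox names are placeholders, and it assumes the ExchangeOnlineManagement module with an active Connect-ExchangeOnline session.

```powershell
# Added example: confirm the functional account's impersonation right is
# limited by a custom write scope, and check whether one mailbox is covered.
# Placeholder values (assumptions, not the University's real names):
$ServiceAccount = 'vandalstar-svc-PLACEHOLDER'
# Use the advisor's preferred email address as recorded in VandalStar.
$MailboxToCheck = 'advisor-PLACEHOLDER@example.edu'

$assignments = Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' `
    -RoleAssignee $ServiceAccount

if (-not $assignments) {
    Write-Warning "No ApplicationImpersonation assignment found for $ServiceAccount"
}

foreach ($a in $assignments) {
    if (-not $a.CustomRecipientWriteScope) {
        # No custom scope: impersonation is not restricted to the scope group.
        Write-Warning ("{0}: unscoped (RecipientWriteScope = {1})" -f `
            $a.Name, $a.RecipientWriteScope)
        continue
    }

    $scope = Get-ManagementScope -Identity $a.CustomRecipientWriteScope

    # Resolve the scope's filter to the recipients it currently covers.
    # A group-based scope typically uses a MemberOfGroup filter.
    $inScope = Get-Recipient -RecipientPreviewFilter $scope.RecipientFilter `
        -ResultSize Unlimited

    [pscustomobject]@{
        Assignment       = $a.Name
        Enabled          = $a.Enabled
        Scope            = $scope.Name
        Filter           = $scope.RecipientFilter
        MailboxesInScope = @($inScope).Count
        TargetInScope    = $inScope.PrimarySmtpAddress -contains $MailboxToCheck
    }
}
```

A warning for an unscoped assignment, or an unexpectedly large MailboxesInScope count, means the functional account can reach more mailboxes than the scope group intends.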

Are any additional permissions assigned to the VandalStar account?

In 2021, an additional nightly process was implemented to verify that explicit calendar permissions are assigned to the VandalStar functional account. This separate permission was implemented in case the VandalStar account attempts to connect to an account without impersonation. It is provided as a simple fallback control.

How to troubleshoot calendar sharing issues?

  1. Work with Academic Advising to ensure the Active Directory account has been added to the VandalStar Calendar Sharing group.
  2. Wait at least 30 minutes for the calendar sharing group to sync with Exchange Online.
  3. Sign out of VandalStar/Starfish and close the browser window to ensure a new session is created on the next sign-in.
  4. Work with Academic Advising and EAB Support to verify Exchange Online "impersonation" is working through tools like: https://testconnectivity.microsoft.com/

VandalStar is currently using "Exchange Web Services" to connect to Exchange Online. You may see the term "EWS" associated with the functional account and when troubleshooting the connection.

Note: the preferred email address in VandalStar directly determines which Exchange account needs to be added to the calendar sharing group for "impersonation". For example, if an advisor has the preferred email address "vand1234@vandals.uidaho.edu" but is signed into VandalStar with their employee account, the vand1234 account needs to allow impersonation because it is the one VandalStar uses for calendar syncing. It is recommended to add both student and employee accounts to the calendar sharing group as a precaution.

 

Details

Article ID: 1836
Created: Fri 3/12/21 8:53 AM
Modified: Fri 3/12/21 8:54 AM