beqom Pay Suite plug-in for Microsoft Outlook & Teams
Overview
The Pay Suite application can be connected to Microsoft Outlook and/or Microsoft Teams for a smoother and more user-friendly experience from the Microsoft workplace tools. Using the beqom plug-in for Microsoft Teams and Outlook, it is possible to bring feedback and growth into your Outlook calendar or your Teams meetings, encouraging people to give and seek feedback to and from internal stakeholders. Enabling this extension will allow you to see notifications, create goals, and provide or request feedback directly from within those two platforms.
The Pay Suite plug-in offers an integration with Outlook and Teams using the Microsoft Web-based platforms. It comprises two components: the manifest, which describes how the plug-in integrates into Office applications, and the JavaScript/HTML code, which makes up the user interface and the business logic of the plug-in.
Supported versions for the plug-in
The plug-in can be used with the following client versions:
Windows: Outlook 2013, Teams and later versions
Mac: Outlook 2016, Teams and later versions
Outlook, Teams for iOS
Outlook on the Web for Exchange 2016 or later, and Office 365
Outlook Web Access for Exchange 2013
Outlook.com, Teams.microsoft.com
Supported plug-in integration types
Currently, the Pay Suite plug-in supports personal static tab integration.
Components
The beqom Pay Suite Outlook & Teams plug-in includes two basic components: an XML manifest file and a cloud-based beqom Outlook Web application (JavaScript, HTML, CSS) packaged into a .zip file. The manifest defines various settings, including the integration of the plug-in with Outlook and Teams clients.
The Web application itself is a single-page application built using modern Web technologies (React for the user interface and Remix for state management). The beqom Web application is a static site hosted in the secured beqom Azure Cloud.
Manifest
The beqom Pay Suite Outlook & Teams plug-in uses a v1.1 manifest schema as well as v1.1 of JavaScript API for Office.
In terms of localization, as a global SaaS provider, beqom supports multiple languages on the platform (both in the Web and office applications).
Security & Roles
Single Sign-On
The beqom Pay Suite Outlook & Teams plug-in is supported by the SAML 2.0 SSO experience, as per the beqom application.
In provisioning of identity in the application, an identity federation is established between the client IdP and Pay Suite. This enables secure authentication for end-users. In order to be authorized in Pay Suite, end-users must have an active user account in the client IdP and in the beqom user database.
beqom SSO is supported across all platforms: desktop (Outlook for Windows and Mac), web (Office 365 and Outlook.com) and mobile.
Data flow
From the perspective of the plug-in, the flow of data is unidirectional and read-only. Data flows from the MS Office application to the Pay Suite application. beqom has no permission to send data to Office or to write data to Office applications.
The beqom Pay Suite plug-in communicates with the back-end services using a secure HTTPS connection.
When first running either plug-in, users must authenticate using SSO or regular credentials. Upon authentication of the user’s identity, the beqom identity service issues an access token for the user, which will be used to communicate with the Pay Suite back-end services.
Each request that is sent to the back-end is signed with this access token, and its validity and integrity are verified by the back-end.
The beqom Pay Suite plug-in sends user data to the RESTful beqom API in JSON format. The data is then processed by the back-end of the Pay Suite application and stored in the client database (encrypted at rest).
Authentication & authorization
Pay Suite uses access token authentication to secure access to the back-end APIs.
When opening either Pay Suite plug-in, users must log in using SSO or regular credentials. Upon authentication of the user’s identity, the beqom identity service issues an access token for the user, which will be used to communicate with the Pay Suite back-end services.
Each request that is sent to the back-end is signed with this access token, and its validity and integrity are verified by the back-end.
Internally, permission models are based on roles that are assigned to each user. By itself, a role has minimal access permissions; should users need additional rights, they need to request such rights via an approval process. Within the beqom SaaS application, users are provisioned following a "Least Access Principle"; additional roles/permissions must be added by an authorized admin user and cannot be self-assigned.
Outlook & Teams permissions
The Microsoft Office plug-in discloses the level of permissions it requires, identifying the possible access and actions that it can make on the client’s data.
The beqom plug-in uses SSL-secured (HTTPS) endpoints to establish an encrypted connection between itself and Office applications. This ensures that data is encrypted in transit using an SSL certificate. Data is additionally encrypted at rest in the Pay Suite database.
The Pay Suite plug-in is allowed to perform the following actions:
Receive messages and data provided to them by end-users.
Access the profile information of end users such as their name, email address, company name and preferred language.
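An administrator who receives a manifest for manual upload can check these disclosures before deployment. The following is an added example, not beqom's or Microsoft's code: it audits a v1.1 mail add-in XML manifest for a write-capable permission level and for non-HTTPS URLs. The sample manifest, its Id and the example.invalid URLs are constructed placeholders, and treating any write-capable permission as a finding is an assumption drawn from the read-only data flow described above.

```python
import xml.etree.ElementTree as ET

# Namespace of the v1.1 Office add-in manifest schema.
NS = {"o": "http://schemas.microsoft.com/office/appforoffice/1.1"}
# Mail add-in permission levels that allow writing to the item or mailbox.
WRITE_PERMISSIONS = {"ReadWriteItem", "ReadWriteMailbox"}

# Constructed sample manifest; Id, names and example.invalid URLs are placeholders.
SAMPLE_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <Version>1.0.0.0</Version>
  <ProviderName>Example Provider</ProviderName>
  <DefaultLocale>en-US</DefaultLocale>
  <DisplayName DefaultValue="Example plug-in"/>
  <Description DefaultValue="Constructed sample"/>
  <AppDomains>
    <AppDomain>https://login.example.invalid</AppDomain>
    <AppDomain>http://cdn.example.invalid</AppDomain>
  </AppDomains>
  <FormSettings>
    <Form xsi:type="ItemRead">
      <DesktopSettings>
        <SourceLocation DefaultValue="https://app.example.invalid/index.html"/>
        <RequestedHeight>250</RequestedHeight>
      </DesktopSettings>
    </Form>
  </FormSettings>
  <Permissions>ReadWriteMailbox</Permissions>
</OfficeApp>"""


def audit_manifest(xml_text):
    """Return a list of findings for a mail add-in manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    permission = (root.findtext("o:Permissions", default="", namespaces=NS) or "").strip()
    if not permission:
        findings.append("no Permissions element declared")
    elif permission in WRITE_PERMISSIONS:
        findings.append(f"write-capable permission requested: {permission}")
    urls = [e.get("DefaultValue", "") for e in root.iterfind(".//o:SourceLocation", NS)]
    urls += [(e.text or "").strip() for e in root.iterfind(".//o:AppDomain", NS)]
    for url in urls:
        if not url.lower().startswith("https://"):
            findings.append(f"non-HTTPS URL: {url}")
    return findings
```

An empty list means the manifest declares no write-capable permission and every source location and app domain uses HTTPS.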
Data privacy
The Office plug-in is secured by a runtime environment, a multiple-tier permission model and performance governance. This framework protects the user experience in the following ways:
Access to the host application's UI frame is managed.
Only indirect access to the host application's UI thread is allowed.
Modal interactions, such as calls to JavaScript alert, are not allowed. Confirm and prompt functions are not allowed because they are modal.
In addition, the runtime framework provides the following benefits to ensure that the Outlook & Teams plug-in is restricted within the user's environment:
It isolates the process in which the plug-in runs.
It doesn't require any .dll or .exe replacement or ActiveX components.
It makes the plug-in easy to install and uninstall.
Out-of-scope data
The beqom Pay Suite Office plug-in only supports users that exist within the application database. This limitation applies to all current scenarios: “Give feedback to sender” and “Add this feedback to beqom”. In other words, for feedback to be added to or shared in Pay Suite, both the sender and the receiver must be active users in the platform.
If a person is not an authorized user within the Pay Suite database, the plug-in will generate an alert highlighting this limitation.
Additionally, if deployed, Data Privacy Consent must be given by the user. If the data privacy consent statement is activated in the customer’s Pay Suite instance, the statement must be accepted by the user for the receiver to add feedback to Pay Suite from Microsoft Outlook and/or Teams.
Distribution
Presently, the Pay Suite Outlook and Teams plug-in can be distributed via a .zip manifest file for import.
The plug-in can be installed for specific end-users only or for the entire organization via the O365 Administration portal; in this case, the Centralized Deployment feature in the Office 365 Administration Center can be used.
beqom recommends installing the Pay Suite plug-in via Microsoft AppSource. This process is similar to the current delivery of beqom mobile applications via Apple and Google stores.
Updates and releases of the plug-in are performed on a regular basis by the beqom development team and do not require any actions on the customer side. All updates to Pay Suite are executed in line with beqom's release strategy; this includes new releases, enhancements and patching activities.
Due to the separation of the Web plug-in and the beqom Pay Suite Web application, end-users are not required to make any updates after installation of the plug-in(s) (.zip manifest). If a customer wishes to manually deploy the plug-in (i.e. not via download through MS AppSource), the global administrator must then update the plug-in.
The beqom team is responsible for handling the SSL certificate rotation for the plug-in in the scope of the beqom SaaS platform.
Installation
Enabling the plugins from Pay Suite
To enable any of the extensions, proceed as follows:
Navigate to Workbench > Platform Setup > Extensions & Plugins and choose which program you would like to enable: MS Teams or MS Outlook.
Tick the box to enable beqom for MS Teams or MS Outlook.
Click the Save button located at the top right side of the window to keep your changes.
Deploying the plug-in for your entire organization (centralized deployment)
To install the Pay Suite plug-in for your organization, proceed as follows:
Log in to the Office 365 Admin Portal.
In the admin center, go to Settings > Integrated apps > Add-ins.
Select Deploy Add-in at the top of the page, and then select Next.
Choose one of the following options on the Centralized Deployment page:
Choose from the Office Store
Upload custom apps. For this option, select Browse to locate the manifest file (.zip) that you want to use.
Select Next. If you selected the option to add a plug-in from the Office Store, you can now search for the beqom plug-in.
On the next page, select Everyone, Specific users/groups, or Just me to specify for whom the plug-in is being deployed. Use the search box to find specific users or groups.
Select Deploy.
The plug-in is typically deployed to target users within 12 hours. Users may, however, need to relaunch Microsoft Office to see the plug-in icon inside applications.
Deploying the plug-in in a targeted environment
If your organization has several environments of the Pay Suite platform, for instance for testing and production, you cannot install from the Office Store because the generic plug-in from the store will not know which environment to target. In this case, you need to contact beqom support, and a specific manifest targeting the relevant environment(s) will be produced for you to install for your company.
Once this is done, follow the steps described in Deploying the plug-in for your entire organization (centralized deployment). At step 4 of the procedure, select Upload custom apps and browse for the .zip plug-in provided by beqom.
Plug-in updates
In the case of an installation of the plug-in from the Office Store, all updates to the plug-in .zip manifest are automatically made available to users without any administration on your side.
With manual upload of the .zip manifest document, you have full management rights for the plug-in. In this case, any required updates to the plug-in will be done through the approval process, by providing the new version of beqom .zip manifest.
Overview of the plug-in in Teams & Outlook
The following figures illustrate the Pay Suite plug-in in Microsoft Outlook and Microsoft Teams, respectively:
Pay Suite plug-in in Microsoft Outlook.
Pay Suite plug-in in Microsoft Teams.
Feature coverage
The Pay Suite plug-in allows you to access many of the features from the main application, giving you seamless usage of and quick access to common performance management features related to feedback, goals, check-ins and notifications.
Feedback features accessible via plug-in:
Searching for workers and managers
Giving and requesting feedback from other workers and managers
Creating feedback notes
Viewing your feedback summary
Goals features accessible via plug-in:
Creating a goal
Viewing recent goals
Check-ins features accessible via the plug-in:
Creating a check-in
Viewing the next three check-ins
Notifications features accessible via plug-in:
Viewing the list of notifications
Navigating to the corresponding page in the Pay Suite application after clicking a notification in the list