Zoom Calendaring Endpoints

Web Calendaring Service

The Web Calendaring Service is the heart of Zoom’s ability to deliver calendaring information to all Zoom apps.

What information does Zoom store?

The Zoom Web Calendaring Service stores the objects required to authenticate to each user’s calendaring provider. This means Zoom stores the refresh token when organizations use OAuth, and it also means that Zoom stores the account username and password when organizations use Basic authentication to Exchange On-Premises.

When the optional bi-directional calendar sync is enabled, Zoom will store 30 days of sanitized user calendaring data in the cloud. The Web Calendaring Service only stores calendaring events associated with a Zoom Meeting, and disregards all other calendar events. During data sanitization, all descriptions, organizers, meeting topics, times, recurrenceInfo, and organizerId fields are stored. This information is permanently discarded after the event.

Admins can configure this feature on an account or user group level. Refer to our support documentation for more information

How are stored tokens and credentials protected?

The stored tokens and credentials are encrypted at rest using 256-bit AES-GCM encryption. This data is considered customer content and subject to Zoom’s access control policies and standards. These controls are assessed by independent audit firms where indicated in our security certifications and attestations, such as the SOC 2. Privileged access to infrastructure data and systems is logged, monitored, and controlled using multi-factor authentication and least-privilege access controls.

How is the traffic between apps and the calendar provider protected?

Communications between calendar providers and any Zoom software — Zoom desktop/mobile apps, Zoom Web Calendar Service, scheduling tools, and the API connector — are encrypted in transit using TLS 1.2.

How long is an OAuth token good for?

Zoom will request access tokens that expire in 1 hour and refresh tokens that expire in 90 days, but calendaring providers may provide tokens with alternate limits. Follow your provider’s instructions if you need to modify the default values.

Can I revoke an OAuth token or credential?

Zoom administrators can choose to remove the calendar integration from a single Zoom account at any time, which will prevent the user’s calendaring from functioning. Immediately delete any stored tokens or credentials for that user.

Microsoft 365 administrators can remove Zoom’s calendar access from all user accounts by deleting the Zoom application in the Entra ID Enterprise Application portal, and Google Workspace administrators can revoke access using the Google Cloud Platform Console.

Can I limit Zoom’s ability to write calendar or contact data to a provider?

After initial configuration, Zoom administrators can choose between Read and Read/Write permissions for both calendaring and contacts when connecting through Microsoft 365 methods. Administrators can also limit Google Workspace integrations for user calendars.

Desktop and Mobile Apps

Do the Zoom apps store any calendaring or contact data?

Zoom apps hold calendaring information in temporary memory (RAM) and do not persist any items to the local disk. This includes authentication tokens, credentials, calendar event information, and contact data. This data is no longer available once the client exits.

What happens at sign-in?

Zoom apps initiate a full refresh at each sign-in to collect the list of upcoming events. This involves receiving its OAuth access token or stored credentials from the Zoom Web Calendar Service and then using that object to refresh event data directly from the calendaring provider. If the access token is invalid, the Zoom Web Calendar Service will use the refresh token to request and pass a new access token to the client.

How does the client know to refresh its upcoming event list?

The Zoom Web Calendar Service subscribes to a calendaring provider webhook for each user after the calendar is connected in the web portal. These webhooks notify the Web Calendaring Service of any changes so it can then notify the Zoom client that an update is needed. Finally, the Zoom client will request an update directly from the calendaring provider. Apps that do not receive an update notification will refresh their event list every 30 minutes.

What meeting details are available to the client?

Zoom apps display meeting data after sanitizing the events it parses, which means it has discarded all of the attributes it does not use. The event attributes saved for use and discarded are outlined in the table below.

Saved for Display in Client

Discarded and not Retained

  • Subject

  • Attendees

  • Description

  • Sender email address*

  • To/CC/BCC email address*

  • Attachments*

  • Email body content*

  • Date and duration

  • Zoom Meeting URL

  • If the meeting includes a Zoom Room

  • Location

  • Room Resources

*Only when event capture powered by AI Companion 2.0 is enabled

Is any calendaring data stored in client logs?

Zoom apps will not print sensitive calendar data like tokens, credentials, or events into any client logs.

Scheduling Tools

Zoom offers a variety of tools to simplify the Zoom meeting scheduling experience with Microsoft and Google products. These products include native scheduling integrations for Google Workspace and Microsoft 365, or software extensions for use with select browsers and Outlook.

How do the scheduling tools work?

All scheduling tools, except for the Outlook Plugin, directly submit API requests to both the calendaring provider and Zoom's Web Calendaring Service. The Outlook Plugin is distinct in that it schedules a meeting through the Zoom desktop client, which submits the API request to the Zoom Web Calendaring Service on behalf of the plugin.

What information is sent to Zoom when scheduling with a tool?

The only data retained when using a scheduling tool is information required to schedule a meeting. For example, when a user schedules a Zoom meeting using the Microsoft 365 add-in, the add-in will use the event subject, date, time, timezone, and recurrence flag to schedule the Zoom meeting. The Zoom add-in does not request or use additional detail like the body or attendee list.

Are there any firewall or security requirements?

The scheduling tools do not require any additional firewall or security changes beyond what is already necessary for calendaring integrations. The full list of requirements is documented in network and firewall rules for Zoom.

What is the difference between the Outlook Plugin and the Outlook add-in?

The Outlook Plugin is installed on an end user’s machine and assists users with scheduling Zoom meetings through their Outlook client. The plugin communicates with the Zoom Workplace desktop client through an interprocess communication channel (IPC). Using this IPC, the plugin sends schedules to Zoom’s Web Calendaring Service through the client’s resources.

To provide the best experience for our users while adhering to policies and guidelines set by Apple and Microsoft, Zoom is highly recommending the deployment and utilization of the Zoom for Outlook add-in. The add-in provides you with easier deployment and more robust administrative management solutions, is actively supported by Microsoft, and better meets the recently enhanced security requirements of vendors like Apple.

The Outlook add-in is a web-based application that does not require local installation on user machines and instead appears as a built-in web app, available both in the local client and Outlook on the web. The add-in operates through web APIs that communicate directly with Zoom’s Calendaring Web Service.

The plugin and add-in provide similar functionality, but the add-in requires the Outlook JavaScript API requirement set v1.8 — a version that exists only in modern versions of Outlook and is not available for Exchange Server on-premises at all — to be available. This means:

  • The Outlook add-in cannot be used for delegate scheduling with on-premises Exchange Server.

  • Delegates must use the Microsoft 365 Outlook client, Outlook 2021 or later for Mac/PC, or Outlook on the Web to schedule meetings on behalf of another user.

How can I identify the official Zoom add-in Application?

The official Zoom for Outlook application available from the Microsoft AppSource store installs to your Entra ID Enterprise Apps directory under the name “Zoom-Office-add-in-SSO” with the Application ID ce63c970-e2d7-45e6-bee1-80c330b0800b.

Do I need to update the Outlook Plugin or add-in?

As of January 2025, Microsoft has begun replacing legacy Exchange Online tokens with Nested app authentication (NAA). Zoom admins, in collaboration with Entra admins, should configure NAA within the Zoom web portal following the instructions in the support article Configuring nested app authentication for Office add-ins.

Note

Nested app authentication (NAA) is only supported with Exchange Online. Organizations using Exchange 2019 (or other on-premises versions of Exchange) will need to continue utilizing legacy Exchange user identity tokens and callback tokens, as these are not blocked in on-premises environments.

Otherwise, the Zoom for Outlook add-in is a web-based application that does not require local installation on user machines and instead appears as a built-in web application that operates through web APIs to communicate with Zoom’s Web Calendaring Service. The add-in is available for Windows and macOS Outlook apps, Android and iOS Outlook apps, and Outlook on the web. The add-in can be configured and mass-deployed by Outlook administrators or installed by individual users.

The Outlook Plugin operates as an installed piece of software, which is subject to occasional updates and enhancements. Consequently, the plugin requires version management and upgrades over time.

Note

Nested app authentication is not required for the Outlook Plugin.

Which scheduling tool is best suited for my environment?

Google Workspace

Organizations using Google Workspace can easily enable all users to schedule Zoom Meetings through Google Calendar by installing the Zoom for GSuite app from the Google Workspace Marketplace. The app is centrally managed and automatically updates as Zoom submits enhancements to Google.

Alternatively, the browser-based extensions are also available for use, but are generally more suited for personal account users because they require a local installation, periodic updates and are not centrally managed.

Microsoft

For organizations using Microsoft 365 or on-premises Exchange Server, the best option depends on both the environment and how calendar integration is configured.

The Zoom for Outlook add-in is the preferred tool for Microsoft 365 environments—whether you're using the desktop, web, or mobile versions of Outlook. The add-in requires Outlook for Microsoft 365, Outlook 2013 or later for Windows, or Outlook 2016 or later for Mac.

To ensure seamless calendar updates, organizations should also enable bi-directional calendar sync. This allows Zoom to automatically reflect changes made to Outlook calendar events—such as rescheduled times or cancellations—without requiring users to manually update or remove meetings via the add-in. This is especially important because Zoom meeting links can expire if changes aren't captured, particularly when a meeting is moved more than 30 days beyond its original date. Meeting IDs typically expire after 30 days unless they are part of a recurring series.

The modern JavaScript API (v1.8), which powers event-based automation like OnAppointmentSend, isn’t supported by the following environments and applications:

  • On-premises Exchange environments

  • Classic Outlook connected to M365

  • Mobile Outlook on iOS and Android

As a result, Zoom cannot automatically detect or update meetings through the add-in in these setups. Without bi-directional sync or API-based automation, even recurring meetings may not reflect changes—leading to expired or invalid Zoom links.

The Zoom Outlook Plugin is supported only on Windows systems. It provides enhanced meeting synchronization through direct integration with the Zoom Workplace app, bypassing Microsoft API limitations. While it’s recommended for Windows systems without bi-directional sync, it has notable constraints:

  • Requires IT-managed MSI updates

  • Slower meeting scheduling

  • No macOS or mobile support

Zoom Rooms

Zoom Rooms calendaring integration is performed independently of the user’s desktop or mobile client integration.

After setup, calendar events appear on Zoom Rooms displays, including television screens, scheduling interfaces, and control panels. Users can start or join meetings with one touch on the room controller.

The following steps are a high-level outline of the setup process:

  1. Configure Microsoft Exchange Online and update PowerShell scripts for Zoom Rooms mailbox settings

  2. Set up Microsoft Graph API permissions to enable calendar data access

Zoom recommends Microsoft Graph API with Application Permissions as the standard integration method. This recommendation aligns with Microsoft's plan to remove Exchange Web Services (EWS) protocols. The Graph API method provides the most stable connection between Zoom Rooms and Microsoft 365 calendars.

Note

Organizations using third-party conference room systems (such as Cisco, Poly, and Lifesize) must complete additional steps through the Zoom Enhanced API Connector to ensure proper calendar and meeting functions. Please see our M365 Calendaring Field Guide document for more information on configuring calendaring access for Zoom Rooms.

Which methods can I use to grant access to room mailboxes?

Zoom Rooms calendaring integration relies on the Microsoft Graph API (MGAPI). Microsoft has begun phasing out the Exchange Web Services (EWS) methods which were previously available to connect Microsoft 365 data with Zoom services. Zoom considers these EWS methods to be legacy options.

Google Workspace only has a single method for applying permissions.

Which permissions are required for the service account?

The specific permission will vary depending on the selected method. Each option and the required permissions are detailed in the table below:

Provider

Method

Required Permissions

Microsoft 365/Microsoft Exchange Server

Application Permissions (Microsoft Graph API)

Administrator Account: Organization Management and Recipient Management

Microsoft 365/Microsoft Exchange Server

Full Delegate Access (Microsoft Graph API)

Send As Full Access

Google Workspace

-

Make changes and manage sharing

Zoom Recommendation

Zoom recommends calendar integrations use the Application Permissions method. This configuration requires less administrator effort, and does not require a dedicated service account. It’s also Microsoft’s recommended approach for Enterprise applications running as background services.

Enhanced API Connector

Calendaring integration for standards-based H.323 and SIP room systems through the Enhanced API Connector (released in early 2021) is performed independently of user client and Zoom Rooms configuration. The service account methodology and permissions is identical to the Zoom Rooms section previously covered.

What is different about the Enhanced API Connector data flow?

Room systems connected through the Enhanced API Connector will not contact calendaring providers directly, which differs from the Zoom client and Zoom Room connection flows. The Zoom Web Service acts as a client for these systems and will push calendaring data directly to the endpoints, with an exception for Poly devices. Poly devices will first query the Zoom Web Service for calendaring updates, which then transmits calendaring data to the device.

How many days of calendar events are retrieved?

The Enhanced API Connector retrieves upcoming meeting data for the next 30 days and removes completed meetings from storage after 30 days.

Last updated

Was this helpful?