Introduction

Places Live

Places Live is a browser-based suite of tools for managing and reporting on Microsoft Places resources via the Microsoft Graph API. No software installation is required — everything runs directly in a modern web browser.

Built by AVI-SPL, Places Live gives workplace managers, IT administrators, and facilities teams full visibility and control over their Microsoft Places estate: from creating and editing buildings, floors, sections, rooms, workspaces, and desks, to uploading georeferenced floor maps and exporting live inventory data for reporting.

Microsoft Places required Places Live is a management layer on top of Microsoft Places. Your organisation must have Microsoft Places deployed and configured in your Microsoft 365 tenant before using Places Live.

Key capabilities

Control Center

Create, edit, and delete all Places resource types. Includes bulk import from CSV and multi-type batch operations.

Map Conversion Beta

Convert PDF or image floor plans into georeferenced IMDF packages ready for upload to Microsoft Places.

Map Import & Export

Upload IMDF floor map packages to Places buildings and export full resource inventories as CSV.

Desk Status Report

Read-only desk inventory grouped by building, floor, and section. Filter, search, and export to CSV.

How Places Live is deployed

Places Live is a fully static web application hosted on a global CDN. There is no application server, no database, and no server-side processing of your data. All Microsoft Places data is retrieved and modified directly between your browser and the Microsoft Graph API. AVI-SPL never receives or stores your organisation's Places data.

Attribute Detail
DeploymentGlobal CDN (static hosting)
AuthenticationMicrosoft MSAL.js — OAuth 2.0 PKCE
Data sourceMicrosoft Graph API v1.0
Data storageNone — no AVI-SPL backend
Multi-tenantYes — any approved Microsoft 365 organisation
Browser supportAll modern browsers (Chrome, Edge, Firefox, Safari)

Getting Started

Getting Started

Before you can use Places Live, there are a small number of prerequisites to confirm. Once those are in place, accessing the tools takes less than a minute.

Prerequisites

The following must be in place before your organisation can use Places Live:

Requirement Details
Microsoft 365 account Users sign in with their existing work or school Microsoft 365 account. Consumer Microsoft accounts (personal Outlook, Hotmail) are not supported.
Microsoft Places licence Your organisation must have Microsoft Places deployed and licensed. Contact your Microsoft account team or AVI-SPL for licensing information.
Admin consent granted A Microsoft 365 Global Administrator or Privileged Role Administrator must grant admin consent for the required Graph API permissions on behalf of the organisation. See Admin Consent for details.
AVI-SPL access enabled Your organisation's Microsoft 365 tenant ID must be on the Places Live access allowlist. Contact AVI-SPL to arrange this.
First time? If you are a new customer, contact AVI-SPL to initiate onboarding. We will verify your tenant, arrange admin consent, and enable access. The process typically takes less than one business day.

Your first sign-in

  1. Navigate to places.tandilab.com/app/ in a modern browser. You will see the Places Live sign-in screen.
  2. Click Sign in with Microsoft. You will be redirected to the standard Microsoft authentication page hosted by Microsoft (login.microsoftonline.com).
  3. Authenticate with your Microsoft 365 work or school account. If your organisation uses multi-factor authentication (MFA), complete the MFA challenge as normal.
  4. On your first sign-in, Microsoft may prompt you to accept the permissions requested by the Places Live application. If admin consent has already been granted organisation-wide, you will not see this prompt.
  5. You will be redirected back to the Places Live portal and signed in. Your session is cached locally so you will not need to sign in again when switching between tools or returning in the same browser.
Access not enabled? If you see an "Access Not Enabled" message after signing in, your organisation's tenant has not yet been added to the access allowlist. Contact AVI-SPL to arrange access. Signing out and retrying with a different account will not resolve this — access is controlled at the tenant level.

Navigating the portal

After signing in you land on the Places Live portal — a dashboard that links to all available tools. Each tool opens in its own URL but shares your sign-in session, so you do not need to authenticate again when switching between applications.

Use the Sign out button in the top-right corner of any tool to end your session. This clears your cached credentials from the browser and signs you out of your Microsoft account on that device.

Applications

Control Center

Control Center is the primary management application in Places Live. It provides full create, read, update, and delete (CRUD) capabilities for every Microsoft Places resource type your organisation has configured.

Write permissions required Creating, editing, and deleting resources requires Place.ReadWrite.All admin consent. Read-only browsing requires only Place.Read.All.

Resource hierarchy

Microsoft Places organises resources in a strict parent-child hierarchy. Control Center reflects this structure in its tree view:

Hierarchy
Building          (root — must exist in Entra ID, cannot be created via API)
  └─ Floor        parentId = building.id
       └─ Section       parentId = floor.id
            ├─ Desk          parentId = section.id
            ├─ Workspace     parentId = section.id
            └─ Room          parentId = section.id  (or floor.id if no section)

Buildings are read-only in the Graph API — they must already exist in your Microsoft Entra ID directory. All other resource types can be created, edited, and deleted through Control Center.

Resource types

TypeCreateEditDeleteNotes
BuildingNoNoNoManaged via Microsoft Entra ID
FloorYesYesYesRequires a parent building
SectionYesYesYesRequires a parent floor
RoomYesYesYesParent can be floor or section
WorkspaceYesYesYesSupports reservable / drop-in / assigned / unavailable modes
DeskYesYesYesSupports reservable / drop-in / assigned / unavailable modes

Desk and workspace modes

Desks and workspaces support four booking modes in Microsoft Places:

ModeDescription
ReservableCan be booked in advance through Microsoft Places or Teams
Drop-inFirst-come, first-served — no booking required
AssignedPermanently assigned to a named individual (requires email address)
UnavailableNot available for use (e.g. under maintenance, reserved for another purpose)

Filtering and searching

The filter bar at the top of Control Center lets you narrow the tree view by building, floor, section, and resource type. The search box filters by display name in real time. Use Expand All and Collapse All to control tree depth.

Bulk import

Control Center includes a Bulk Import function accessible from the top navigation bar. This allows you to create multiple resources at once by uploading a CSV file.

Single-type import

Import a batch of one resource type (e.g. desks only) into a selected parent building, floor, or section. Download a CSV template from the import modal for the correct column headers.

Multi-type import

Import multiple resource types in a single CSV file. Each row specifies its own type and full parent path by name. The import engine processes rows in dependency order (floors before sections before desks/rooms), resolving parent names to IDs automatically. This is the fastest way to populate a new building from scratch.

The multi-type CSV uses 19 columns:

CSV columns
type, building, floor, section, displayName, label, sortOrder, capacity,
nickname, teamsEnabled, audioDevice, videoDevice, displayDevice, mode,
assignedEmail, reason, heightAdjustable, wheelchair, tags
Template download Always download the CSV template from the Import modal rather than building headers manually. The template reflects the exact column order expected by the import engine.

Map Conversion Beta

Map Conversion converts existing floor plan files into georeferenced IMDF (Indoor Mapping Data Format) packages that Microsoft Places can display as interactive floor maps.

Beta feature Map Conversion is in early access. The tool is fully functional but outputs should be reviewed before uploading to Microsoft Places. Behaviour may change between releases.

Supported input formats

PDF JPG / JPEG PNG DXF

Workflow overview

  1. Upload a floor plan file. The application renders it as a background canvas.
  2. Draw room polygons by clicking to place vertices. Assign each polygon an IMDF semantic label (e.g. room, restroom, corridor).
  3. Optionally use Auto-detect (flood-fill with adaptive thresholding) to detect room boundaries automatically from the floor plan image.
  4. Place desk pins to mark individual desk positions on the floor plan.
  5. Run OCR to read room label text directly from the floor plan image.
  6. Correlate drawn features with your existing Microsoft Places resources (optional — requires sign-in).
  7. Export the finished IMDF package as a ZIP file, or upload it directly to a Microsoft Places building.
Sign-in is optional for drawing You can complete the floor plan drawing and export steps without signing in. Sign-in is only required to load the list of buildings and floors from Microsoft Places, or to upload the finished IMDF package directly to a building.

Re-correlating an existing IMDF

If you already have an IMDF ZIP (for example, one exported from another tool), you can import it into Map Conversion to adjust correlations with your current Places resources and re-export. This is useful when resource IDs change after a reorganisation.

Map Import & Export

Map Import & Export provides a simple interface for uploading floor map packages to Microsoft Places buildings and exporting a full resource inventory as a CSV file.

Floor map upload

To upload a floor map to a building in Microsoft Places:

  1. Select the target building from the dropdown. Buildings are populated from your Microsoft Places tenant.
  2. Drag and drop (or browse to) an IMDF ZIP file. The file must be a valid IMDF package.
  3. If the selected building already has a floor map, a warning is displayed. Confirm the overwrite to proceed.
  4. Click Upload. The file is encoded and submitted to the Graph API. Microsoft Places processes the map asynchronously — this typically takes a few minutes to appear in the Places client.
Uploading replaces the existing map Uploading a new IMDF package to a building permanently replaces the existing floor map. This action cannot be undone from within Places Live. Ensure you have a copy of the original IMDF before proceeding.

Resource export

The export function fetches every place resource under a selected building — floors, sections, rooms, workspaces, and desks — and downloads the data as a CSV file.

Export CSV columns:

CSV
PlaceId, DisplayName, Type, Identity, ParentId

This export is useful for auditing the Places resource IDs associated with a building before or after a map upload.

Desk Status Report

Desk Status Report is a read-only application that shows a live inventory of every desk in your Microsoft Places tenant, grouped by building, floor, and section. It is designed for facilities teams who need a clear operational view of desk allocation without requiring write access.

Read-only access The Desk Status Report uses a separate App Registration with read-only permissions (Place.Read.All only). It cannot make any changes to your Microsoft Places data.

Features

  • Hierarchical tree view — desks are grouped Building > Floor > Section with collapsible nodes
  • Mode badges — each desk displays its current mode: Reservable, Drop-in, Assigned, or Unavailable
  • Filter bar — filter by building, floor, section, or mode
  • Search — filter by desk display name in real time
  • Statistics bar — totals for each mode shown at a glance
  • CSV export — download the full filtered view as a CSV

CSV export columns: Building, Floor, Section, Desk, Mode, Info

Authentication

Authentication

Places Live uses the Microsoft Authentication Library (MSAL.js) to authenticate users via their existing Microsoft 365 credentials. AVI-SPL never handles, receives, or stores passwords.

Sign-in flow

Places Live implements the OAuth 2.0 Authorization Code flow with PKCE (Proof Key for Code Exchange), as recommended by Microsoft for browser-based applications.

Auth flow
1. User clicks "Sign in with Microsoft"
2. Browser redirects to login.microsoftonline.com
3. User authenticates with Microsoft (password + MFA if configured)
4. Microsoft issues an authorisation code
5. MSAL exchanges the code for access + refresh tokens (PKCE)
6. Tokens are stored in browser localStorage
7. Browser redirects back to Places Live
8. All subsequent Graph API calls use the Bearer token

At no point does the Places Live application (or AVI-SPL servers) receive the user's password. Authentication is handled entirely by Microsoft's identity platform at login.microsoftonline.com.

Sessions and token caching

MSAL stores authentication tokens in the browser's localStorage. This means:

  • Your session persists across browser tabs and windows — you do not need to sign in again when opening a new tab
  • Your session persists after closing and reopening the browser (until the token expires or you explicitly sign out)
  • The session is shared between all Places Live tools — signing in once gives you access to Control Center, Map Conversion, Map Import & Export, and Desk Status Report without additional authentication
  • The session is browser and device specific — signing in on Chrome does not affect your Edge session, and signing in on your laptop does not affect your desktop
Token refresh MSAL automatically refreshes access tokens silently in the background before they expire. You will only be prompted to sign in again if the refresh token itself expires (typically after 90 days of inactivity) or if your organisation's Conditional Access policies require re-authentication.

Signing out

Clicking Sign out in any Places Live tool calls msalApp.logoutRedirect(), which:

  1. Clears all cached tokens from localStorage
  2. Redirects to Microsoft's logout endpoint to invalidate the session on Microsoft's side
  3. Returns you to the Places Live sign-in screen

If you are on a shared or public computer, always use Sign out before leaving. Closing the browser tab without signing out does not clear the localStorage session.

Microsoft Graph API permissions that access organisational data require admin consent — a one-time approval by a Microsoft 365 Global Administrator or Privileged Role Administrator on behalf of the entire organisation.

Places Live requires admin consent for the following permissions:

PermissionTypePurpose
User.Read Delegated Read the signed-in user's profile (name, email, tenant ID). Used to display the user's name in the navigation bar and to verify tenant access.
Place.Read.All Delegated Read all Microsoft Places resources (buildings, floors, sections, rooms, workspaces, desks) in the tenant. Required for all tools.
Place.ReadWrite.All Delegated Create, update, and delete Microsoft Places resources. Required only for Control Center and Map Import. The Desk Status Report does not request this permission.

Once admin consent is granted, individual users do not need to approve permissions separately — they can sign in and immediately access the tools.

Admin consent scope Admin consent grants the application permission to request these scopes from users in your organisation. Each user still authenticates individually — admin consent does not allow AVI-SPL or Places Live to access data on behalf of users without their sign-in.

Multi-tenant access

Places Live is a multi-tenant application. Users from any Microsoft 365 organisation can sign in, provided their organisation's tenant has been approved by AVI-SPL and added to the access allowlist.

The allowlist is maintained by AVI-SPL and is injected into the application at build time. Each entry can optionally carry an expiry date, after which access is automatically revoked. This allows AVI-SPL to offer time-limited trial or pilot access to new organisations.

If a user's tenant is not on the allowlist, they will see the "Access Not Enabled" screen immediately after signing in, before any Places data is accessed.

Security

Security

Security and data privacy are central to the design of Places Live. The application is built on a zero-backend architecture — AVI-SPL never receives, processes, or stores your organisation's Microsoft Places data.

Data handling and privacy

The Places Live application contains no server-side code that handles your data. All interactions with Microsoft Places go directly between your browser and the Microsoft Graph API:

Data flow
Browser  ──────────────────────►  Microsoft Graph API (graph.microsoft.com)
         <──────────────────────  Places data (in-memory only)

Browser  ──────────────────────►  Microsoft Identity (login.microsoftonline.com)
         <──────────────────────  Auth tokens (localStorage)

Specific data handling guarantees:

  • No AVI-SPL data storage: Your Places resources, user information, and organisational data are never transmitted to or stored by AVI-SPL servers.
  • No analytics or telemetry: Places Live does not embed analytics trackers, session recording, or telemetry that captures user behaviour or data.
  • In-memory only: Resource data loaded from the Graph API is held only in browser memory for the duration of the session. It is not written to disk, localStorage, or IndexedDB.
  • Auth tokens only: The only data written to browser storage (localStorage) is the authentication tokens managed by MSAL.js — standard practice for browser-based Microsoft 365 applications.

Graph API permissions

Places Live requests the minimum permissions necessary for each tool. Permissions are delegated — they act on behalf of the signed-in user and are constrained by that user's own Microsoft 365 role and permissions.

ToolPermissions requested
Places Live Portal User.Read
Control Center User.Read Place.Read.All Place.ReadWrite.All
Map Conversion User.Read Place.Read.All Place.ReadWrite.All
Map Import & Export User.Read Place.Read.All Place.ReadWrite.All
Desk Status Report User.Read Place.Read.All only — no write access
Limiting write access If you want to restrict a team of users to read-only access, point them to the Desk Status Report only. It uses a separate App Registration that only requests read permissions, so even if a user tries to use the Control Center URL, they would need to authenticate separately with write-scoped tokens.

Tenant isolation

Tenant isolation operates at two independent layers:

  1. Microsoft Graph API layer: All API calls are made with the signed-in user's delegated token. The Graph API enforces that a user can only access data within their own Microsoft 365 tenant. It is architecturally impossible for a user from Tenant A to read Tenant B's Places data via this mechanism — this is a Microsoft-enforced boundary.
  2. Places Live allowlist layer: On top of the Microsoft boundary, Places Live maintains its own allowlist of approved tenant IDs. A user whose tenant is not on the allowlist is blocked at the portal level — before any resource data is loaded — even though their Microsoft credentials are valid.

Transport security

  • HTTPS only: All Places Live pages are served exclusively over HTTPS. Plain HTTP is not permitted.
  • HSTS: HTTP Strict Transport Security (HSTS) is enforced for the production domain.
  • Graph API: All calls to the Microsoft Graph API use HTTPS (TLS 1.2+). The API endpoint is https://graph.microsoft.com/v1.0.
  • Microsoft Identity: Authentication redirects target https://login.microsoftonline.com exclusively.
  • CDN delivery: Static assets are served from a global CDN with TLS termination at edge nodes.
Reporting a security concern If you believe you have identified a security vulnerability in Places Live, please contact us at places@tandilab.com. Do not disclose potential security issues publicly.

FAQ

Frequently Asked Questions

Answers to the most common questions about Places Live. If your question isn't answered here, contact your AVI-SPL account team.

Microsoft Places is a Microsoft 365 service that provides workplace intelligence — helping organisations manage physical spaces such as meeting rooms, desks, and floors. It integrates with Microsoft Teams and Outlook to enable hot-desking, room bookings, and occupancy insights. Places Live is a management tool built on top of Microsoft Places using the Microsoft Graph API.

No. Places Live runs entirely in a modern web browser. There is nothing to download, install, or configure on your device. All you need is a supported browser (Chrome, Edge, Firefox, or Safari) and a Microsoft 365 account with the appropriate permissions.

Your organisation must have Microsoft Places licences and your tenant must have Microsoft Places deployed and configured. For signing in to Places Live itself, any Microsoft 365 work or school account is sufficient — there is no additional Places Live licence requirement beyond AVI-SPL access being enabled for your tenant.

Contact your Microsoft account team or AVI-SPL for guidance on Microsoft Places licensing.

Contact your AVI-SPL account manager or reach out to AVI-SPL directly. We will confirm your Microsoft Places deployment, add your tenant to the access allowlist, and send your administrator the admin consent link to complete setup. The onboarding process is straightforward and typically takes less than one business day.

No. Places Live has a zero-backend architecture. Your Microsoft Places data travels directly between your browser and the Microsoft Graph API — it does not pass through any AVI-SPL servers. AVI-SPL has no access to, and does not store, your organisation's resource data, user information, or organisational content.

The only data AVI-SPL manages is the access allowlist (a list of approved tenant IDs), which is a configuration file in the Places Live repository. This contains no organisational content.

The Microsoft Graph API permissions that Places Live uses — specifically Place.Read.All and Place.ReadWrite.All — are classified as admin-only permissions because they access organisation-wide data. Microsoft requires that a Global Administrator explicitly approves these permissions on behalf of the organisation before individual users can use them.

Admin consent does not allow AVI-SPL or the Places Live application to access your data independently. It only allows users in your organisation, when signed in with their own credentials, to use those permissions.

Yes. The Desk Status Report tool only requires Place.Read.All — it uses a separate App Registration with no write permissions. Users directed to the Desk Status Report URL can sign in and view desk inventory data without any ability to modify resources.

If you want to grant read-only reporting access to a broader audience, the Desk Status Report is the appropriate tool. For full management access (create, edit, delete), use Control Center, which requires Place.ReadWrite.All.

Clicking Sign out in any Places Live tool clears all authentication tokens from your browser's localStorage and redirects your browser to Microsoft's logout endpoint, which invalidates the active session on Microsoft's side. You are then returned to the Places Live sign-in screen.

On shared or public computers, always use the Sign out button rather than just closing the browser tab. Closing a tab does not remove the cached tokens from localStorage.

Places Live supports all modern evergreen browsers:

Microsoft Edge · Google Chrome · Mozilla Firefox · Apple Safari

Internet Explorer is not supported. Microsoft Edge (Chromium) is recommended for the best experience with Microsoft 365 integrations. JavaScript must be enabled.

Once AVI-SPL has confirmed your tenant and added it to the allowlist, access is typically active within a few minutes. Your administrator will need to complete the admin consent step before users can sign in. AVI-SPL will provide the consent link and guide your administrator through this process.

The Places Live portal and Desk Status Report are responsive and work on mobile browsers. Control Center and Map Conversion are optimised for desktop use — they involve dense data trees and drawing interfaces that require a larger screen and keyboard/mouse interaction for the best experience.

For product support, contact your AVI-SPL account manager or open a support request through your existing AVI-SPL support channel. Each Places Live tool also has a built-in Help button (top-right corner) with contextual guidance for that tool.

For security concerns, please contact places@tandilab.com directly rather than using the standard support channel.