Versions Compared

Version Old Version 18 New Version 19
Changes made by

Christoph Witzemann

Amar Zerig

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

Content

Table of Contents
minLevel1
maxLevel1
outlinefalse
stylenone
excludeContent
typelist
printablefalse

1️⃣ Overview

Application Permission are used to connect a 3rd party application to M365. In this guide, we will show you how you can register the application and give the rights to access the agendas of the meeting rooms. For the connection between the Roomz portal and the application, you will need the client secret, the application ID, and the tenant ID. These details can be obtained by following the guide.

Securing with Mail Enabled Security Groups

Note

To ensure security and prevent the application from accessing all calendars, we use Mail Enabled Security Groups. These groups restrict the application's access to only the necessary calendars. It is crucial to follow the guide carefully to configure these groups correctly, ensuring that permissions are properly set and that the application does not compromise the privacy of other calendars.

By carefully following this guide, you will ensure a secure and efficient integration of the Microsoft calendars with ROOMZ while maintaining strict control over access to sensitive data.

2️⃣ Register the ROOMZ Application

The first step involves creating a ROOMZ application on Microsoft Azure to enable access to the agendas.

A. Open Microsoft Azure Portal and log in with an administrator account.

B. Once logged, search for Azure Active Directory:

...

 

C. On the left panel, search for App registrations:

...

D. Click on + New registration:

...

 

E. Specify the name of the application (e.g. ROOMZGraph) and the first option Account in this organizational directory only

...

 

F. Click on API permissions:

...

 

G. If you already have a permission, you can remove it.

...

H. Then click on + Add a permission, and select Microsoft Graph:

...

 

I. Choose Application permissions:

...

 

J. In the list of permissions, select Calendars.ReadWrite: and then click Add permissions:

...

 

K. Click on Grant admin consent for your company:

...

 

L. Once accepted, it should appear as follows:

...

 

M. Click on Certificates & secrets:

...

 

N. Click on + New client secret:

...

 

O. Specify the desired expiry date. When the secret expires, you'll need to renew it and update it in the ROOMZ Portal. Currently, the longest possible period is 2 years (even when selecting the "Custom" option). We recommend setting the expiry to 24 months.

...

P. Here you will find the Client Secret. This information will be required for the connector, you should copy it for example in your Notepad. It is important that you copy the Value of the client secret, and not the Secret ID

...

Q. When you click on "Overview" now, you will find the Application (client) ID and the Directory (tenant) ID. These two values will also be required for the connector, so please copy them too.

...

The registration of the ROOMZ application is done.

...

3️⃣ Limit access to meeting rooms only

With the previous configuration, the application is permitted to access the agenda of all resources and users within the organization.

...

The following commands have to be executed using Exchange Online PowerShell with admin rights. Once executed, it might take up to 15 minutes before being effective.

A. Execute the following command and connect to your Microsoft365 using an admin account.

...

Expand
titleTo resolve errors related to the 'Connect-ExchangeOnline' command

Install or start Exchange Online PowerShell Module. You can install the Module directly in the PowerShell on your Computer:

  1. Update your PowerShell to the latest version by using the following commands:

    Code Block
    winget install --id Microsoft.Powershell --source winget

    Please note that if you had PowerShell V5 before, the new PowerShell V7 will be a new app on your PC, we recommend to use the version 7.x.

  2. Now you can install the Module by the following commands:

    Code Block
    Install-Module -Name ExchangeOnlineManagement

    If you get an error message like the following, you have to allow PowerShell to run scripts:

    Code Block
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine

    After the installation, we recommend to set the policy again to “restricted”:

    Code Block
    Set-ExecutionPolicy -ExecutionPolicy restricted -Scope LocalMachine

  3. You need to import the module :

    Code Block
    Import-Module ExchangeOnlineManagement

B. Create a Mail-enabled security group with the following command. Here the name of the group is RoomzResources. You have to replace the PrimarySmtpAddress with a valid domain name.

Code Block
New-DistributionGroup -Name RoomzResources -Alias RoomzResources -PrimarySmtpAddress RoomzResources@myorganization.com -Type security

C. Fill this group with the necessary rooms. Don't forget to change the name "RoomzResources" if you have used a different name, and replace my-room by the identifier of your meeting room :

...

Code Block
Get-Mailbox| where {$_.RecipientTypeDetails -eq "RoomMailbox"} | foreach {Add-DistributionGroupMember -Identity RoomzResources -Member $_.UserPrincipalName}

D. Apply an application access policy with the following command. Replace the myAppId with the Application (client) ID from the previous section. Replace RoomzResources with the name of the group you created.

Code Block
New-ApplicationAccessPolicy -AppId myAppId -PolicyScopeGroupId RoomzResources -AccessRight RestrictAccess -Description "Restricted ROOMZ Access"

E. In order to reduce the propagation time required by Microsoft Azure, this command can accelerate the process:

...

 The application is now restricted to access only the agenda of the group RoomzResources, which contains only meeting rooms needed. If you create new meeting rooms, please re-execute the command at point 5️⃣ .

...

4️⃣ Meeting Title & Private Flag

By default, when a user is sending an invitation for reserving a meeting room, Exchange will only store the name of the organizer in the agenda of the meeting room. The meeting's title and the private flag are not stored.

...

When a meeting is private, the display will show the information as follows:

...

5️⃣ Add a new resource to the Mail enabled security group

You can add the new room using PowerShell commands with the ExchangeOnline Module in PowerShell (2.1) or by using the graphical interface in the M365 Admin Center (2.2).

...

Code Block
Add-DistributionGroupMember -Identity "RoomzResources" -Member myROOM

Graphical user interface

  • Login to the Admin Portal of M365 and browse to “active teams and groups” :

  • Select Mail-enabled security and sear for ROOMZ Ressources, click on Members and View all and manage members:

  • You can now click to add members and search for your new resources and add them to the group. (it could take up to 24h until the resource in the ROOMZ Portal is green)