Content
Table of Contents | ||||||
---|---|---|---|---|---|---|
|
Introduction
Microsoft announced that Exchange Online (Office 365) - EWS will not be available anymore starting October 13th, 2020.
The Microsoft's recommendation is now to use Microsoft Graph. For Exchange On-Premise, EWS will stay the solution to use.
This documentation describes the steps required in order get ROOMZ access to the agenda of the meeting rooms using Microsoft Graph.
1️⃣ Overview
Application Permission are used to connect a 3rd party application to M365. We had in the past a documentation with giving the API full access (read & write) to all agendas (User and resources) and limited then the access by using a Mail-enabled security group. If you have this in place, and you had added a new resource the new resource in the ROOMZ Poral will be red, you will find the command under this page. But we recommand to use the new way (Role-Based Access Control (RBAC)) documented in this page, you will never need to add a command if you create a new resource, all will be updated from Microsoft. Another benefit of the current way is that the API himself has no Permission to all calendars, only to the scope created and contain all meeting room resources.
2️⃣ Register the ROOMZ Application
The first step consists of creating a ROOMZ application on Microsoft Azure in order to provide the access to the agendas.
a. Open Microsoft Azure Portal and log in with an administrator account.
b. Once logged, search for
...
Microsoft Entra ID:
...
c. On the left panel, search for App registrations:
...
d. Click on + New registration:
...
e. Specify the name of the application (e.g. ROOMZGraph) and the first option Account in this organizational directory only
...
f. Click on API permissions:
...
g. Should you have already a permission, you can remove it:
...
Then click on + Add a permission, and select Microsoft Graph:
...
...
Chose Application permissions:
...
...
In the list of permissions, select Calendars.ReadWrite: and then click Add permissions:
...
...
Click on Grant admin consent for your company:
...
...
Once accepted, it should look like the following:
...
h. Click on Certificates & secrets:
...
i. Click on + New client secret:
...
...
j. Define the wished expiry date. When the secret expires, you will have to renew it and adapt it in the ROOMZ Portal. Today, the longest possible period is 2 years (even when choosing the "Custom" option). We recommend defining the expiry to 24 months:
...
Info |
---|
In graphical mode, you are limited to a maximum of 2 years, as per Microsoft's recommendation. You can use the following command line to extend beyond 2 years (You need to modify the values in bold): New-AzureADApplicationPasswordCredential -ObjectId YourObjectID -CustomKeyIdentifier Roomz -Value $secret -StartDate (Get-Date) -EndDate (Get-Date).AddYears(5) |
k. Here you will find the Client Secret. This information will be required for the connector, you should copy it for example in your Notepad. It is important that you copy the Value of the client secret, and not the Secret ID
...
Info |
---|
Here is how you can renew the client secret: https://roomzio.atlassian.net/wiki/spaces/SUP/pages/429850625/Booking+System#How-to-renew-the-client-secret |
l. When clicking now on Overview, you will find the Application (client) ID and the Directory (tenant) ID. The 2 values will also be required for the connector, please copy them too
...
...
The registration of the ROOMZ application is done.
...
3️⃣ Give the Application permission access to
...
the meetingrooms
With the previous configuration made before, the application is allowed to access the agenda of all resources and users of the organization.
ROOMZ only requires to have access to the agenda of the meeting rooms. For this reason, we recommend to execute the following PowerShell commands in order to restrict the access.
Tip |
---|
Hint: the following connection with the Exchange Admin Center must be executed using Edge or Internet Explorer |
...
Install or start Exchange Online PowerShell Module. You can download it from the Exchange admin Center.
Once logged in, scroll down to Hybrid.
(Should you have any issue when downloading this file with Google Chrome, please try with Edge).
...
API has no access rights. We now need to give the API access to the meeting rooms.
The following commands have to be executed using Exchange Online PowerShell with admin rights. Once executed, it might take up to 15 minutes before being effective.
a. Execute the following command and connect to your
...
Microsoft365 using an admin account.
Code Block |
---|
...
language | powershell |
---|
...
Connect-EXOPSSession
Create a Mail-enabled security group with the following command. Here the name of the group is RoomzResources. You have to replace the PrimarySmtpAddress with a valid domain name.
Code Block |
---|
New-DistributionGroup -Name RoomzResources -Alias RoomzResources -PrimarySmtpAddress RoomzResources@myorganization.com -Type security |
Fill this group with all room mailboxes. Don't forget to change the name of RoomzResources should you have used another name:
...
Connect-ExchangeOnline |
Note |
---|
If you encounter an error while executing the above command, please click below this message and follow the instructions. |
Expand | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
Install or start Exchange Online PowerShell Module. You can install the Module directly in the PowerShell on your Computer:
|
b. Enable organization customization, if it is already enabled you will get an error message.
Code Block |
---|
Enable-OrganizationCustomization |
c. Create a new management scope containing all the meeting rooms, replace “RoomzRessources” if you want a different name for the scope:
Code Block |
---|
New-ManagementScope -Name "RoomzResources" -RecipientRestrictionFilter {RecipientTypeDetails -eq "RoomMailbox"} |
...
d.1 Create a Service Principal for the API. Replace myAppID with Application (client) ID and myObjectID with the Object ID of the Enterprise application:
Note |
---|
Please be aware that the Object ID in the Enterprise application is not the same then in the App Registration! |
On the overview page of the app registration, click on “Managed application in…” to get to the Enterprise application.
...
d.2 Create the Service Principal
Code Block |
---|
New-ServicePrincipal -AppId myappId -ServiceId myObjectId -DisplayName "ROOMZ ServicePrincipal" |
e. Allow the Application the access to the scope created above. Replace the myAppId with the Application (client) ID
...
. Replace RoomzResources with the name of the
...
scope you created.
Code Block |
---|
New- |
...
ManagementRoleAssignment - |
...
App myappId - |
...
Role |
...
In order to reduce the propagation time required by Microsoft Azure, this command can accelerate the process:
Code Block | ||
---|---|---|
| ||
Update-DistributionGroupMember RoomzResources |
...
Thanks to this, the application is now restricted to access only the agenda of the group RoomzResources, containing only meeting rooms. Should you create new meeting rooms, please re-execute the command on point 4.
"Application Calendars.ReadWrite" -CustomResourceScope "RoomzResources" |
f. The configuration of the Booking System is now done, please have a look to the next section. To be able to show meeting Title on the ROOMZ Displays.
...
4️⃣ Meeting Title & Private Flag
By default, when a user is sending an invitation for reserving a meeting room, Exchange will only store the name of the organizer in the agenda of the meeting room. The meeting's title and the private flag are not stored.
...
If you want to show the meeting title, the following PowerShell command has to be executed for each room. When the meeting is considered as 'private', the title of the meeting will be replaced by 'Reserved' on the ROOMZ Display. NOTE : Once executed, this command will only be effective for the new meetings. When new meeting rooms are created, this command has to be executed again.
(Adapt the parameter "myRoom@myorganization.fr" to the email address of the desired meeting room)
Code Block | ||
---|---|---|
| ||
Set-CalendarProcessing -Identity "myRoom@myorganization.fr"-AddOrganizerToSubject $false -DeleteSubject $false -RemovePrivateProperty $false |
The following command allows applying the parameter to all rooms :
|
Panel | ||||||
---|---|---|---|---|---|---|
| ||||||
Once executed, this command will only be effective for the new meetings. When new meeting rooms are created, this command has to be executed again. |
...
The title of the future upcoming meetings will then be correctly shown on the device:
...
When a meeting is private, the display will show the information as follows :
...