Microsoft 365 (Application Permission RBAC)

Content

Overview

Application Permission are used to connect a 3rd party application to M365. With the RBAC way (Role-Based Access Control) documented in this page, you will never need to add a command if you create a new resource, all will be updated from Microsoft. Another benefit of the current way is that the API himself has no Permission to all calendars, only to the scope created and contain all meeting room resources. For the connection between the Roomz portal and the application, you will need the client secret, the application ID, and the tenant ID. These details can be obtained by following the guide.

Register the ROOMZ Application

The first step consists of creating a ROOMZ application on Microsoft Azure in order to provide the access to the agendas.

a. Open Microsoft Azure Portal and log in with an administrator account.

b. Once logged, search for Microsoft Entra ID:

 

c. On the left panel, search for App registrations:

 

d. Click on + New registration:

 

e. Specify the name of the application (e.g. ROOMZGraph) and the first option Account in this organizational directory only

 

f. Click on API permissions:

 

g. Should you have already a permission, you can remove it:

 

h. Click on Certificates & secrets:

 

i. Click on + New client secret:

 

j. Define the wished expiry date. When the secret expires, you will have to renew it and adapt it in the ROOMZ Portal. Today, the longest possible period is 2 years (even when choosing the "Custom" option). We recommend defining the expiry to 24 months:

In graphical mode, you are limited to a maximum of 2 years, as per Microsoft's recommendation. You can use the following command line to extend beyond 2 years (You need to modify the values in bold):

New-AzureADApplicationPasswordCredential -ObjectId YourObjectID -CustomKeyIdentifier Roomz -Value $secret -StartDate (Get-Date) -EndDate (Get-Date).AddYears(5)

k. Here you will find the Client Secret. This information will be required for the connector, you should copy it for example in your Notepad. It is important that you copy the Value of the client secret, and not the Secret ID

Here is how you can renew the client secret: https://roomzio.atlassian.net/wiki/spaces/SUP/pages/429850625/Booking+System#How-to-renew-the-client-secret

 

l. When clicking now on Overview, you will find the Application (client) ID and the Directory (tenant) ID. The 2 values will also be required for the connector, please copy them too

 

The registration of the ROOMZ application is done.


Give the Application permission access to the meetingrooms

With the configuration made before, the API has no access rights. We now need to give the API access to the meeting rooms.

The following commands have to be executed using Exchange Online PowerShell with admin rights. Once executed, it might take up to 15 minutes before being effective.

a. Execute the following command and connect to your Microsoft365 using an admin account.

Connect-ExchangeOnline

If you encounter an error while executing the above command, please click below this message and follow the instructions.

Install or start Exchange Online PowerShell Module. You can install the Module directly in the PowerShell on your Computer:

  1. Update your PowerShell to the latest version by using the following commands:

    winget install --id Microsoft.Powershell --source winget

    Please note that if you had PowerShell V5 before the new PowerShell V7 will be a new app on your PC, we recommend using the version 7.x.
    If you have troubles updating your PowerShell with the winget, please visit the following page of Microsoft and try another way: https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-windows?WT.mc_id=THOMASMAURER-blog-thmaure&view=powershell-7.3#winget

  2. Now you can install the Module by the following commands:

    Install-Module -Name ExchangeOnlineManagement

    If you get an error message like the following, you have to allow PowerShell to run scripts:

    After the installation, we recommend to set the policy again to “restricted”:

  3. You need to import the module :

b. Enable organization customization, if it is already enabled you will get an error message.

c. Create a new management scope containing all the meeting rooms, replace “RoomzRessources” if you want a different name for the scope. Please keep in mind the scope will have access to all the room mailboxes in your enterprise, if you prefer to select specific rooms don’t hesitate to do it like…

d.1 Create a Service Principal for the API. Replace myAppID with Application (client) ID and myObjectID with the Object ID of the Enterprise application:

On the overview page of the app registration, click on “Managed application in…” to get to the Enterprise application.

d.2 Create the Service Principal

e. Allow the Application the access to the scope created above. Replace the myAppId with the Application (client) ID . Replace RoomzResources with the name of the scope you created.

 

f. The configuration of the Booking System is now done, please have a look to the next section. To be able to show meeting Title on the ROOMZ Displays.


Meeting Title & Private Flag

By default, when a user is sending an invitation for reserving a meeting room, Exchange will only store the name of the organizer in the agenda of the meeting room. The meeting's title and the private flag are not stored.

This is the result you will get on a ROOMZ Display, if no setup is changed: 

If you want to show the meeting title, the following PowerShell command has to be executed for each room. When the meeting is considered as 'private', the title of the meeting will be replaced by 'Reserved' on the ROOMZ Display. 

(Adapt the parameter "myRoom@myorganization.fr" to the email address of the desired meeting room)

The following command allows applying the parameter to all rooms :

The title of the upcoming meetings will then be shown:

When a meeting is private, the display will show the information as follows :