Microsoft 365 (Application Permission Security group)

Overview

Application permissions are used to connect a third-party application to M365. This guide shows how to register the application and grant it the rights to access the agendas of the meeting rooms. For the connection between the ROOMZ portal and the application, you will need the client secret, the application ID and the tenant ID; the steps below show where to obtain them.

Securing with Mail Enabled Security Groups

To ensure security and prevent the application from accessing all calendars, we use Mail Enabled Security Groups. These groups restrict the application's access to only the necessary calendars. It is crucial to follow the guide carefully to configure these groups correctly, ensuring that permissions are properly set and that the application does not compromise the privacy of other calendars.

By carefully following this guide, you will ensure a secure and efficient integration of the Microsoft calendars with ROOMZ while maintaining strict control over access to sensitive data.

Register the ROOMZ Application

The first step involves creating a ROOMZ application on Microsoft Azure to enable access to the agendas.

A. Open Microsoft Azure Portal and log in with an administrator account.

B. Once logged in, search for Azure Active Directory:

C. On the left panel, search for App registrations:

D. Click on + New registration:

E. Specify the name of the application (e.g. ROOMZGraph) and select the first option, Accounts in this organizational directory only.

F. Click on API permissions:

G. If a permission is already listed, you can remove it.

H. Then click on + Add a permission, and select Microsoft Graph:

I. Choose Application permissions:

J. In the list of permissions, select Calendars.ReadWrite, then click Add permissions:

K. Click on Grant admin consent for your company:

L. Once accepted, it should appear as follows:

M. Click on Certificates & secrets:

N. Click on + New client secret:

O. Specify the desired expiry date. When the secret expires, you'll need to renew it and update it in the ROOMZ Portal. Currently, the longest possible period is 2 years (even when selecting the "Custom" option). We recommend setting the expiry to 24 months.

P. Here you will find the client secret. It is required for the connector, so copy it somewhere safe (for example into Notepad) and treat it like a password. Make sure you copy the Value of the client secret, not the Secret ID.

Q. When you click on "Overview" now, you will find the Application (client) ID and the Directory (tenant) ID. These two values will also be required for the connector, so please copy them too.

The registration of the ROOMZ application is done.


Limit access to meeting rooms only

With the previous configuration, the application is permitted to access the agenda of all resources and users within the organization.

However, ROOMZ only requires access to the agenda of specific meeting rooms. Therefore, we recommend executing the following PowerShell commands to restrict access accordingly.

The following commands have to be executed using Exchange Online PowerShell with admin rights. Once executed, it might take up to 15 minutes before being effective.

A. Execute the following command to connect to your Microsoft 365 tenant using an admin account.

Connect-ExchangeOnline

If you encounter an error while executing the above command, follow the instructions below.

Install or start the Exchange Online PowerShell module. You can install the module directly from PowerShell on your computer:

  1. Update your PowerShell to the latest version by using the following commands:

    winget install --id Microsoft.Powershell --source winget

    Note that if you previously had PowerShell 5, PowerShell 7 is installed as a separate app on your PC; we recommend using version 7.x.

  2. Now install the module with the following command:

    Install-Module -Name ExchangeOnlineManagement

    If you get an error message like the following, you have to allow PowerShell to run scripts:

    After the installation, we recommend setting the execution policy back to "Restricted":

  3. Import the module:

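
The three sub-steps above as one PowerShell session, written for this page as an added example (it is not a script from the ROOMZ guide). It installs the module for the current user only, widens the execution policy for the current user rather than the whole machine, and checks the session before any Exchange command is run. The guide's screenshots of the execution-policy commands are not reproduced here; Set-ExecutionPolicy is the standard cmdlet for that setting, and RemoteSigned is this example's choice of value (the module from Microsoft is signed, so it loads under that policy).

```powershell
# Added example, not part of the ROOMZ guide. Run in PowerShell 7.x.
# Assumptions: local admin rights for winget, and an Exchange admin account for Connect-ExchangeOnline.

# 1. PowerShell 7 (installs side by side with Windows PowerShell 5.1; open the new "PowerShell 7" app afterwards)
winget install --id Microsoft.Powershell --source winget

# 2. The module, for the current user only (no machine-wide change, no elevation needed)
if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
    Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser
}

# If Install-Module or Import-Module is blocked because "running scripts is disabled", relax the
# policy for this user only. Get-ExecutionPolicy -List shows every scope, so you can see which
# one is actually in effect before changing anything.
Get-ExecutionPolicy -List
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

# 3. Import and connect
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Confirm which account and tenant the session is bound to before running the commands in the next steps
Get-ConnectionInformation
```

The guide recommends tightening the policy back to Restricted once the installation is done; that is the same cmdlet with -ExecutionPolicy Restricted -Scope CurrentUser.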

B. Create a Mail-enabled security group with the following command. Here the name of the group is RoomzResources. You have to replace the PrimarySmtpAddress with a valid domain name.

C. Fill this group with the necessary rooms. Don't forget to change the name "RoomzResources" if you used a different name, and replace my-room with the identifier of your meeting room:

You can also add all meeting rooms at once. Don't forget to change the name "RoomzResources" if you used a different name:

D. Apply an application access policy with the following command. Replace myAppId with the Application (client) ID from the previous section, and RoomzResources with the name of the group you created.

E. To reduce the propagation time required by Microsoft Azure, the following command can accelerate the process:

The application is now restricted to the agenda of the group RoomzResources, which contains only the meeting rooms that are needed. If you create new meeting rooms, you can add them directly in graphical mode by following the point below.
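
The whole lockdown (steps B to E) as one added PowerShell session. This is example code written for this page, not a script from ROOMZ: contoso.com, the room and user addresses and the all-zero application ID are placeholders to replace with your own values, and the two Test-ApplicationAccessPolicy calls at the end are an extra check, not a command from the guide, that the policy grants the room and denies an ordinary user.

```powershell
# Added example, not part of the ROOMZ guide. Requires an active Connect-ExchangeOnline session.
# Placeholders (replace with your values): the contoso.com domain, my-room@contoso.com, alice@contoso.com, the app ID.
$GroupName = 'RoomzResources'
$GroupSmtp = 'RoomzResources@contoso.com'            # must use an accepted domain of your tenant
$AppId     = '00000000-0000-0000-0000-000000000000'   # Application (client) ID from the registration step

# B. Mail-enabled security group. -Type Security is what makes it a security group rather than a plain
#    distribution group; an application access policy needs a security principal as its scope.
if (-not (Get-DistributionGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $GroupName -Alias $GroupName -Type Security -PrimarySmtpAddress $GroupSmtp | Out-Null
}

# C. Either one room at a time ...
Add-DistributionGroupMember -Identity $GroupName -Member 'my-room@contoso.com'

# ... or every room mailbox in the tenant. Filtering on RecipientTypeDetails keeps user mailboxes
#    out of the group, which is the whole point of the restriction.
Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited | ForEach-Object {
    Add-DistributionGroupMember -Identity $GroupName -Member $_.PrimarySmtpAddress -ErrorAction SilentlyContinue
}

# D. Scope the application to the group. RestrictAccess: the app can reach only mailboxes in the group.
New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $GroupSmtp -AccessRight RestrictAccess `
    -Description 'ROOMZ may read/write meeting-room calendars only'

# Check (re-run after a while if the first result is unexpected, since the policy needs time to propagate):
# a room in the group should come back with AccessCheckResult Granted, a normal user with Denied.
Test-ApplicationAccessPolicy -Identity 'my-room@contoso.com' -AppId $AppId
Test-ApplicationAccessPolicy -Identity 'alice@contoso.com'   -AppId $AppId
```

The -ErrorAction SilentlyContinue on the bulk add only hides the "already a member" error on re-runs; remove it while debugging if a room does not show up in the group.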

Add a new resource to the Mail enabled security group

You can skip this point if you are configuring the application for the first time. This point allows you to add new resources to the previously created group.

You can add the new room using PowerShell commands with the ExchangeOnlineManagement module, or by using the graphical interface in the M365 Admin Center.

Execute the following command to connect to your Microsoft 365 account using an admin account.

You have to execute the following command, replacing my-room with the identifier of your meeting room. Don't forget to change the name RoomzResources if you used a different name:
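
Whichever way a room is added, it is worth checking afterwards what the application can actually reach. The following audit is an added example written for this page, not part of the ROOMZ guide: it lists the members of the group, flags any member that is not a room mailbox (a user mailbox in this group means that user's calendar is exposed to the application), and asks Exchange whether the policy grants the app access to each member. The group name and the all-zero application ID are placeholders, and Get-RoomzAccessReport is a function defined here, not a cmdlet.

```powershell
# Added example, not part of the ROOMZ guide. Requires an active Connect-ExchangeOnline session.
$GroupName = 'RoomzResources'                          # placeholder: your group name
$AppId     = '00000000-0000-0000-0000-000000000000'    # placeholder: Application (client) ID

function Get-RoomzAccessReport {
    param([string]$Group, [string]$App)

    # One row per group member: what it is, and what Exchange says the app may do with it
    foreach ($member in Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited) {
        $smtp   = $member.PrimarySmtpAddress
        $result = Test-ApplicationAccessPolicy -Identity $smtp -AppId $App

        [pscustomobject]@{
            Member    = $smtp
            Type      = $member.RecipientTypeDetails
            IsRoom    = ($member.RecipientTypeDetails -eq 'RoomMailbox')
            AppAccess = $result.AccessCheckResult
        }
    }
}

$report = Get-RoomzAccessReport -Group $GroupName -App $AppId
$report | Format-Table -AutoSize

# Anything reported here should not be in the group: remove it and run the report again.
$report | Where-Object { -not $_.IsRoom } | ForEach-Object {
    Write-Warning "$($_.Member) is a $($_.Type), not a room mailbox; the application can reach its calendar."
}

# A room that is in the group but still Denied usually means the policy has not propagated yet.
$report | Where-Object { $_.IsRoom -and $_.AppAccess -ne 'Granted' } | ForEach-Object {
    Write-Warning "$($_.Member) is in the group but the access check returned $($_.AppAccess); wait and re-run."
}
```

Running this after each change to the group (and once more a day later, given the propagation times mentioned above) gives a record of exactly which calendars the application can read and write.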

Graphical user interface

  • Log in to the M365 Admin Center and browse to “Active teams and groups”:

  • Select Mail-enabled security and search for your group (RoomzResources in this guide), click on Members and then View all and manage members:

  • You can now click Add members, search for your new resources and add them to the group. (It can take up to 24 hours before the resource shows as green in the ROOMZ Portal.)

Meeting Title & Private Flag

By default, when a user is sending an invitation for reserving a meeting room, Exchange will only store the name of the organizer in the agenda of the meeting room. The meeting's title and the private flag are not stored.

This is the result you will get on a ROOMZ Display if nothing is changed:

If you want to show the meeting title, the following PowerShell command has to be executed for each room. When a meeting is marked as private, its title is replaced by 'Reserved' on the ROOMZ Display.

(Adapt the parameter "myRoom@myorganization.fr" to the email address of the desired meeting room.)

The following command applies the setting to all rooms:
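
Set-CalendarProcessing is the Exchange Online cmdlet that controls what a room mailbox keeps from an invitation. The following is an added example written for this page, not the guide's own command: it reads the current values for one room, changes them so the subject and the private flag are kept, reads them back to confirm, and then applies the same change to every room mailbox. myRoom@myorganization.fr is the page's placeholder address.

```powershell
# Added example, not part of the ROOMZ guide. Requires an active Connect-ExchangeOnline session.
$Room = 'myRoom@myorganization.fr'    # placeholder from the guide: the room's email address

# Before: the default processing that leaves only the organizer's name in the room's agenda
Get-CalendarProcessing -Identity $Room |
    Select-Object Identity, DeleteSubject, AddOrganizerToSubject, RemovePrivateProperty

# Keep the subject, do not overwrite it with the organizer's name, and keep the private flag
# so that a private meeting can be shown as 'Reserved' instead of its title.
Set-CalendarProcessing -Identity $Room `
    -DeleteSubject $false `
    -AddOrganizerToSubject $false `
    -RemovePrivateProperty $false

# After: read the values back; all three should now be False
Get-CalendarProcessing -Identity $Room |
    Select-Object Identity, DeleteSubject, AddOrganizerToSubject, RemovePrivateProperty

# The same for every room mailbox in the tenant (the RecipientTypeDetails filter excludes user mailboxes)
Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited | ForEach-Object {
    Set-CalendarProcessing -Identity $_.PrimarySmtpAddress `
        -DeleteSubject $false -AddOrganizerToSubject $false -RemovePrivateProperty $false
}
```

Only existing and future invitations are affected by the change; the read-back with Get-CalendarProcessing is the quickest way to confirm a room was actually updated before checking the display.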

The title of the upcoming meetings will then be shown:

When a meeting is private, the display will show the information as follows:

Create the booking system in the ROOMZ Portal

Once your booking system is ready, it's time to add it to your ROOMZ Portal. Click on Add Booking System and choose your connector.

Give your connector a friendly name and fill in all the required information. You can then click Save.

Find out more about the "Show image in attachments" option in the article "Microsoft Exchange: Show images" on the ROOMZ Support Wiki (atlassian.net).

If you are using Microsoft 365 you can enable the option Instant booking with online meeting. If activated, an instant reservation from the ROOMZ display will create a Microsoft Teams Online meeting.

Click on Add Resource and fill in the Name of the resource and the Resource ID (very often, its email address).

Click Test all to check that your connector is set up correctly.

Everything's green? Great!

Something's not working? Click on the status indicator to find out more about the error.

In case of an error, you can Edit your resource and test the connectivity again.

Once all the tests are OK, you can move on to the next step!

Next step

3 - Device Registration