Microsoft 365 (Application Permission RBAC)
Overview
Application permissions are used to connect a third-party application to M365. With the RBAC approach (Role-Based Access Control) documented on this page, you never need to add a command when you create a new resource; everything is updated from Microsoft. Another benefit of this approach is that the API itself has no permission on all calendars, only on the scope you create, which contains all meeting room resources. For the connection between the ROOMZ portal and the application you will need the client secret, the application ID and the tenant ID. These details can be obtained by following this guide.
Register the ROOMZ Application
The first step consists of creating a ROOMZ application in Microsoft Azure in order to provide access to the agendas.
a. Open Microsoft Azure Portal and log in with an administrator account.
b. Once logged in, search for Microsoft Entra ID:
c. On the left panel, search for App registrations:
d. Click on + New registration:
e. Specify the name of the application (e.g. ROOMZGraph) and select the first option, Accounts in this organizational directory only
f. Click on API permissions:
g. If a permission is already present, you can remove it:
h. Click on Certificates & secrets:
i. Click on + New client secret:
j. Define the desired expiry date. When the secret expires, you will have to renew it and update it in the ROOMZ Portal. Today, the longest possible period is 2 years (even when choosing the "Custom" option). We recommend setting the expiry to 24 months:
In graphical mode, you are limited to a maximum of 2 years, as per Microsoft's recommendation. You can use the following command line to extend beyond 2 years. Replace YourObjectID with the Object ID of the application and set the variable $secret to the secret value beforehand; the command requires the AzureAD PowerShell module and an active Connect-AzureAD session:
New-AzureADApplicationPasswordCredential -ObjectId YourObjectID -CustomKeyIdentifier Roomz -Value $secret -StartDate (Get-Date) -EndDate (Get-Date).AddYears(5)
k. Here you will find the client secret. This value will be required for the connector and is shown only once, so copy it, for example into Notepad. It is important that you copy the Value of the client secret, not the Secret ID.
Here is how you can renew the client secret: https://roomzio.atlassian.net/wiki/spaces/SUP/pages/429850625/Booking+System#How-to-renew-the-client-secret
l. When you now click on Overview, you will find the Application (client) ID and the Directory (tenant) ID. Both values are also required for the connector, so copy them too.
The registration of the ROOMZ application is done.
Give the Application permission access to the meeting rooms
With the configuration made so far, the API has no access rights. We now need to give the API access to the meeting rooms.
The following commands have to be executed using Exchange Online PowerShell with admin rights. Once executed, it might take up to 15 minutes before being effective.
a. Execute the following command and connect to your Microsoft 365 tenant using an admin account.
Connect-ExchangeOnline
b. Enable organization customization; if it is already enabled, you will get an error message.
c. Create a new management scope containing all the meeting rooms; replace "RoomzResources" if you want a different name for the scope. Keep in mind that the scope will grant access to all the room mailboxes in your organization; if you prefer to select specific rooms, you can restrict the filter like…
d.1 Create a Service Principal for the API. Replace myAppID with the Application (client) ID and myObjectID with the Object ID of the Enterprise application:
On the overview page of the app registration, click on “Managed application in…” to get to the Enterprise application.
d.2 Create the Service Principal
e. Allow the application access to the scope created above. Replace myAppId with the Application (client) ID and RoomzResources with the name of the scope you created.
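Steps b to e as one Exchange Online PowerShell session. This is an added example and not the page's own commands: <myAppId>, <myObjectId>, the display name ROOMZGraph and the room and user addresses are placeholders, and the narrowed filter on CustomAttribute1 is an assumption showing how the scope can be limited to specific rooms.

```powershell
# Added example: Exchange Online RBAC for Applications, steps b to e in one session.
# Placeholders to replace: <myAppId>, <myObjectId>, and the room/user addresses.
# Requires the ExchangeOnlineManagement module and an Exchange admin account.
Connect-ExchangeOnline

# b. Enable organization customization (returns an error if already enabled; that is fine).
Enable-OrganizationCustomization

# c. Management scope covering every room mailbox in the tenant.
New-ManagementScope -Name "RoomzResources" `
    -RecipientRestrictionFilter "RecipientTypeDetails -eq 'RoomMailbox'"

# Alternative (assumption): restrict the scope to rooms tagged with a custom attribute,
# so the application cannot reach rooms you did not tag.
# New-ManagementScope -Name "RoomzResources" `
#     -RecipientRestrictionFilter "RecipientTypeDetails -eq 'RoomMailbox' -and CustomAttribute1 -eq 'ROOMZ'"

# d. Register the application's service principal in Exchange Online.
#    -AppId    : Application (client) ID from the app registration overview
#    -ObjectId : Object ID of the Enterprise application (not the app registration's Object ID)
#    Check Get-Help New-ServicePrincipal for the parameter name in your module version
#    (recent versions call this parameter -ServiceId).
New-ServicePrincipal -AppId "<myAppId>" -ObjectId "<myObjectId>" -DisplayName "ROOMZGraph"

# e. Grant the application the calendar role, limited to the scope from step c.
#    No mailbox outside the scope is reachable through this assignment.
New-ManagementRoleAssignment -App "<myAppId>" `
    -Role "Application Calendars.ReadWrite" `
    -CustomResourceScope "RoomzResources"

# Check: the InScope column reports whether the assignment covers a given mailbox.
# Run it once against a room and once against a normal user mailbox to confirm
# that only room mailboxes are in scope.
Test-ServicePrincipalAuthorization -Identity "<myAppId>" -Resource "room1@myorganization.fr"
Test-ServicePrincipalAuthorization -Identity "<myAppId>" -Resource "user1@myorganization.fr"

# The role assignment can take up to 15 minutes to become effective.
```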
f. The configuration of the booking system is now done. Please have a look at the next section to be able to show meeting titles on the ROOMZ Displays.
Meeting Title & Private Flag
By default, when a user sends an invitation to reserve a meeting room, Exchange only stores the name of the organizer in the agenda of the meeting room. The meeting's title and the private flag are not stored.
This is the result you will get on a ROOMZ Display if nothing in the setup is changed:
If you want to show the meeting title, the following PowerShell command has to be executed for each room. When a meeting is marked as private, its title will be replaced by 'Reserved' on the ROOMZ Display.
(Adapt the parameter "myRoom@myorganization.fr" to the email address of the desired meeting room.)
The following command applies the setting to all rooms:
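An added example (not the page's own command) of the Set-CalendarProcessing settings that keep the subject and the private flag on a room calendar, first for the single room named on the page and then for every room mailbox; the exact parameters are my assumption about what the page's command contains.

```powershell
# Added example: keep meeting title and private flag in room calendars.
# Run in Exchange Online PowerShell with an admin account.
Connect-ExchangeOnline

# Single room (address taken from the page).
# -DeleteSubject $false          : keep the meeting subject instead of wiping it
# -AddOrganizerToSubject $false  : do not replace/prefix the subject with the organizer name
# -RemovePrivateProperty $false  : keep the private flag so the display can show "Reserved"
Set-CalendarProcessing -Identity "myRoom@myorganization.fr" `
    -DeleteSubject $false `
    -AddOrganizerToSubject $false `
    -RemovePrivateProperty $false

# Same settings for every room mailbox in the tenant.
Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited |
    Set-CalendarProcessing -DeleteSubject $false `
        -AddOrganizerToSubject $false `
        -RemovePrivateProperty $false

# Check the resulting configuration of all rooms.
Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited |
    Get-CalendarProcessing |
    Select-Object Identity, DeleteSubject, AddOrganizerToSubject, RemovePrivateProperty
```

Existing bookings keep the subject they were stored with; the settings only affect invitations processed after the change.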
The title of the upcoming meetings will then be shown:
When a meeting is private, the display will show the information as follows:
Create the booking system in the ROOMZ Portal
Once your booking system is ready, it's time to add it to your ROOMZ Portal. Click on Add Booking System and choose your connector.
Give your connector a friendly name and fill in all the required information. You can then click Save.
Find out more about the "Show image in attachments" option : Microsoft Exchange: Show images - ROOMZ Support - Wiki (atlassian.net)
If you are using Microsoft 365 you can enable the option Instant booking with online meeting. If activated, an instant reservation from the ROOMZ display will create a Microsoft Teams Online meeting.
Click on Add Resource and fill in the Name of the Resource, and the Resource ID (very often, its email address).
You can click Test all to check that your connector is set up correctly.
Everything's green? Great!
Something's not working? Click on the status indicator to learn more about the error.
In case of an error, you can edit your resource and test the connectivity again.
Once all the tests are OK, you can move on to the next step!
Next step