Skip to main content

 

Eptura Knowledge Center

Control access to calendars

  1. Last updated
  2. Save as PDF

RBAC for Applications in Exchange Online allows admins to grant permissions to an application that's independently accessing data in Exchange Online. This grant can be paired with a scope of access (resource scope) to specify which mailboxes an app can access. 

Learn morehttps://learn.microsoft.com/en-us/exchange/permissions-exo/application-rba

How to implement RBAC for Applications for Exchange Sync

Condeco's Exchange Sync uses Role Based Access Control (RBAC) for Applications to create and manage events in Microsoft Exchange resource calendars. Follow the steps to control access to resource calendars with RBAC for Applications.

Steps
  1. Grant admin consent
  2. Verify token provider app registration and copy IDs 
  3. Connect to Exchange Online 
  4. Create a service principal for the registered app
  5. Create distribution groups to manage roles
  6. RBAC access to room mailboxes 
  7. RBAC accessibility to Service account user
  8. Create new management role assignment and assign distribution group members
  9. Post deployment step: Test Service Principal Access for service account user
Step 1: Grant admin consent

Admin consent must be provided before executing the Powershell commands described below. To grant admin consent:

  1. Start the Token app with the appropriate URL:
    1. For a Production/Pilot environment, use https://condecotokenapp.condecosoftware.com
    2. For a UAT/Trial environment, use https://condecouattokenapp.condecosoftware.com
  2. Click Grant Admin Consent.
    rbac 01.png
  3. Enter your Microsoft 365 admin account credentials to open the 'Permissions requested' popup window. Review the requested permissions and click Accept to continue.
    rbac 02.png
    Learn more: https://learn.microsoft.com/en-us/ex...lication-roles
Step 2: Verify token provider app registration and copy IDs
  1. Open Microsoft Azure portal and navigate to 'Enterprise applications' to verify the token provider app is registered.
  2. Copy the Application ID and Object ID values as you will need them later.
    rbac 03.png
Step 3: Connect to Exchange Online

Open Windows PowerShell and execute the following to connect to Exchange Online:

Install-Module -Name ExchangeOnlineManagement
Connect-ExchangeOnline
Step 4: Create a service principal for the registered app

In the following PowerShell script, replace the variables within the quotation marks ( " ) with the Application ID and Object ID you copied in Step 2, and a display name for the service principal, then execute the command:

New-ServicePrincipal -AppId "<Application ID>" -ObjectId "<Object ID>" -DisplayName "<name>"

Example: New-ServicePrincipal -AppId "5d123456-2345-41cd-a2c3-d671a3162bc1" -ObjectId "f8d98a96-2345-41cd-a2c3-69971c7bb423" -DisplayName "TestServicePrincipal"

Step 5: Create distribution groups to manage roles

Avoid assigning roles directly to users and assign roles to groups instead. As well as being easier to manage, this helps to minimize the number of role assignments, which are limited per subscription. Learn morehttps://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-rbac-limits

Two distribution groups are required:

  • Room List distribution group: Contains all Exchange rooms mailboxes that you want to access through the service principal. This must be a Room List distribution group type.
  • Security distribution group: Contains the users that have access to the service principal. 

Distribution groups already exist? If your Room and Security distribution lists already exist, jump to the next step.

Run the following two PowerShell commands to create the distribution groups. Replace the variables within the quotation marks ( " ) appropriately.

  1. Create a Room List distribution group:
New-DistributionGroup -Name <name> -DisplayName "<DisplayName of room Distribution group>" –PrimarySmtpAddress "<Distribution group mailbox>" –RoomList

Example: New-DistributionGroup -Name TestRoomDistGroup -DisplayName "Test Room Dist group" –PrimarySmtpAddress TestRoomDistGroup@abc.xyz.com –RoomList

  1. Create a Security distribution group:
New-DistributionGroup -Name <name> -DisplayName "<DisplayName of user Distribution group>" –PrimarySmtpAddress "<Distribution user group mailbox>" –Type "Security"

Example: New-DistributionGroup -Name TestUserDistGroup -DisplayName "Test User Dist group" –PrimarySmtpAddress TestUserDistGroup@abc.xyz.com -Type "Security"

Step 6: RBAC access to room mailboxes

For the Room List distribution group for room mailboxes, replace the variables within the quotation marks ( " ) appropriately then run the following PowerShell command for each mailbox:

Add-DistributionGroupMember -Identity "<room Distribution group mailbox>" -Member "<member mailbox>"

Example: Add-DistributionGroupMember -Identity "TestRoomDistGroup@abc.xyz.com" -Member "TestRoom1@abc.xyz.com"

We suggest verifying the successful addition of one or two mailboxes to the distribution group using the script, before adding the remaining mailboxes.

Step 7: RBAC accessibility to Service account user

For the Security distribution group for group members, replace the variables within the quotation marks ( " ) appropriately then run the following PowerShell command:

Add-DistributionGroupMember -Identity "<user Distribution group mailbox>" -Member "<member mailbox>"

Example: Add-DistributionGroupMember -Identity "TestUserDistGroup@abc.xyz.com" -Member "TestUser1@abc.xyz.com"

Step 8: Create new management role assignment and assign distribution group members

In the following PowerShell script, replace the variables within the quotation marks ( " ) with the Application IDObject ID, or display name for the service principal and the Application IDObject IDdisplay name, or email address for the security distribution group, then execute the command to create a new management role assignment and add scope for the security distribution group.

New-ManagementRoleAssignment [[-Name] <String>] -App "<ObjectID, AppID, or DisplayName>" -Role "Application EWS.AccessAsApp" -RecipientGroupScope "<ObjectId, DisplayName, or email address of user Distribution group>"

Example: New-ManagementRoleAssignment -Name TestMgmtRole -App "5d123456-2345-41cd-a2c3-d671a3162bc1" -Role "Application EWS.AccessAsApp" -RecipientGroupScope "TestUserDistGroup@abc.xyz.com"

Step 9: Post deployment step: Test Service Principal Access for service account user

Run the following PowerShell command to test the service principal access for the service account user. Replace the variables within the quotation marks ( " ) with the Application ID you copied in Step 2 and the email address of the security distribution group.

Test-ServicePrincipalAuthorization -Identity "<Application ID in AAD>" -Resource "<ResourceMailboxAddress>" | Format-Table

Example: Test-ServicePrincipalAuthorization -Identity "5d123456-0999-41cd-a2c3-d671a3162bc1" -Resource "TestUser1@abc.xyz.com" | Format-Table

Good to know

  • Any changes to the already created management role assignments, i.e. adding a new mailbox to the distribution group, can take up to 2 hours to reflect the token generation for that mailbox.

  • If no custom scope is provided when creating the management role assignment, the token generated via such an app works for the whole tenant.

Exchange Sync home