Condeco's Exchange Sync uses Role Based Access Control (RBAC) for Applications to create and manage events in Microsoft Exchange resource calendars. Follow the steps to control access to resource calendars with RBAC for Applications.
Step 2: Verify the token provider app registration and copy its IDs
- Open the Microsoft Azure portal and navigate to 'Enterprise applications' to verify that the token provider app is registered in the tenant.
- Copy the Application ID and the Object ID of the enterprise application (the service principal object, not the Object ID shown under 'App registrations'); you will need both later.

Step 3: Connect to Exchange Online
Open Windows PowerShell as an account that holds an Exchange administrator role and execute the following to install the module (if it is not already installed) and connect to Exchange Online:
Install-Module -Name ExchangeOnlineManagement
Connect-ExchangeOnline
Step 4: Create a service principal for the registered app
In the following PowerShell script, replace the variables within the quotation marks ( " ) with the Application ID and Object ID you copied in Step 2, and a display name for the service principal, then execute the command:
New-ServicePrincipal -AppId "<Application ID>" -ObjectId "<Object ID>" -DisplayName "<name>"
Example: New-ServicePrincipal -AppId "5d123456-2345-41cd-a2c3-d671a3162bc1" -ObjectId "f8d98a96-2345-41cd-a2c3-69971c7bb423" -DisplayName "TestServicePrincipal"
Step 5: Create distribution groups to manage roles
Two distribution groups are required:
- Room List distribution group: Contains all Exchange room mailboxes that you want to access through the service principal. It must be created as a Room List distribution group (the -RoomList type).
- Security distribution group: A mail-enabled security group that contains the service account user. This group becomes the recipient scope of the role assignment in Step 8, so keep its membership limited to that account.
Distribution groups already exist? If your Room and Security distribution lists already exist, jump to the next step.
Run the following two PowerShell commands to create the distribution groups. Replace the variables within the quotation marks ( " ) appropriately.
- Create a Room List distribution group:
New-DistributionGroup -Name "<name>" -DisplayName "<DisplayName of room Distribution group>" -PrimarySmtpAddress "<room Distribution group mailbox>" -RoomList
Example: New-DistributionGroup -Name TestRoomDistGroup -DisplayName "Test Room Dist group" -PrimarySmtpAddress TestRoomDistGroup@abc.xyz.com -RoomList
- Create a Security distribution group:
New-DistributionGroup -Name "<name>" -DisplayName "<DisplayName of security Distribution group>" -PrimarySmtpAddress "<security Distribution group mailbox>" -Type "Security"
Example: New-DistributionGroup -Name TestSecurityDistGroup -DisplayName "Test Security Dist group" -PrimarySmtpAddress TestSecurityDistGroup@abc.xyz.com -Type "Security"
Step 6: RBAC access to room mailboxes
For the Room List distribution group for room mailboxes, replace the variables within the quotation marks ( " ) appropriately then run the following PowerShell command for each mailbox:
Add-DistributionGroupMember -Identity "<room Distribution group mailbox>" -Member "<Exchange room mailbox>"
Example: Add-DistributionGroupMember -Identity "TestRoomDistGroup@abc.xyz.com" -Member "TestRoom1@abc.xyz.com"
We suggest adding one or two mailboxes first and confirming that they appear as members of the Room List group before adding the remaining mailboxes.
Step 7: Grant RBAC access to the service account user
Add the service account mailbox to the Security distribution group. Replace the variables within the quotation marks ( " ) appropriately, then run the following PowerShell command:
Add-DistributionGroupMember -Identity "<security Distribution group mailbox>" -Member "<service account mailbox>"
Example: Add-DistributionGroupMember -Identity "TestSecurityDistGroup@abc.xyz.com" -Member "ServiceAccount@abc.xyz.com"
You will need to provide the Service account mailbox details added here to Eptura Support at the end of the process.
Step 8: Create new management role assignment and assign distribution group members
In the following PowerShell script, replace the value of -App with the Application ID, Object ID, or display name of the service principal, and the value of -RecipientGroupScope with the Object ID, display name, or email address of the security distribution group, then execute the command. This creates a management role assignment that grants the app the "Application EWS.AccessAsApp" role, limited to the mailboxes that are members of the security distribution group; mailboxes outside that group are not reachable through this assignment.
New-ManagementRoleAssignment [[-Name] <String>] -App "<ObjectID, AppID, or DisplayName>" -Role "Application EWS.AccessAsApp" -RecipientGroupScope "<ObjectId, DisplayName, or email address of security Distribution group>"
Example: New-ManagementRoleAssignment -Name TestMgmtRole -App "5d123456-2345-41cd-a2c3-d671a3162bc1" -Role "Application EWS.AccessAsApp" -RecipientGroupScope "TestSecurityDistGroup@abc.xyz.com"
Step 9: Post-deployment step: Test service principal access for the service account user
Run the following PowerShell command to confirm that the service principal is authorized for the service account mailbox. Replace the variables within the quotation marks ( " ) with the Application ID you copied in Step 2 and the email address of the service account mailbox. The output should list the "Application EWS.AccessAsApp" role with the mailbox reported as in scope; if it is not, re-check the group membership from Step 7 and the -RecipientGroupScope value from Step 8.
Test-ServicePrincipalAuthorization -Identity "<Application ID in AAD>" -Resource "<ServiceAccountMailboxAddress>" | Format-Table
Example: Test-ServicePrincipalAuthorization -Identity "5d123456-2345-41cd-a2c3-d671a3162bc1" -Resource "ServiceAccount@abc.xyz.com" | Format-Table
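The following script is an added example that runs Steps 3 to 9 end to end; it is not Condeco's or Eptura's own script. It assumes the ExchangeOnlineManagement module is installed, that the account running it holds an Exchange administrator role, and that the IDs, group names, addresses and room mailboxes in the parameter block are placeholders you replace with your own. Unlike the individual commands above, it is safe to re-run: it skips objects that already exist, warns if the scope group has grown beyond the service account, and finishes with both a positive check (the service account is in scope) and a negative check (a room mailbox is not reachable through the app role).

```powershell
# Added example, not the vendor's script. All IDs, names and addresses are placeholders.
#Requires -Modules ExchangeOnlineManagement
param(
    [Parameter(Mandatory)] [string] $AppId,      # Application (client) ID from Step 2
    [Parameter(Mandatory)] [string] $ObjectId,   # Object ID of the Enterprise application (service principal)
    [string]   $SpDisplayName  = "CondecoExchangeSyncSP",
    [string]   $RoomGroupName  = "CondecoRoomList",
    [string]   $RoomGroupSmtp  = "CondecoRoomList@abc.xyz.com",
    [string]   $SecGroupName   = "CondecoSyncScope",
    [string]   $SecGroupSmtp   = "CondecoSyncScope@abc.xyz.com",
    [string]   $AssignmentName = "CondecoExchangeSync-EWS",
    [string]   $ServiceAccount = "ServiceAccount@abc.xyz.com",
    [string[]] $RoomMailboxes  = @("TestRoom1@abc.xyz.com", "TestRoom2@abc.xyz.com")
)
$ErrorActionPreference = "Stop"
$RoleName = "Application EWS.AccessAsApp"

# Step 3: connect (prompts for the admin credential).
Connect-ExchangeOnline -ShowBanner:$false

# Step 4: create the service principal only if it does not exist yet.
if (-not (Get-ServicePrincipal -Identity $AppId -ErrorAction SilentlyContinue)) {
    New-ServicePrincipal -AppId $AppId -ObjectId $ObjectId -DisplayName $SpDisplayName | Out-Null
}

# Step 5: Room List group and mail-enabled security group, created only if absent.
if (-not (Get-DistributionGroup -Identity $RoomGroupSmtp -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $RoomGroupName -DisplayName $RoomGroupName `
        -PrimarySmtpAddress $RoomGroupSmtp -RoomList | Out-Null
}
if (-not (Get-DistributionGroup -Identity $SecGroupSmtp -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $SecGroupName -DisplayName $SecGroupName `
        -PrimarySmtpAddress $SecGroupSmtp -Type Security | Out-Null
}

# Step 6: add each room mailbox, skipping those already present.
$roomMembers = @(Get-DistributionGroupMember -Identity $RoomGroupSmtp).PrimarySmtpAddress
foreach ($room in $RoomMailboxes) {
    if ($roomMembers -notcontains $room) {
        Add-DistributionGroupMember -Identity $RoomGroupSmtp -Member $room
    }
}

# Step 7: the security group is the recipient scope of the role assignment, i.e. the
# full set of mailboxes the app can reach, so it should contain only the service account.
$secMembers = @(Get-DistributionGroupMember -Identity $SecGroupSmtp)
if ($secMembers.PrimarySmtpAddress -notcontains $ServiceAccount) {
    Add-DistributionGroupMember -Identity $SecGroupSmtp -Member $ServiceAccount
}
$extra = $secMembers | Where-Object { $_.PrimarySmtpAddress -ne $ServiceAccount }
if ($extra) {
    Write-Warning "Scope group $SecGroupSmtp has unexpected members: $($extra.PrimarySmtpAddress -join ', ')"
}

# Step 8: one assignment of the EWS application role, scoped to the security group.
if (-not (Get-ManagementRoleAssignment -Identity $AssignmentName -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Name $AssignmentName -App $AppId `
        -Role $RoleName -RecipientGroupScope $SecGroupSmtp | Out-Null
}

# Step 9: positive check (service account in scope) and negative check
# (a room mailbox, which is not in the scope group, must not be reachable via this role).
$inScope  = @(Test-ServicePrincipalAuthorization -Identity $AppId -Resource $ServiceAccount)
$outScope = @(Test-ServicePrincipalAuthorization -Identity $AppId -Resource $RoomMailboxes[0])
$inScope | Format-Table
if (-not ($inScope | Where-Object { $_.RoleName -eq $RoleName -and $_.InScope })) {
    throw "Service account $ServiceAccount is not in scope for app $AppId"
}
if ($outScope | Where-Object { $_.RoleName -eq $RoleName -and $_.InScope }) {
    Write-Warning "$($RoomMailboxes[0]) is reachable through $RoleName; review the scope group membership"
}
Write-Host "RBAC for Applications configured; report $ServiceAccount to Eptura Support (Step 10)."
```

Run it as `.\Configure-ExchangeSyncRbac.ps1 -AppId "<Application ID>" -ObjectId "<Enterprise application Object ID>"` after adjusting the other parameters. The negative check is the part worth keeping in any change procedure: RBAC for Applications grants access to exactly the members of the -RecipientGroupScope group, so a mailbox that unexpectedly reports in scope means the scope group has been widened.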
Step 10: Notify Eptura Support
Contact Eptura Support to confirm that the changes are complete and provide the details of the service account mailbox you added in Step 7.