RBAC for Applications in Exchange Online
Microsoft is ending support for Role Based Access Control (RBAC) for Application Impersonation in Exchange Online. Condeco Exchange Sync customers still using this old technology must now implement RBAC for Applications in Exchange Online, which does not use the Application Impersonation role.
Why this matters
Condeco Exchange Sync used RBAC for Application Impersonation to create and manage calendar events in Microsoft Exchange resource calendars using Exchange Web Services (EWS). Moving to RBAC for Applications allows Exchange Sync to continue to access these calendars when Microsoft removes support for RBAC for Application Impersonation.
More information at Microsoft:
- https://techcommunity.microsoft.com/t5/exchange-team-blog/retirement-of-rbac-application-impersonation-in-exchange-online/ba-p/4062671
- https://learn.microsoft.com/en-us/exchange/permissions-exo/application-rba
Condeco Microsoft 365 integration (Smart Calendar) customers are unaffected by this change.
How to move Exchange Sync service to RBAC for Applications
Condeco's Exchange Sync uses Role Based Access Control (RBAC) for Applications to create and manage events in Microsoft Exchange resource calendars. Follow the steps to control access to resource calendars with RBAC for Applications.
Steps
- Grant admin consent
- Verify token provider app registration and copy IDs
- Connect to Exchange Online
- Create a service principal for the registered app
- Create distribution groups to manage roles
- RBAC access to room mailboxes
- RBAC accessibility to Service account user
- Create new management role assignment and assign distribution group members
- Post deployment step: Test Service Principal Access for service account user
- Notify Eptura Support
See also: Good to know
Step 1: Grant admin consent
Admin consent must be provided before executing the Powershell commands described below. To grant admin consent:
- Start the Token app with the appropriate URL:
- For a Production/Pilot environment, use https://condecotokenapp.condecosoftware.com
- For a UAT/Trial environment, use https://condecouattokenapp.condecosoftware.com
- Click Grant Admin Consent.
- Enter your Microsoft 365 admin account credentials to open the 'Permissions requested' popup window. Review the requested permissions and click Accept to continue.
Learn more: https://learn.microsoft.com/en-us/ex...lication-roles
Step 2: Verify token provider app registration and copy IDs
- Open Microsoft Azure portal and navigate to 'Enterprise applications' to verify the token provider app is registered.
- Copy the Application ID and Object ID values as you will need them later.
Step 3: Connect to Exchange Online
Open Windows PowerShell and execute the following to connect to Exchange Online:
Install-Module -Name ExchangeOnlineManagement Connect-ExchangeOnline
Step 4: Create a service principal for the registered app
In the following PowerShell script, replace the variables within the quotation marks ( " ) with the Application ID and Object ID you copied in Step 2, and a display name for the service principal, then execute the command:
New-ServicePrincipal -AppId "<Application ID>" -ObjectId "<Object ID>" -DisplayName "<name>"
Example: New-ServicePrincipal -AppId "5d123456-2345-41cd-a2c3-d671a3162bc1" -ObjectId "f8d98a96-2345-41cd-a2c3-69971c7bb423" -DisplayName "TestServicePrincipal"
Step 5: Create distribution groups to manage roles
Avoid assigning roles directly to users and assign roles to groups instead. As well as being easier to manage, this helps to minimize the number of role assignments, which are limited per subscription. Learn more: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-rbac-limits
Two distribution groups are required:
- Room List distribution group: Contains all Exchange rooms mailboxes that you want to access through the service principal. This must be a Room List distribution group type.
- Security distribution group: Contains the service account user that has access to the service principal.
Distribution groups already exist? If your Room and Security distribution lists already exist, jump to the next step.
Run the following two PowerShell commands to create the distribution groups. Replace the variables within the quotation marks ( " ) appropriately.
- Create a Room List distribution group:
New-DistributionGroup -Name <name> -DisplayName "<DisplayName of room Distribution group>" –PrimarySmtpAddress "<room Distribution group mailbox>" –RoomList
Example: New-DistributionGroup -Name TestRoomDistGroup -DisplayName "Test Room Dist group" –PrimarySmtpAddress TestRoomDistGroup@abc.xyz.com –RoomList
- Create a Security distribution group:
New-DistributionGroup -Name <name> -DisplayName "<DisplayName of security Distribution group>" –PrimarySmtpAddress "<security Distribution group mailbox>" –Type "Security"
Example: New-DistributionGroup -Name TestSecurityDistGroup -DisplayName "Test Security Dist group" –PrimarySmtpAddress TestSecurityDistGroup@abc.xyz.com -Type "Security"
Step 6: RBAC access to room mailboxes
For the Room List distribution group for room mailboxes, replace the variables within the quotation marks ( " ) appropriately then run the following PowerShell command for each mailbox:
Add-DistributionGroupMember -Identity "<room Distribution group mailbox>" -Member "<Exchange room mailbox>"
Example: Add-DistributionGroupMember -Identity "TestRoomDistGroup@abc.xyz.com" -Member "TestRoom1@abc.xyz.com"
We suggest verifying the successful addition of one or two mailboxes to the distribution group using the script, before adding the remaining mailboxes.
Step 7: RBAC accessibility to Service account user
For the Security distribution group for group members, replace the variables within the quotation marks ( " ) appropriately then run the following PowerShell command:
Add-DistributionGroupMember -Identity "<security Distribution group mailbox>" -Member "<service account mailbox>"
Example: Add-DistributionGroupMember -Identity "TestSecurityDistGroup@abc.xyz.com" -Member "ServiceAccount@abc.xyz.com"
You will need to provide the Service account mailbox details added here to Eptura Support at the end of the process.
Step 8: Create new management role assignment and assign distribution group members
In the following PowerShell script, replace the variables within the quotation marks ( " ) with the Application ID, Object ID, or display name for the service principal and the Application ID, Object ID, display name, or email address for the security distribution group, then execute the command to create a new management role assignment and add scope for the security distribution group.
New-ManagementRoleAssignment [[-Name] <String>] -App "<ObjectID, AppID, or DisplayName>" -Role "Application EWS.AccessAsApp" -RecipientGroupScope "<ObjectId, DisplayName, or email address of security Distribution group>"
Example: New-ManagementRoleAssignment -Name TestMgmtRole -App "5d123456-2345-41cd-a2c3-d671a3162bc1" -Role "Application EWS.AccessAsApp" -RecipientGroupScope "TestSecurityDistGroup@abc.xyz.com"
Step 9: Post deployment step: Test Service Principal Access for service account user
Run the following PowerShell command to test the service principal access for the service account user. Replace the variables within the quotation marks ( " ) with the Application ID you copied in Step 2 and the email address of the service account maibox.
Test-ServicePrincipalAuthorization -Identity "<Application ID in AAD>" -Resource "<ServiceAccountMailboxAddress>" | Format-Table
Example: Test-ServicePrincipalAuthorization -Identity "5d123456-0999-41cd-a2c3-d671a3162bc1" -Resource "ServiceAccount@abc.xyz.com" | Format-Table
Step 10: Notify Eptura Support
Contact Eptura Support to confirm the changes are complete and provide details of the Service account mailbox added in Step 7.
Good to know