Condeco's Exchange Sync uses Role Based Access Control (RBAC) for Applications to create and manage events in Microsoft Exchange resource calendars. Follow the steps to control access to resource calendars with RBAC for Applications.
Step 2: Verify token provider app registration and copy IDs
- Open the Microsoft Azure portal and go to 'Enterprise applications' to confirm that the token provider app is listed there.
- Copy the Application ID and Object ID values of that enterprise application; both are needed in Step 4.
Step 3: Connect to Exchange Online
Open Windows PowerShell and run the following to install the Exchange Online PowerShell module and connect to Exchange Online:
Install-Module -Name ExchangeOnlineManagement
Connect-ExchangeOnline
Step 4: Create a service principal for the registered app
In the following PowerShell script, replace the variables within the quotation marks ( " ) with the Application ID and Object ID you copied in Step 2, and a display name for the service principal, then execute the command:
New-ServicePrincipal -AppId "<Application ID>" -ObjectId "<Object ID>" -DisplayName "<name>"
Example: New-ServicePrincipal -AppId "5d123456-2345-41cd-a2c3-d671a3162bc1" -ObjectId "f8d98a96-2345-41cd-a2c3-69971c7bb423" -DisplayName "TestServicePrincipal"
Step 5: Create distribution groups to manage roles
Two distribution groups are required:
- Room List distribution group: Contains all Exchange room mailboxes that you want to access through the service principal. This must be a Room List distribution group type.
- Security distribution group: Contains the users that are granted access through the service principal. This must be a mail-enabled security group (Type "Security").
Distribution groups already exist? If your Room List and Security distribution groups already exist, skip to the next step.
Run the following two PowerShell commands to create the distribution groups. Replace the variables within the quotation marks ( " ) appropriately.
- Create a Room List distribution group:
New-DistributionGroup -Name "<name>" -DisplayName "<DisplayName of room Distribution group>" -PrimarySmtpAddress "<Distribution group mailbox>" -RoomList
Example: New-DistributionGroup -Name "TestRoomDistGroup" -DisplayName "Test Room Dist group" -PrimarySmtpAddress "TestRoomDistGroup@abc.xyz.com" -RoomList
- Create a Security distribution group:
New-DistributionGroup -Name "<name>" -DisplayName "<DisplayName of user Distribution group>" -PrimarySmtpAddress "<Distribution user group mailbox>" -Type "Security"
Example: New-DistributionGroup -Name "TestUserDistGroup" -DisplayName "Test User Dist group" -PrimarySmtpAddress "TestUserDistGroup@abc.xyz.com" -Type "Security"
Step 6: RBAC access to room mailboxes
Add each room mailbox to the Room List distribution group. Replace the variables within the quotation marks ( " ) appropriately, then run the following PowerShell command once per room mailbox:
Add-DistributionGroupMember -Identity "<room Distribution group mailbox>" -Member "<member mailbox>"
Example: Add-DistributionGroupMember -Identity "TestRoomDistGroup@abc.xyz.com" -Member "TestRoom1@abc.xyz.com"
We suggest adding one or two mailboxes first and confirming that they appear as members of the distribution group before adding the remaining mailboxes.
Step 7: RBAC access for the service account user
Add the service account user (and any other user that needs access) to the Security distribution group. Replace the variables within the quotation marks ( " ) appropriately, then run the following PowerShell command for each user:
Add-DistributionGroupMember -Identity "<user Distribution group mailbox>" -Member "<member mailbox>"
Example: Add-DistributionGroupMember -Identity "TestUserDistGroup@abc.xyz.com" -Member "TestUser1@abc.xyz.com"
Step 8: Create new management role assignment and assign distribution group members
In the following PowerShell script, replace the -App value with the Application ID, Object ID, or display name of the service principal, and the -RecipientGroupScope value with the Object ID, display name, or email address of the security distribution group, then execute the command. This creates a new management role assignment for the "Application EWS.AccessAsApp" role whose scope is limited to the members of the security distribution group; mailboxes outside that group stay out of reach of the app.
New-ManagementRoleAssignment -Name "<name>" -App "<ObjectID, AppID, or DisplayName>" -Role "Application EWS.AccessAsApp" -RecipientGroupScope "<ObjectId, DisplayName, or email address of user Distribution group>"
Example: New-ManagementRoleAssignment -Name TestMgmtRole -App "5d123456-2345-41cd-a2c3-d671a3162bc1" -Role "Application EWS.AccessAsApp" -RecipientGroupScope "TestUserDistGroup@abc.xyz.com"
Step 9: Post deployment step: Test service principal access for the service account user
Run the following PowerShell command to confirm that the service principal is in scope for the service account user. Replace the variables within the quotation marks ( " ) with the Application ID you copied in Step 2 and the email address of a mailbox that is a member of the security distribution group (the service account user added in Step 7). The output lists the role granted to the app and whether the given mailbox is in scope for it.
Test-ServicePrincipalAuthorization -Identity "<Application ID in AAD>" -Resource "<ResourceMailboxAddress>" | Format-Table
Example: Test-ServicePrincipalAuthorization -Identity "5d123456-2345-41cd-a2c3-d671a3162bc1" -Resource "TestUser1@abc.xyz.com" | Format-Table
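The following script is an added example, not Condeco's or Microsoft's own code: it runs Steps 3 to 9 above as one idempotent PowerShell script, so it can be re-run safely after a partial failure, and it finishes with a scope check that the page does not show, namely that the app is in scope for a group member and out of scope for a mailbox that is not in the security group. The IDs, group names and addresses are the placeholder values from the examples on this page, and OtherUser@abc.xyz.com is an assumed mailbox that is not a member of the security group; the helper function Add-MembersIfMissing is introduced here for illustration.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example (not Condeco's or Microsoft's code). Placeholder values are taken from
# the examples on this page; OtherUser@abc.xyz.com is an assumed out-of-scope mailbox.
param(
    [string]$AppId             = "5d123456-2345-41cd-a2c3-d671a3162bc1",  # Application ID (Step 2)
    [string]$ObjectId          = "f8d98a96-2345-41cd-a2c3-69971c7bb423",  # Object ID of the enterprise app (Step 2)
    [string]$SpDisplayName     = "TestServicePrincipal",
    [string]$RoomListName      = "TestRoomDistGroup",
    [string]$RoomListAddress   = "TestRoomDistGroup@abc.xyz.com",
    [string]$SecGroupName      = "TestUserDistGroup",
    [string]$SecGroupAddress   = "TestUserDistGroup@abc.xyz.com",
    [string[]]$RoomMailboxes   = @("TestRoom1@abc.xyz.com"),
    [string[]]$ServiceUsers    = @("TestUser1@abc.xyz.com"),
    [string]$AssignmentName    = "TestMgmtRole",
    [string]$OutOfScopeMailbox = "OtherUser@abc.xyz.com"   # assumed: a mailbox NOT in the security group
)

$ErrorActionPreference = "Stop"
# Step 3: connect. Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser first if needed.
Connect-ExchangeOnline -ShowBanner:$false

# Step 4: register the service principal in Exchange only if Exchange does not know it yet.
if (-not (Get-ServicePrincipal -Identity $AppId -ErrorAction SilentlyContinue)) {
    New-ServicePrincipal -AppId $AppId -ObjectId $ObjectId -DisplayName $SpDisplayName | Out-Null
}

# Step 5: create the Room List and the mail-enabled security group unless they already exist.
if (-not (Get-DistributionGroup -Identity $RoomListAddress -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $RoomListName -DisplayName $RoomListName `
        -PrimarySmtpAddress $RoomListAddress -RoomList | Out-Null
}
if (-not (Get-DistributionGroup -Identity $SecGroupAddress -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $SecGroupName -DisplayName $SecGroupName `
        -PrimarySmtpAddress $SecGroupAddress -Type Security | Out-Null
}

# Steps 6 and 7: add members that are not already present, then return the membership
# so it can be verified before continuing (the check the page recommends).
function Add-MembersIfMissing([string]$Group, [string[]]$Members) {
    $existing = Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited |
                ForEach-Object { $_.PrimarySmtpAddress.ToString().ToLower() }
    foreach ($m in $Members) {
        if ($existing -notcontains $m.ToLower()) {
            Add-DistributionGroupMember -Identity $Group -Member $m
        }
    }
    Get-DistributionGroupMember -Identity $Group | Select-Object Name, PrimarySmtpAddress, RecipientType
}
Add-MembersIfMissing -Group $RoomListAddress -Members $RoomMailboxes
Add-MembersIfMissing -Group $SecGroupAddress -Members $ServiceUsers

# Step 8: the role assignment, created once. The scope is the direct membership of the
# security group, so the app is limited to exactly those mailboxes.
if (-not (Get-ManagementRoleAssignment -Identity $AssignmentName -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Name $AssignmentName -App $AppId `
        -Role "Application EWS.AccessAsApp" -RecipientGroupScope $SecGroupAddress | Out-Null
}

# Step 9 plus a negative check: a group member must be in scope, a non-member must not.
# Test-ServicePrincipalAuthorization reports one row per granted role with an InScope flag.
foreach ($mbx in ($ServiceUsers + @($OutOfScopeMailbox))) {
    $rows    = Test-ServicePrincipalAuthorization -Identity $AppId -Resource $mbx
    $inScope = [bool]($rows | Where-Object { $_.InScope })
    "{0,-40} InScope={1}" -f $mbx, $inScope
}
```

Run it from a PowerShell session as an account that can administer Exchange Online; every parameter can be overridden on the command line, for example `-RoomMailboxes @("Room1@...", "Room2@...")`. The last loop is the least-privilege check worth keeping in a runbook: if the out-of-scope mailbox ever reports InScope=True, the security group (or the role assignment's scope) has widened beyond what Exchange Sync needs and should be reviewed.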