Skip to main content

 

Eptura Knowledge Center

RBAC for Applications in Exchange Online

Microsoft is ending support for Role Based Access Control (RBAC) for Application Impersonation in Exchange Online. Condeco Exchange Sync customers still using this old technology must now implement RBAC for Applications in Exchange Online, which does not use the Application Impersonation role.

Why this matters

Condeco Exchange Sync used RBAC for Application Impersonation to create and manage calendar events in Microsoft Exchange resource calendars using Exchange Web Services (EWS). Moving to RBAC for Applications allows Exchange Sync to continue to access these calendars when Microsoft removes support for RBAC for Application Impersonation.

More information at Microsoft

Condeco Microsoft 365 integration (Smart Calendar) customers are unaffected by this change.

How to move Exchange Sync service to RBAC for Applications


Condeco's Exchange Sync uses Role Based Access Control (RBAC) for Applications to create and manage events in Microsoft Exchange resource calendars. Follow the steps to control access to resource calendars with RBAC for Applications.

Admin consent must be provided before executing the Powershell commands described below. To grant admin consent:

  1. Start the Token app with the appropriate URL:
    1. For a Production/Pilot environment, use https://condecotokenapp.condecosoftware.com
    2. For a UAT/Trial environment, use https://condecouattokenapp.condecosoftware.com
  2. Click Grant Admin Consent.
    rbac 01.png
  3. Enter your Microsoft 365 admin account credentials to open the 'Permissions requested' popup window. Review the requested permissions and click Accept to continue.
    rbac 02.png
    Learn more: https://learn.microsoft.com/en-us/ex...lication-roles
Step 2: Verify token provider app registration and copy IDs
  1. Open Microsoft Azure portal and navigate to 'Enterprise applications' to verify the token provider app is registered.
  2. Copy the Application ID and Object ID values as you will need them later.
    rbac 03.png
Step 3: Connect to Exchange Online

Open Windows PowerShell and execute the following to connect to Exchange Online:

Install-Module -Name ExchangeOnlineManagement
Connect-ExchangeOnline
Step 4: Create a service principal for the registered app

In the following PowerShell script, replace the variables within the quotation marks ( " ) with the Application ID and Object ID you copied in Step 2, and a display name for the service principal, then execute the command:

New-ServicePrincipal -AppId "<Application ID>" -ObjectId "<Object ID>" -DisplayName "<name>"

Example: New-ServicePrincipal -AppId "5d123456-2345-41cd-a2c3-d671a3162bc1" -ObjectId "f8d98a96-2345-41cd-a2c3-69971c7bb423" -DisplayName "TestServicePrincipal"

Step 5: Create distribution groups to manage roles

Avoid assigning roles directly to users and assign roles to groups instead. As well as being easier to manage, this helps to minimize the number of role assignments, which are limited per subscription. Learn morehttps://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-rbac-limits

Two distribution groups are required:

  • Room List distribution group: Contains all Exchange rooms mailboxes that you want to access through the service principal. This must be a Room List distribution group type.
  • Security distribution group: Contains the users that have access to the service principal. 

Distribution groups already exist? If your Room and Security distribution lists already exist, jump to the next step.

Run the following two PowerShell commands to create the distribution groups. Replace the variables within the quotation marks ( " ) appropriately.

  1. Create a Room List distribution group:
New-DistributionGroup -Name <name> -DisplayName "<DisplayName of room Distribution group>" –PrimarySmtpAddress "<Distribution group mailbox>" –RoomList

Example: New-DistributionGroup -Name TestRoomDistGroup -DisplayName "Test Room Dist group" –PrimarySmtpAddress TestRoomDistGroup@abc.xyz.com –RoomList

  1. Create a Security distribution group:
New-DistributionGroup -Name <name> -DisplayName "<DisplayName of user Distribution group>" –PrimarySmtpAddress "<Distribution user group mailbox>" –Type "Security"

Example: New-DistributionGroup -Name TestUserDistGroup -DisplayName "Test User Dist group" –PrimarySmtpAddress TestUserDistGroup@abc.xyz.com -Type "Security"

Step 6: RBAC access to room mailboxes

For the Room List distribution group for room mailboxes, replace the variables within the quotation marks ( " ) appropriately then run the following PowerShell command for each mailbox:

Add-DistributionGroupMember -Identity "<room Distribution group mailbox>" -Member "<member mailbox>"

Example: Add-DistributionGroupMember -Identity "TestRoomDistGroup@abc.xyz.com" -Member "TestRoom1@abc.xyz.com"

We suggest verifying the successful addition of one or two mailboxes to the distribution group using the script, before adding the remaining mailboxes.

Step 7: RBAC accessibility to Service account user

For the Security distribution group for group members, replace the variables within the quotation marks ( " ) appropriately then run the following PowerShell command:

Add-DistributionGroupMember -Identity "<user Distribution group mailbox>" -Member "<member mailbox>"

Example: Add-DistributionGroupMember -Identity "TestUserDistGroup@abc.xyz.com" -Member "TestUser1@abc.xyz.com"

Step 8: Create new management role assignment and assign distribution group members

In the following PowerShell script, replace the variables within the quotation marks ( " ) with the Application IDObject ID, or display name for the service principal and the Application IDObject IDdisplay name, or email address for the security distribution group, then execute the command to create a new management role assignment and add scope for the security distribution group.

New-ManagementRoleAssignment [[-Name] <String>] -App "<ObjectID, AppID, or DisplayName>" -Role "Application EWS.AccessAsApp" -RecipientGroupScope "<ObjectId, DisplayName, or email address of user Distribution group>"

Example: New-ManagementRoleAssignment -Name TestMgmtRole -App "5d123456-2345-41cd-a2c3-d671a3162bc1" -Role "Application EWS.AccessAsApp" -RecipientGroupScope "TestUserDistGroup@abc.xyz.com"

Step 9: Post deployment step: Test Service Principal Access for service account user

Run the following PowerShell command to test the service principal access for the service account user. Replace the variables within the quotation marks ( " ) with the Application ID you copied in Step 2 and the email address of the security distribution group.

Test-ServicePrincipalAuthorization -Identity "<Application ID in AAD>" -Resource "<ResourceMailboxAddress>" | Format-Table

Example: Test-ServicePrincipalAuthorization -Identity "5d123456-0999-41cd-a2c3-d671a3162bc1" -Resource "TestUser1@abc.xyz.com" | Format-Table

Good to know


  • Any changes to the already created management role assignments, i.e. adding a new mailbox to the distribution group, can take up to 2 hours to reflect the token generation for that mailbox.

  • If no custom scope is provided when creating the management role assignment, the token generated via such an app works for the whole tenant.

Exchange Sync home