Control access to calendars
Control access with a mail-enabled security group and an Application Access Policy
Granting consent during the onboarding process allows Graph API to get notifications from all calendars in a Microsoft 365 tenant. We recommend applying an Application Access Policy to restrict access to specific calendars only. The Application Access Policy can either allow or deny notifications to Graph API from members of a mail-enabled security group.
Two types of permissions can be applied to the Application Access Policy, depending on whether you want to ALLOW or DENY access to the calendars of the users added to the mail-enabled security group.
a) Use DenyAccess to deny access to the calendars belonging to the group and allow access to all other calendars.
b) Use RestrictAccess to allow access to the calendars belonging to the group and restrict access to all other calendars.
Learn more about New-ApplicationAccessPolicy at Microsoft: https://docs.microsoft.com/en-us/powershell/module/exchange/new-applicationaccesspolicy?view=exchange-ps/
How is it done?
Use the following PowerShell scripts to create a new mail-enabled security group and create an Application Access Policy to restrict access to specific calendars.
- Sign in with your Microsoft 365 Admin account and run the following scripts to create the session.
Set-ExecutionPolicy RemoteSigned
$UserCredential = Get-Credential
# Connect-ExchangeOnline loads the Exchange Online cmdlets itself, so no Import-PSSession step is needed.
Connect-ExchangeOnline -Credential $UserCredential
- Create a new mail-enabled security group to manage the calendars that you will either allow or deny access to.
New-DistributionGroup -Name "Enter the name of new security group" -Alias "Enter the Alias" -Type security
- Create an Application Access Policy for the mail-enabled security group.
New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId "Enter Token Provider AD App ID" -PolicyScopeGroupId "Enter Email Enabled Security Group Mailbox ID" -Description "Restricted Access Group Policy"
-AccessRight: Replace “RestrictAccess” with “DenyAccess” to deny access to the calendars in the security group and allow access to all other calendars.
-AppId: To find your Token Provider AD App ID run Get-AzureADApplication -Filter "DisplayName eq 'Eptura Engage Smart Calendar'"
Microsoft 365 takes at least one hour to replicate changes to the Application Access Policy.
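One way to confirm the policy scopes the app as intended once replication has completed (an added example, not part of Eptura's documentation). It assumes the Exchange Online session created above; every value in angle brackets is a placeholder to replace with your own.

```powershell
# Added example: verify an Application Access Policy after creating it.
# All values in angle brackets are placeholders (assumptions).
$AppId          = "<Token Provider AD App ID>"
$GroupIdentity  = "<mail-enabled security group address>"
$OutsideMailbox = "<address of a mailbox that is NOT in the group>"
$ExpectedRight  = "RestrictAccess"   # or "DenyAccess", matching the policy you created

# 1. Confirm a policy exists for this app and show its access right and scope.
$policies = @(Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId })
if ($policies.Count -eq 0) { throw "No Application Access Policy found for AppId $AppId" }
$policies | Format-Table ScopeName, AccessRight, Description -AutoSize

# 2. Expected outcome per mailbox type:
#    RestrictAccess -> group members Granted, all other mailboxes Denied
#    DenyAccess     -> group members Denied,  all other mailboxes Granted
if ($ExpectedRight -eq "RestrictAccess") { $inGroup = "Granted"; $outGroup = "Denied" }
else                                     { $inGroup = "Denied";  $outGroup = "Granted" }

# 3. Test every member of the group, then one control mailbox outside it.
$results = @()
foreach ($member in Get-DistributionGroupMember -Identity $GroupIdentity -ResultSize Unlimited) {
    $check = Test-ApplicationAccessPolicy -Identity $member.PrimarySmtpAddress -AppId $AppId
    $results += [pscustomobject]@{
        Mailbox  = $member.PrimarySmtpAddress
        Expected = $inGroup
        Actual   = "$($check.AccessCheckResult)"
    }
}
$check = Test-ApplicationAccessPolicy -Identity $OutsideMailbox -AppId $AppId
$results += [pscustomobject]@{
    Mailbox  = $OutsideMailbox
    Expected = $outGroup
    Actual   = "$($check.AccessCheckResult)"
}

# 4. Report the results and flag any mailbox whose access differs from the intent.
$results | Format-Table -AutoSize
$mismatches = @($results | Where-Object { $_.Actual -ne $_.Expected })
if ($mismatches.Count -gt 0) {
    Write-Warning "$($mismatches.Count) mailbox(es) do not match the intended scope. Recheck after replication (at least one hour) before changing the policy."
} else {
    Write-Host "Policy scope matches the intended $ExpectedRight behaviour."
}
```

The control mailbox outside the group is the important check: under RestrictAccess it should come back Denied, which confirms the app no longer has tenant-wide calendar access.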
Allow Exchange room invites from external senders
Eptura Engage is capable of supporting Exchange room invites from external users and from accounts with calendars that cannot be subscribed to Eptura Engage. In such cases, bookings are created using the default admin account. While we support this functionality, it might require specific adjustments to your Microsoft Exchange configuration. Depending on your setup, you might need to make the following changes:
Exchange room invites from external users
In some organizations, Microsoft Exchange resources are set to allow meeting invitations from people outside their Exchange environment. A common use of this is to support forwarding an invite from an external person to an Exchange room. By default, this setting is turned off for Exchange calendars, so it must be enabled in Exchange before it can be supported by Eptura Engage.
Run the following PowerShell command to allow invites from external people:
Set-CalendarProcessing -Identity "Room A" -ProcessExternalMeetingMessages $true
As people outside your organization do not have user accounts in Eptura Engage, the booking is created by the default admin account.
Exchange room invites from non-subscribed user calendars
There might be scenarios where an invite to an Exchange room is created by an account whose calendar cannot be subscribed to by Eptura Engage. To ensure that the Exchange room and the Eptura Engage space remain synchronized, Eptura Engage creates the booking using the default admin account.
Good to know
- Recurrences and multi-room bookings from external users are not currently supported.
- The associated booking in Eptura Engage cannot be edited, but can be deleted.
- Bookings are created using the default admin account.