TABLE OF CONTENTS
- 1. Own Exchange Server (on-premises)
- 2. Microsoft 365 / Exchange Online integration with RBAC access control
- 2.1 Microsoft Entra ID
- 2.2 Exchange Online (PowerShell)
- 2.3 sklera CMS
- 3. General notes
- 4. Further external links
1. Own Exchange Server (on-premises)
To display calendar entries from Exchange in sklera, the EWS interface is used.
Note: Configurations must be made on the Exchange Server (PowerShell) and in the sklera CMS.
1.1 Exchange Server
1.1.1 Create room lists (if not already existing)
To ensure that room mailboxes are displayed in the sklera Room Manager, they must be added to a room list.
If your organization does not have any room lists set up yet, you can create them by using the following PowerShell command and then add the desired room mailboxes to the lists.
Example:
Room List == Vienna
Room Mailbox == galileo
# 1. Create room list
New-DistributionGroup Vienna -Type distribution -RoomList
# 2. Add room mailbox to the room list
Add-DistributionGroupMember -Identity Vienna -Member galileo
1.1.2 Grant access to the calendars of the mailboxes
Variant A: Add-MailboxFolderPermission
Example for room mailbox "galileo" and service account "sklera":
Add-MailboxFolderPermission -Identity "galileo:\Calendar" -User "sklera" -AccessRights Editor
Variant B: EWS Impersonation
The service account used requires the impersonation role in Exchange. Access to selected mailboxes can be restricted using a Management Scope.
Further information on setting up the relevant objects in Exchange can be found here:
https://sklera.freshdesk.com/en/support/solutions/articles/8000108332-notes-on-impersonation
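An added example for Variant A (not from the original article): for every room mailbox in the room list "Vienna", it checks whether the service account "sklera" already holds Editor on the Calendar folder, grants Editor where nothing is set, and reports rights above Editor, which exceed what the Room Manager needs. Room list and account names are the article's examples and are assumed to exist.

```powershell
# Added example (not from the original article). Assumes an open Exchange
# Management Shell, the room list "Vienna" and the service account "sklera".
$RoomList = "Vienna"
$ServiceAccount = "sklera"

foreach ($room in Get-DistributionGroupMember -Identity $RoomList -ResultSize Unlimited) {
    $folder = "$($room.Alias):\Calendar"
    # Existing permission entry of the service account on this calendar, if any
    $perm = Get-MailboxFolderPermission -Identity $folder -User $ServiceAccount -ErrorAction SilentlyContinue
    $rights = if ($perm) { $perm.AccessRights -join ',' } else { 'None' }

    switch ($rights) {
        'Editor' { Write-Host "$folder : OK (Editor)" }
        'None'   {
            # Nothing granted yet: apply exactly the right level from the article
            Add-MailboxFolderPermission -Identity $folder -User $ServiceAccount -AccessRights Editor | Out-Null
            Write-Host "$folder : granted Editor"
        }
        default  {
            # e.g. Owner or PublishingEditor: more than the Room Manager requires
            Write-Warning "$folder : '$rights' exceeds Editor; consider Set-MailboxFolderPermission -AccessRights Editor"
        }
    }
}
```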
1.2 sklera CMS
1.2.1 Link calendars
The link with an Exchange calendar must be set up in the sklera CMS under "Modules > Room Manager > Connections & Settings > Exchange / Office365". To do this, click on the "Link Calendar" button.
1.2.2 Enter connection data
Field | Description |
EWS URL | Address of the Exchange EWS endpoint (e.g. https://SERVER/EWS/Exchange.asmx) |
Server Version | Select Exchange version number (if in doubt, do not change) |
SSL Validation | SSL enable / disable |
Auth Type | Select login type. Basic or NTLM is supported |
EWS Impersonation | Enable/disable impersonation (configuration on the Exchange Server is necessary) |
Username | Enter the login name (email address) of an authorized user / service account |
Password | Password of the authorized user / service account |
1.2.3 Add / edit calendar
After a successful connection, the authorized calendars of the user account will be available for selection under the "Rooms" menu when adding a new room or editing an existing one.
2. Microsoft 365 / Exchange Online integration with RBAC access control
Note: Configurations must be made in Microsoft Entra ID, Exchange Online and in the sklera CMS.
2.1 Microsoft Entra ID
2.1.1 Register app
For sklera on-premises or private cloud customers, it is necessary to register an app in Microsoft Entra ID (formerly Azure AD) at https://entra.microsoft.com/. To do this, click on the "Applications > App registrations" menu item and then click the "New Registration" button.
2.1.2 Note app information
These will be needed later in the sklera Room Manager to link the calendars.
The following IDs must be noted:
- Application (client) ID
- Directory (tenant) ID
2.1.3 Create client secret
In the "Certificates & Secrets" menu item, a client secret must be created. To do this, click on the "New Client Secret" button.
2.1.4 Note the value of the client secret
The value of the "client secret" will be needed later in the sklera Room Manager to link the calendars.
2.1.5 Note enterprise app information
Click on the "Applications > Enterprise applications" menu item and select your app (e.g., sklera Exchange Connector).
The following IDs must be noted:
- Object ID
The information will be needed later in Exchange Online to create a service principal.
2.1.6 Restrict access to the room mailboxes - Part 1/2
Variant A (simple method, recommended for smaller companies): Security group
With this variant, access permissions are managed through membership in a security group. A security group is created, and all room mailboxes to which the sklera CMS should have access are added as members. The Object ID of the security group is then specified as a Recipient Group Scope in the Management Role Assignment.
Note:
The mailbox that will later be specified in the sklera Room Manager when linking the calendars (field: Valid SMTP Address) must also be a member of the security group (this is necessary for querying the room lists).
Note the Object ID of the security group. The Object ID will be needed later in the section Exchange Online (PowerShell) to create the management role assignment.
Variant B (advanced method, recommended for more complex requirements): Management Scope
With this variant, access permissions can be defined based on any mailbox properties, such as group membership, mailbox type, or location. A flexible management scope is created instead of a security group.
The management scope is then specified as a custom resource scope in the management role assignment.
The procedure is described in detail below in the section Exchange Online (PowerShell).
2.2 Exchange Online (PowerShell)
2.2.1 Open Microsoft PowerShell and connect to Exchange Online
Connect-ExchangeOnline
2.2.2 Create room lists (if not already existing)
To ensure that room mailboxes are displayed in the sklera Room Manager, they must be added to a room list.
If your organization does not have any room lists set up yet, you can create them by using the following PowerShell command and then add the desired room mailboxes to the lists.
Example:
# Room List == Vienna, Room Mailbox == galileo
# 1. Create room list
New-DistributionGroup Vienna -Type distribution -RoomList
# 2. Add room mailbox to the room list
Add-DistributionGroupMember -Identity Vienna -Member galileo
2.2.3 Create a service principal for the previously created app
New-ServicePrincipal -AppId aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa -ObjectId oooooooo-oooo-oooo-oooo-oooooooooooo -DisplayName "skleraExchangeConnector"
Info: For AppId and ObjectId, use the data from the "Enterprise Applications" menu (not from the "App registrations" menu).
2.2.4 Restrict access to the room mailboxes - Part 2/2
Continuation of Variant A: Security Group
>> Create Management Role Assignment:
New-ManagementRoleAssignment -App oooooooo-oooo-oooo-oooo-oooooooooooo -Role "Application EWS.AccessAsApp" -RecipientGroupScope ssssssss-ssss-ssss-ssss-ssssssssssss -Name SKLERA_EWS_ACCESS
-RecipientGroupScope = Object ID of the previously created security group.
Continuation of Variant B: Management Scope
In the following example, a management scope is created that uses the parameter -RecipientRestrictionFilter "MemberOfGroup -eq '$DistGroupDN'" to reference the distinguished name of a distribution group. The distribution group contains all room mailboxes that the CMS should have access to.
Note: Instead of using a distribution group and "MemberOfGroup -eq '$DistGroupDN'", you could also use another RecipientRestrictionFilter for the management scope (for example, RecipientTypeDetails -eq "RoomMailbox" to include all room mailboxes in the scope).
See also:
- https://learn.microsoft.com/en-us/powershell/module/exchange/new-managementscope?WT.mc_id=M365-MVP-6771&view=exchange-ps
- https://learn.microsoft.com/en-us/powershell/module/exchange/new-managementscope?WT.mc_id=M365-MVP-6771&view=exchange-ps#-recipientrestrictionfilter
- https://learn.microsoft.com/en-us/powershell/exchange/recipientfilter-properties?WT.mc_id=M365-MVP-6771&view=exchange-ps
Note: The mailbox that will later be specified in the sklera Room Manager when linking the calendars (field: Valid SMTP Address) must also be included in the scope (i.e., be a member of the distribution group). This is necessary for querying the room lists.
>> Create Distribution Group and Management Scope:
# Create Distribution Group e.g. "sklera-allowedRooms".
New-DistributionGroup -Name "sklera-allowedRooms" -DisplayName "sklera-allowedRooms" -Type "Distribution"
# Add the desired rooms (e.g., Tesla) to the group.
Add-DistributionGroupMember -Identity "sklera-allowedRooms" -Member "Tesla"
# Create a variable with the distinguished name of the distribution group.
$DistGroupDN = $(Get-DistributionGroup sklera-allowedRooms@sklera.onmicrosoft.com).DistinguishedName
# Create Management Scope e.g. "sklera-allowedRooms-scope".
New-ManagementScope -Name sklera-allowedRooms-scope -RecipientRestrictionFilter "MemberOfGroup -eq '$DistGroupDN'"
Note the name of the management scope. The name will be needed to create the management role assignment.
>> Create Management Role Assignment:
New-ManagementRoleAssignment -App oooooooo-oooo-oooo-oooo-oooooooooooo -Role "Application EWS.AccessAsApp" -CustomResourceScope "sklera-allowedRooms-scope" -Name SKLERA_EWS_ACCESS
-App = Object ID from the "Enterprise applications" menu.
-CustomResourceScope = Name of the previously created management scope.
2.2.5 Test access permissions
The test indicates whether sklera has access to the specified room mailbox or not: InScope = True / False.
Test-ServicePrincipalAuthorization -Identity oooooooo-oooo-oooo-oooo-oooooooooooo -Resource galileo
-Identity = Object ID from the "Enterprise applications" menu.
-Resource = Name of the room mailbox.
RoleName | GrantedPermission | AllowedResourceScope | ScopeType | InScope |
Application EWS.AccessAsApp | EWS.AccessAsApp | ssssssss-ssss-ssss-ssss-ssssssssssss | Group | True |
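A verification pass over the finished configuration of sections 2.2.3 to 2.2.5, added here as an example that is not part of the original article. It tests every room in every room list against the service principal, lists room mailboxes the scope grants although no room list contains them (a scope broader than the Room Manager needs), and checks the mailbox used as "Valid SMTP Address". The enterprise app Object ID is the article's placeholder; the Valid SMTP Address is an assumed placeholder value.

```powershell
# Added example (not from the original article). Assumes an existing session
# from Connect-ExchangeOnline and the placeholder Object ID used in this article.
$AppObjectId = "oooooooo-oooo-oooo-oooo-oooooooooooo"
$ValidSmtp   = "roommanager@example.com"   # assumed placeholder: the CMS "Valid SMTP Address"

# $true when at least one role assignment puts the mailbox in scope.
function Test-RoomInScope {
    param([string]$Room)
    $rows = Test-ServicePrincipalAuthorization -Identity $AppObjectId -Resource $Room
    return [bool]($rows | Where-Object { $_.InScope -eq $true })
}

# 1. Rooms that are in a room list (offered by the Room Manager) but NOT in scope:
#    they appear for selection yet their calendars cannot be read.
$listedRooms = @{}
foreach ($list in Get-DistributionGroup -RecipientTypeDetails RoomList -ResultSize Unlimited) {
    foreach ($m in Get-DistributionGroupMember -Identity $list.Identity -ResultSize Unlimited) {
        $smtp = $m.PrimarySmtpAddress.ToString()
        $listedRooms[$smtp] = $list.Name
        if (-not (Test-RoomInScope $smtp)) {
            Write-Warning "Room '$smtp' (list '$($list.Name)') is NOT in scope"
        }
    }
}

# 2. Room mailboxes the scope grants although no room list contains them:
#    the app can read them even though they were never meant to be exposed.
foreach ($mbx in Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited) {
    $smtp = $mbx.PrimarySmtpAddress.ToString()
    if (-not $listedRooms.ContainsKey($smtp) -and (Test-RoomInScope $smtp)) {
        Write-Warning "Room '$smtp' is in scope but in no room list (scope broader than needed)"
    }
}

# 3. The "Valid SMTP Address" mailbox must be in scope, otherwise the room
#    lists cannot be queried (see the notes in 2.1.6 and 2.2.4).
if (-not (Test-RoomInScope $ValidSmtp)) {
    Write-Warning "'$ValidSmtp' is NOT in scope; room list queries will fail"
}
```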
2.3 sklera CMS
2.3.1 Link calendar
The connection to an Exchange calendar must be set up in the sklera CMS under "Modules > Room Manager > Connections & Settings > Exchange / Office365". To do this, click on the "Link Calendar" button.
2.3.2 Enter connection data
Field | Description |
EWS URL | Exchange Online URL (do not change) |
Server Version | Select Exchange2016 |
SSL Validation | SSL validation must be enabled |
EWS Impersonation | EWS impersonation must be enabled |
Valid SMTP Address | A valid email address must be entered (necessary for querying the room lists). This can be, for example, the SMTP address of a room or a separate mailbox that is within the scope. |
Auth Type | Select Office365 OAuth 2.0 (Application Permission) |
Azure TenantID | Enter the previously noted Directory (tenant) ID (from the App registrations menu) |
Azure App ID | Enter the previously noted Application (client) ID (from the App registrations menu) |
Azure App Secret | Enter the previously noted value of the client secret (from the App registrations menu) |
2.3.3 Add / edit calendar
After a successful connection, the authorized calendars of the user account will be available for selection under the "Rooms" menu when adding a new room or editing an existing one.
3. General notes
3.1 Resource mailboxes with the AutoAccept function enabled
If the automatic acceptance of meeting requests is enabled for resource mailboxes in your Exchange environment, the subject of the appointment in the calendar will be replaced by the name of the organizer.
This is standard behavior in Exchange and occurs because AddOrganizerToSubject and DeleteSubject are set to "True".
Solution:
Open the Exchange Management Shell and run the following command:
Set-CalendarProcessing -Identity <RESOURCEMAILBOX> -DeleteSubject $False -AddOrganizerToSubject $False
Info: This setting only affects new appointments and not existing ones.
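An added example (not from the original article) that audits all room mailboxes for the AutoAccept combination described above and, when run with -Fix, applies the Set-CalendarProcessing change from the article to each affected mailbox. It assumes an open Exchange Management Shell or Exchange Online session.

```powershell
# Added example (not from the original article). Save as a .ps1 and run it
# in the Exchange Management Shell; add -Fix to change the affected mailboxes.
param([switch]$Fix)

$affected = foreach ($mbx in Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited) {
    $cp = Get-CalendarProcessing -Identity $mbx.Identity
    # Only AutoAccept resources rewrite the subject; report those with either flag set
    if ($cp.AutomateProcessing -eq 'AutoAccept' -and ($cp.DeleteSubject -or $cp.AddOrganizerToSubject)) {
        [pscustomobject]@{
            Room                  = $mbx.PrimarySmtpAddress.ToString()
            DeleteSubject         = $cp.DeleteSubject
            AddOrganizerToSubject = $cp.AddOrganizerToSubject
        }
    }
}

$affected | Format-Table -AutoSize

if ($Fix) {
    foreach ($r in $affected) {
        # Same change as in the article; only new appointments are affected
        Set-CalendarProcessing -Identity $r.Room -DeleteSubject $false -AddOrganizerToSubject $false
    }
}
```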
3.2 Room mailboxes hidden from the Global Address List (GAL)
In order for room mailboxes to be linked with the Room Manager, they must be present in the Global Address List (GAL) in Exchange.
If necessary, room mailboxes can be hidden from the Global Address List after they have been linked with the Room Manager.
4. Further external links
- Establishing a connection to Exchange Online PowerShell
  https://learn.microsoft.com/en-us/powershell/exchange/connect-to-exchange-online-powershell?view=exchange-ps
- Creating and managing room mailboxes
  https://learn.microsoft.com/en-us/exchange/recipients/room-mailboxes?view=exchserver-2019