TABLE OF CONTENTS
- 1. Own Exchange Server (on premises)
- 2. Office 365 / Exchange Online integration with RBAC access control
- 2.1 Microsoft Entra ID
- 2.2 Exchange Online (PowerShell)
- 2.3 sklera CMS
- 3. General notes
- 4. Further external links
1. Own Exchange Server (on premises)
To display calendar entries from Exchange in sklera, the EWS interface is used.
Configurations must be made on the Exchange Server and in the sklera CMS.
1.1 Exchange Server
1.1.1 Create room list
In order for room mailboxes to be read by sklera, they must be added to a room list.
If your organization does not have any room lists set up yet, you can create them by using the following PowerShell command and then add the desired room mailboxes to the lists.
Example:
- Room list: Vienna
- Room mailbox: galileo
1.1.2 Grant access to the calendars of the mailboxes
Option A: Add-MailboxFolderPermission
Example for room mailbox "galileo" and service account "sklera":
Option B: EWS Impersonation
The service account used requires the impersonation role in Exchange. Access to selected mailboxes can be restricted using a Management Scope.
Further information on setting up the relevant objects in Exchange can be found here:
https://sklera.freshdesk.com/en/support/solutions/articles/8000108332-notes-on-impersonation
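The on-premises setup from 1.1.1 and 1.1.2 (room list, Option A folder permission, Option B scoped impersonation) as one worked example. This is an added example, not code from the sklera article; it uses the article's example names "Vienna", "galileo" and "sklera", while the scope name "sklera-RoomScope" and the assignment name "sklera-Impersonation" are placeholders of this example.

```powershell
# Added example (not from the sklera article): on-premises Exchange preparation
# for the sklera EWS integration, run in the Exchange Management Shell.
# "Vienna", "galileo" and "sklera" follow the article; "sklera-RoomScope" and
# "sklera-Impersonation" are placeholder names chosen for this example.

# 1.1.1 Create the room list (a distribution group flagged -RoomList) if it
# does not exist yet, then add the room mailbox to it.
if (-not (Get-DistributionGroup -Identity "Vienna" -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name "Vienna" -RoomList
}
Add-DistributionGroupMember -Identity "Vienna" -Member "galileo"

# Check: every room list in the organisation with its members.
Get-DistributionGroup -RecipientTypeDetails RoomList | ForEach-Object {
    "$($_.Name): " + ((Get-DistributionGroupMember -Identity $_.Identity).Name -join ", ")
}

# 1.1.2 Option A: folder-level delegation, read-only and limited to the
# calendar folder of each room. "Calendar" is the folder name of an
# English-language mailbox; use the localised name on other languages.
Add-MailboxFolderPermission -Identity "galileo:\Calendar" -User "sklera" -AccessRights Reviewer
Get-MailboxFolderPermission -Identity "galileo:\Calendar" -User "sklera"

# 1.1.2 Option B: EWS impersonation, restricted by a management scope so the
# service account can impersonate members of the room list only, not every
# mailbox in the organisation.
$roomListDN = (Get-DistributionGroup -Identity "Vienna").DistinguishedName
New-ManagementScope -Name "sklera-RoomScope" -RecipientRestrictionFilter "MemberOfGroup -eq '$roomListDN'"
New-ManagementRoleAssignment -Name "sklera-Impersonation" -Role "ApplicationImpersonation" `
    -User "sklera" -CustomRecipientWriteScope "sklera-RoomScope"

# Check: which roles the service account holds and which scope limits them.
Get-ManagementRoleAssignment -RoleAssignee "sklera" | Format-List Role, CustomRecipientWriteScope
```

Use either Option A or Option B, not both. Option A is the smaller grant (one folder per room); Option B is needed only when the CMS must act as the room mailbox, and the scope keeps that right from extending to mailboxes outside the room list.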
1.2 sklera CMS
1.2.1 Link calendars
The link with an Exchange calendar must be set up in the sklera CMS under "Modules > Room Manager > Connections & Settings > Exchange / Office365". To do this, click on the "Link Calendar" button.
1.2.2 Enter connection data
Field | Description
EWS URL | Address of the Exchange EWS endpoint (e.g. https://SERVER/EWS/Exchange.asmx)
Server Version | Select the Exchange version number (if in doubt, do not change)
SSL Validation | Enable / disable SSL certificate validation
Auth Type | Select the login type. Basic or NTLM are supported
EWS Impersonation | Enable / disable impersonation (configuration on the Exchange Server is necessary)
Username | Login name (email address) of an authorized user / service account
Password | Password of the authorized user / service account
1.2.3 Add / edit calendar
After a successful connection, the authorized calendars of the user account will be available for selection under the "Rooms" menu when adding a new room or editing an existing one.
2. Office 365 / Exchange Online integration with RBAC access control
Configurations must be made in Microsoft Entra ID, Exchange Online, and the sklera CMS.
2.1 Microsoft Entra ID
2.1.1 Register app
For sklera on-premise or private cloud customers, it is necessary to register an app in Microsoft Entra ID (formerly Azure AD) at https://entra.microsoft.com/. To do this, click on the "Applications > App registrations" menu item and then click the "New Registration" button.
2.1.2 Note app information
These will be needed later in the sklera Room Manager to link the calendars.
The following IDs must be noted:
- Application (client) ID
- Directory (tenant) ID
2.1.3 Create client secret
In the "Certificates & Secrets" menu item, a client secret must be created. To do this, click on the "New Client Secret" button.
2.1.4 Note the value of the client secret
The value of the "client secret" will be needed later in the sklera Room Manager to link the calendars.
2.1.5 Note enterprise app information
Click on the "Applications > Enterprise applications" menu item and select your app (e.g., sklera Exchange Connector).
The following IDs must be noted:
- Object ID
The information will be needed later in Exchange Online to create a service principal.
2.1.6 Restrict access to the room mailboxes - Part 1/2
Option A: Using Recipient Group Scope
A security group is created, and all mailboxes that the sklera CMS should have access to are added as members.
Info: The mailbox that will later be specified in the sklera Room Manager when linking the calendar (Field: Valid SMTP Address) must also be a member of the security group (necessary for querying the room lists).
Note the Object ID of the security group. The Object ID will be needed later in Exchange Online to create the management role assignments.
Option B: Using Custom Resource Scope
A management scope is created using a RecipientRestrictionFilter instead of a security group.
The procedure is described in the Exchange Online (PowerShell) section below.
2.2 Exchange Online (PowerShell)
2.2.1 Open Microsoft PowerShell and connect to Exchange Online
Connect-ExchangeOnline
2.2.2 Create a room list (if not already existing)
In order for room mailboxes to be accessed by sklera, they must be added to a room list.
If your organization does not have any room lists set up yet, you can create them by using the following PowerShell command and then add the desired room mailboxes to the lists.
Example
2.2.3 Create a service principal for the previously created app
Info: For AppId and ObjectId, use the data from the "Enterprise Applications" menu (not from the "App registrations" menu).
2.2.4 Restrict access to the room mailboxes - Part 2/2
Option A: Using Recipient Group Scope
Access permissions are determined by the members of the previously created security group.
>> Create Management Role Assignment:
-App = Object ID from the "Enterprise applications" menu.
-RecipientGroupScope = Object ID of the previously created security group.
Option B: Using Custom Resource Scope
Access permissions are determined by a management scope.
In the following example, a distribution group is created that includes all mailboxes that the sklera CMS should have access to. Subsequently, a management scope is created that references the distinguished name of the distribution group using -RecipientRestrictionFilter "MemberOfGroup".
Info: The mailbox that will later be specified in the sklera Room Manager when linking the calendar (Field: Valid SMTP Address) must also be a member of the distribution group (necessary for querying the room lists).
>> Create Distribution Group and Management Scope:
# Create a distribution group, e.g. "sklera-allowedRooms".
New-DistributionGroup -Name "sklera-allowedRooms" -DisplayName "sklera-allowedRooms" -Type "Distribution"
# Add the desired rooms (e.g. Tesla) to the group.
Add-DistributionGroupMember -Identity "sklera-allowedRooms" -Member "Tesla"
# Store the distinguished name of the distribution group in a variable.
$DistGroupDN = $(Get-DistributionGroup sklera-allowedRooms@sklera.onmicrosoft.com).DistinguishedName
# Create the management scope, e.g. "sklera-allowedRooms-scope".
New-ManagementScope -Name sklera-allowedRooms-scope -RecipientRestrictionFilter "MemberOfGroup -eq '$DistGroupDN'"
Note the name of the management scope. The name will be needed to create the management role assignment.
Info: Instead of the distribution group, any other RecipientRestrictionFilter could also be used for the management scope (e.g., RecipientTypeDetails -eq "RoomMailbox").
>> Create Management Role Assignment:
-App = Object ID from the "Enterprise applications" menu.
-CustomResourceScope = Name of the previously created management scope.
2.2.5 Test access permissions
The test indicates whether sklera has access to the specified room mailbox or not: inScope = True / False.
-Identity = Object ID from the "Enterprise applications" menu.
-Resource = Name of the room mailbox.
Example output:
RoleName | GrantedPermission | AllowedResourceScope | ScopeType | InScope
Application EWS.AccessAsApp | EWS.AccessAsApp | ssssssss-ssss-ssss-ssss-ssssssssssss | Group | True
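Steps 2.2.3 to 2.2.5 (service principal, scoped role assignment, access test) as one worked example for Exchange Online. This is an added example and not code from the sklera article. The GUID values are placeholders to be replaced with the IDs noted in Entra ID; the assignment names "sklera-EWS-GroupScope" and "sklera-EWS-CustomScope" and the test mailboxes are assumptions of this example, and the scope name "sklera-allowedRooms-scope" is the one created in 2.2.4 Option B.

```powershell
# Added example (not from the sklera article): RBAC for Applications in
# Exchange Online, run with the ExchangeOnlineManagement module.
Connect-ExchangeOnline

$AppId         = "<APPLICATION-CLIENT-ID>"      # placeholder: AppId from "Enterprise applications"
$SpObjectId    = "<ENTERPRISE-APP-OBJECT-ID>"   # placeholder: Object ID from "Enterprise applications"
$GroupObjectId = "<SECURITY-GROUP-OBJECT-ID>"   # placeholder: security group from 2.1.6 (Option A)
$ScopeName     = "sklera-allowedRooms-scope"    # management scope from 2.2.4 (Option B)

# 2.2.3 Register the Entra app as an Exchange service principal (skip if present).
if (-not (Get-ServicePrincipal -Identity $SpObjectId -ErrorAction SilentlyContinue)) {
    New-ServicePrincipal -AppId $AppId -ObjectId $SpObjectId -DisplayName "sklera Exchange Connector"
}

# 2.2.4 Grant only the EWS application role, and only within the chosen scope.
# Option A: access limited to the members of the security group.
New-ManagementRoleAssignment -Name "sklera-EWS-GroupScope" -Role "Application EWS.AccessAsApp" `
    -App $SpObjectId -RecipientGroupScope $GroupObjectId
# Option B: access limited by the management scope (use one option, not both).
# New-ManagementRoleAssignment -Name "sklera-EWS-CustomScope" -Role "Application EWS.AccessAsApp" `
#     -App $SpObjectId -CustomResourceScope $ScopeName

# 2.2.5 Verify both directions: InScope must be True for a room sklera may
# read and False for a mailbox outside the group/scope. True for the second
# call means the assignment is broader than intended.
Test-ServicePrincipalAuthorization -Identity $SpObjectId -Resource "<ROOM-IN-SCOPE>" | Format-Table
Test-ServicePrincipalAuthorization -Identity $SpObjectId -Resource "<MAILBOX-OUT-OF-SCOPE>" | Format-Table

# Review all assignments held by the app so stale or over-broad grants are visible
# (-App on Get-ManagementRoleAssignment is assumed here; filter by -Role otherwise).
Get-ManagementRoleAssignment -App $SpObjectId |
    Format-List Name, Role, RecipientGroupScope, CustomResourceScope
```

The negative test with an out-of-scope mailbox is the check worth keeping: it confirms the scope actually restricts the application permission rather than just being attached to it.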
2.3 sklera CMS
2.3.1 Link calendar
The connection to an Exchange calendar must be set up in the sklera CMS under "Modules > Room Manager > Connections & Settings > Exchange / Office365". To do this, click on the "Link Calendar" button.
2.3.2 Enter connection data
Field | Description
EWS URL | Exchange Online URL (do not change)
Server Version | Select Exchange2016
SSL Validation | SSL validation must be enabled
EWS Impersonation | EWS impersonation must be enabled
Valid SMTP Address | A valid email address must be entered (necessary for querying the room lists). This can be, for example, the SMTP address of a room or a separate mailbox that is within the scope.
Auth Type | Select Office365 OAuth 2.0 (Application Permission)
Azure TenantID | Enter the previously noted Directory (tenant) ID (from the App registrations menu)
Azure App ID | Enter the previously noted Application (client) ID (from the App registrations menu)
Azure App Secret | Enter the previously noted value of the client secret (from the App registrations menu)
2.3.3 Add / edit calendar
After a successful connection, the authorized calendars of the user account will be available for selection under the "Rooms" menu when adding a new room or editing an existing one.
3. General notes
3.1 Resource mailboxes with the AutoAccept function enabled
If the automatic acceptance of meeting requests is enabled for resource mailboxes in your Exchange environment, the subject of the appointment in the calendar will be replaced by the name of the organizer.
This is standard behavior in Exchange and occurs because AddOrganizerToSubject and DeleteSubject are set to "True."
Solution:
Open the Exchange Management Shell and run the following command:
Info: This setting only affects new appointments and not existing ones.
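A worked example for the AutoAccept setting described above. It is an added example, not the article's own command; "galileo" and "Vienna" are the article's example names, and the loop over a room list and the audit query are additions of this example.

```powershell
# Added example (not from the sklera article): stop auto-accepted bookings
# from replacing the subject with the organizer's name, Exchange Management Shell.

# Show the current behaviour of one room first.
Get-CalendarProcessing -Identity "galileo" |
    Format-List AutomateProcessing, AddOrganizerToSubject, DeleteSubject

# Turn off the two settings that rewrite the subject. Only new appointments
# are affected; existing entries keep the subject already stored.
Set-CalendarProcessing -Identity "galileo" -AddOrganizerToSubject $false -DeleteSubject $false

# Apply the same change to every room mailbox in a room list (e.g. "Vienna").
Get-DistributionGroupMember -Identity "Vienna" |
    Where-Object { $_.RecipientTypeDetails -eq "RoomMailbox" } |
    ForEach-Object {
        Set-CalendarProcessing -Identity $_.Identity -AddOrganizerToSubject $false -DeleteSubject $false
    }

# Audit: list all room mailboxes that still rewrite the subject.
Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited |
    Get-CalendarProcessing |
    Where-Object { $_.AddOrganizerToSubject -or $_.DeleteSubject } |
    Select-Object Identity, AddOrganizerToSubject, DeleteSubject
```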
3.2 Room mailboxes hidden from the Global Address List (GAL)
In order for room mailboxes to be linked with the Room Manager, they must be present in the Global Address List (GAL) in Exchange.
If necessary, room mailboxes can be hidden from the Global Address List after they have been linked with the Room Manager.
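A check for the GAL requirement in 3.2, as an added example that is not part of the article: it lists the rooms of a room list that are currently hidden from the address list, makes a room visible for linking, and hides it again afterwards. "Vienna" and "galileo" are the article's example names.

```powershell
# Added example (not from the sklera article): find room mailboxes that the
# Room Manager cannot link because they are hidden from the GAL.

# Rooms in the list "Vienna" that are hidden from address lists.
Get-DistributionGroupMember -Identity "Vienna" |
    Where-Object { $_.RecipientTypeDetails -eq "RoomMailbox" } |
    Get-Mailbox |
    Where-Object { $_.HiddenFromAddressListsEnabled } |
    Select-Object Name, PrimarySmtpAddress, HiddenFromAddressListsEnabled

# Make a hidden room visible so it can be linked in the Room Manager.
Set-Mailbox -Identity "galileo" -HiddenFromAddressListsEnabled $false

# Once the room has been linked, it may be hidden from the GAL again.
Set-Mailbox -Identity "galileo" -HiddenFromAddressListsEnabled $true
```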
4. Further external links
- Establishing a connection to Exchange Online PowerShell
https://learn.microsoft.com/en-us/powershell/exchange/connect-to-exchange-online-powershell?view=exchange-ps
- Creating and managing room mailboxes
https://learn.microsoft.com/en-us/exchange/recipients/room-mailboxes?view=exchserver-2019