TABLE OF CONTENTS
- 1. General Information
- 2. Migration
1. General Information
Microsoft has removed the RBAC role "ApplicationImpersonation" as of February 2025.
As a result, the method previously used in sklera (Office365 OAuth 2.0 User Permission) for Exchange Online (Office365) integration is no longer functional.
With this transition, sklera must now use Application Permissions instead of Delegated (User) Permissions. The permissions for the app are managed through a Management Role Assignment and RBAC for Applications. No special API permissions are required for the app. As before, this ensures that the sklera app only has access to specific corporate mailboxes.
2. Migration
The following steps are necessary to transition to the "Office365 OAuth 2.0 (Application Permission)" authentication type.
2.1 Microsoft Entra ID
2.1.1 Note app information
Go to https://entra.microsoft.com/, click on the "Applications > App registrations" menu item and select your app (e.g., sklera Exchange Connector).
The following IDs must be noted:
- Application (client) ID
- Directory (tenant) ID
This information will be needed later in the sklera Room Manager to establish the Exchange connection.
2.1.2 Create Client Secret
If you do not know your previously used client secret, a new one must be created.
To do this, navigate to the "Certificates & Secrets" menu item and click on the "New Client Secret" button.
2.1.3 Note the value of the Client Secret
The value of the "Client Secret" will be needed later in the sklera Room Manager to establish the Exchange connection.
2.1.4 Note Enterprise App Information
Click on the "Applications > Enterprise applications" menu item and select your app (e.g. sklera Exchange Connector).
The following IDs must be noted:
- Application ID
- Object ID
This information will be needed later in Exchange Online to create a service principal.
2.2 Exchange Online (PowerShell)
2.2.1 Open Microsoft PowerShell and connect to Exchange Online
Connect-ExchangeOnline
2.2.2 Create a service principal for the app
New-ServicePrincipal -AppId aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa -ObjectId oooooooo-oooo-oooo-oooo-oooooooooooo -DisplayName "skleraExchangeConnector"
Info: For AppId and ObjectId, use the data from the "Enterprise Applications" menu (not from the "App registrations" menu).
2.2.3 Create Management Role Assignment
Access permissions to the room mailboxes can still be defined by specifying the existing custom resource scope.
New-ManagementRoleAssignment -App oooooooo-oooo-oooo-oooo-oooooooooooo -Role "Application EWS.AccessAsApp" -CustomResourceScope "sklera-allowedRooms-scope" -Name SKLERA_EWS_ACCESS
-App = Object ID from the "Enterprise applications" menu
-CustomResourceScope = Name of the existing management scope
Info: If you do not know the name of your previously used management scope, it can be retrieved using the command Get-ManagementScope.
2.2.4 Remove the Previously Used Management Role Assignment
The previously used management role assignment, which assigned the "ApplicationImpersonation" role and the management scope to a service user, can be removed.
2.2.5 Test Access Permissions
The test indicates whether sklera has access to the specified room mailbox: InScope = True / False.
Test-ServicePrincipalAuthorization -Identity oooooooo-oooo-oooo-oooo-oooooooooooo -Resource galileo
-Identity = Object ID from the "Enterprise applications" menu
-Resource = Name of the room mailbox
RoleName | GrantedPermission | AllowedResourceScope | ScopeType | InScope |
Application EWS.AccessAsApp | EWS.AccessAsApp | sklera-allowedRooms-scope | Group | True |
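As an added worked example that is not part of the sklera documentation, the following script runs the whole of section 2.2 end to end: it creates the service principal only if it does not already exist, refuses to continue if the management scope name does not resolve (a mistyped scope would otherwise yield an assignment that grants nothing), creates the role assignment, and then checks every listed room for InScope = True. The IDs, scope name, assignment name and room name are the placeholders used above. For step 2.2.4 the page shows no command; the script uses Get-ManagementRoleAssignment and Remove-ManagementRoleAssignment, filtered to the sklera scope so that any other ApplicationImpersonation assignments in the tenant are left untouched, and asks for confirmation before each removal.

```powershell
# Added example (not sklera's own script): Exchange Online part of the migration.
# Replace the placeholder values with the IDs noted in step 2.1.4 and your own scope/room names.
$AppId          = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa'   # Application ID (Enterprise applications)
$ObjectId       = 'oooooooo-oooo-oooo-oooo-oooooooooooo'   # Object ID (Enterprise applications)
$ScopeName      = 'sklera-allowedRooms-scope'              # existing custom management scope
$AssignmentName = 'SKLERA_EWS_ACCESS'
$Rooms          = @('galileo')                             # room mailboxes that must be in scope

Connect-ExchangeOnline

# 2.2.2 Service principal: create it only if Exchange Online does not know it yet.
if (-not (Get-ServicePrincipal -Identity $ObjectId -ErrorAction SilentlyContinue)) {
    New-ServicePrincipal -AppId $AppId -ObjectId $ObjectId -DisplayName 'skleraExchangeConnector'
}

# 2.2.3 Role assignment limited to the existing custom resource scope.
# Stop if the scope name does not resolve; Get-ManagementScope lists the available names.
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    throw "Management scope '$ScopeName' not found. Run Get-ManagementScope to list existing scopes."
}
New-ManagementRoleAssignment -App $ObjectId -Role 'Application EWS.AccessAsApp' `
    -CustomResourceScope $ScopeName -Name $AssignmentName

# 2.2.4 Remove only the legacy ApplicationImpersonation assignment(s) bound to the sklera scope.
# -Confirm prompts before each removal so the list can be reviewed.
$legacy = Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' |
    Where-Object { "$($_.CustomRecipientWriteScope)" -eq $ScopeName }
foreach ($assignment in $legacy) {
    "Removing legacy assignment: $($assignment.Name) (assignee: $($assignment.RoleAssignee))"
    Remove-ManagementRoleAssignment -Identity $assignment.Name -Confirm
}

# 2.2.5 Verify: every room must report InScope = True for the new service principal.
$notInScope = foreach ($room in $Rooms) {
    $result = Test-ServicePrincipalAuthorization -Identity $ObjectId -Resource $room
    if (-not ($result.InScope -contains $true)) { $room }
}
if ($notInScope) {
    Write-Error "Rooms not in scope for $ObjectId : $($notInScope -join ', ')"
} else {
    "All rooms are in scope: $($Rooms -join ', ')"
}
```

Run the script in a session with the ExchangeOnlineManagement module installed. Adding every room mailbox sklera is expected to see to `$Rooms` turns the final step into a complete access check rather than a single spot test, and a room that is missing from the scope shows up as an error instead of a silent sync failure later in the CMS.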
2.3 sklera CMS
2.3.1 Unlink existing Exchange connection
The existing connection to the Exchange calendars must be unlinked in the sklera CMS in "Modules > Room Manager > Connections & Settings > Exchange / Office365". To do this, click on "Unlink Calendar".
2.3.2 Re-link Calendar
Click on the "Link Calendar" button and enter the following settings:
EWS URL | Exchange Online URL (do not change) |
Server Version | Select Exchange2016 |
SSL Validation | SSL validation must be enabled |
EWS Impersonation | EWS impersonation must be enabled |
Valid SMTP Address | A valid email address must be entered (necessary for querying the room lists). This can be, for example, the SMTP address of a room or a separate mailbox that is within the scope. |
Auth Type | Select Office365 OAuth 2.0 (Application Permission) |
Azure Directory ID | Enter the previously noted Directory (tenant) ID (from the App registrations menu) |
Azure App ID | Enter the previously noted Application (client) ID (from the App registrations menu) |
Azure App Secret | Enter the previously noted value of the client secret (from the App registrations menu) |
2.3.3 Perform test sync of a room
Navigate to the "Rooms" menu and click on "Refresh connected Calendar" for a connected room in the options.