
1. General

Exchange Online is integrated through the Microsoft Graph API with role-based access control (RBAC). 


Setup requires configuration in three places: Microsoft Entra ID, Exchange Online (PowerShell), and the sklera CMS.



1.1 Microsoft Entra ID

1.1.1 Register App

  • To set up the integration, you must register an application in Microsoft Entra ID.
    Go to the Microsoft Entra admin center: https://entra.microsoft.com.

    In the portal, navigate to "Entra ID > App registrations" and select "New registration".


  • Enter a name for your app and specify the appropriate redirect URI. Then click "Register".

    Note: The redirect URI depends on your sklera Cloud variant.

    sklera Cloud variant    Redirect URI
    sklera Public Cloud     https://my.sklera.tv/oauth/microsoft/callback
    sklera Private Cloud    https://<YOUR_CMS_URL>/oauth/microsoft/callback



  • Make a note of the Application (client) ID and the Directory (tenant) ID.
    You'll need these later in the sklera Room Manager to link the calendars. 



1.1.2 Create a client secret

  • In "Certificates & secrets", create a new client secret. Click "New client secret".

  • Optionally enter a description and set the expiration period.
    Then click "Add".



  • Copy the Value of the client secret. You'll need it later in the sklera Room Manager to establish the connection.



1.1.3 Note the enterprise app properties

  • Select "Enterprise apps" and locate your app (for example, sklera Exchange Connector).
    Copy the Application ID and Object ID. You'll need these later in Exchange Online to create a service principal.



1.1.4 Add API permissions

To add rooms graphically in Room Manager, the app requires access to your room lists.

If the required API permission (Place.Read.All) is not granted, new rooms can only be added by entering the SMTP address (Input Room Address). Graphical selection is not available in this case.


[Screenshot: example of graphical room selection]


If you don't use room lists or don't want to grant the API permission, you can skip the following steps and continue with section 1.1.5.


  • Go to "API permissions".

  • Click "Add a permission".

  • Select "Microsoft Graph".

  • Select "Application Permissions".

  • Search for "Place" and select "Place.Read.All".

  • Grant admin consent by clicking "Grant admin consent for ....".

  • Click "Yes".



1.1.5 Configure access permissions for room mailboxes – Part 1/2

The sklera Room Manager can access only mailboxes that are members of a specified security group or that are included in a defined management scope. Access to other mailboxes is not possible.


To configure this, a security group or a management scope must be created, and the required role (permission) must be assigned by using a management role assignment.


Option                  Note
A: Security group       Simple method, recommended for most customers.
                        The Room Manager's access permissions to Exchange are controlled
                        by the rooms' membership in a security group.
or
B: Management scope     Advanced method, for specialized requirements.
                        The Room Manager's access permissions to Exchange are controlled
                        through a management scope based on any attribute (for example,
                        mailbox type, alias, or location).


Role (permission)                  Purpose                              Note
Application Calendars.ReadWrite    Read and write access to calendars   Required if the Room Manager will create, modify,
                                                                        or delete appointments in Exchange (return channel).
or
Application Calendars.Read         Read access to calendars             Sufficient if only read access to appointments in
                                                                        Exchange is required (no return channel).


Important: Changes to permissions in Microsoft Entra ID may take some time to take effect due to replication and caching.




Option A (simple method, recommended for most customers – security group)

With this option, access permissions are controlled through the room mailboxes' membership in a security group.


  • Create a new security group by going to the "Groups" menu and clicking "New group".

  • Enter a name for the security group, and then click "Create".

  • Go to "All groups" and select the security group you just created.

  • Note the Object ID. You'll need it later in the Exchange Online (PowerShell) section to create a management role assignment.

  • Go to "Members" and click "Add members".

  • Search for the rooms you want to add, and then click "Select" to add them to the group.




Option B (advanced method, for specialized requirements – management scope)

With this option, access permissions are controlled through the room mailboxes' membership in a management scope.
The management scope can be defined based on any attribute (for example, mailbox type, alias, or location).


Setup is done exclusively through PowerShell and is described below.




1.2 Exchange Online (PowerShell)

1.2.1 Connect to Exchange Online

  • Open PowerShell and connect to Exchange Online.
Connect-ExchangeOnline



1.2.2 Create a room list 

To add room mailboxes graphically in the sklera Room Manager, they must be added to a room list. If no room lists exist, new rooms can only be added by entering the SMTP address (Input Room Address). Graphical selection is not available in this case.

You can use the following PowerShell commands to create room lists and add the desired room mailboxes.


  • Create the room list "Vienna":
New-DistributionGroup Vienna -Type distribution -RoomList


  • Add the room mailbox "Galileo" to the room list "Vienna":
Add-DistributionGroupMember -Identity Vienna -Member galileo



1.2.3 Create a service principal for your app

  • To assign the required permissions via a management role assignment, you must create a service principal in Exchange Online.
New-ServicePrincipal -AppId aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa -ObjectId oooooooo-oooo-oooo-oooo-oooooooooooo -DisplayName "skleraExchangeConnector"
Parameter       Description
-AppId          The Application ID of your enterprise app from the "Enterprise apps" menu.
-ObjectId       The Object ID of your enterprise app from the "Enterprise applications" menu.
-DisplayName    Any name for the service principal.



1.2.4 Configure access permissions for room mailboxes – Part 2/2

The required role (permission) is assigned through a management role assignment and is limited to the members of the security group.


  • Create a management role assignment
New-ManagementRoleAssignment -App oooooooo-oooo-oooo-oooo-oooooooooooo -Role "Application Calendars.ReadWrite" -RecipientGroupScope ssssssss-ssss-ssss-ssss-ssssssssssss -Name SKLERA_GRAPH_CALENDARS_READWRITE


Parameter               Description
-App                    The Object ID of your enterprise app from the "Enterprise applications" menu
                        (this matches the Object ID of your service principal in Exchange Online).
-Role                   Application Calendars.ReadWrite or Application Calendars.Read.
-RecipientGroupScope    The Object ID of the security group you created earlier.
-Name                   Any name for the management role assignment.




Continuation of Option B (advanced method, for specialized requirements – management scope)

In the following example, a management scope is created that includes all mailboxes of type RoomMailbox whose alias starts with room-at-.


  • Create a management scope
New-ManagementScope -Name "sklera_allowedRooms_scope" -RecipientRestrictionFilter "RecipientTypeDetails -eq 'RoomMailbox' -and Alias -like 'room-at-*'"


Note: You can customize the command with your own filters as needed.

See also:
https://learn.microsoft.com/en-us/powershell/module/exchange/new-managementscope?WT.mc_id=M365-MVP-6771&view=exchange-ps
https://learn.microsoft.com/en-us/powershell/module/exchangepowershell/new-managementscope?WT.mc_id=M365-MVP-6771&view=exchange-ps#-recipientrestrictionfilter
https://learn.microsoft.com/en-us/powershell/exchange/recipientfilter-properties?WT.mc_id=M365-MVP-6771&view=exchange-ps



The required role (permission) is assigned through a management role assignment to the room mailboxes included in the management scope.


  • Create a management role assignment
New-ManagementRoleAssignment -App oooooooo-oooo-oooo-oooo-oooooooooooo -Role "Application Calendars.ReadWrite" -CustomResourceScope "sklera_allowedRooms_scope" -Name SKLERA_GRAPH_CALENDARS_READWRITE

Parameter               Description
-App                    The Object ID of your enterprise app from the "Enterprise applications" menu
                        (this matches the Object ID of your service principal in Exchange Online).
-Role                   Application Calendars.ReadWrite or Application Calendars.Read.
-CustomResourceScope    The name of the management scope you created earlier.
-Name                   Any name for the management role assignment.



1.2.5 Test access permissions

You can use the following command to check whether the sklera Room Manager has access to the specified room mailbox.

Test-ServicePrincipalAuthorization -Identity oooooooo-oooo-oooo-oooo-oooooooooooo -Resource galileo

Parameter     Description
-Identity     The Object ID of your enterprise app from the "Enterprise applications" menu
              (this matches the Object ID of your service principal in Exchange Online).
-Resource     The name (or SMTP address) of the room mailbox.


In the command output, InScope must be True for the corresponding mailbox; otherwise the Room Manager cannot access it.
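The single-mailbox check above answers one question at a time. The following script is an added example, not part of the sklera documentation, that checks the whole setup from sections 1.2.2 to 1.2.5 at once: it previews which recipients the Option B filter matches, confirms every member of the room list is in scope for the app, and spot-checks that an ordinary user mailbox is not. It assumes an existing Connect-ExchangeOnline session, the placeholder IDs and names used in this guide (replace them with your own), and the standard ExchangeOnlineManagement cmdlets.

```powershell
# Added verification script (not sklera's code). Assumes an active
# Connect-ExchangeOnline session. All IDs/names below are the placeholders
# from this guide; replace them with your tenant's values.
$ServicePrincipalObjectId = 'oooooooo-oooo-oooo-oooo-oooooooooooo'   # placeholder, see 1.2.3
$RoomListName             = 'Vienna'                                  # room list from 1.2.2
$ScopeFilter              = "RecipientTypeDetails -eq 'RoomMailbox' -and Alias -like 'room-at-*'"  # filter from 1.2.4 (Option B)

# Step 1 (Option B only): preview the recipient filter before trusting the scope.
# Anything listed here that is not a room mailbox becomes accessible to the app
# once the management role assignment exists, so the non-room count should be 0.
$matched  = @(Get-Recipient -RecipientPreviewFilter $ScopeFilter -ResultSize Unlimited)
$nonRooms = @($matched | Where-Object { $_.RecipientTypeDetails -ne 'RoomMailbox' })
Write-Host ("Filter matches {0} recipients, {1} of which are not room mailboxes." -f $matched.Count, $nonRooms.Count)
$nonRooms | Select-Object PrimarySmtpAddress, RecipientTypeDetails | Format-Table -AutoSize

# Step 2: every room in the room list must be in scope for the app.
# Test-ServicePrincipalAuthorization returns one row per role assignment;
# the room is accessible if at least one row has InScope = True.
$rooms = @(Get-DistributionGroupMember -Identity $RoomListName -ResultSize Unlimited)
foreach ($room in $rooms) {
    $auth    = @(Test-ServicePrincipalAuthorization -Identity $ServicePrincipalObjectId -Resource $room.PrimarySmtpAddress)
    $inScope = @($auth | Where-Object { $_.InScope }).Count -gt 0
    $roles   = ($auth | Select-Object -ExpandProperty RoleName -Unique) -join ', '
    $status  = if ($inScope) { 'OK     ' } else { 'MISSING' }
    Write-Host ("{0} {1,-45} roles: {2}" -f $status, $room.PrimarySmtpAddress, $roles)
}

# Step 3: a mailbox that is not a room must NOT be in scope (least privilege check).
# One arbitrary user mailbox is picked here as the negative test case.
$userMailbox = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize 1
if ($userMailbox) {
    $auth = @(Test-ServicePrincipalAuthorization -Identity $ServicePrincipalObjectId -Resource $userMailbox.PrimarySmtpAddress)
    if (@($auth | Where-Object { $_.InScope }).Count -gt 0) {
        Write-Warning "App is in scope for user mailbox $($userMailbox.PrimarySmtpAddress): the scope is too broad."
    } else {
        Write-Host "OK      user mailbox $($userMailbox.PrimarySmtpAddress) is out of scope, as expected."
    }
}
```

Run it again after changing the security group, the scope filter or the role assignment; remember the replication delay noted in section 1.1.5 before treating a MISSING result as a configuration error.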



1.3 sklera CMS

1.3.1 Sign in to the sklera CMS

  • Sign in with a sklera user account that has access to the Room Manager module.


1.3.2 Connect Microsoft Graph calendar

  • Go to "Modules > Room Manager" and, in the "Microsoft 365 (Graph)" section, click "Link Calendar".

  • Enter the Tenant ID, Client ID, and Client Secret from "Entra ID admin center > App registrations", and then click "Save".
  • Sign in with your Microsoft administrator account and accept the requested permissions.



1.3.3 Add or edit calendars

After the connection is established, you can select the authorized calendars in the sklera Room Manager.



2. General notes

2.1 Resource mailboxes with AutoAccept enabled

If automatic acceptance of meeting requests is enabled for resource mailboxes in your Exchange environment, the meeting subject in the calendar is replaced by the organizer's name.
This is standard Exchange behavior and occurs because "AddOrganizerToSubject" and "DeleteSubject" are set to "True".


See: https://learn.microsoft.com/en-us/troubleshoot/exchange/client-connectivity/calendar-shows-organizer-name 


Solution: Open the Exchange Management Shell and run the following command:

Set-CalendarProcessing -Identity <RESOURCEMAILBOX> -DeleteSubject $False -AddOrganizerToSubject $False

Note: This setting applies only to new appointments, not to existing ones.



3. Further external links