Set up and configure Role Based Access Control (RBAC) for Applications in Exchange Online to restrict access to specified rooms/calendars
PROCESS
Prerequisites:
We recommend using a group to assign access to the calendars of specific rooms. The group must be mail-enabled (a distribution group or a mail-enabled security group), because the management scope below is built from the group's distinguished name as returned by Get-DistributionGroup.
Create such a group and add the room mailboxes that the Neowit platform is allowed to access as members. Only rooms in this group will be reachable by the application; rooms outside it stay out of scope.
Additional info:
Microsoft article to support the setup of RBAC:
https://learn.microsoft.com/en-us/exchange/permissions-exo/application-rbac
Commands (PowerShell):
ServicePrincipal
A service principal represents an instance of an application within your tenant. In this scenario it is the instance of the Neowit application created in step 3 of the <Graph calendar integration> description. Exchange Online keeps its own record of that service principal, which is what New-ServicePrincipal creates; the IDs must match the values in Entra ID (AAD). Note that -ObjectId is the Object ID of the enterprise application (the service principal), not the Object ID of the app registration.
New-ServicePrincipal -AppId <Client Application ID in AAD> -ObjectId <Service principal object ID in AAD> -DisplayName <name>
Like this example:
New-ServicePrincipal -AppId "c13e6d7f-f7da-438d-9ca4-22e0abe4de37" -ObjectId "5abb569a-c03c-4c75-bc9d-f63c12f72e5f" -DisplayName "Role Based Access Control for App NeowitGraphCalendar"
Management Scopes
A management scope selects the set of mailboxes a role assignment applies to, using a recipient filter on the properties of those objects. Here the filter is membership of the group created above, so the scope follows the group: adding or removing a room from the group changes what the application can reach.
$DG = Get-DistributionGroup -Identity "<name of group created>"
New-ManagementScope -Name <choice of name> -RecipientRestrictionFilter "MemberOfGroup -eq '$($DG.DistinguishedName)'"
Like this example:
$DG = Get-DistributionGroup -Identity "Neowit Room Calendar Access"
New-ManagementScope -Name "rbac_neowit" -RecipientRestrictionFilter "MemberOfGroup -eq '$($DG.DistinguishedName)'"
Management Role Assignments
A management role assignment ties together the principal (the application), the role (here the built-in "Application Calendars.ReadWrite" role) and the custom resource scope that limits the role to the rooms in the group.
New-ManagementRoleAssignment -App <ObjectId> -Role "Application Calendars.ReadWrite" -CustomResourceScope <Name of Management Scope>
Like this example:
New-ManagementRoleAssignment -App "5abb569a-c03c-4c75-bc9d-f63c12f72e5f" -Role "Application Calendars.ReadWrite" -CustomResourceScope "rbac_neowit"
Please note
Exchange Online caches permissions, so it can take up to 30 minutes before the management role assignment takes effect. Wait 30 minutes before you proceed and test. To confirm the result, use Test-ServicePrincipalAuthorization -Identity <ObjectId> -Resource <mailbox> against one room inside the group (expected: authorized) and one mailbox outside the group (expected: not authorized).
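The steps above as one complete, re-runnable PowerShell script, added here as an example and not part of the original page or the Neowit product. It reuses the page's example IDs, group name and scope name as placeholders, assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds Exchange role-management rights, and finishes with the positive and negative authorization checks that show the scope actually limits the application. The two mailbox identities marked with <...> must be replaced with real ones.

```powershell
# Added example (not from the original page): scope the Neowit app to one group of room
# mailboxes with Exchange Online RBAC for Applications, then verify the boundary.
# GUIDs, group name and scope name are the page's placeholders; replace them with your own.

# Requires the ExchangeOnlineManagement module (Install-Module ExchangeOnlineManagement).
Connect-ExchangeOnline

$AppId     = "c13e6d7f-f7da-438d-9ca4-22e0abe4de37"   # Application (client) ID of the app registration
$ObjectId  = "5abb569a-c03c-4c75-bc9d-f63c12f72e5f"   # Object ID of the enterprise application (service principal), NOT the app registration
$GroupName = "Neowit Room Calendar Access"             # mail-enabled group containing the room mailboxes
$ScopeName = "rbac_neowit"
$RoleName  = "Application Calendars.ReadWrite"         # built-in application role; "Application Calendars.Read" would be read-only

# 1. Service principal: register it in Exchange Online only if it is not already there.
if (-not (Get-ServicePrincipal -Identity $ObjectId -ErrorAction SilentlyContinue)) {
    New-ServicePrincipal -AppId $AppId -ObjectId $ObjectId `
        -DisplayName "Role Based Access Control for App NeowitGraphCalendar"
}

# 2. Management scope built from the group's distinguished name.
#    Get-DistributionGroup returns distribution groups and mail-enabled security groups;
#    a non-mail-enabled group will not be found and the script stops here.
$DG = Get-DistributionGroup -Identity $GroupName -ErrorAction Stop

# An empty group would produce a scope that matches nothing: fail early rather than debug later.
if (-not (Get-DistributionGroupMember -Identity $DG.Identity)) {
    throw "Group '$GroupName' has no members; the scope would grant access to no mailbox."
}

if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName `
        -RecipientRestrictionFilter "MemberOfGroup -eq '$($DG.DistinguishedName)'"
}

# 3. Role assignment: the application role, limited to the custom scope.
#    -Name is set so a second run fails with a clear duplicate error instead of creating a twin.
New-ManagementRoleAssignment -Name "$ScopeName-$RoleName" -App $ObjectId -Role $RoleName `
    -CustomResourceScope $ScopeName

# 4. Verification (run after the permission cache has refreshed, up to 30 minutes).
#    Without -Resource, the cmdlet lists every assignment the principal holds.
Test-ServicePrincipalAuthorization -Identity $ObjectId | Format-Table RoleName, AllowedResourceScope, ScopeType

# Positive check: a room that is a member of the group must report IsAuthorized = True.
Test-ServicePrincipalAuthorization -Identity $ObjectId -Resource "<room mailbox in the group>" |
    Format-List RoleName, GrantedPermissions, AllowedResourceScope, IsAuthorized

# Negative check: a mailbox outside the group must report IsAuthorized = False.
# If it reports True, the app still has a broader grant through some other path and the
# scope is not the effective boundary; find and remove that grant before going live.
Test-ServicePrincipalAuthorization -Identity $ObjectId -Resource "<user or room mailbox NOT in the group>" |
    Format-List RoleName, GrantedPermissions, AllowedResourceScope, IsAuthorized
```

The negative check is the one that matters from a security standpoint: the assignment only proves that access was granted to the group, not that access elsewhere was denied, so test a mailbox the application should never see.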