
Configure Role Based Access Control (RBAC) in Microsoft Exchange Online

Set up and configure Role Based Access Control (RBAC) for Applications in Exchange Online to restrict access to specified rooms/calendars

PROCESS

Prerequisites:

We recommend using group(s) to assign access to the calendars of specific rooms. When groups are used for this purpose, they must be mail-enabled groups.

Create a group and make the rooms that are to be accessed by the Neowit platform members of it.

Additional info:

Microsoft article to support the setup of RBAC:
https://learn.microsoft.com/en-us/exchange/permissions-exo/application-rbac


Commands (PowerShell):


ServicePrincipal

Service Principals represent an instance of an application within your tenant. In this scenario it is the instance of the Neowit application created in step 3 of the <Graph calendar integration> description.

New-ServicePrincipal -AppId <Client Application ID in AAD> -ObjectId <Service principal object ID in AAD> -DisplayName <name>

Like this example:

New-ServicePrincipal -AppId "c13e6d7f-f7da-438d-9ca4-22e0abe4de37" -ObjectId "5abb569a-c03c-4c75-bc9d-f63c12f72e5f" -DisplayName "Role Based Access Control for App NeowitGraphCalendar"


Management Scopes

Management scopes allow an admin to scope a set of mailboxes based on the properties of these objects.

$DG = Get-DistributionGroup -Identity "<name of group created>"

New-ManagementScope -Name <choice of name> -RecipientRestrictionFilter "MemberOfGroup -eq '$($DG.DistinguishedName)'"

Like this example:

$DG = Get-DistributionGroup -Identity "Neowit Room Calendar Access"

New-ManagementScope -Name "rbac_neowit" -RecipientRestrictionFilter "MemberOfGroup -eq '$($DG.DistinguishedName)'"

Management Role Assignments

Management role assignments tie together a principal, a role, and a custom resource scope of access.

New-ManagementRoleAssignment -App <ObjectId> -Role "Application Calendars.ReadWrite" -CustomResourceScope <Name of Management Scope>

Like this example:

New-ManagementRoleAssignment -App "5abb569a-c03c-4c75-bc9d-f63c12f72e5f" -Role "Application Calendars.ReadWrite" -CustomResourceScope "rbac_neowit"
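The three steps above collected into one script, followed by the checks a practitioner wants before handing the app over: that the role assignment is bound to the custom scope (not tenant-wide) and that a room which is not a member of the group is reported as out of scope. This is an added example, not code from this article or from Neowit. It assumes the ExchangeOnlineManagement module (v3 or later) and uses the article's example IDs, group name, scope name and role; the two room addresses are placeholders to replace with your own.

```powershell
# Added example, not from the original article or from Neowit.
# Requires: Install-Module ExchangeOnlineManagement (v3+) and an admin with RBAC rights.

# --- Inputs (article example values; the two room addresses are placeholders) ---
$AppId        = "c13e6d7f-f7da-438d-9ca4-22e0abe4de37"   # Client (application) ID in Entra ID / AAD
$SpObjectId   = "5abb569a-c03c-4c75-bc9d-f63c12f72e5f"   # Service principal object ID in Entra ID / AAD
$SpName       = "Role Based Access Control for App NeowitGraphCalendar"
$GroupName    = "Neowit Room Calendar Access"             # mail-enabled group holding the room mailboxes
$ScopeName    = "rbac_neowit"
$RoleName     = "Application Calendars.ReadWrite"
$RoomInScope  = "room-a@contoso.example"                  # placeholder: a room that IS a member of the group
$RoomOutScope = "room-b@contoso.example"                  # placeholder: a room that is NOT a member

Connect-ExchangeOnline -ShowBanner:$false

# Step 1: service principal (reuse it if it was already registered in Exchange Online)
$sp = Get-ServicePrincipal -Identity $SpObjectId -ErrorAction SilentlyContinue
if (-not $sp) {
    $sp = New-ServicePrincipal -AppId $AppId -ObjectId $SpObjectId -DisplayName $SpName
}

# Step 2: management scope restricted to members of the mail-enabled group
$DG = Get-DistributionGroup -Identity $GroupName -ErrorAction Stop
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName `
        -RecipientRestrictionFilter "MemberOfGroup -eq '$($DG.DistinguishedName)'" | Out-Null
}

# Step 3: bind the application role to the service principal, limited to that scope
$existing = Get-ManagementRoleAssignment -App $SpObjectId -Role $RoleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-ManagementRoleAssignment -App $SpObjectId -Role $RoleName -CustomResourceScope $ScopeName | Out-Null
}

# --- Check 1: every assignment for this app must carry the custom scope ---
# An assignment without CustomRecipientWriteScope would grant the app all mailboxes.
$unscoped = Get-ManagementRoleAssignment -App $SpObjectId |
    Where-Object { $_.CustomRecipientWriteScope -ne $ScopeName }
if ($unscoped) {
    Write-Warning "Assignment(s) not limited to '$ScopeName':"
    $unscoped | Format-Table Name, Role, CustomRecipientWriteScope -AutoSize
} else {
    "All role assignments for $SpObjectId are limited to scope '$ScopeName'."
}

# --- Check 2: per-mailbox authorization as Exchange Online evaluates it ---
# Expected: InScope=True for the group member, InScope=False for the non-member.
# Note the 30-minute permission cache mentioned in the article; re-run if freshly assigned.
foreach ($room in @($RoomInScope, $RoomOutScope)) {
    $result = Test-ServicePrincipalAuthorization -Identity $SpObjectId -Resource $room
    "{0,-30} InScope={1}" -f $room, ($result.InScope -contains $true)
}
```

Check 1 is the one to keep in a periodic review script: re-running New-ManagementRoleAssignment without -CustomResourceScope (or with a scope that later gets widened) silently turns a room-only grant into a tenant-wide one, and the assignment list is where that shows up first.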

Please note

Exchange Online caches permissions, so it can take up to 30 minutes before the management role assignment becomes effective. Wait 30 minutes before you proceed and test.