Connect your Door Displays to Microsoft 365 (formerly known as 0365)/Exchange Using Delegate Access

The direct method to connect to a resource to Microsoft 365 (formerly known as 0365) or Exchange is described here. It’s very straightforward and should work for 90% of business environments. It needs a visit in the 0365/Exchange directory where resources are listed and delivers the credentials needed by the door display solution. Reset the password and you’re done. The average skilled Administrator should be able to do this within 5-10 minutes. If the user is not allowed to give consent, and admin approval is required, then how to send an approval request is described here.

In some business environments the way of directly connecting to resource calendars is not preferred. This could be due to enterprise IT policy or other restrictions. For example, hosted Microsoft 365 (formerly known as 0365) products only allow a subset of functionality for configuring meeting rooms. If you cannot access the “native” user interface of Microsoft 365 (formerly known as 0365), you won’t be able to create a password for a meeting room. Let’s look a the alternative method of delegate access. To put in simple words, we connect either to a service account or to a shared mailbox that has been granted “access rights” for multiple meeting rooms. The creation of this account and the assignment of rights takes place in the Microsoft 365 (formerly known as 0365)/Exchange Admin Center (EAC).

Method 1: Service Account

Create a Service Account
  1. Open Exchange Admin Center (EAC) as an administrator.
  2. Go to Users > Active users and click Add a user.

  1. In the new user dialog, enter details of your new user.

    1. This step might require the purchase of a license. Activate the users license and then click Add.

Assign delegate rights to access the events of the resource calendar

The next step is required to grant the permission to edit the calendar events

  1. In the EAC, select recipients and resources.

  1. If you haven’t created a resource yet then click add and read here to create a resource. Select an existing resource and click edit if your resources are already set up.
  2. In the Edit Room Mailbox dialog, select mailbox delegation, scroll down to Full Access and click Add.

  1. Select the service account you created.

  1. Click Add and press Ok. You’ll see the new element in the Edit Room Mailbox dialog.

  1. Click Save.

Resolve “The caller has not assigned any of the RBAC roles requested in the management role header”

The second step is to fullfill another criteria of the RBAC (role based access control) concept. The service_account user needs to be assigned a specific admin role.

  1. Open Exchange Admin Center (EAC) as an administrator to fix the RBAC warning issue.
  2. In the EAC, go to Permissions> Admin roles, select the Discovery Management role group and click Edit.

  1. On the Role Group page, in the Members section, click Add.

  1. In the Select Members dialog, select a user or group and click Add. Finish with OK.

  1. Back on the Role Group page, click Save.
  2. Go to Permissions> Admin roles, select Discovery Management role group. In the details pane on the right, verify that the added user is shown in Members

How to assign “MailboxSearchApplication role in eDiscovery management”

The third step is to allow the service_account user to search for resources.

  1. In the EAC, go to Permissions > Admin roles, select Discovery Management and click Edit
  2. On the Role Group page, in the Roles section, click Add
  3. In the Select a Role dialog, select MailboxSearchApplication and click Add. Finish with OK.

  1. Back on the Role Group page, click Save.
  2. In the EAC, go to Permissions> Admin roles, and select the Discovery Management role group. In the details pane, verify that the added role is shown under Assigned Roles

Method 2: Shared Mailbox

Create a shared mailbox

The first step is required to grant the permission to edit the calendar events.

  1. Open Exchange Admin Center (EAC) as an administrator
  2. Select recipients and shared, then click Add.

  1. In the New shared mailbox dialog, enter the required name and email address and then click Save. In Users, add your administror user here. It’s not needed to add all your meeting room users.

Assign delegate rights to access the events/meetings of the resource/room
  1. In the EAC, select recipients and resources.

  1. If you haven’t created a resource yet then click add and read here to create a resource. Select an existing resource and click edit if your resources are already set up.
  2. In the Edit Room Mailbox dialog, select mailbox delegation, scroll down to Full Access and click Add.

  1. Select the account you created in step 2.
  2. Click Add and press Ok. You’ll see the new element as a result in the Edit Room Mailbox dialog.

  1. Click Save.
Resolve “The caller has not assigned any of the RBAC roles requested in the management role header”

The second step is to fullfill another criteria of the RBAC (role based access control) concept. The shared mailbox user needs to be assigned a specific admin role.

  1. Open Exchange Admin Center (EAC) as an administrator to fix the RBAC (role based access control) issue
  2. In the EAC, go to PermissionsAdmin roles, select the Discovery Management role group and click Edit.

  1. On the Role Group page, in the Members section, click Add.

  1. In the Select Members dialog, select a user or group and click Add. Finish with OK.

  1. Back on the Role Group page, click Save.
  2. Go to PermissionsAdmin roles, select Discovery Management role group. In the details pane on the right, verify that the added user is shown in Members

How to assign “MailboxSearchApplication role in eDiscovery management”

The third step is to allow the shared mailbox delegate user to search for resources.

  1. In the EAC, go to Permissions > Admin roles, select Discovery Management and click Edit
  2. On the Role Group page, in the Roles section, click Add
  3. In the Select a Role dialog, select MailboxSearchApplication and click Add. Finish with OK.

  1. Back on the Role Group page, click Save.
  2. In the EAC, go to PermissionsAdmin roles, and select the Discovery Management role group. In the details pane, verify that the added role is shown under Assigned Roles

Connect to Office Microsoft 365 (formerly known as 0365) Resource calendars

The basic Microsoft Authentication is deprecated after 13 Oct 2020 for Microsoft 365 (formerly known as 0365). The new MS OAuth v2 requires to authenticate the app/user by giving an admin user consent.

Step 1: for Microsoft 365 (formerly known as 0365): Check .asmx link for your meeting room. (You’ll need it in Step 2)
  1. Try https://outlook.office365.com/EWS/Exchange.asmx in your browser. It should ask for credentials.
  2. If the link above does not work, read this article to know about getting the .asmx link for your resource.
Step 2: Connect to Meeting Room Schedule
  1. Install Meeting Room Schedule in your android device.
  2. Tap and select the option Settings from the top right of the main screen.
  3. From the list of options, select Calendar connection.
  4. Select the option Exchange (read the instructions on the screen for more help).
  5. Enter the domain in the first field. For example, yourcompany.com.
  6. Enter the delegate/service account credentials.
  7. Enter the exchange server URL (.asmx) obtained from step 1.
  8. Turn on the switch Use delegate/service account.
  9. A new field will appear below this switch, enter the resource calendar address in this field.
  10. Select Save & Exit.
  11. You will see a popup with a code. Copy that code and press OK.

  1. The browser page will open. Paste the above code into the field and press Next.

  1. Sign in as an admin. After signing in you will be asked to accept the requested permissions along with the checkbox at the bottom saying “Consent on behalf of your organization”. It will grant the consent for all the resources (In case of a change to another resource, you have to go to exchange connection in the app, enter another resource address and press Save & Exit. The app will connect to that resource and you don’t have to repeat all these steps again). Click on the checkbox and press Accept.

  1. You will see the following page that you have signed in to the app successfully.

  1. Close the browser and press back button to go back to the Meeting room schedule app.
  2. The app will check the permissions and automatically go to the main display screen.
Step 3: Fine Tuning of Exchange/Microsoft 365 (formerly known as 0365) Settings
  1. Using Powershell, you’re able to access advanced settings. The following two settings have the biggest effect on what’s shown on the app as subject of the meeting:[-AddOrganizerToSubject <$true | $false>] and [-DeleteSubject <$true | $false>]
  2. Here you’ll find a complete list of advanced settings.
  3. How to access powershell? Check this documentation from Microsoft.

 

Connect to Microsoft Exchange Resource calendars

Step 1: for Exchange: Check .asmx link for your meeting room. (You’ll need it in Step 2)
  1. Try https://yourserver/EWS/Exchange.asmx in your browser. It should ask for credentials.
  2. If the link above does not work, read this article to know about getting the .asmx link for your resource.
Step 2: Connect to Meeting Room Schedule.
  1. Install Meeting Room Schedule in your android device.
  2. Tap and select the option Settings from the top right of the main screen.
  3. From the list of options, select Calendar connection.
  4. Select the option Exchange (read the instructions on the screen for more help).
  5. Enter the domain in the first field. For example, yourcompany.com.
  6. Enter the delegate/service account credentials.
  7. Enter the exchange server URL (.asmx) obtained from step 1.
  8. Turn on the switch Use delegate/service account.
  9. A new field will appear below this switch, enter the resource calendar address in this field.
  10. Select Save & Exit to go to the main display screen.
Step 3: Fine Tuning of Exchange/Microsoft 365 (formerly known as 0365) Settings
  1. Using Powershell, you’re able to access advanced settings. The following two settings have the biggest effect on what’s shown on the app as subject of the meeting:[-AddOrganizerToSubject <$true | $false>] and [-DeleteSubject <$true | $false>]
  2. Here you’ll find a complete list of advanced settings.
  3. How to access powershell? Check this documentation from Microsoft.

For more information please visit these links:

https://docs.microsoft.com/en-us/exchange/client-developer/exchange-web-services/delegate-access-and-ews-in-exchange

https://docs.microsoft.com/en-us/Exchange/policy-and-compliance/ediscovery/assign-permissions?view=exchserver-2019

https://gsexdev.blogspot.com/2012/11/using-ediscovery-to-search-mailboxes.html

 

“>