Exchange - Advanced


Authentication and primary setup in Exchange import module

 

Introduction

This guide is primarily about how to prepare Exchange to work optimally with the booking system and how to set up authentication.

There are three scenarios in which the Exchange module can import calendar data, provided that there is EWS (Exchange Web Service) access to the installation.


Overview:

  1. Correctly created RoomList group in Exchange Management Shell (PowerShell)
  2. Simple setup without impersonation rights to the rooms (Room Mailboxes)
    Setup with impersonation rights to the rooms (Room Mailboxes)
    An important note (about subject and organizer settings in Exchange)
  3. Creating a Service Account in Office 365


Setting up point 2 (Not possible on versions before Exchange 2010)

Setting up item 2 requires that a RoomList distribution group has been (or will be) created in Exchange as well as a service account user with technical access to Exchange.


This can simply be a user created solely for the purpose of importing calendar data into the booking system. For Q-Cal, it is best to create a dedicated RoomList as shown below (this can also be changed in the Exchange module, under the item Local list user):

 

Note: In the examples below, I use the identity infoscreens, with an "s" at the end.


In PowerShell:

New-DistributionGroup -PrimarySmtpAddress "infoscreens@ditfirma.dk" -Name "Info Screen List" -DisplayName "Info Screen List"



After creating it in PowerShell, the distribution group must be set as a RoomList:

Set-DistributionGroup -Identity "infoscreens@ditfirma.dk" -RoomList


To assign rooms (Room Mailboxes) to the distribution list, run the following command for each room mailbox:

Add-DistributionGroupMember -Identity "infoscreens@ditfirma.dk" -Member "modelokale@ditfirma.dk"
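The room-list steps above as one script, as an added example (not NordicScreen's own code): it checks that the group really is a RoomList, then adds each listed room mailbox unless it is missing, is not a room mailbox, or is already a member. The addresses are the sample ones used in this guide.

```powershell
# Added example, not NordicScreen's code. Sample addresses from this guide;
# replace them with your own.
$RoomList = 'infoscreens@ditfirma.dk'
$Rooms    = @('modelokale@ditfirma.dk')   # one entry per room mailbox

# Stop if the group was never converted to a room list.
$group = Get-DistributionGroup -Identity $RoomList -ErrorAction Stop
if ($group.RecipientTypeDetails -ne 'RoomList') {
    throw "$RoomList is '$($group.RecipientTypeDetails)', not a RoomList."
}

# Current members, compared by primary SMTP address (lower-cased).
$current = @(Get-DistributionGroupMember -Identity $RoomList -ResultSize Unlimited |
    ForEach-Object { $_.PrimarySmtpAddress.ToString().ToLower() })

foreach ($room in $Rooms) {
    $mbx = Get-Mailbox -Identity $room -ErrorAction SilentlyContinue
    if (-not $mbx) {
        Write-Warning "$room : mailbox not found, skipped"
        continue
    }
    # Only room mailboxes belong in a room list; user mailboxes are refused.
    if ($mbx.RecipientTypeDetails -ne 'RoomMailbox') {
        Write-Warning "$room : is $($mbx.RecipientTypeDetails), not a room mailbox, skipped"
        continue
    }
    $address = $mbx.PrimarySmtpAddress.ToString()
    if ($current -contains $address.ToLower()) {
        Write-Output "$room : already a member"
        continue
    }
    Add-DistributionGroupMember -Identity $RoomList -Member $address
    Write-Output "$room : added"
}
```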


If you do not want to continue with the setup with impersonation rights, use the setup below in app.q-cal.net.


Example of configuration in app.q-cal.net



Setup with impersonation rights

In this setup, a Service Account must be used for login, which will have access to the rooms' individual calendars. Let us assume as an example that this account is called q-cal@ditfirma.dk with password 12345678.

Note: NordicScreen does not recommend using easy passwords for this type of setup. Preferably use a minimum of 16 characters with a mixture of uppercase and lowercase letters, special characters and numbers.


First create a restriction filter in PowerShell:

New-ManagementScope -Name "Q-Cal Impersonation Scope" -RecipientRestrictionFilter { RecipientTypeDetails -eq "RoomMailbox" }


If errors occur at this point, e.g. on online versions of Exchange, the following may need to be run first. (The command allows you to create security filters. Please note: running it may take up to several minutes.)

Enable-OrganizationCustomization

Then the scope above must be assigned to the service account q-cal@ditfirma.dk:

New-ManagementRoleAssignment -Name "RoomSync-RoomImpersonation" -Role ApplicationImpersonation -User "q-cal@ditfirma.dk" -CustomRecipientWriteScope "Q-Cal Impersonation Scope"
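A check to run after the assignment, as an added example (not NordicScreen's own code): it confirms that the scope's filter matches room mailboxes only and that every ApplicationImpersonation assignment held by the service account is limited to a custom scope rather than the whole organization. The account and scope names are the sample ones used in this guide.

```powershell
# Added example, not NordicScreen's code. Sample names from this guide.
$Account = 'q-cal@ditfirma.dk'
$Scope   = 'Q-Cal Impersonation Scope'

# 1. Read back the filter stored on the scope.
$filter = (Get-ManagementScope -Identity $Scope -ErrorAction Stop).RecipientFilter
Write-Output "Scope filter: $filter"

# 2. Preview the recipients the filter matches. -RecipientPreviewFilter is the
#    Get-Recipient parameter for testing recipient filters; it is used here on
#    the scope's filter. Anything that is not a RoomMailbox is a finding.
$covered  = @(Get-Recipient -RecipientPreviewFilter $filter -ResultSize Unlimited)
$nonRooms = @($covered | Where-Object { $_.RecipientTypeDetails -ne 'RoomMailbox' })
Write-Output "Recipients in scope: $($covered.Count)"
if ($nonRooms.Count -gt 0) {
    Write-Warning "Scope also covers $($nonRooms.Count) non-room recipient(s):"
    $nonRooms | Select-Object Name, RecipientTypeDetails
}

# 3. List the account's ApplicationImpersonation assignments. An assignment
#    whose RecipientWriteScope is not CustomRecipientScope can impersonate
#    mailboxes outside the room scope.
$assignments = @(Get-ManagementRoleAssignment -Role ApplicationImpersonation -RoleAssignee $Account)
if ($assignments.Count -eq 0) {
    Write-Warning "$Account holds no ApplicationImpersonation assignment."
}
$unscoped = @($assignments | Where-Object { $_.RecipientWriteScope -ne 'CustomRecipientScope' })
if ($unscoped.Count -gt 0) {
    Write-Warning "Assignment(s) without a custom recipient scope:"
    $unscoped | Select-Object Name, RecipientWriteScope
}

# Review the scope name on each assignment by eye: it should be $Scope.
$assignments |
    Format-Table Name, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
```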



Example of setup in app.q-cal.net





For more information on handling Room Mailboxes:

Impersonation and EWS in Exchange

Exchange Server 2010 Room Mailboxes Step by Step Guide

A Look at Exchange Server 2013 Resource Mailboxes

Exchange2013: Create and manage room mailboxes and Room lists

Why Robin uses Impersonation instead of Delegate Access

Resource mailbox's calendar shows the organizer's name instead of the subject in an Exchange Server environment

 

Important

We have seen examples of Exchange inserting the meeting organizer's name instead of the subject field. This is not a bug, but a feature that can be turned on and off. To turn it off, run the following in PowerShell for each of your room mailboxes.

Set-CalendarProcessing -Identity <RESOURCEMAILBOX> -DeleteSubject $False -AddOrganizerToSubject $False


 

Creating a Service Account in Office 365

For those who need to know more about setting up a separate service account in Office 365 (Online), this is quite simple.


First, log in as an administrator on your Office subscription. This administrator must have permission to create users and assign roles.


When you are logged in, you will be greeted with something like the following:



Below, click on Admin, after which the following page will appear:



Then click on "Add user" and fill in the page (Basic) as below.
(Username is the same as the username you will later log in with.)

Remember:
1. Create a long password. If necessary, use Google Chrome's 'Suggest Password' feature, which provides a relatively secure password, and possibly add some non-alphabetical symbols.
2. Uncheck "Require user to change their password the first time they log in".

 


Under Product licenses, select Denmark in location and tick "Create user without product license (not recommended)".



Under (1) "Optional Settings", open "Roles", uncheck "User", and instead assign the roles "Exchange Administrator" and "Service Administrator".

 


The window will then look like this:

 

If this looks correct, select "Finish Add-on" and the account itself has been created.




Then go back to the "Microsoft 365 Administration" admin panel and click "Exchange" under "Administration" in the menu on the left.




In the "Exchange Administration" window, select "Permissions".



Sources:

https://www.sharepointsapiens.com/blog/how-to-configure-a-service-account-in-office-365/

https://stackoverflow.com/questions/54635471/why-does-ews-api-returns-errornonexistentmailbox-error

 

  

 


 

 

Simple mailbox with access to calendar data

This scenario assumes a simple mailbox account (i.e. not a Service Account). This account must be invited to every meeting that is to be displayed on the info screen.


Example in app.q-cal.net





Example of setting the Specific mailbox if only one calendar is accessible.







