The MyTimetable calendar push integration is able to connect to a user's calendar using service accounts. This page describes how to create a service account and how to grant calendar permissions to this service account. MyTimetable will then be able to access calendars without explicit consent of a user.

...

PS C:\> New-ADUser -Name "SAMyTTExch" -DisplayName "MyTimetable Exchange Service Account" -UserPrincipalName "sa-mytt-exch@dev.eveoh.local" -AccountPassword (Read-Host -AsSecureString "Password") -PasswordNeverExpires $true -ChangePasswordAtLogon $false -CannotChangePassword $true -AccountExpirationDate $null -Enabled $true -Path "CN=Users,DC=dev,DC=eveoh,DC=local"
Password: *******

...

  • Visit the Microsoft Azure Management Portal at https://portal.azure.com using the credentials of the Microsoft tenant that holds the Office 365 subscription you wish to use.
  • Click "Browse all" to browse all resources.
  • Click "Active Directory". You will now be redirected to the classic Azure Management Portal.
  • Click the Active Directory you would like to manage.
  • Click "Add user" in the bottom bar.
  • Select "New user in your organisation" as type of user, and enter a username (e.g. sa-mytt-exch).
  • Enter a first name, last name and display name. Select "User" as role. Do not select "Enable Multi-Factor Authentication".
  • Click "Create" to assign a temporary password. Write down the password.
  • Log out of the Azure Management Portal.
  • Go to https://login.microsoftonline.com/
  • Log in using the account you have just created, and set a password for the service account.

...

PS C:\> $O365Licences = New-MsolLicenseOptions -AccountSkuId Eveoh:ENTERPRISEPACK -DisabledPlans INTUNE_O365, YAMMER_ENTERPRISE, RMS_S_ENTERPRISE, OFFICESUBSCRIPTION, MCOSTANDARD, SHAREPOINTWAC, SHAREPOINTENTERPRISE
PS C:\> Set-MsolUserLicense -UserPrincipalName "sa-mytt-exch@eveoh.onmicrosoft.com" -AddLicenses "Eveoh:ENTERPRISEPACK" -LicenseOptions $O365Licences

Creating a service account security group

In Active Directory, it is recommended to create a security group containing the previously created service account. Microsoft throttles the number of requests allowed to Exchange Web Services (EWS) on a per-account basis. By using multiple service accounts, we are able to scale up the number of requests to EWS. In the next step, we will delegate calendar permissions to a security group instead of to one or more individual service accounts.

On-premises Active Directory

Using Active Directory Users and Computers

  • Add a new group in the OU where you would like to place the security group:

  • Add the service account to the security group:

Using PowerShell

  • Create a new AD security group using the New-ADGroup cmdlet. Replace the parameters to match your situation and preferences:
PS C:\> New-ADGroup -Path "CN=Users,DC=dev,DC=eveoh,DC=local" -Name "Service Accounts MyTimetable Exchange" -GroupScope Global -Description "Service Accounts MyTimetable Exchange"
  • Add the service account to the security group:
PS C:\> Add-ADGroupMember -Identity "CN=Service Accounts MyTimetable Exchange,CN=Users,DC=dev,DC=eveoh,DC=local" -Members "CN=SAMyTTExch,CN=Users,DC=dev,DC=eveoh,DC=local"
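
Because the next step delegates calendar permissions to this group, its membership decides which accounts receive those permissions. The following membership audit is an added example, not part of the original MyTimetable documentation; it assumes the ActiveDirectory module is installed and uses the DNs from the commands above, and the function name Test-ServiceAccountGroup is hypothetical.

```powershell
# Added example: audit who is in the service-account group (on-premises AD).
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Test-ServiceAccountGroup {
    param(
        [Parameter(Mandatory)] [string]   $GroupDn,
        [Parameter(Mandatory)] [string[]] $ExpectedMemberDn   # allow-list you maintain
    )
    # -Recursive resolves nested groups to their leaf members, so accounts
    # that inherit membership indirectly are reported as well.
    $members = @(Get-ADGroupMember -Identity $GroupDn -Recursive)

    foreach ($m in $members) {
        $findings   = @()
        $pwdAgeDays = $null
        if ($ExpectedMemberDn -notcontains $m.distinguishedName) { $findings += "not on allow-list" }
        if ($m.objectClass -eq "user") {
            $u = Get-ADUser -Identity $m.distinguishedName -Properties PasswordLastSet
            if (-not $u.Enabled) { $findings += "disabled account still in group" }
            # The account is created with -PasswordNeverExpires, so report the age
            # of the password to make manual rotation trackable.
            if ($u.PasswordLastSet) {
                $pwdAgeDays = [int]((Get-Date) - $u.PasswordLastSet).TotalDays
            }
        } else {
            $findings += "member is a $($m.objectClass), not a user"
        }
        [pscustomobject]@{
            Member          = $m.distinguishedName
            PasswordAgeDays = $pwdAgeDays
            Findings        = $findings -join "; "
        }
    }
    # Allow-listed accounts that are missing from the group.
    foreach ($dn in $ExpectedMemberDn) {
        if ($members.distinguishedName -notcontains $dn) {
            [pscustomobject]@{ Member = $dn; PasswordAgeDays = $null; Findings = "expected member missing" }
        }
    }
}

# DNs below are the ones used in the commands on this page.
$audit = @{
    GroupDn          = "CN=Service Accounts MyTimetable Exchange,CN=Users,DC=dev,DC=eveoh,DC=local"
    ExpectedMemberDn = "CN=SAMyTTExch,CN=Users,DC=dev,DC=eveoh,DC=local"
}
Test-ServiceAccountGroup @audit | Format-Table -AutoSize
```

An empty Findings column for every row means the group contains exactly the allow-listed, enabled service accounts.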

Azure AD

Using the Azure Management Portal

  • Visit the Microsoft Azure Management Portal at https://portal.azure.com using the credentials of the Microsoft tenant that holds the Office 365 subscription you wish to use.
  • Click "Browse all" to browse all resources.
  • Click "Active Directory". You will now be redirected to the classic Azure Management Portal.
  • Click the Active Directory you would like to manage.
  • Click "Groups" in the top menu bar.
  • Click "Add group" in the bottom bar.
  • Enter a name for the group, e.g. 'Service Accounts MyTimetable Exchange'.
  • Click the newly created security group.
  • Click "Add members" in the bottom bar.
  • Add the service account you have just created.

Using PowerShell

  • Open the Windows Azure Active Directory PowerShell prompt.
  • Connect to Microsoft Online Services using your tenant admin account:
PS C:\> Connect-MsolService
  • Create the security group in the Active Directory. We will use the ObjectId in the final step.
PS C:\> New-MsolGroup -DisplayName "Service Accounts MyTimetable Exchange" -Description "Service Accounts MyTimetable Exchange"
ObjectId                               DisplayName                GroupType                  Description
--------                               -----------                ---------                  -----------
9283c3b6-5817-4ecb-94e1-dfaf007ef8f4   Service Accounts MyTime... Security                   Service Accounts MyTime...
  • Get the ObjectId of the service account:
PS C:\> Get-MsolUser -UserPrincipalName "sa-mytt-exch@eveoh.onmicrosoft.com" | select -ExpandProperty ObjectId
Guid
----
f1df171f-a1dd-423f-ac27-631a752ae001
  • Add the service account to the security group:
PS C:\> Add-MsolGroupMember -GroupMemberObjectId f1df171f-a1dd-423f-ac27-631a752ae001 -GroupObjectId 9283c3b6-5817-4ecb-94e1-dfaf007ef8f4

Delegating calendar permissions to service account

...