The MyTimetable calendar push integration is able to connect to a user's calendar using service accounts. This page describes how to create a service account and how to grant calendar permissions to this service account. MyTimetable will then be able to access calendars without explicit consent of a user.

Info

This page applies to both Microsoft Exchange (on-premises) and Microsoft Office 365.


You must be a tenant admin on your Office 365 tenant to run the cmdlets.

Global steps

XXX

Creating a service account


  • Visit the Microsoft Azure Management Portal at https://portal.azure.com using the credentials of your Microsoft tenant that has the subscription to Office 365 you wish to use.
  • Click "Browse all" to browse all resources.
  • Click "Active Directory". You will now be redirected to the classic Azure Management Portal.
  • Click the Active Directory you would like to manage.
  • Click "Add user" in the bottom bar.
  • Select "New user in your organisation" as the type of user, and enter a username (e.g. sa-mytt-exch).
  • Enter a first name, last name and display name. Select "User" as role; the service account must not hold any administrative role. Do not select "Enable Multi-Factor Authentication": the integration signs in non-interactively with the account's password, so an MFA prompt can never be answered.
  • Click "Create" to assign a temporary password. Note the temporary password.
  • Log out from the Azure Management Portal.
  • Go to https://login.microsoftonline.com/
  • Log in using the account you have just created, and set a password for the service account. Use a long, randomly generated password, keep it in your password manager or secret store, and treat it as an integration credential that has to be rotated by you.

  • Assign an Office 365 licence to the service account so that it gets an Exchange Online mailbox. The example below assigns the ENTERPRISEPACK (Office 365 E3) SKU and disables the service plans the service account does not need, which keeps the account's footprint to Exchange; replace the AccountSkuId and the user principal name with your own. These cmdlets require a prior Connect-MsolService, and the user must have a usage location set (Set-MsolUser -UsageLocation) before a licence can be assigned:
Code Block
languagepowershell
PS C:\> $O365Licences = New-MsolLicenseOptions -AccountSkuId Eveoh:ENTERPRISEPACK -DisabledPlans INTUNE_O365, YAMMER_ENTERPRISE, RMS_S_ENTERPRISE, OFFICESUBSCRIPTION, MCOSTANDARD, SHAREPOINTWAC, SHAREPOINTENTERPRISE
PS C:\> Set-MsolUserLicense -UserPrincipalName "sa-mytt-exch@eveoh.onmicrosoft.com" -AddLicenses "Eveoh:ENTERPRISEPACK" -LicenseOptions $O365Licences
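The same account creation scripted with the MSOnline module, as an added example that is not part of the original page or of MyTimetable's own tooling. It assumes Connect-MsolService has already been run as a tenant admin; the user principal name (the page's example sa-mytt-exch@eveoh.onmicrosoft.com), the display name and the usage location "NL" are placeholders.

```powershell
# Added example (not MyTimetable's own code): create the service account with the
# MSOnline module and check the properties that matter before handing it to the
# integration. Assumes: Import-Module MSOnline; Connect-MsolService (tenant admin).

function New-ServiceAccountPassword {
    # 12 CSPRNG bytes -> 16 Base64 characters (upper, lower, digits, + and /).
    # Never use Get-Random for credentials. Regenerate until the string contains
    # upper case, lower case and a digit so the tenant's complexity rule is met.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 12
    do {
        $rng.GetBytes($bytes)
        $p = [Convert]::ToBase64String($bytes)
    } until ($p -cmatch '[A-Z]' -and $p -cmatch '[a-z]' -and $p -match '[0-9]')
    return $p
}

function New-MyTTServiceAccount {
    param(
        [Parameter(Mandatory=$true)] [string] $UserPrincipalName,   # assumed: sa-mytt-exch@eveoh.onmicrosoft.com
        [string] $DisplayName   = "MyTimetable Exchange service account", # assumed
        [string] $UsageLocation = "NL"                                  # assumed; required before licensing
    )
    $password = New-ServiceAccountPassword

    # ForceChangePassword $false: nobody logs in interactively to change it.
    # PasswordNeverExpires $true: an expiring password silently breaks the push
    # integration; schedule the rotation yourself and update MyTimetable's config.
    $user = New-MsolUser -UserPrincipalName $UserPrincipalName `
        -DisplayName $DisplayName -FirstName "MyTimetable" -LastName "Service Account" `
        -Password $password -ForceChangePassword $false -PasswordNeverExpires $true `
        -StrongPasswordRequired $true -UsageLocation $UsageLocation

    # Return the password once; put it in your secret store, never in a log or ticket.
    return [pscustomobject]@{
        ObjectId          = $user.ObjectId
        UserPrincipalName = $user.UserPrincipalName
        Password          = $password
    }
}

function Test-MyTTServiceAccount {
    # What a reviewer wants to see before go-live: no MFA requirement (the integration
    # cannot answer a prompt), sign-in not blocked, no password expiry, and licensed.
    param([Parameter(Mandatory=$true)] [string] $UserPrincipalName)
    $u = Get-MsolUser -UserPrincipalName $UserPrincipalName
    return [pscustomobject]@{
        UserPrincipalName    = $u.UserPrincipalName
        MfaRequired          = ($u.StrongAuthenticationRequirements.Count -gt 0)   # expect False
        SignInBlocked        = $u.BlockCredential                                  # expect False
        PasswordNeverExpires = $u.PasswordNeverExpires                             # expect True
        Licensed             = $u.IsLicensed                                       # expect True after licensing
    }
}

# Usage (run after Connect-MsolService):
# $sa = New-MyTTServiceAccount -UserPrincipalName "sa-mytt-exch@eveoh.onmicrosoft.com"
# Test-MyTTServiceAccount -UserPrincipalName $sa.UserPrincipalName
```

Licensing is left to the cmdlets shown above this block. Because the account is created with PasswordNeverExpires, the tenant's expiry policy no longer protects you: record a rotation date for this credential in the same place you keep the password.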

Creating a mail-enabled universal security group

It is recommended to create a mail-enabled universal security group containing the previously created service account. Microsoft throttles the number of requests allowed to Exchange Web Services on a per-account basis. By using multiple service accounts, we are able to increase the number of requests to EWS. In the next step, we will delegate calendar permissions to the security group, instead of delegating permissions to the separate service accounts. This also keeps access reviewable in one place: removing an account from the group revokes its access to every calendar at once. Exchange only accepts mail-enabled universal security groups as holders of mailbox folder permissions, so a plain global or domain-local group, or a group without an e-mail address, will not work.

Exchange on-premises

Using Active Directory Users and Computers

  • Add a new group in the OU where you would like to place the security group. Choose "Universal" as group scope and "Security" as group type.
  • Add the service account to the security group.
  • Mail-enable the group (Exchange admin center, or Enable-DistributionGroup in the Exchange Management Shell) before delegating permissions to it.

Using Powershell

  • Create a new AD security group using the New-ADGroup cmdlet. The scope must be Universal, otherwise the group cannot be mail-enabled. Replace the parameters to match your situation and preferences:
Code Block
languagepowershell
PS C:\> New-ADGroup -Path "CN=Users,DC=dev,DC=eveoh,DC=local" -Name "Service Accounts MyTimetable Exchange" -GroupScope Universal -GroupCategory Security -Description "Service Accounts MyTimetable Exchange"
  • Add the service account to the security group:
Code Block
languagepowershell
PS C:\> Add-ADGroupMember -Identity "CN=Service Accounts MyTimetable Exchange,CN=Users,DC=dev,DC=eveoh,DC=local" -Members "CN=SAMyTTExch,CN=Users,DC=dev,DC=eveoh,DC=local"
  • Mail-enable the group in the Exchange Management Shell with Enable-DistributionGroup; Exchange does not accept a group without an e-mail address as a mailbox folder permission holder.

Office 365

Using the Azure Management Portal

A group created in the Azure portal is a security group without an e-mail address. Mailbox folder permissions can only be delegated to a mail-enabled security group, so prefer the Powershell route below (New-DistributionGroup -Type Security), which creates the group in Exchange Online directly.

  • Visit the Microsoft Azure Management Portal at https://portal.azure.com using the credentials of your Microsoft tenant that has the subscription to Office 365 you wish to use.
  • Click "Browse all" to browse all resources.
  • Click "Active Directory". You will now be redirected to the classic Azure Management Portal.
  • Click the Active Directory you would like to manage.
  • Click "Groups" in the top menu bar.
  • Click "Add group" in the bottom bar.
  • Enter a name for the group, e.g. 'Service Accounts MyTimetable Exchange'.
  • Click the newly created security group.
  • Click "Add members" in the bottom bar.
  • Add the service account you have just created.

Using Powershell

The cmdlets below run in the Exchange Online remote Powershell session described under "Delegating calendar permissions to the security group"; set that session up first.

  • Create a new mail-enabled universal security group using the New-DistributionGroup cmdlet. The join and depart restrictions are set to Closed so that users cannot add themselves to the group and thereby inherit its calendar rights. Replace the parameters to match your situation and preferences:
Code Block
languagepowershell
PS C:\> New-DistributionGroup -Name "Service Accounts MyTimetable Exchange" -Type Security -PrimarySmtpAddress "sa-mytt-exch-secgroup@eveoh.onmicrosoft.com" -DisplayName "MyTimetable" -MemberDepartRestriction Closed -MemberJoinRestriction Closed
Name                          DisplayName                   GroupType                     PrimarySmtpAddress
----                          -----------                   ---------                     ------------------
Service Accounts MyTimetab... MyTimetable                   Universal, SecurityEnabled    sa-mytt-exch-secgroup@eveo...

  • As an optional step, you can hide the security group from the global address list and only accept messages from an administrator account, so ordinary users cannot find or mail the group:
Code Block
languagepowershell
PS C:\> Set-DistributionGroup -Identity "sa-mytt-exch-secgroup@eveoh.onmicrosoft.com" -HiddenFromAddressListsEnabled $true -AcceptMessagesOnlyFrom admin@eveoh.onmicrosoft.com
  • Finally, add the service account to the security group:
Code Block
languagepowershell
PS C:\> Add-DistributionGroupMember -Identity "sa-mytt-exch-secgroup@eveoh.onmicrosoft.com" -Member "sa-mytt-exch@eveoh.onmicrosoft.com"

Delegating calendar permissions to the security group

Finally, we need to give the security group containing the service account(s) delegated calendar permissions on the mailboxes of the users. We assume that all users who are allowed to use the calendar integration are members of a security group. Granting rights per member of that group, rather than to every mailbox in the organisation, limits the service account's reach to the calendars the integration actually serves.

XXXXXX


Office 365

We are going to connect to Office 365 using Powershell. For this, we have to set up a remote Powershell session. The session below uses Basic authentication over TLS with the tenant admin credential; Microsoft has since retired Basic authentication for Exchange Online remote Powershell in favour of Connect-ExchangeOnline from the ExchangeOnlineManagement module, which uses modern authentication, so prefer that on a current tenant. First, we need to check if we are allowed to run the required scripts:

  • Check the current script execution policy:
Code Block
languagepowershell
PS C:\> Get-ExecutionPolicy
Restricted
  • If we are not allowed to execute remote signed scripts, we have to change the execution policy. It might be required for Powershell to be started as Administrator. Add -Scope CurrentUser to change the policy for your own user only instead of machine-wide.
Code Block
languagepowershell
PS C:\> Set-ExecutionPolicy RemoteSigned
Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose you to the security risks described in the about_Execution_Policies help topic at http://go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y

Now we are able to start a remote Powershell session to Office 365:

  • Connect to Office 365 using your tenant admin account and import the Powershell session. When you are done, close it with Remove-PSSession $O365Session so that the admin session does not linger:
Code Block
languagepowershell
PS C:\> $O365Cred = Get-Credential
PS C:\> $O365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection
WARNING: Your connection has been redirected to the following URI:
"https://ps.outlook.com/PowerShell-LiveID?PSVersion=4.0 "
PS C:\> Import-PSSession $O365Session -AllowClobber
WARNING: The names of some imported commands from the module 'tmp_eiaj1j0m.dcw' include unapproved verbs that might
make them less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with the
Verbose parameter. For a list of approved verbs, type Get-Verb.
ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     1.0        tmp_eiaj1j0m.dcw                    {Add-AvailabilityAddressSpace, Add-DistributionGroupMember...
  • First, select all accounts to set the delegation permissions on. We assume that these accounts are grouped in a security group. In the following example, all users are in the security group "Staff". First, get the ObjectId of that security group (the Msol cmdlets require a prior Connect-MsolService in the same session):
Code Block
languagepowershell
titleGet the security group
PS C:\> Get-MsolGroup | Where-Object {$_.DisplayName -eq "Staff"}
ObjectId                               DisplayName                GroupType                  Description
--------                               -----------                ---------                  -----------
64731c32-f1df-4b92-8dbe-1809c23ff85b   Staff                      Security

  • Then select all members of the security group and get their mailboxes. The -All switch is needed for large groups, as the cmdlet otherwise returns only the first page of members:
Code Block
languagepowershell
titleGet all mailboxes
PS C:\> $mailboxes = Get-MsolGroupMember -GroupObjectId 64731c32-f1df-4b92-8dbe-1809c23ff85b -All | Get-MsolUser | ForEach-Object {Get-Mailbox -Identity $_.UserPrincipalName}
  • Finally, allow Editor rights for the service account security group to all selected mailboxes:
TODO

Exchange on-premises

TODO
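A way to carry out both TODO steps above (Office 365 and Exchange on-premises), as an added example that is not MyTimetable's own code. It assumes the Exchange cmdlets are available in the current session (the remote session from the Office 365 section, or the Exchange Management Shell on-premises), that Connect-MsolService has been run for the Msol cmdlets, and that the group address sa-mytt-exch-secgroup@eveoh.onmicrosoft.com, the "Staff" ObjectId and the on-premises AD group name "Staff" are the page's example values or assumptions.

```powershell
# Added example (not MyTimetable's own code): give the MyTimetable security group
# Editor rights on the default calendar of every selected user mailbox, idempotently,
# and read the result back. Works in the Exchange Online remote session set up on
# this page and in the on-premises Exchange Management Shell.

function Get-CalendarFolderIdentity {
    # The default calendar folder is localised ("Agenda" in a Dutch mailbox), so
    # resolve it by FolderType instead of hard-coding "\Calendar".
    param([Parameter(Mandatory=$true)] [string] $Mailbox)
    $cal = Get-MailboxFolderStatistics -Identity $Mailbox -FolderScope Calendar |
        Where-Object { $_.FolderType -eq "Calendar" } | Select-Object -First 1
    if (-not $cal) { throw "No default calendar found for $Mailbox" }
    # FolderPath is "/Calendar"; the *-MailboxFolderPermission cmdlets want "user:\Calendar".
    return "{0}:{1}" -f $Mailbox, ($cal.FolderPath -replace '/', '\')
}

function Grant-CalendarEditor {
    param(
        [Parameter(Mandatory=$true)] [string] $Mailbox,   # UPN of the user mailbox
        [Parameter(Mandatory=$true)] [string] $Delegate   # the mail-enabled security group
    )
    $folder = Get-CalendarFolderIdentity -Mailbox $Mailbox
    # Add-MailboxFolderPermission fails when an entry for the delegate already exists,
    # so update it in that case. Editor (create/read/edit/delete items) is all the
    # integration needs; Owner would also let the holder change folder permissions.
    $existing = Get-MailboxFolderPermission -Identity $folder -User $Delegate -ErrorAction SilentlyContinue
    if ($existing) {
        Set-MailboxFolderPermission -Identity $folder -User $Delegate -AccessRights Editor
    } else {
        Add-MailboxFolderPermission -Identity $folder -User $Delegate -AccessRights Editor
    }
}

function Test-CalendarEditor {
    # Read back what the group can do on the calendar; expect "Editor".
    param(
        [Parameter(Mandatory=$true)] [string] $Mailbox,
        [Parameter(Mandatory=$true)] [string] $Delegate
    )
    $folder = Get-CalendarFolderIdentity -Mailbox $Mailbox
    $perm = Get-MailboxFolderPermission -Identity $folder -User $Delegate -ErrorAction SilentlyContinue
    if ($perm) { return ($perm.AccessRights -join ",") } else { return "None" }
}

$delegateGroup = "sa-mytt-exch-secgroup@eveoh.onmicrosoft.com"   # the page's example group

# Office 365: the members of the "Staff" group selected earlier on this page
# (requires Connect-MsolService in the same session).
$mailboxes = Get-MsolGroupMember -GroupObjectId 64731c32-f1df-4b92-8dbe-1809c23ff85b -All |
    Get-MsolUser | ForEach-Object { Get-Mailbox -Identity $_.UserPrincipalName }

# Exchange on-premises: same loop, users taken from an AD security group (assumed name "Staff").
# $mailboxes = Get-ADGroupMember -Identity "Staff" -Recursive | Get-ADUser |
#     ForEach-Object { Get-Mailbox -Identity $_.UserPrincipalName }

foreach ($mb in $mailboxes) {
    Grant-CalendarEditor -Mailbox $mb.UserPrincipalName -Delegate $delegateGroup
    "{0}: {1}" -f $mb.UserPrincipalName, (Test-CalendarEditor -Mailbox $mb.UserPrincipalName -Delegate $delegateGroup)
}
```

On-premises the delegate must be the mail-enabled universal security group created earlier; Add-MailboxFolderPermission rejects a group that has no e-mail address. Run the loop again after membership changes in "Staff": it only adds or updates the group's entry and never touches the other permissions on the calendar, so it is safe to schedule.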