The MyTimetable calendar push integration can connect to a user's calendar using service accounts. This page describes how to create a service account and how to grant calendar permissions to it. MyTimetable is then able to access the calendars without each user having to give explicit consent.


You must be a tenant admin on your Office 365 tenant to run the cmdlets.

Global steps

XXX


  1. Create one or multiple service accounts, depending on the number of users using the integration.
  2. Create a mail-enabled universal security group containing the created service account(s).
  3. Delegate calendar permissions to the security group for all users using the integration.

Creating a service account

A service account is needed to access the users' mailboxes. The account can be created in your on-premises Active Directory or in Azure AD.

On-premises


Exchange

Using the Exchange Management Console

  • Create a new Mailbox.
  • Choose "User Mailbox" as mailbox type.
  • Choose "New User".
  • Enter the mailbox details. As a logon name use, for example, "sa-mytt-exch-1@eveoh.onmicrosoft.com".
  • Enter a password for the service account and make sure the password does not expire.
  • Click Next.
  • Click Next.
  • Click New.

Using Powershell

  • Create a new mailbox using the New-Mailbox cmdlet and make sure the password of the new account does not expire. Replace the parameters to match your situation and preferences:

    PS C:\> New-Mailbox -DisplayName "MyTimetable" -Name "MyTimetable Exchange Service Account 1" -Alias "sa-mytt-exch-1" -UserPrincipalName "sa-mytt-exch-1@dev.eveoh.local" -Password (Read-Host -AsSecureString "Password") -ResetPasswordOnNextLogon $false
    Password: ********
    PS C:\> Set-ADUser -Identity "sa-mytt-exch-1" -PasswordNeverExpires $true


Office 365

Create the account

Using the Azure Management Portal

  • Visit the Microsoft Azure Management Portal at https://portal.azure.com using the credentials of your Microsoft tenant that has the subscription to Office 365 you wish to use.
  • Click "Browse all" to browse all resources.
  • Click "Active Directory". You will now be redirected to the classic Azure Management Portal.
  • Click the Active Directory you would like to manage.
  • Click "Add user" in the bottom bar.
  • Select "New user in your organisation" as type of user, and enter a username (e.g. sa-mytt-exch-1).
  • Enter a first name, last name and display name (e.g. "MyTimetable"). Select "User" as role. Do not select "Enable Multi-Factor Authentication".
  • Click "Create" to assign a temporary password. Write down the password.
  • Log out of the Azure Management Portal.
  • Go to https://login.microsoftonline.com/
  • Log in using the account you have just created, and set a password for the service account.
Using Powershell

Create a service account using the following Powershell command. Of course you can also create an account in the Azure Portal. Replace "xxx" with a strong password. The usage location must be set before a license can be assigned in the next step; replace "NL" with your own country code.

    PS C:\> New-MsolUser -DisplayName "MyTimetable" -LastName "Exchange Service Account 1" -UserPrincipalName "sa-mytt-exch-1@eveoh.onmicrosoft.com" -UsageLocation "NL" -Password "xxx" -PasswordNeverExpires $true -StrongPasswordRequired $true

Assigning an Exchange Online license

The service account needs to have an Exchange Online license assigned. After assigning a license, the service account will have a mailbox.

Using the Office 365 Admin portal

  • Open the Office 365 Admin portal.
  • Click "Users" -> "Active Users".
  • Click the service account you have just created.
  • In the right bar, find "Assigned license" and click "Edit".
  • Click the license you would like to assign. Make sure "Exchange Online" is checked.

Using Powershell
  • Open the Windows Azure Active Directory Powershell prompt.
  • Connect to Microsoft Online Services using your tenant admin account, then assign the license. The license options below disable the listed service plans so that only Exchange Online remains enabled; replace the AccountSkuId with the one of your tenant:

    PS C:\> Connect-MsolService
    PS C:\> $O365Licences = New-MsolLicenseOptions -AccountSkuId Eveoh:ENTERPRISEPACK -DisabledPlans INTUNE_O365, YAMMER_ENTERPRISE, RMS_S_ENTERPRISE, OFFICESUBSCRIPTION, MCOSTANDARD, SHAREPOINTWAC, SHAREPOINTENTERPRISE
    PS C:\> Set-MsolUserLicense -UserPrincipalName "sa-mytt-exch-1@eveoh.onmicrosoft.com" -AddLicenses "Eveoh:ENTERPRISEPACK" -LicenseOptions $O365Licences

Creating a mail-enabled universal security group

It is recommended to create a mail-enabled universal security group containing the previously created service account. Microsoft throttles the number of requests allowed to Exchange Web Services on a per account basis. By using multiple service accounts, we are able to increase the number of requests to EWS. In the next step, we will delegate calendar permissions to the security group, instead of delegating permissions to the separate service accounts.

On-premises Exchange

Using the Exchange Management Console

  • Create a new Distribution Group in the OU where you would like to place the security group.
  • Select "New Group".
  • Select "Security" as group type and enter a name and alias (e.g. sa-mytt-exch-secgroup).
  • Click Next.
  • Click New.
  • Click Finish.
  • Open the properties of the newly created distribution group.
  • Add the service account created in the previous step as a member.
  • Make sure Membership Approval is set to "Closed" for both options.
  • Hide the distribution group from the Exchange address lists.

Using Powershell

  • Create a new mail-enabled universal security group using the New-DistributionGroup cmdlet. Replace the parameters to match your situation and preferences:

    PS C:\> New-DistributionGroup -Name "Service Accounts MyTimetable Exchange" -Type Security -PrimarySmtpAddress "sa-mytt-exch-secgroup@dev.eveoh.local" -DisplayName "MyTimetable" -MemberDepartRestriction Closed -MemberJoinRestriction Closed
    Name                          DisplayName                   GroupType                     PrimarySmtpAddress
    ----                          -----------                   ---------                     ------------------
    Service Accounts MyTimetab... MyTimetable                   Universal, SecurityEnabled    sa-mytt-exch-secgroup@dev....

  • As an optional step, you can hide the security group from the global address list:

    PS C:\> Set-DistributionGroup -Identity "sa-mytt-exch-secgroup@dev.eveoh.local" -HiddenFromAddressListsEnabled $true

  • Finally, add the service account to the security group:

    PS C:\> Add-DistributionGroupMember -Identity "sa-mytt-exch-secgroup@dev.eveoh.local" -Member "sa-mytt-exch-1@dev.eveoh.local"

Office 365

Using the Azure Management Portal

  • Visit the Microsoft Azure Management Portal at https://portal.azure.com using the credentials of your Microsoft tenant that has the subscription to Office 365 you wish to use.
  • Click "Browse all" to browse all resources.
  • Click "Active Directory". You will now be redirected to the classic Azure Management Portal.
  • Click the Active Directory you would like to manage.
  • Click "Groups" in the top menu bar.
  • Click "Add group" in the bottom bar.
  • Enter a name for the group, e.g. 'Service Accounts MyTimetable Exchange'.
  • Click the newly created security group.
  • Click "Add members" in the bottom bar.
  • Add the service account you have just created.

Using Powershell

  • Create a new mail-enabled universal security group using the New-DistributionGroup cmdlet. Replace the parameters to match your situation and preferences:

    PS C:\> New-DistributionGroup -Name "Service Accounts MyTimetable Exchange" -Type Security -PrimarySmtpAddress "sa-mytt-exch-secgroup@eveoh.onmicrosoft.com" -DisplayName "MyTimetable" -MemberDepartRestriction Closed -MemberJoinRestriction Closed

  • As an optional step, you can hide the security group from the global address list and only accept messages from an administrator account:

    PS C:\> Set-DistributionGroup -Identity "sa-mytt-exch-secgroup@eveoh.onmicrosoft.com" -HiddenFromAddressListsEnabled $true -AcceptMessagesOnlyFrom admin@eveoh.onmicrosoft.com

  • Finally, add the service account to the security group:

    PS C:\> Add-DistributionGroupMember -Identity "sa-mytt-exch-secgroup@eveoh.onmicrosoft.com" -Member "sa-mytt-exch-1@eveoh.onmicrosoft.com"
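The global steps and the throttling note above describe creating one or more numbered service accounts, licensing them for Exchange Online and putting them in the security group. The script below is an added example that is not part of the MyTimetable documentation; it strings those Office 365 Powershell steps together for several accounts at once. It assumes Connect-MsolService and an Exchange Online remote Powershell session are already established, and the domain, AccountSkuId, usage location and group address are example values to replace with your own.

```powershell
# Added example (not MyTimetable's own script): provision N numbered service
# accounts in Office 365, license them for Exchange Online only and add them to
# the security group. Assumes Connect-MsolService and an Exchange Online remote
# session are already set up. All tenant-specific values are assumptions.
param(
    [int]$Count = 2,
    [string]$Domain = "eveoh.onmicrosoft.com",
    [string]$AccountSkuId = "Eveoh:ENTERPRISEPACK",
    [string]$UsageLocation = "NL",
    [string]$GroupIdentity = "sa-mytt-exch-secgroup@eveoh.onmicrosoft.com"
)

Add-Type -AssemblyName System.Web   # for the random password generator

# Same license options as the licensing step: keep only Exchange Online enabled.
$licenseOptions = New-MsolLicenseOptions -AccountSkuId $AccountSkuId -DisabledPlans `
    INTUNE_O365, YAMMER_ENTERPRISE, RMS_S_ENTERPRISE, OFFICESUBSCRIPTION, `
    MCOSTANDARD, SHAREPOINTWAC, SHAREPOINTENTERPRISE

$created = @()
for ($i = 1; $i -le $Count; $i++) {
    $upn = "sa-mytt-exch-$i@$Domain"

    # Idempotent: skip accounts that already exist instead of failing the run.
    $existing = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
    if ($existing) { Write-Warning "$upn already exists, skipping"; continue }

    # Random 24-character password instead of a hard-coded placeholder.
    $password = [System.Web.Security.Membership]::GeneratePassword(24, 6)

    New-MsolUser -UserPrincipalName $upn `
        -DisplayName "MyTimetable Exchange Service Account $i" `
        -Password $password -PasswordNeverExpires $true `
        -StrongPasswordRequired $true -ForceChangePassword $false `
        -UsageLocation $UsageLocation | Out-Null

    Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $AccountSkuId -LicenseOptions $licenseOptions

    # Keep the password in a PSCredential so it is not echoed to the console.
    $secure = ConvertTo-SecureString $password -AsPlainText -Force
    $created += New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $upn, $secure
}

# Group membership is an Exchange Online cmdlet; the mailbox only exists once the
# license has been provisioned, which can take a few minutes. Re-run if needed.
foreach ($cred in $created) {
    Add-DistributionGroupMember -Identity $GroupIdentity -Member $cred.UserName
}

# Hand the credentials back to the operator for the MyTimetable configuration.
$created
```

Run it as `.\New-MyTTServiceAccounts.ps1 -Count 3` (file name assumed) from a prompt where both Msol and Exchange Online cmdlets are available; the returned PSCredential objects are the only place the generated passwords are kept, so store them in your secret store straight away.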

Delegating calendar permissions to the security group

Finally, we need to give the security group containing the service account(s) delegated calendar permissions on the mailboxes of the users. We assume that all users who are allowed to use the calendar integration are members of a security group.

XXXXXX

Office 365

We are going to connect to Office 365 using Powershell. For this, we have to set up a remote Powershell session. First, we need to check if we are allowed to do so:
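The remote Powershell session and the delegation step it prepares for are shown together in the script below. It is an added example and not part of the MyTimetable documentation: the execution policy check, the session setup, and per-mailbox delegation with Add-MailboxFolderPermission are standard Exchange Online Powershell; the admin UPN, the name of the users' group (assumed to be mail-enabled so that Get-DistributionGroupMember can enumerate it) and the "Editor" access right are assumptions to adjust to your tenant and to the rights MyTimetable actually needs.

```powershell
# Added example (not MyTimetable's own script): connect to Exchange Online with
# remote Powershell and grant the service-account security group calendar
# permissions on every member of the users' security group. Group names, admin
# UPN and the access right are assumptions.
param(
    [string]$AdminUpn = "admin@eveoh.onmicrosoft.com",
    [string]$UsersGroup = "MyTimetable Users",                  # mail-enabled group of end users (assumed name)
    [string]$ServiceGroup = "sa-mytt-exch-secgroup@eveoh.onmicrosoft.com",
    [string]$AccessRights = "Editor"                            # assumed; use the least right the integration needs
)

# 1. Check that we are allowed to run remote sessions; RemoteSigned is sufficient.
if ((Get-ExecutionPolicy) -eq "Restricted") {
    throw "Execution policy is Restricted; run 'Set-ExecutionPolicy RemoteSigned' in an elevated prompt first."
}

# 2. Set up the remote Powershell session to Exchange Online and import its cmdlets.
$cred = Get-Credential -UserName $AdminUpn -Message "Tenant admin password"
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "https://outlook.office365.com/powershell-liveid/" `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking | Out-Null

try {
    # 3. Delegate per mailbox. The calendar folder name is localised (e.g. "Agenda"
    #    in a Dutch mailbox), so resolve it instead of hard-coding "Calendar".
    foreach ($member in Get-DistributionGroupMember -Identity $UsersGroup -ResultSize Unlimited) {
        $upn = $member.PrimarySmtpAddress
        $calendar = Get-MailboxFolderStatistics -Identity $upn -FolderScope Calendar |
            Where-Object { $_.FolderType -eq "Calendar" } | Select-Object -First 1
        $folder = "${upn}:\$($calendar.Name)"

        # Idempotent: update an existing entry, add it otherwise.
        $existing = Get-MailboxFolderPermission -Identity $folder -User $ServiceGroup -ErrorAction SilentlyContinue
        if ($existing) {
            Set-MailboxFolderPermission -Identity $folder -User $ServiceGroup -AccessRights $AccessRights
        } else {
            Add-MailboxFolderPermission -Identity $folder -User $ServiceGroup -AccessRights $AccessRights
        }
        Write-Output "$folder -> $ServiceGroup : $AccessRights"
    }
}
finally {
    # Always tear the remote session down, also when a delegation fails.
    Remove-PSSession $session
}
```

Delegating to the group rather than to the individual accounts means a new service account only has to be added to the group, and the per-mailbox loop can be re-run whenever users join the group; Get-MailboxFolderPermission on a sample mailbox afterwards shows exactly which right the group holds.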
