The MyTimetable calendar push integration is able to connect to a user's calendar using service accounts. This page describes how to create a service account and how to grant calendar permissions to this service account. MyTimetable will then be able to access calendars without explicit consent of a user.
This page applies to both Microsoft Exchange (on-premises) and Microsoft Office 365.
Office 365 / Azure AD prerequisites
The following installs are required when managing Office 365 / Azure AD through Powershell:
- The Microsoft Online Service Sign-in Assistant for IT Professionals RTW.
- The Azure AD Module for Windows PowerShell.
You must be a tenant admin on your Office 365 tenant to run the cmdlets.
Creating a service account
A service account is needed to access the users' mailboxes. The account can be created either in your on-premises Active Directory or in Azure AD.
On-premises Active Directory
Using Active Directory Users and Computers
- Add a new user in the OU where you would like to place the service account.
- Enter a username, for example "sa-mytt-exch@eveoh.onmicrosoft.com"
- Enter a password for the service account and make sure the password does not expire.
Using Powershell
- Create a new AD user using the New-ADUser cmdlet. Replace the parameters to match your situation and preferences:
PS C:\> New-ADUser -Name "SAMyTTExch" -DisplayName "MyTimetable Exchange Service Account" -UserPrincipalName "sa-mytt-exch@dev.eveoh.local" -AccountPassword (Read-Host -AsSecureString "Password") -PasswordNeverExpires $true -ChangePasswordAtLogon $false -CannotChangePassword $true -AccountExpirationDate $null -Enabled $true -Path "CN=Users,DC=dev,DC=eveoh,DC=local"
Password: *******
Azure AD
Using the Azure Management Portal
- Visit the Microsoft Azure Management Portal at https://portal.azure.com, using the credentials of the Microsoft tenant that holds the Office 365 subscription you wish to use.
- Click "Browse all" to browse all resources.
- Click "Active Directory". You will now be redirected to the classic Azure Management Portal.
- Click the Active Directory you would like to manage.
- Click "Add user" in the bottom bar.
- Select "New user in your organisation" as type of user, and enter a username (e.g. sa-mytt-exch).
- Enter a first name, last name and display name. Select "User" as role. Do not select "Enable Multi-Factor Authentication".
- Click "Create" to assign a temporary password. Write down the password.
- Logout from the Azure Management Portal.
- Go to https://login.microsoftonline.com/
- Log in using the account you have just created, and set a password for the service account.
Using Powershell
Create a service account using the following Powershell command. Of course you can also create an account in the Azure Portal.
- Open the Windows Azure Active Directory Powershell prompt
- Connect to Microsoft Online Services using your tenant admin account:
PS C:\> Connect-MsolService
- Create the service account. Replace the "UserPrincipalName" and "Password" parameters to match your situation and preferences:
PS C:\> New-MsolUser -DisplayName "MyTimetable Exchange Service Account" -UserPrincipalName "sa-mytt-exch@eveoh.onmicrosoft.com" -Password "xxx" -PasswordNeverExpires $true -StrongPasswordRequired $true
Assigning an Exchange Online license (Office 365 only)
The service account needs to have an Exchange Online license assigned.
This step is only required when using Microsoft Office 365.
Using the Office 365 Admin portal
- Open the Office 365 Admin portal.
- Click "Users" -> "Active Users".
- Click the service account you have just created.
- In the right bar, find "Assigned license" and click "Edit".
- Click the license you would like to assign. Make sure "Exchange Online" is checked.
Using Powershell
- Open the Windows Azure Active Directory Powershell prompt
- Connect to Microsoft Online Services using your tenant admin account:
PS C:\> Connect-MsolService
- List your Office 365 plans. Pick the AccountSkuId you would like to use.
PS C:\> Get-MsolAccountSku

AccountSkuId         ActiveUnits WarningUnits ConsumedUnits
------------         ----------- ------------ -------------
Eveoh:DEVELOPERPACK  1           0            1
Eveoh:ENTERPRISEPACK 5           0            2
- List all service plans that are included in your Office 365 plan. In this case, the EXCHANGE_S_ENTERPRISE service plan refers to Exchange Online.
PS C:\> Get-MsolAccountSku | Where-Object {$_.AccountSkuId -eq "Eveoh:ENTERPRISEPACK"} | ForEach-Object {$_.ServiceStatus}

ServicePlan           ProvisioningStatus
-----------           ------------------
INTUNE_O365           PendingActivation
YAMMER_ENTERPRISE     PendingInput
RMS_S_ENTERPRISE      Success
OFFICESUBSCRIPTION    Success
MCOSTANDARD           Success
SHAREPOINTWAC         Success
SHAREPOINTENTERPRISE  Success
EXCHANGE_S_ENTERPRISE Success
- We will now assign an Office 365 license with only the Exchange Online service plan enabled. A license is always assigned as a whole plan, with individual service plans disabled, so we first create a license-options object that lists every service plan to disable. After that, we assign the license to the service account.
PS C:\> $O365Licences = New-MsolLicenseOptions -AccountSkuId Eveoh:ENTERPRISEPACK -DisabledPlans INTUNE_O365, YAMMER_ENTERPRISE, RMS_S_ENTERPRISE, OFFICESUBSCRIPTION, MCOSTANDARD, SHAREPOINTWAC, SHAREPOINTENTERPRISE
PS C:\> Set-MsolUserLicense -UserPrincipalName "sa-mytt-exch@eveoh.onmicrosoft.com" -AddLicenses "Eveoh:ENTERPRISEPACK" -LicenseOptions $O365Licences
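The two commands above hard-code the list of service plans to disable, which silently breaks when Microsoft adds a new service plan to the bundle (the new plan would be enabled). The following added example, which is not part of the MyTimetable documentation, derives the disabled list from the SKU itself so that only EXCHANGE_S_ENTERPRISE stays enabled, checks that a license is actually free, and verifies the result. It assumes Connect-MsolService has already been run as a tenant admin; the SKU and UPN are this page's values, and "NL" is an assumed usage location (a usage location must be set on the user before a license can be assigned).

```powershell
# Added example: assign the plan with every service plan except Exchange Online
# disabled, deriving the disabled list from the SKU instead of hard-coding it.
$Sku           = "Eveoh:ENTERPRISEPACK"                 # from this page
$Upn           = "sa-mytt-exch@eveoh.onmicrosoft.com"   # from this page
$KeepPlans     = @("EXCHANGE_S_ENTERPRISE")             # the only service plan the account needs
$UsageLocation = "NL"                                   # assumption; required before licensing

$accountSku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $Sku }
if (-not $accountSku) { throw "SKU $Sku not found in this tenant" }
if (($accountSku.ActiveUnits - $accountSku.ConsumedUnits) -le 0) {
    throw "No free licenses left on $Sku (active $($accountSku.ActiveUnits), consumed $($accountSku.ConsumedUnits))"
}

# All service plans in the bundle, and the ones we do not want.
$allPlans = $accountSku.ServiceStatus | ForEach-Object { $_.ServicePlan.ServiceName }
$missing  = $KeepPlans | Where-Object { $allPlans -notcontains $_ }
if ($missing) { throw "SKU $Sku does not contain: $($missing -join ', ')" }
$disabled = $allPlans | Where-Object { $KeepPlans -notcontains $_ }

$user = Get-MsolUser -UserPrincipalName $Upn
if (-not $user.UsageLocation) {
    Set-MsolUser -UserPrincipalName $Upn -UsageLocation $UsageLocation
}

$options = New-MsolLicenseOptions -AccountSkuId $Sku -DisabledPlans $disabled
if ($user.Licenses | Where-Object { $_.AccountSkuId -eq $Sku }) {
    # Already licensed with this SKU: only adjust which service plans are enabled.
    Set-MsolUserLicense -UserPrincipalName $Upn -LicenseOptions $options
} else {
    Set-MsolUserLicense -UserPrincipalName $Upn -AddLicenses $Sku -LicenseOptions $options
}

# Verify: only the kept plans should show Success/PendingProvisioning, the rest Disabled.
(Get-MsolUser -UserPrincipalName $Upn).Licenses |
    Where-Object { $_.AccountSkuId -eq $Sku } |
    ForEach-Object { $_.ServiceStatus } |
    Select-Object @{ n = "ServicePlan"; e = { $_.ServicePlan.ServiceName } }, ProvisioningStatus
```

Run this after Connect-MsolService. The final listing is the check a practitioner wants before moving on: a service account that can reach EWS should not also have been handed SharePoint, Yammer or Intune entitlements it will never use.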
Creating a service account security group
In Active Directory, it is recommended to create a security group containing the previously created service account. Microsoft throttles the number of requests allowed to Exchange Web Services on a per-account basis, so by using multiple service accounts we are able to scale up the number of requests to EWS. In the next step, we will delegate calendar permissions to a security group instead of to one or more individual service accounts.
On-premises Active Directory
Using Active Directory Users and Computers
- Add a new group in the OU where you would like to place the security group:
- Add the service account to the security group:
Using Powershell
- Create a new AD security group using the New-ADGroup cmdlet. Replace the parameters to match your situation and preferences:
PS C:\> New-ADGroup -Path "CN=Users,DC=dev,DC=eveoh,DC=local" -Name "Service Accounts MyTimetable Exchange" -GroupScope Global -Description "Service Accounts MyTimetable Exchange"
- Add the service account to the security group:
PS C:\> Add-ADGroupMember -Identity "CN=Service Accounts MyTimetable Exchange,CN=Users,DC=dev,DC=eveoh,DC=local" -Members "CN=SAMyTTExch,CN=Users,DC=dev,DC=eveoh,DC=local"
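The individual New-ADUser, New-ADGroup and Add-ADGroupMember commands on this page work, but each fails on a second run and none of them confirms that the account ended up with the properties the rest of this page relies on. The following added example, which is not part of the MyTimetable documentation, combines the on-premises steps into one idempotent script and finishes with a verification of the account state. It uses the names and DN path from this page and assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example: create the service account and its security group in
# on-premises AD in one re-runnable script, then verify the result.
Import-Module ActiveDirectory

$Path      = "CN=Users,DC=dev,DC=eveoh,DC=local"          # from this page
$Name      = "SAMyTTExch"                                  # from this page
$Upn       = "sa-mytt-exch@dev.eveoh.local"                # from this page
$GroupName = "Service Accounts MyTimetable Exchange"       # from this page

# Reuse the account if it already exists; otherwise create it as on this page.
$user = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'" -Properties PasswordNeverExpires, MemberOf
if (-not $user) {
    $password = Read-Host -AsSecureString "Password for $Upn"
    $created = New-ADUser -Name $Name -DisplayName "MyTimetable Exchange Service Account" `
        -UserPrincipalName $Upn -AccountPassword $password `
        -PasswordNeverExpires $true -ChangePasswordAtLogon $false -CannotChangePassword $true `
        -AccountExpirationDate $null -Enabled $true -Path $Path -PassThru
    $user = Get-ADUser -Identity $created.DistinguishedName -Properties PasswordNeverExpires, MemberOf
}

# Same for the group.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -SearchBase $Path
if (-not $group) {
    $group = New-ADGroup -Path $Path -Name $GroupName -GroupScope Global -Description $GroupName -PassThru
}

# Add-ADGroupMember errors on an existing member, so check MemberOf first.
if ($user.MemberOf -notcontains $group.DistinguishedName) {
    Add-ADGroupMember -Identity $group -Members $user
}

# Verification: the settings the calendar delegation step depends on.
$check = Get-ADUser -Identity $user.DistinguishedName -Properties PasswordNeverExpires, Enabled, MemberOf
[pscustomobject]@{
    User                 = $check.UserPrincipalName
    Enabled              = $check.Enabled
    PasswordNeverExpires = $check.PasswordNeverExpires
    InServiceGroup       = ($check.MemberOf -contains $group.DistinguishedName)
}
```

The -Filter strings use the UPN and group name, not the SamAccountName, so the script keeps working if the display name changes later. Keeping the password prompt interactive (Read-Host -AsSecureString, as on this page) avoids leaving the service account password in the PowerShell history file.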
Azure AD
Using the Azure Management Portal
- Visit the Microsoft Azure Management Portal at https://portal.azure.com, using the credentials of the Microsoft tenant that holds the Office 365 subscription you wish to use.
- Click "Browse all" to browse all resources.
- Click "Active Directory". You will now be redirected to the classic Azure Management Portal.
- Click the Active Directory you would like to manage.
- Click "Groups" in the top menu bar.
- Click "Add group" in the bottom bar.
- Enter a name for the group, e.g. 'Service Accounts MyTimetable Exchange'.
- Click the newly created security group.
- Click "Add members" in the bottom bar.
- Add the service account you have just created.
Using Powershell
- Open the Windows Azure Active Directory Powershell prompt
- Connect to Microsoft Online Services using your tenant admin account:
PS C:\> Connect-MsolService
- Create the security group in the Active Directory. We will use the ObjectId in the final step.
PS C:\> New-MsolGroup -DisplayName "Service Accounts MyTimetable Exchange" -Description "Service Accounts MyTimetable Exchange"

ObjectId                             DisplayName                GroupType Description
--------                             -----------                --------- -----------
9283c3b6-5817-4ecb-94e1-dfaf007ef8f4 Service Accounts MyTime... Security  Service Accounts MyTime...
- Get the ObjectId of the service account:
PS C:\> Get-MsolUser -UserPrincipalName "sa-mytt-exch@eveoh.onmicrosoft.com" | select -ExpandProperty ObjectId

Guid
----
f1df171f-a1dd-423f-ac27-631a752ae001
- Add the service account to the security group:
PS C:\> Add-MsolGroupMember -GroupMemberObjectId f1df171f-a1dd-423f-ac27-631a752ae001 -GroupObjectId 9283c3b6-5817-4ecb-94e1-dfaf007ef8f4
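Copying ObjectIds by hand, as the three commands above require, is error-prone and does not scale to the several service accounts that the throttling note earlier on this page recommends. The following added example, which is not part of the MyTimetable documentation, resolves the ObjectIds in the script, reuses the group if it already exists, and only adds accounts that are not members yet. It assumes Connect-MsolService has already been run as a tenant admin; the first UPN is this page's value and the second is a placeholder for an additional service account.

```powershell
# Added example: create (or reuse) the Azure AD security group and add one or
# more service accounts to it without manual ObjectId copying, then list members.
$GroupName       = "Service Accounts MyTimetable Exchange"   # from this page
$ServiceAccounts = @(
    "sa-mytt-exch@eveoh.onmicrosoft.com",    # from this page
    "sa-mytt-exch2@eveoh.onmicrosoft.com"    # placeholder for a second account
)

# DisplayName is not unique in Azure AD, so match it exactly and refuse to guess
# when more than one security group carries the same name.
$group = Get-MsolGroup -SearchString $GroupName -All |
    Where-Object { $_.DisplayName -eq $GroupName -and $_.GroupType -eq "Security" }
if (@($group).Count -gt 1) {
    throw "More than one security group named '$GroupName'; select one by ObjectId instead."
}
if (-not $group) {
    $group = New-MsolGroup -DisplayName $GroupName -Description $GroupName
}

$members = Get-MsolGroupMember -GroupObjectId $group.ObjectId -All

foreach ($upn in $ServiceAccounts) {
    $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
    if (-not $user) {
        Write-Warning "No such user in this tenant: $upn"
        continue
    }
    if ($members | Where-Object { $_.ObjectId -eq $user.ObjectId }) {
        Write-Host "$upn is already a member of '$GroupName'"
        continue
    }
    Add-MsolGroupMember -GroupObjectId $group.ObjectId -GroupMemberType User -GroupMemberObjectId $user.ObjectId
    Write-Host "Added $upn to '$GroupName'"
}

# Final membership listing, which is what the delegation step will rely on.
Get-MsolGroupMember -GroupObjectId $group.ObjectId -All | Select-Object DisplayName, EmailAddress
```

Re-running the script is safe: existing members are skipped and the group is not recreated, so it can double as a periodic check that nothing other than the intended service accounts has been added to the group.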
Delegating calendar permissions to service account
Finally, we need to give the service account delegated calendar permissions on the mailboxes of the users.
Office 365
We are going to connect to Office 365 using Powershell. For this, we have to set up a remote Powershell session. First, we need to check if we are allowed to do so:
- Check the current script execution policy
PS C:\> Get-ExecutionPolicy
Restricted
- If we are not allowed to execute remotely signed scripts, we have to change the execution policy. Powershell may need to be started as Administrator for this.
PS C:\> Set-ExecutionPolicy RemoteSigned

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose you to the security risks described in the about_Execution_Policies help topic at http://go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y
Now we are able to start a remote Powershell session to Office 365:
- Connect to Office 365 using your tenant admin account and import the Powershell session:
PS C:\> $O365Cred = Get-Credential
PS C:\> $O365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection
WARNING: Your connection has been redirected to the following URI: "https://ps.outlook.com/PowerShell-LiveID?PSVersion=4.0 "
PS C:\> Import-PSSession $O365Session -AllowClobber
WARNING: The names of some imported commands from the module 'tmp_eiaj1j0m.dcw' include unapproved verbs that might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with the Verbose parameter. For a list of approved verbs, type Get-Verb.

ModuleType Version Name             ExportedCommands
---------- ------- ----             ----------------
Script     1.0     tmp_eiaj1j0m.dcw {Add-AvailabilityAddressSpace, Add-DistributionGroupMember...
- Select the mailboxes whose calendars you want to delegate and store them in a variable. It is also possible to filter them by OU.
PS C:\> $mailboxes = Get-Mailbox -Resultsize Unlimited
TODO
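The page's own delegation commands are still marked TODO above. As an added example that is not part of the MyTimetable documentation, the following script grants one delegate access to the calendar folder of every user mailbox over the remote Office 365 session opened above, handles two failure modes a practitioner runs into (localised calendar folder names, and Add-MailboxFolderPermission refusing to add an entry that already exists), reports per mailbox, and closes the session afterwards. Assumptions: $O365Session has been imported as shown above; $Delegate is the service account UPN from this page (or a mail-enabled security group); the "Editor" access level and the OU filter are placeholders to adapt to what MyTimetable actually needs.

```powershell
# Added example: grant a delegate rights on every user's calendar folder
# through the Office 365 remote session, verify, report, and disconnect.
$Delegate     = "sa-mytt-exch@eveoh.onmicrosoft.com"   # from this page
$AccessRights = "Editor"                               # assumption: rights level MyTimetable needs
$OuFilter     = $null   # placeholder, e.g. "eveoh.onmicrosoft.com/Students"; $null = all user mailboxes

# Only real user mailboxes: no shared, room, equipment or discovery mailboxes.
$mailboxParams = @{ RecipientTypeDetails = "UserMailbox"; ResultSize = "Unlimited" }
if ($OuFilter) { $mailboxParams["OrganizationalUnit"] = $OuFilter }
$mailboxes = Get-Mailbox @mailboxParams

$report = foreach ($mbx in $mailboxes) {
    # The default calendar folder name is localised (e.g. "Agenda" in a Dutch
    # mailbox), so resolve it from folder statistics instead of hard-coding "\Calendar".
    $calendar = Get-MailboxFolderStatistics -Identity $mbx.Identity -FolderScope Calendar |
        Where-Object { $_.FolderType -eq "Calendar" } | Select-Object -First 1
    if (-not $calendar) {
        [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Folder = ""; Result = "no calendar folder" }
        continue
    }
    $folderId = "{0}:\{1}" -f $mbx.PrimarySmtpAddress, $calendar.Name

    try {
        # Add-MailboxFolderPermission fails when an entry for the user exists,
        # so look it up first and update it with Set-MailboxFolderPermission.
        $existing = Get-MailboxFolderPermission -Identity $folderId -User $Delegate -ErrorAction SilentlyContinue
        if ($existing) {
            if ($existing.AccessRights -contains $AccessRights) {
                $result = "already $AccessRights"
            } else {
                Set-MailboxFolderPermission -Identity $folderId -User $Delegate -AccessRights $AccessRights -ErrorAction Stop | Out-Null
                $result = "updated to $AccessRights"
            }
        } else {
            Add-MailboxFolderPermission -Identity $folderId -User $Delegate -AccessRights $AccessRights -ErrorAction Stop | Out-Null
            $result = "granted $AccessRights"
        }
    } catch {
        $result = "FAILED: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Folder = $calendar.Name; Result = $result }
}

$report | Format-Table -AutoSize
# Keep the failures for follow-up, then close the remote session.
$report | Where-Object { $_.Result -like "FAILED*" } |
    Export-Csv -NoTypeInformation -Path .\calendar-delegation-failures.csv
Remove-PSSession $O365Session
```

If you delegate to the security group from the previous section instead of to the account, the -User parameter of the folder-permission cmdlets accepts a mailbox, a mail user or a mail-enabled security group; a plain security group that has no mail address is not accepted, so mail-enable the group first. Keep the generated report: it records exactly which calendars the service account can write to, which is the list you want when reviewing or revoking the delegation later.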
Exchange on-premises
TODO