Configuring Office 365 for scheduling using app permissions
The VMR Scheduling for Exchange feature (also known as Secure Scheduler for Exchange) allows you to create an add-in that enables Microsoft Outlook desktop and Web App users in Office 365 or Exchange environments to quickly and easily add a Pexip VMR to their meeting invitations, enabling any meeting to be held over video.
To enable users to schedule meetings in single-use VMRs in an Office 365 environment you must first complete the following steps, described in more detail in the sections that follow:
- Creating an equipment resource. This resource is added as an attendee to all meetings scheduled using the Pexip add-in.
- Configuring the equipment resource.
- Creating an app registration, used by the scheduling service.
- Creating a management scope, which permits the app to impersonate the members of the scheduling distribution group.
PowerShell commands are provided for some steps; parameters to be replaced with your own relevant information are shown in the format <your info here>.
Prerequisites
Before you start, ensure you can access:
- your Office 365 Admin Center: https://portal.office.com/adminportal/home#/homepage.
- either:
  - the Azure portal at https://portal.azure.com, or
  - the Microsoft Entra admin centre at https://entra.microsoft.com/.
You also need a remote PowerShell session to your Exchange server. See the Microsoft articles on connecting to Exchange Online and Microsoft 365 with PowerShell for more information.
Creating an equipment resource
In this step you create an equipment resource used by VMR Scheduling for Exchange. This resource is added as an attendee to all meetings scheduled using the Pexip add-in. The scheduling service monitors the equipment resource's mailbox, processes all meeting requests sent to it, and schedules the meetings as appropriate.
The equipment resource is added as a resource attendee to all VMR Scheduling for Exchange meetings. Users will see replies from this resource when it accepts or rejects a meeting request.
Each equipment resource can be used by only one VMR Scheduling for Exchange Integration. If you have separate test and development environments, you must use a different equipment resource for each.
Previously we recommended using a room resource, but this may cause issues when using the Room Finder tool. Thus, we now recommend using an equipment resource.
You can create an equipment resource using either the Office 365 admin portal or PowerShell, as follows:
Microsoft 365 admin portal
To create the equipment resource via the Microsoft 365 admin portal:
The equipment resource now appears in the list of resources.
PowerShell
This command creates an equipment resource with the specified Name, Alias and Display Name. Name and Display Name should be the same, and will appear as the location of any meeting requests, and as a recipient. The Alias (also known as the mail nickname) is used as the email address.
New-Mailbox -Equipment -Name "<Equipment Name>" -Alias "<Equipment Alias>" -DisplayName "<Equipment Name>"
For example:
New-Mailbox -Equipment -Name "Pexip Scheduling Service" -Alias pexip.scheduling -DisplayName "Pexip Scheduling Service"
Configuring the equipment resource
In this step you configure calendar processing to disable automatic processing for the equipment resource, so that the processing can be done by the scheduling service. You must also configure it to permit conflicts, because meetings may be scheduled at the same time by different users. You can optionally hide the resource mailbox's availability to improve the usability of the Scheduling Assistant.
Calendar processing
This configuration is done using the following PowerShell command:
Set-CalendarProcessing -Identity "<email_of_equipment_resource>" -AutomateProcessing None -AllowConflicts $true -BookingWindowInDays 1080 -MaximumDurationInMinutes 0 -AllowRecurringMeetings $true -EnforceSchedulingHorizon $false -ScheduleOnlyDuringWorkHours $false -ConflictPercentageAllowed 100 -MaximumConflictInstances 2147483647
To verify that the above command has configured everything correctly, use the PowerShell command:
Get-CalendarProcessing -Identity "<email_of_equipment_resource>" | Format-List
The output should look something like this:
Hiding resource availability in scheduling assistant
When viewing meetings in Outlook's Scheduling Assistant, the equipment resource and its availability will appear in the list of attendees. Because the same equipment resource is used for all scheduled meetings, it may show as unavailable if there are other meetings scheduled at the same time, which may be confusing to users.
To avoid this, you can hide the availability of the equipment resource's mailbox, so that it is always shown as "unknown". This is done using the PowerShell command:
Set-MailboxFolderPermission -Identity "<email_of_equipment_resource>:\Calendar" -User Default -AccessRights None
More information
For more information on these commands, see Microsoft help:
- Set-CalendarProcessing command: https://learn.microsoft.com/en-us/powershell/module/exchange/set-calendarprocessing
- Get-CalendarProcessing command: https://learn.microsoft.com/en-us/powershell/module/exchange/get-calendarprocessing
- Set-MailboxFolderPermission command: https://learn.microsoft.com/en-us/powershell/module/exchange/set-mailboxfolderpermission
Creating an app registration
In this step, you create a Microsoft Entra ID app registration used by VMR Scheduling for Exchange.
You must use the settings from this app registration when configuring the integration with the Exchange server OAuth options.
Creating a new app registration
- Log in to either:
  - the Azure portal at https://portal.azure.com, and under Azure services select . From the side panel select .
  - the Microsoft Entra admin centre at https://entra.microsoft.com/, and from the side panel select .
- Select .
- In the Register an application panel, enter the following options:
  - Name: this can be anything you wish. In our example we have used Pexip Scheduling app permissions.
  - Supported account types: for most customers, Accounts in this organizational directory only (... only - Single tenant) will be appropriate.
  - Redirect URI: leave blank.
- Select . A new panel opens where you can configure your application.
- From the Overview page, note the following:
  - Display name. You will need this later to search for the app.
  - Application (client) ID: used when configuring the management scope and when configuring Pexip Infinity.
- Select the tab and copy the OAuth 2.0 token endpoint (v2) value. You will need to enter this as the OAuth token endpoint when configuring Pexip Infinity. Ensure that you use the URL for ... endpoint (v2), not ... endpoint (v1).
- From the panel on the left, select .
- Select :
- From the Request API permissions panel, select , search for Office 365 Exchange Online and select it:
- Select Application permissions, and from the Select permissions list, expand Other permissions and select full_access_as_app:
The full_access_as_app permission now shows in the list of API permissions. Admin consent required is Yes, and Status is Not granted for <tenant name>:
We recommend that you do not grant admin consent. Doing so gives the app permission to access every mailbox in your organization. Instead, we recommend you create a Management Scope to restrict the app's access to the equipment resource and scheduling users' mailboxes only.
Creating a client secret
- From the side panel, select Certificates & secrets and select the Client secrets tab. Select :
- Enter a Description and select an Expires option, and select .
  The maximum duration before expiry is 24 months. When this secret expires you will need to add a new one, and update the Pexip Infinity config accordingly.
- The new client secret appears in the list. Copy and save the Value. You will need to enter this as the OAuth client secret when configuring Pexip Infinity:
Creating a management scope
In this step you configure a management scope which you use to specify which mailboxes the app can impersonate.
These steps are required if you have not granted admin consent when adding permissions for the app. If you have granted admin consent, which we do not recommend, the app will already have access to every mailbox in your organization.
As a minimum, the app requires permission to access the equipment resource mailbox. We also recommend that the app is given permission to access all users who will be using VMR Scheduling for Exchange as this will allow meeting instructions to be added to meetings which were created while the Management Node was offline. For more information about how VMR Scheduling for Exchange uses EWS Impersonation, see Using application impersonation.
Copy the app's Enterprise Object ID
First you must obtain the Enterprise Object ID of your app. To do this:
- Log in to either:
  - the Azure portal at https://portal.azure.com, and under Azure services select . From the side panel select .
  - the Microsoft Entra admin centre at https://entra.microsoft.com/, and from the side panel select .
- Search for and select the app.
- Copy and save the Object ID. When creating the management scope, use this as the app's Enterprise Object ID:
Creating a distribution list
The easiest way to apply the management scope to all VMR Scheduling for Exchange users is to use a group in the form of a distribution list. This group should include the equipment resource mailbox as well as all users whose mailboxes should be accessed by the scheduling app.
To create a distribution list:
- Log in to the Microsoft 365 admin center at https://admin.microsoft.com/.
- From the side panel, select Teams & Groups > Active teams & groups and select the Distribution list tab.
- Select :
- Follow the steps to give the list a name and assign owners and members. Ensure that you add all users, as well as the equipment resource mailbox, to the list.
- Assign an email address to the new group. You'll use this in the next step, creating a management scope.
We recommend that you do not allow people outside your organization to send email to the Distribution group:
Creating and applying the management scope
We recommend that you use combined PowerShell commands to create and configure the management scope. This allows you to use variables, thus reducing possible copy and paste errors.
For information on connecting to Exchange Online using PowerShell, see https://learn.microsoft.com/en-us/powershell/exchange/connect-to-exchange-online-powershell.
For the following PowerShell command, you must assign values specific to your deployment to the following variables:
- $app_id: the app's Application (client) ID noted down when creating the app registration.
- $enterprise_object_id: the app's Enterprise Object ID.
- $scheduling_dist_list_email: the email of the distribution list created earlier, whose members you want the scheduling service to be able to impersonate.
You also assign names for the following:
- $service_principal_to_create
- $management_scope_to_create
- $management_role_assignment_to_create
Run the following PowerShell, replacing our examples with your own:
# Values specific to your deployment
$app_id = "<Application (client) ID>"
$enterprise_object_id = "<Enterprise Object ID>"
$scheduling_dist_list_email = "<distribution list email address>"
# Names for the objects to be created
$service_principal_to_create = "Pexip VMR Scheduling SP"
$management_scope_to_create = "Pexip VMR Scheduling MS"
$management_role_assignment_to_create = "Pexip VMR Scheduling MRA"
# Register the app as an Exchange Online service principal
New-ServicePrincipal -AppId $app_id -ObjectId $enterprise_object_id -DisplayName $service_principal_to_create
# Build a recipient filter that matches only members of the scheduling distribution list
$pexip_scheduling_group = Get-DistributionGroup -Identity $scheduling_dist_list_email
$pexip_scheduling_group_dn = $pexip_scheduling_group.DistinguishedName
$restriction_filter = "MemberOfGroup -eq ""$pexip_scheduling_group_dn"""
New-ManagementScope -Name $management_scope_to_create -RecipientRestrictionFilter $restriction_filter
# Grant the app EWS access limited to that scope
New-ManagementRoleAssignment -Name $management_role_assignment_to_create -App $service_principal_to_create -Role "Application EWS.AccessAsApp" -CustomResourceScope $management_scope_to_create
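The following verification script is an added example and is not part of Pexip's documentation; it checks the calendar processing and availability settings from the "Configuring the equipment resource" section and the scoping set up above, assuming an open Exchange Online PowerShell session, the example object names used on this page, and a mailbox of a user who is deliberately not in the distribution list. Test-ServicePrincipalAuthorization and its InScope output are taken from Microsoft's Exchange Online RBAC for Applications documentation rather than from this page.

```powershell
# Added verification script (not Pexip's own). Assumes an open Exchange Online
# PowerShell session. Values in <angle brackets> are placeholders for your deployment.
$equipment_mailbox          = "<email_of_equipment_resource>"
$out_of_scope_mailbox       = "<email of a user who is NOT in the distribution list>"
$scheduling_dist_list_email = "<distribution list email address>"
$service_principal_name     = "Pexip VMR Scheduling SP"
$failures = @()
# 1. Calendar processing: the resource must leave all decisions to the scheduling
#    service. Expected values mirror the Set-CalendarProcessing command on this page.
$expected = @{
    AutomateProcessing          = "None";  AllowConflicts            = $true
    AllowRecurringMeetings      = $true;   EnforceSchedulingHorizon  = $false
    ScheduleOnlyDuringWorkHours = $false;  ConflictPercentageAllowed = 100
    MaximumConflictInstances    = 2147483647
    BookingWindowInDays         = 1080;    MaximumDurationInMinutes  = 0
}
$cp = Get-CalendarProcessing -Identity $equipment_mailbox
foreach ($setting in $expected.Keys) {
    if ("$($cp.$setting)" -ne "$($expected[$setting])") {
        $failures += "CalendarProcessing.$setting is '$($cp.$setting)', expected '$($expected[$setting])'"
    }
}
# 2. Availability hidden: Default access on the Calendar folder should be None.
$perm = Get-MailboxFolderPermission -Identity "${equipment_mailbox}:\Calendar" -User Default
if ("$($perm.AccessRights)" -ne "None") {
    $failures += "Calendar Default access is '$($perm.AccessRights)', expected 'None'"
}
# 3. Scope membership: the equipment resource must be in the distribution list the
#    management scope filters on, otherwise the app cannot read its calendar.
$members = Get-DistributionGroupMember -Identity $scheduling_dist_list_email -ResultSize Unlimited
if (-not ($members | Where-Object { $_.PrimarySmtpAddress -eq $equipment_mailbox })) {
    $failures += "$equipment_mailbox is not a member of $scheduling_dist_list_email"
}
# 4. Least privilege: the service principal may reach the equipment resource but not a
#    mailbox outside the list. Test-ServicePrincipalAuthorization (Exchange Online RBAC
#    for Applications) reports InScope per assigned role; assumed, not from the page.
$inScope = Test-ServicePrincipalAuthorization -Identity $service_principal_name -Resource $equipment_mailbox
if (-not ($inScope | Where-Object { $_.InScope })) {
    $failures += "$service_principal_name cannot access $equipment_mailbox; check the role assignment and scope"
}
$outScope = Test-ServicePrincipalAuthorization -Identity $service_principal_name -Resource $out_of_scope_mailbox
if ($outScope | Where-Object { $_.InScope }) {
    $failures += "$service_principal_name can access $out_of_scope_mailbox; the scope is wider than intended"
}
if ($failures) { $failures | ForEach-Object { Write-Warning $_ } } else { Write-Host "All checks passed" }
```

Check 4 is the one to rerun whenever the distribution list or role assignment changes, since a widened scope is not visible from the app registration itself.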
When you configure the associated VMR Scheduling for Exchange Integration, you'll need to provide the following information from Azure:
- Application (client) ID: this was generated for you by Azure when you created the app registration. You can find this again by going to and selecting the app registration. It is shown on the overview page under Application (client) ID. You must enter this as the OAuth client ID when configuring the integration.
- OAuth client secret: this was generated for you by Azure when you created the app registration. You can only view the value immediately after creation. You must enter this value as the OAuth client secret when configuring the integration.
- OAuth 2.0 token endpoint (v2): this was generated for you by Azure when you created the app registration. You can find this again by going to and selecting the app registration. Select the tab and copy the value under OAuth 2.0 token endpoint (v2). You must enter this value as the OAuth token endpoint when configuring the integration.
Viewing the equipment resource's mailbox
There may be occasions, such as when troubleshooting, that you want to view the equipment resource's mailbox or calendar. To do this, you first need to assign full access to the equipment resource's mailbox to a delegate account, and then view the mailbox or calendar using the delegate account. (The delegate account could be, for example, an administrator's account.)
Next steps
- Configuring Pexip Infinity to integrate with your Microsoft Exchange deployment and create the VMR Scheduling for Exchange add-in.
- Making the add-in available to users within your Microsoft Exchange deployment.