
Booking System Preparation - M365 - RBAC

This article will cover the process of preparing Office 365 for Humly Control Panel integration.

If you already have Humly Control Panel configured with the old application impersonation and want to switch to RBAC, skip the earlier steps and do only the steps in the "Application Role Based Access Control" section below.

Microsoft announced that it would begin blocking the assignment of the ApplicationImpersonation role in Exchange Online to accounts starting in May 2024, and that in February 2025 it would completely remove this role and its feature set from Exchange Online.
More details can be found in this Microsoft article:
Retirement of RBAC Application Impersonation in Exchange Online

Global Administrator permissions are needed in order to complete the preparation.

Create a Service Account

The service account will be used for authenticating and carrying the requests between the Humly Control Panel and Office 365 via EWS. Therefore we recommend creating a dedicated account for this purpose.

To create the service account, follow the steps below. Note that you need Administrator permission to complete them.

1. Go to https://admin.microsoft.com/ and log in with your admin account.
From the menu, click Users, then Active users, and add a user. Fill in the required fields and press Next.


2. Select the location of the user and assign a product license to the user, then press Next.


  • The service account needs a mailbox, so the lowest possible license is either Exchange Online or Microsoft 365 Business Basic.
  • A Teams Rooms account cannot be used as the service account. Teams Rooms are set up after the initial connection to Humly Control Panel has been made, and are added as normal resource rooms under Building and structures.

3. Leave the optional settings at their defaults at this stage and click Next.

4. A summary window will appear showing the information about the created account, check the information and click "Finish adding".


5. Allow the process a few minutes, then the user is ready to be used.

Create Room mailboxes

A "Room mailbox" is also called a resource mailbox. It is the calendar that is used to book the room, for example from Outlook.

Humly Control Panel syncs the calendars of the room mailboxes so that meetings are shown, via HCP, on the HRD devices outside the meeting rooms.

To create a room mailbox, follow the steps below.

1. Go to https://admin.exchange.microsoft.com/ and log in with your admin account.

From the Exchange admin center, navigate to Recipients and then click Resources. Press Add a room resource.

2. Enter the Room Name and specify the resource account's Email address. You can add other room settings here as well. When finished press Create.

If you want to create more resources, repeat the steps.

It is highly recommended to configure the resource rooms with the cmdlet below using PowerShell.

This command stops the organizer's name from replacing the subject/title of meetings, keeps the subject and body intact, and makes sure that meetings marked private in M365 stay private in Humly.

Set-CalendarProcessing <room1@domain.com> -AddOrganizerToSubject $False -DeleteComments $False -DeleteSubject $False -RemovePrivateProperty $false
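The same settings applied to every room mailbox in the tenant and then checked for drift, as an added example that is not part of the original article. It assumes an Exchange Online PowerShell session is already connected and reads the rooms with Get-Mailbox.

```powershell
# Added example: apply the recommended calendar processing settings to every
# room mailbox and report any mailbox where a setting did not take effect.
# Assumes an Exchange Online PowerShell session is already connected.

$desired = @{
    AddOrganizerToSubject = $false   # keep the real subject, not the organizer's name
    DeleteComments        = $false   # keep the meeting body
    DeleteSubject         = $false   # keep the subject
    RemovePrivateProperty = $false   # private meetings stay private in Humly
}

$rooms = Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited

foreach ($room in $rooms) {
    # Splat the hashtable so each key becomes a Set-CalendarProcessing parameter.
    Set-CalendarProcessing -Identity $room.PrimarySmtpAddress @desired
}

# Verify: list any room whose effective settings still differ from $desired.
$drift = foreach ($room in $rooms) {
    $cp = Get-CalendarProcessing -Identity $room.PrimarySmtpAddress
    foreach ($name in $desired.Keys) {
        if ($cp.$name -ne $desired[$name]) {
            [pscustomobject]@{
                Room    = $room.PrimarySmtpAddress
                Setting = $name
                Actual  = $cp.$name
            }
        }
    }
}

if ($drift) { $drift | Format-Table -AutoSize }
else        { "All room mailboxes match the recommended settings." }
```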


Create Room List Using PowerShell

Creating room lists is an optional step; however, it improves the experience for Outlook users and makes it easier for them to find available rooms. In addition, you can import a room list that contains many rooms into HCP in one go.

1. Connect to Exchange Online PowerShell

Connect to Exchange Online PowerShell via Windows PowerShell. For more details on how to connect, please refer to the following Microsoft documentation:
Connect to Exchange Online PowerShell
Typically the commands below can be used to connect to Microsoft 365 PowerShell. Open PowerShell as an administrator first.
## On the "Execution Policy Change" question type "Y" and press "Enter".
Set-ExecutionPolicy RemoteSigned

## This will prompt a pop-up asking for credentials.

## Enter the username and password for your Office 365 admin account and click "Ok".
$UserCredential = Get-Credential

## Create session
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

## Import session
Import-PSSession $Session

## Make sure Exchange Online Module is installed for the below cmdlet to work
Import-Module ExchangeOnlineManagement

Connect-ExchangeOnline -UserPrincipalName <UPN>

Replace <UPN> with the Office 365 global admin account, for example:

Connect-ExchangeOnline -UserPrincipalName support@humly.dev

The commands below create a single room list and then add rooms to it, or create a single room list that holds all existing rooms in one go, in Microsoft 365 using Windows PowerShell:

2. Creates a new room list named “HCP Demo”:

New-DistributionGroup -Name "HCP Demo" -RoomList


3. Add the room mailbox created in the previous step, "the-lab@certus.info", to the new room list "HCP Demo":

Add-DistributionGroupMember -Identity "HCP Demo" -Member the-lab@certus.info


4. Steps 2 and 3 can be replaced, depending on your needs, by one command that creates the room list and adds the members directly. The -RoomList switch is required, otherwise an ordinary distribution group is created:

New-DistributionGroup -Name "Roomlist-name" -RoomList -Members room1@domain.com,room2@domain.com,room3@domain.com


5. The room list is now ready to be used. To get all room lists from PowerShell, use the command below:

Get-DistributionGroup -ResultSize Unlimited | Where { $_.RecipientTypeDetails -eq "RoomList" } | Format-Table


Keep the PowerShell session open, as you will need it later.


Application Registration and API Permissions

In this section, we prepare Azure Active Directory for HCP. First, you need to register a custom application; follow the steps below.

1. Log in to the Microsoft Entra admin center. To register the HCP application in Azure, click App registrations to open the application registration blade, then click New registration.

2. Enter a name for your application and click Register.

3. Once the application is created, the summary page appears. Make a note of the Application (client) ID and the Directory (tenant) ID, as they are needed later when connecting Humly Control Panel to Microsoft 365.

4. Go to the Enterprise applications section, search for the app you created in the previous steps, open its properties and copy the Object ID from there (this is different from the Object ID shown on the App registration page).
Save this as "Object Id" for use with Exchange PowerShell in the coming steps.



5. If you want to allow login using single sign-on (SSO), you must whitelist your Humly Control Panel URL in the application. To do this, go to Authentication, click Add a platform and select Single-page application. Type in your cloud URL or on-prem URL followed by /sso/redirect, for example:

Single-page application:
https://26364.humly.cloud/sso/redirect
https://localhost:3002/sso/redirect

https://hcp-server-url:3002/sso/redirect

6. Configure a client secret by clicking Certificates & secrets, then New client secret. Enter a description in the newly opened blade and set the expiry as per your policy. Note that the secret must be valid for HCP to work: once it expires, meetings stop syncing from Microsoft to Humly Control Panel, so you will have to replace the expired client secret with a new one and reauthenticate to Microsoft once again.

  • Only the client secret Value is supported by the Humly integration. The Secret ID is not supported and will give an error when you try to connect.
  • HCP stops syncing with Microsoft 365 once the secret expires, so select the expiry time carefully and renew the secret before it expires.


7. Go to the App registration, select the API permissions setting, click the Add a permission button, then select Microsoft Graph.

8. In the permission selection page, select Delegated Permission, which will open the list of permissions for Delegated access. Expand EWS and select EWS.AccessAsUser.All. Click the Add permissions button.


Application Role Based Access Control

In this section, you will configure RBAC for Applications in Exchange Online, which allows admins to grant permissions to an application that accesses data in Exchange Online independently of a user. This grant can be paired with a scope of access (resource scope) to specify which mailboxes the app can access. You will need the PowerShell session you started earlier in this process.

If you have added a sender email in Humly Control Panel, which is an optional step, that account must be a mailbox within the RBAC impersonation scope. It should be set up the same way as the service account in the management scope.

If you want to restrict the impersonation scope so that only a given set of resource rooms can be accessed, follow this guide.

  1. Create a management scope

    The management scope is used in the next step to restrict the impersonation right. The command below limits the scope to resources (room and equipment mailboxes) plus the service account mailbox:
    New-ManagementScope -Name "ResourceMailboxes" -RecipientRestrictionFilter { RecipientTypeDetails -eq "RoomMailbox" -or RecipientTypeDetails -eq "EquipmentMailbox" -or PrimarySmtpAddress -eq "service-account@domain.com"}
  2. Create a service principal - RBAC

    Create a service principal so that the application you created in the first step can be granted access to data in Exchange Online. You will need to provide the Application ID and the Object ID.
    Replace <name> with a name of your choice for the service principal.
    New-ServicePrincipal -AppId <Client Application ID in AAD> -ObjectId <Service principal object ID in AAD> -DisplayName <name>
  3. Assign the management role - RBAC

    In this step you assign the "Application EWS.AccessAsApp" role to the application, identified by its Application ID, restricted to the management scope you created in step 1. Use the same scope name as in that step.
    New-ManagementRoleAssignment -Name "ResourceImpersonation" -Role "Application EWS.AccessAsApp" -App <Client Application ID in AAD> -CustomResourceScope "ResourceMailboxes"
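The three RBAC steps above as one script, followed by a check that the application can only reach mailboxes inside the scope, as an added example that is not part of the original article. It assumes a connected Exchange Online PowerShell session, that Test-ServicePrincipalAuthorization accepts the Application ID as its -Identity, and that the angle-bracket and domain.com values are replaced with your own tenant's values.

```powershell
# Added example: create the scope, service principal and role assignment from the
# steps above, then check that the app can only reach in-scope mailboxes.
# All values in angle brackets or at domain.com are placeholders for your tenant.
$appId          = "<Client Application ID in AAD>"        # App registration overview
$spObjectId     = "<Service principal object ID in AAD>"  # Enterprise applications, not App registration
$serviceAccount = "service-account@domain.com"            # the HCP service account mailbox
$scopeName      = "ResourceMailboxes"
$assignmentName = "ResourceImpersonation"

# 1. Management scope: room and equipment mailboxes plus the service account only.
#    The filter is passed as a string so that $serviceAccount is expanded locally.
$filter = "RecipientTypeDetails -eq 'RoomMailbox' -or " +
          "RecipientTypeDetails -eq 'EquipmentMailbox' -or " +
          "PrimarySmtpAddress -eq '$serviceAccount'"
if (-not (Get-ManagementScope -Identity $scopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $scopeName -RecipientRestrictionFilter $filter
}

# 2. Service principal in Exchange Online for the registered application.
if (-not (Get-ServicePrincipal -Identity $appId -ErrorAction SilentlyContinue)) {
    New-ServicePrincipal -AppId $appId -ObjectId $spObjectId -DisplayName "Humly Control Panel"
}

# 3. Role assignment tied to the custom scope instead of the whole tenant.
if (-not (Get-ManagementRoleAssignment -Identity $assignmentName -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Name $assignmentName -Role "Application EWS.AccessAsApp" `
        -App $appId -CustomResourceScope $scopeName
}

# 4. Verify least privilege: a room must be in scope, a user mailbox must not.
#    Replace both sample addresses with real mailboxes before running.
$checks = @{
    "room1@domain.com"    = $true    # room mailbox, expected in scope
    "someuser@domain.com" = $false   # ordinary user mailbox, expected out of scope
}
foreach ($mailbox in $checks.Keys) {
    $grants  = Test-ServicePrincipalAuthorization -Identity $appId -Resource $mailbox |
               Where-Object { $_.RoleName -eq "Application EWS.AccessAsApp" }
    $inScope = [bool]($grants | Where-Object { $_.InScope })
    $status  = if ($inScope -eq $checks[$mailbox]) { "OK" } else { "UNEXPECTED" }
    "{0,-10} {1,-24} InScope={2}" -f $status, $mailbox, $inScope
}
```

An "UNEXPECTED" line for the user mailbox means the assignment is broader than the scope you intended and should be reviewed before connecting HCP.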