This document describes the actions that need to be performed in Microsoft Exchange and Microsoft Azure to implement the Reservation Sync Interface for Spacewell Workplace Management.

...

1. Scope

This configuration guide is applicable for Microsoft 365 Exchange Online including hybrid* Exchange setups. This configuration guide is not applicable for on-premise Exchange servers.

2. Who is this document for?

  • Microsoft Exchange Administrator who will configure the Exchange Online environment for the Reservation Sync Interface.

  • Microsoft Azure Administrator who will configure access to the Reservation Sync Interface as a registered application in Azure Portal.

  • Information Security Official who will review the administrative actions performed on the customer’s side as part of the above two roles.

3. Pre-requisites - Exchange Administration

The following steps implement and/or validate settings in Microsoft Exchange Online that are required by the Reservation Sync Interface to establish connectivity with Spacewell Workplace.

Info

The following steps require administrator access to Exchange Online. Ensure your Microsoft account has the necessary access rights.

3.1 Pre-requisites

3.1.1 How to access Exchange Admin Center

Exchange Admin Center (EAC) is the Web Console to manage Microsoft Exchange Online and can be accessed via: https://admin.exchange.microsoft.com/

...

More information about EAC can be found here: https://learn.microsoft.com/en-us/exchange/exchange-admin-center.

3.1.2 How to access Exchange Admin Shell

Exchange Admin Shell is shell access (via command line) to a remote Exchange instance, in this case Exchange Online. To connect to Exchange Admin Shell, you will need PowerShell and internet access.

...

More information about connecting to Exchange Online PowerShell can be found here: https://learn.microsoft.com/en-us/powershell/exchange/connect-to-exchange-online-powershell?view=exchange-ps&preserve-view=true

3.2 Room Mailboxes

Room mailboxes are key to setting up sync between Workplace and Exchange. For each room defined in Workplace, there must be a corresponding room mailbox defined in Exchange.

3.2.1 Creating Room Mailbox

Room mailboxes are resource mailboxes that can be created either via Exchange Admin Center or Exchange Admin Shell. Unlike user mailboxes, resource mailboxes are not linked to Microsoft 365 user licenses and do not incur any costs. They are bundled with all Microsoft 365 subscriptions, and an unlimited number of such resource mailboxes can be created.

Room mailboxes can be created manually through the Exchange Admin Center or using PowerShell. Both options are described below. Select the method that best fits your current workflow.

Create a Room Mailbox via Exchange Admin Center

Log in to Exchange Admin Center and select Resources from the left side menu under Recipients.

...

Once the room mailbox is created, it appears in the list of Resources.

...

Create a Room Mailbox via Exchange PowerShell

Connect to Exchange Admin Shell and use the cmdlet below to create a new room mailbox:

...

The -Identity parameter value is the same as the -Alias used in the create command above.

...

3.2.2 Fine-tuning Room Mailbox properties

Room mailboxes in Exchange Online have an extensive set of properties that determine how they automatically deal with meeting requests from human users (auto-accept/decline). These properties also affect the Reservation Sync Interface. While some of them can be controlled from the Exchange Admin Center web GUI, more advanced control is available from the shell using the CalendarProcessing cmdlets.

...

The properties that are relevant for Reservation Sync are described below.

AutomateProcessing

This parameter decides whether meeting requests from users are automatically accepted by the room mailbox or delegated to a human user who is the room admin. If you have not specified any booking delegates in the room mailbox settings, this should be set to AutoAccept.

AllowConflicts

This parameter decides whether the room mailbox will accept multiple meeting requests for the same time slot. Spacewell Workplace doesn’t allow conflicts, hence this parameter must be set to False.

BookingWindowInDays

This parameter decides how far ahead in the future the room can be booked. This value should be set to a reasonable number such as 90 or 180 and should also match the configured value in Spacewell Workplace. Setting it to a high number allows users to create recurring meetings years into the future with a very large number of occurrences, resulting in sync failures and performance issues.

MaximumDurationInMinutes

The maximum duration of a meeting. Spacewell supports a maximum of 24 hours, i.e. a meeting cannot span multiple days. Thus this value must be 1440 or less.

ScheduleOnlyDuringWorkHours

The availability hours of a room must match the configured values in Spacewell. For best results with Reservation Sync, it should be set to False in both Spacewell and Exchange.

ConflictPercentageAllowed

This parameter determines whether the room should still accept a recurring series as a whole when it is unavailable for a few occurrences of the series but available for the majority of them. It is not recommended to set this value higher than 20%.

MaximumConflictInstances

Same as above, except that it counts the number of unavailable occurrences instead of a percentage. Of the two, whichever restriction is hit first takes precedence. The recommended value is 0, relying only on the percentage setting.

DeleteSubject & AddOrganizerToSubject

By default, when a room mailbox receives a meeting, it removes the subject when saving the invite in its calendar. Consequently, the meeting subjects are not synchronized to Spacewell, and the Spacewell touchpoints display the Organizer’s name instead of the subject.

...

https://learn.microsoft.com/en-us/powershell/module/exchange/set-calendarprocessing?view=exchange-ps
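
The following PowerShell is an added example, not part of the original guide or of Spacewell's tooling: it reports every room whose calendar processing settings deviate from the values recommended in this section. The function name, the default booking window of 180 days and the sample objects are assumptions constructed for illustration.

```powershell
# Added example; Test-RoomCalendarProcessing is a hypothetical helper name.
function Test-RoomCalendarProcessing {
    [CmdletBinding()]
    param(
        # Any object exposing the property names that Get-CalendarProcessing returns.
        [Parameter(Mandatory, ValueFromPipeline)] $Settings,
        # Assumption: set this to the booking window configured in Spacewell Workplace.
        [int] $MaxBookingWindowInDays = 180
    )
    process {
        $s = $Settings
        $rules = @(
            @{ Name = 'AutomateProcessing'; Ok = ("$($s.AutomateProcessing)" -eq 'AutoAccept'); Want = 'AutoAccept (no booking delegates)' }
            @{ Name = 'AllowConflicts'; Ok = (-not $s.AllowConflicts); Want = 'False' }
            @{ Name = 'BookingWindowInDays'; Ok = ($s.BookingWindowInDays -le $MaxBookingWindowInDays); Want = "<= $MaxBookingWindowInDays" }
            @{ Name = 'MaximumDurationInMinutes'; Ok = ($s.MaximumDurationInMinutes -le 1440); Want = '<= 1440' }
            @{ Name = 'ScheduleOnlyDuringWorkHours'; Ok = (-not $s.ScheduleOnlyDuringWorkHours); Want = 'False' }
            @{ Name = 'ConflictPercentageAllowed'; Ok = ($s.ConflictPercentageAllowed -le 20); Want = '<= 20' }
            @{ Name = 'MaximumConflictInstances'; Ok = ($s.MaximumConflictInstances -eq 0); Want = '0' }
            @{ Name = 'DeleteSubject'; Ok = (-not $s.DeleteSubject); Want = 'False, otherwise subjects are not synchronized' }
        )
        # Emit one finding per setting that is outside the recommended value.
        foreach ($r in $rules) {
            if (-not $r.Ok) {
                [pscustomobject]@{
                    Room        = [string]$s.Identity
                    Setting     = $r.Name
                    Actual      = $s.($r.Name)
                    Recommended = $r.Want
                }
            }
        }
    }
}

# Constructed sample objects standing in for Get-CalendarProcessing output.
$sample = @(
    [pscustomobject]@{ Identity = 'room-a'; AutomateProcessing = 'AutoAccept'; AllowConflicts = $false
        BookingWindowInDays = 180; MaximumDurationInMinutes = 1440; ScheduleOnlyDuringWorkHours = $false
        ConflictPercentageAllowed = 0; MaximumConflictInstances = 0; DeleteSubject = $false }
    [pscustomobject]@{ Identity = 'room-b'; AutomateProcessing = 'AutoUpdate'; AllowConflicts = $true
        BookingWindowInDays = 1080; MaximumDurationInMinutes = 2880; ScheduleOnlyDuringWorkHours = $true
        ConflictPercentageAllowed = 50; MaximumConflictInstances = 5; DeleteSubject = $true }
)
$sample | Test-RoomCalendarProcessing

# Against a tenant, after Connect-ExchangeOnline:
# Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited | Get-CalendarProcessing | Test-RoomCalendarProcessing
```

The compliant sample room produces no output; the second room produces one row per deviating setting.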

3.3 Room Lists

Room lists are used for grouping room mailboxes into logical groups. They are not the same as distribution lists, shared mailboxes or security groups. Room lists can only be managed via Exchange PowerShell and have no use other than grouping rooms in the Room Finder widget in Outlook.

...

Info

Reservation Sync Interface accesses Rooms and Room Lists via Microsoft Graph API. It may sometimes take 24-48 hours for room data created via Exchange Admin Shell to be reflected in the API, depending on the Azure cloud region / availability zone in which the data is created.

3.3.1 Creating Room List

To create a new room list, use the command below:

...

https://learn.microsoft.com/en-us/powershell/module/exchange/new-distributiongroup?view=exchange-ps

3.3.2 Adding Room Mailbox to Room List

Once you have created a room list, add room mailboxes to it using the command below:

...

```powershell
Get-DistributionGroupMember -Identity all_rooms
```

3.3.3 Removing Room Mailbox from Room List

To remove a room mailbox from a room list, use the cmdlet below:

...

The -Member parameter is the alias or email address of the room mailbox. This can also be another room list.

...

3.3.4 Listing Room Lists

To get a list of all room lists in your organization, use the command below:

...

The piped Format-Table formats the output as a table with three columns (DN, Identity, email), and the -AutoSize parameter resizes the column widths in the output to match the data.

...

3.3.5 Listing contents of a Room List

To view all the member rooms and room lists for a given room list, use the command below:

...

The -Identity parameter is the alias of the room list whose members are to be fetched.

...

3.3.6 Hiding - Unhiding a Room List

If you have created room list(s) specifically for the purpose of Reservation Sync interface, and you do not wish users to see or use these room lists in Outlook Address Book, then you can hide the room list after the initial configuration in Reservation Sync Interface is done and it is operational.

...

```powershell
Set-DistributionGroup -Identity all_rooms -HiddenFromAddressListsEnabled $True
```

4. Application Access - Azure Portal

The following steps grant the Reservation Sync Interface access to interact with Microsoft Exchange Online using Microsoft Graph API. Graph is the standard interface provided by Microsoft for programmatically managing Exchange Online and replaces the former Exchange Web Services (EWS). It uses OData REST APIs and OAuth 2.0 with Client Credentials.

Info

The following steps require administrative access to Azure AD. Ensure your Microsoft account has the necessary administrative privileges.

4.1 App Registration

You must register Spacewell Reservation Sync Interface as an App in Azure AD for API access.

...

Info

An app created in the above manner will (by default) not be visible to users in the Office 365 portal or in the My Apps section of Teams. This is a background app and is not intended for end users. There is no need to assign this app to any Users or Groups.

4.2 Generate Client Secret

The next step is to generate a client secret for API access. Go to the overview of the App in App Registrations and click on Certificates and Secrets in the left side menu.

...

You can now see the newly created secret in the list of client secrets for the App. Make a note of the Value and Expires fields. These will be needed later.

...

4.3 Grant API access

To grant access to Microsoft Graph API, go to the above registered app’s overview and select API permissions from the left side menu.

...

You can now see the applied permissions in the list of configured permissions for the app in the center panel.

...

4.3.1 User TimeZone preferences

Info

This section applies only if you are using Outlook 2013 or below.

...

Reservation Sync can optionally create meetings in the Organizer’s preferred timezone, but for that it needs to know the organizer’s timezone preference, which is part of the user’s mailbox preferences. To grant access to timezone preferences, search for MailboxSettings, expand it and grant access to MailboxSettings.Read.

...

4.3.2 Restricting access to APIs

Note

By default, granting API access with Application permissions grants access to all User calendars in the organization. Consider limiting the scope of users.

...

https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access

4.4 Grant Admin Consent

The calendar data processed by Reservation Sync using Graph API, as identified in section 4.3 above, qualifies as Personally Identifiable Information (PII), and hence processing such data requires User Consent under EU GDPR regulations. Since this is a background application, it cannot seek consent directly from the user; an administrator must therefore consent to data processing upfront on behalf of all users. This Admin Consent is facilitated and required by Microsoft Graph before the API can be used.

...

Afterwards, you can see the green tick in the status.

...
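
As an added example (not part of the original guide, Spacewell's tooling or Microsoft's), the PowerShell below shows the OAuth 2.0 client-credentials token request that the app registration enables, and a review check that lists application permissions found in the token's roles claim beyond an expected set. The function names, the allow-list and the unsigned sample token are assumptions constructed for illustration.

```powershell
# Added example. Function names, the allow-list and the sample token are constructed.
function Get-GraphAppToken {
    # OAuth 2.0 client-credentials request against the Microsoft identity platform.
    param([string] $TenantId, [string] $ClientId, [string] $ClientSecret)
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
    }
    $uri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    (Invoke-RestMethod -Method Post -Uri $uri -Body $body).access_token
}

function ConvertFrom-Base64Url([string] $Text) {
    # JWT segments are base64url without padding; restore the standard alphabet and padding.
    $b64 = $Text.Replace('-', '+').Replace('_', '/')
    $b64 += '=' * ((4 - $b64.Length % 4) % 4)
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function Get-ExcessGraphRole {
    # Returns application permissions present in the token but not on the allow-list.
    # This only inspects the claims; it does not validate the token signature.
    param([Parameter(Mandatory)] [string] $AccessToken,
          [Parameter(Mandatory)] [string[]] $AllowedRoles)
    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Expected a three-part JWT.' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    # Application permissions granted through admin consent appear in the "roles" claim.
    @($claims.roles) | Where-Object { $_ -and $_ -notin $AllowedRoles }
}

# Constructed, unsigned sample token so the check runs offline.
function ConvertTo-Base64Url([string] $Text) {
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text))
    $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$header  = ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'
$payload = ConvertTo-Base64Url (@{
    aud   = 'https://graph.microsoft.com'
    roles = @('Calendars.ReadWrite', 'MailboxSettings.Read', 'Mail.ReadWrite')
} | ConvertTo-Json -Compress)
$sampleToken = @($header, $payload, 'constructed-signature') -join '.'

# Assumed allow-list; replace it with the permissions granted in section 4.3.
$allowed = 'Calendars.ReadWrite', 'MailboxSettings.Read'
Get-ExcessGraphRole -AccessToken $sampleToken -AllowedRoles $allowed
```

Any role the check returns is a permission the app holds that the review did not expect, and is a candidate for removal in API permissions.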

4.5 Share Credentials

Upon completing the above steps, the credentials generated for the app must be shared securely with the Spacewell Technical team, who will then configure them in the Reservation Sync Interface for automated API access. The following details must be shared in the given format:

...

Info

This is just a recommended approach to securely share credentials. Alternatively, you can use any other secure information transmission channel that fits your preference and policy.

Appendix

* Hybrid means that the room mailboxes are cloud native and user mailboxes may be synchronized with an on-premise Exchange Server. Also see which scenarios Microsoft supports with regard to Hybrid setups: https://techcommunity.microsoft.com/t5/exchange-team-blog/the-end-of-the-rest-api-for-on-premises-mailboxes-preview/ba-p/3221219

...