Exchange Online Permissions Management Guide
Important Notice About ApplicationImpersonation Changes
Microsoft has announced significant changes to Exchange Online that will affect application permissions:
- From June 2024: No new ApplicationImpersonation role allocations
- Until February 2025: Existing calendar permissions remain operational
- Post-February 2025: Impersonation for new resource calendars will be unavailable
Recommended Solution
We recommend upgrading to the latest version of RealTime Service and implementing a full access model using the methods below.
Permission Types Available
Full Access
Required for the following functionality:
- Synchronize meetings from calendar
- Synchronize resource data
- Synchronize Exchange settings of resources
- Delete meetings from users' calendars
- For Resource Booking Web App: Required on organizers' mailboxes to enable basic functionality
- Enable administrators to track changes
Send As
Required for the following functionality:
- Send Resource Central Reservation and Order emails
- Send emails from the Resource Central system email account for:
  - Virtual Resource emails
  - Reminder emails
  - Visitor emails
- Handle resource booking confirmations and notifications
Note: Using these scripts requires prior knowledge of PowerShell, and it is your responsibility to understand a script before running it. Add-On Products does not take any responsibility for the consequences of improper use.
PowerShell Commands for Common Scenarios
Using Distribution Lists to Manage Permissions
Using distribution lists is recommended for managing permissions on multiple room mailboxes efficiently. The scripts below demonstrate how to set permissions for all room mailboxes in a distribution group.
Setting Full Access Permissions via Distribution List
    # Set Full Access permissions for service account on all rooms in a distribution list
    $serviceAccountPrimarySMTP = '[email protected]'
    $resourceGroupPrimarySMTP = '[email protected]'
    $permissions = 'FullAccess'

    $group = Get-DistributionGroup -Identity $resourceGroupPrimarySMTP
    if ($group) {
        Get-DistributionGroupMember -Identity $group.Id |
            Where-Object { $_.ResourceType -eq 'Room' } |
            ForEach-Object {
                $cal = $_.PrimarySmtpAddress
                $perms = Get-MailboxPermission -Identity $cal -User $serviceAccountPrimarySMTP -ErrorAction SilentlyContinue
                if ($perms.AccessRights -contains $permissions) {
                    Write-Host "User $($serviceAccountPrimarySMTP) already has the '$permissions' permission on $($_.Alias)" -ForegroundColor Green
                } else {
                    Write-Host "Setting permissions on $cal" -ForegroundColor Red
                    Add-MailboxPermission -Identity $cal -User $serviceAccountPrimarySMTP -AccessRights $permissions -AutoMapping $false
                }
            }
    }
Setting Send As Permissions via Distribution List
    # Set Send As permissions for service account on all rooms in a distribution list
    $serviceAccountPrimarySMTP = '[email protected]'
    $resourceGroupPrimarySMTP = '[email protected]'
    $permissions = 'SendAs'

    $group = Get-DistributionGroup -Identity $resourceGroupPrimarySMTP
    if ($group) {
        Get-DistributionGroupMember -Identity $group.Id |
            Where-Object { $_.ResourceType -eq 'Room' } |
            ForEach-Object {
                $cal = $_.PrimarySmtpAddress
                $perms = Get-RecipientPermission -Identity $cal -Trustee $serviceAccountPrimarySMTP -ErrorAction SilentlyContinue
                if ($perms.AccessRights -contains $permissions) {
                    Write-Host "User $($serviceAccountPrimarySMTP) already has the '$permissions' permission on $($_.Alias)" -ForegroundColor Green
                } else {
                    Write-Host "Setting permissions on $cal" -ForegroundColor Red
                    Add-RecipientPermission -Identity $cal -Trustee $serviceAccountPrimarySMTP -AccessRights $permissions -Confirm:$false
                }
            }
    }
Prerequisites
- Ensure the account has Organization Management group membership
- Check membership:

    Get-RoleGroup "Organization Management" | Select-Object Members

- Add if needed:

    Add-RoleGroupMember "Organization Management" -Member "username"
Important Considerations
- Disable auto-mapping for better performance in large environments
- Hidden mailboxes require special handling
- Using distribution lists for permission management provides better scalability and maintenance; the scripts can be run again whenever a room is added to the list.
- Scripts include error handling and status reporting
- The required service account and groups can be located within RealTime Manager as described in the section below.
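Because Full Access and Send As are broad rights, it is worth checking periodically that the service account holds them only where intended. The following audit is an added example, not part of the vendor's scripts: it compares the account's actual grants with the room members of the distribution list. The two addresses are placeholders, and a grant outside the group is flagged for review rather than treated as wrong, since Full Access on organizers' mailboxes is required for the Resource Booking Web App.

```powershell
# Added example (not vendor code). Both addresses are placeholders.
$serviceAccountPrimarySMTP = 'service-account@example.com'
$resourceGroupPrimarySMTP  = 'room-group@example.com'

# Rooms that are supposed to carry the grants: room members of the distribution list.
$expected = @(Get-DistributionGroupMember -Identity $resourceGroupPrimarySMTP -ResultSize Unlimited |
    Where-Object { $_.ResourceType -eq 'Room' } |
    ForEach-Object { "$($_.PrimarySmtpAddress)".ToLower() })

# Two lookups per mailbox: slow in large tenants, so run this as a scheduled review.
$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $smtp = "$($mbx.PrimarySmtpAddress)".ToLower()

    # Count allow entries only; a deny entry is not a grant.
    $full = Get-MailboxPermission -Identity $smtp -User $serviceAccountPrimarySMTP -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Deny -and $_.AccessRights -contains 'FullAccess' }
    $send = Get-RecipientPermission -Identity $smtp -Trustee $serviceAccountPrimarySMTP -ErrorAction SilentlyContinue |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRights -contains 'SendAs' }

    $inGroup = $expected -contains $smtp
    $hasFull = [bool]$full
    $hasSend = [bool]$send

    # Skip mailboxes that are neither in the group nor granted anything.
    if (-not ($inGroup -or $hasFull -or $hasSend)) { continue }

    $finding = if (-not $inGroup) {
        'Grant outside resource group: confirm it is intended'
    } elseif (-not ($hasFull -and $hasSend)) {
        'Room in group is missing a permission'
    } else { 'OK' }

    [pscustomobject]@{
        Mailbox    = $smtp
        InGroup    = $inGroup
        FullAccess = $hasFull
        SendAs     = $hasSend
        Finding    = $finding
    }
}

$report | Sort-Object Finding, Mailbox | Format-Table -AutoSize
```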
Retrieving information from RealTime Manager
You can find information about the service account and the assigned resource group from within RealTime Manager.
Service Account
Assigned Group
Official Documentation
For the most up-to-date and complete information, always refer to the official Microsoft documentation.
This guide provides common scenarios and examples but should be used in conjunction with Microsoft's official documentation, which contains the most current information and best practices.