O365 Resource Central requirements

Modified on Wed, 17 Jun at 12:15 PM

1. Application server system requirements

System requirements for Resource Central 4.4 - Add-On Products

Diagram:

2. Pre-installation steps

The configuration detailed in this section must be carried out before Resource Central SAAS can be installed.

SQL server

The SQL server must allow SQL authentication, and we need a login during installation that allows us to create the 2 databases. Once databases are created DB_Owner rights suffice.

Further requirements:

“Full-Text and Semantic Extraction for Search” feature must be installed.
Check with the following query:

SELECT FULLTEXTSERVICEPROPERTY('IsFullTextInstalled')

Application server

We have the following requirements for the Windows Web server.

English language.
.NET 4.8
.NET 8 Web bundle (download here)
IIS and asp.net – see detailed list in box below:

"NetFx4Extended-ASPNET45","IIS-WebServerRole","IIS-WebServer","IIS-CommonHttpFeatures","IIS-HttpErrors","IIS-HttpRedirect","IIS-ApplicationDevelopment","IIS-NetFxExtensibility45","IIS-HealthAndDiagnostics","IIS-HttpLogging","IIS-LoggingLibraries","IIS-RequestMonitor","IIS-Security","IIS-RequestFiltering","IIS-Performance","IIS-WebServerManagementTools","IIS-ManagementConsole","IIS-StaticContent","IIS-DefaultDocument","IIS-ISAPIExtensions","IIS-ISAPIFilter","IIS-HttpCompressionStatic","IIS-HttpCompressionDynamic","IIS-ASPNET45","IIS-ApplicationInit"

Furthermore, these are strong recommendations:

Assign a DNS A record (or a cname).
We recommend using an SSL certificate for the website.
Exclude services and folders as exemplified with Defender exclusions in box below:

Add-MpPreference -ExclusionProcess "C:\Program Files (x86)\Add-On Products\RealTime Service 6\RealTimeService.exe"
Add-MpPreference -ExclusionPath "%programdata%\Add-On Products"
Add-MpPreference -ExclusionProcess "C:\Program Files (x86)\Add-On Products\RC Synchronize Service\RCSynchronize.exe"
Add-MpPreference -ExclusionProcess "C:\Program Files (x86)\Add-On Products\RC Permission Service\RCSettingPermissionServices.exe"
Add-MpPreference -ExclusionProcess "C:\Program Files (x86)\Add-On Products\RCMaintenanceService\RCMaintenanceService.exe"
Add-MpPreference -ExclusionProcess "C:\Program Files (x86)\Add-On Products\RC Tracking Service\RCTrackingService.exe"
Add-MpPreference -ExclusionPath "C:\inetpub\wwwroot\ResourceCentral"

Microsoft Graph access for OfficePlace Connect

Resource Central uses OfficePlace Connect as connector to provide needed data sync from your Office 365 tenant via Microsoft Graph. To establish this connection you will need to create an Entra ID Application. There are two fundamentally different permission methods that can be selected, where we either connect on behalf of a service account or by utilizing application permissions.

Application permissions with Role Based Access Control (RBAC) is the method recommended by Microsoft, and it provides granular control and requires the least management effort.

Application access

With application access the permissions are granted to the Entra ID application, which by default provides access to the entire organization. In this scenario you can follow these guides.

Manual method: Entra ID Application setup for Application permission type
Powershell method: Entra ID Application setup for Application permission type using Powershell

It is possible to use RBAC in Exchange Online to limit the access for an Entra ID app that relies on application permissions. In this scenario you must prepare an Exchange security group with your resources, and similarly create an Exchange security group with your users that must be managed by Resource Central with features like Booking Manager. This can only be achieved with Powershell as described here: Entra ID Application setup for Application permission type using Powershell & RBAC

The outcome of the above regardless of method will be these values.

Tenant ID
Application ID
Secret Key

Delegated access

With delegated access it is important that the service account has the required permission to work as mentioned in the section above. We have two guides that provide guidance on how to configure this method in your Entra ID:

Manual method: Entra ID Application setup for Delegated permission type
Powershell method: Entra ID Application setup for Delegated permission type using Powershell

With this method the service account discussed next will require the following permissions:

See more details here: Required permissions for Service Account with delegated access

Full Access & Send As to resource mailboxes
Calendar Editor rights to user mailboxes (Optional depending on the usage scenarios)

O365 service account

We need a service account in O365 with the following:

It must have a mailbox.
Cannot be hidden in GAL.
Must be member of “View-Only Organization Management” Exchange role.

You can apply MFA in accordance with your existing policies

Resource mailboxes

Resource mailboxes must be created for rooms and equipment that should be part of Resource Central, and we recommend that the following is prepared.

Add all rooms intended for Resource Central to a security group (or distribution list) for management purposes.
Ensure that resource scheduling is correctly set up.
We recommend that you take steps to preserve the subject of meetings. Below sample script does this for all resources in your organization.
Get-MailBox -Filter {(ResourceType -eq "Room") -or (ResourceType -eq "Equipment")} | Set-CalendarProcessing -AutomateProcessing AutoAccept -AddOrganizerToSubject $False -DeleteSubject $False
Use policies in Exchange to control who can book or request a room.
https://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/set-calendarprocessing?view=exchange-ps

Firewall requirements.

The Exchange connection method we use requires that traffic from Exchange EWS (in this case Exchange online) which is TCP port 10002 is allowed inbound through the firewall and subsequently NAT redirected to the server where Resource Central is running. Microsoft has a web service that can deliver updated information about the IP pool they use.

https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges?redirectSourcePath=%252farticle%252fOffice-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2

A complete list of all the communication ports we use with our Exchange connection tool (Realtime Service) can be found here (focus should be on push notification on port 10002 since the other inbound are used locally on the server):

Inbound and outbound RealTime Service (RTS) ports and needed IP addresses : Add-On Products

3. Post-installation steps

The points below cannot be implemented until the Resource Central environment is running.

Office add-in deployment

We always recommend implementing FQDN for the Resource Central web site to get a nice name for the users that will connect to the backend, but also to allow for easy replacement in case a server dies.

In this case where the Office add-in is a topic, the following is required for the Resource Central web site:

Must have a DNS A record (or a cname).
The site must have a valid public SSL certificate.
The site must be accessible to the public. (Implementation of the Office add-in involves importing a manifest that points back the Resource Central website, and O365 must be able to make the connection and requires a valid SSL certificate.

Here is some additional information surrounding the Office add-in from our knowledgebase.

Entra ID app guide: How to configure Entra ID Application for the New Outlook Add-in : Add-On Products

Installation guide: Client Apps Installation Guide (New Outlook Add-in) : Add-On Products

User guide: Outlook Add-In User Guide : Add-On Products

What’s new: What’s new in New Outlook Add-in RTM : Add-On Products