Summary
During the configuration of OfficePlace, we need to create an application registration with rights to read Entra ID objects and read/write calendar entries and send emails in your O365 tenant.
The sections below explains the process of setting up the app with Powershell, and it is important that the script snippets are used in the same powershell session to ensure that variables and variable values are carried over from one section to the next.
Note: Making use of this script requires prior knowledge about Powershell, and it is your responsibility to understand the script before using it. Add-On Products do not take any responsibility for the consequences of improper use.
Prepare powershell environment.
This guide explains the process of setting up the Entra ID application and associated RBAC in Exchange Online using Powershell, and hence it is important that certain modules are available on your machine.
In order to complete this task you will need the following components:
- Powershell 7
- ExchangeOnlineManagement module
- Microsoft.graph module
Complete script is attached as zip.
Below scriptblock checks for installed modules and installs them if they are not present on your machine.
#Install required modules if missing
if(-not (Get-InstalledModule Microsoft.Graph.Authentication)){
Install-Module Microsoft.Graph.Authentication -Scope CurrentUser -Force
}
if(-not (Get-InstalledModule Microsoft.Graph.Applications)){
Install-Module Microsoft.Graph.Applications -Scope CurrentUser -Force
}
if(-not (Get-InstalledModule Microsoft.Graph.Identity.DirectoryManagement)){
Install-Module Microsoft.Graph.Identity.DirectoryManagement -Scope CurrentUser -Force
}
if(-not (Get-InstalledModule Microsoft.Graph.Identity.signins)){
Install-Module Microsoft.Graph.Identity.signins -Scope CurrentUser -Force
}
#Import Module
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Identity.signinsDefine script variables
Before creating the Entra ID app you must define a set of variables.
- AppName - Define the name of the Entra ID app
- SecretDuration - Set expiration timeline of the Entra ID secret in months
- ExchangeResourceGroupName - Name of the Exchange group containing the resources to be used
- ExchangeOrganizerGMGroupName - Name of the Exchange group containing organizers to be accessed from Booking Manager.
- ServiceAccountUPN - UPN of service account
$AppName = "OfficePlace app access" $SecretDuration = 120 $ExchangeResourceGroupName = "Resources" $ExchangeOrganizerBMGroupName = "BMGroup" $ServiceAccountUPN = "[email protected]"
Create Entra ID application
Now it is time to create the Entra ID application according to the variables above.
The script below will create the application, but will exit in case an application with the same name already exists and leave it to you to manually delete that existing application or choose a different name for this new application.
The values of the application will be stored in a text file in Downloads folder and notepad will open presenting the values.
###############################################################################
#Connect to your tenant with Graph and required scopes
###############################################################################
Connect-MgGraph -Scopes "Application.ReadWrite.All","User.Read.All","Domain.Read.All", "DelegatedPermissionGrant.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"
Get-MgContext
Write-Host "Tenant Name: " (Get-MgDomain | Where-object {$_.IsInitial -eq $true}).id
###############################################################################
#Create AAD Application
###############################################################################
$ExistingApp = Get-MgApplication -Filter "startswith(displayName,'$AppName')"
If ($ExistingApp){
Write-Warning -Message "Applicaiton already exist - Exiting script"
Write-Warning -Message "Please delete application $($ExistingApp.AppId) before you proceed with this script"
break
}Else{
$App = New-MgApplication -DisplayName $AppName
}
$APPObjectID = $App.Id
###############################################################################
#Add Current user as Owner
###############################################################################
$User = get-mguser -UserId (Get-MgContext).Account
$ObjectId = $User.ID
$NewOwner = @{
"@odata.id"= "https://graph.microsoft.com/v1.0/directoryObjects/{$ObjectId}"
}
New-MgApplicationOwnerByRef -ApplicationId $APPObjectID -BodyParameter $NewOwner
###############################################################################
#Add a ClientSecret
###############################################################################
$passwordCred = @{
"displayName" = "ClientSecret"
"endDateTime" = (Get-Date).AddMonths(+$SecretDuration)
}
$ClientSecret = Add-MgApplicationPassword -ApplicationId $APPObjectID -PasswordCredential $passwordCred
###############################################################################
#Redirect URI
#If you need to add Redirect URI's.
###############################################################################
#Redirect URI
$RedirectURI = @()
$RedirectURI += "https://admin.officeplace.global/"
$params = @{
RedirectUris = @($RedirectURI)
}
$Web = @{
implicitGrantSettings = @{
enableIdTokenIssuance = $true
enableAccessTokenIssuance = $true
}
}
Update-MgApplication -ApplicationId $APPObjectID -Spa $params -Web $Web
###############################################################################
#Add Api Permissions
###############################################################################
$requiredGrants = New-Object -TypeName System.Collections.Generic.List[Microsoft.Graph.PowerShell.Models.MicrosoftGraphRequiredResourceAccess]
$requiredResourceAccess = New-Object -TypeName Microsoft.Graph.PowerShell.Models.MicrosoftGraphRequiredResourceAccess
$requiredResourceAccess.ResourceAppId = "00000003-0000-0000-c000-000000000000"
$requiredResourceAccess.ResourceAccess+=@{ Id = "98830695-27a2-44f7-8c18-0c3ebc9698f6"; Type = "Role" } #GroupMember.Read.All - Application
$requiredResourceAccess.ResourceAccess+=@{ Id = "df021288-bdef-4463-88db-98f22de89214"; Type = "Role" } #User.Read.All - Application
$requiredGrants.Add($requiredResourceAccess)
$requiredResourceAccess = New-Object -TypeName Microsoft.Graph.PowerShell.Models.MicrosoftGraphRequiredResourceAccess
$requiredResourceAccess.ResourceAppId = "00000002-0000-0ff1-ce00-000000000000"
$requiredResourceAccess.ResourceAccess+=@{ Id = "ab4f2b77-0b06-4fc1-a9de-02113fc2ab7c"; Type = "Scope" } #Exchange.Manage - Delegated
$requiredGrants.Add($requiredResourceAccess)
Update-MgApplication -ApplicationId $APPObjectID -RequiredResourceAccess $requiredGrants
###############################################################################
#Create Service Principal if it does not exist.
###############################################################################
$Principal = Get-MgServicePrincipal -Filter "appId eq '$($App.appId)'"
if (-not $Principal) {
Write-Host "Creating client app's service principal"
$Principal = New-MgServicePrincipal -AppId $App.appId -Description $App.DisplayName
}
Write-Host "Client: '$($Principal.displayName)' (appId: $($Principal.appId))"
###############################################################################
#Grant Admin Consent
###############################################################################
$Resource = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Graph'"
# Grant consent to the application permission
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $Principal.Id -PrincipalId $Principal.Id -ResourceId $Resource.id -AppRoleId "98830695-27a2-44f7-8c18-0c3ebc9698f6"
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $Principal.Id -PrincipalId $Principal.Id -ResourceId $Resource.id -AppRoleId "df021288-bdef-4463-88db-98f22de89214"
#Grant specific user consent for delegated Exchange permission Exchange.Manage
$Resource = Get-MgServicePrincipal -Filter "displayName eq 'Office 365 Exchange Online'"
$ServiceAccountUser = Get-MgUser -UserId $ServiceAccountUPN
$params = @{
"ClientId" = $Principal.Id
"ConsentType" = "Principal"
"ResourceId" = $Resource.id
"Scope" = "Exchange.Manage"
"PrincipalId" = $ServiceAccountUser.Id
}
New-MgOauth2PermissionGrant -BodyParameter $params | Format-List Id, ClientId, ConsentType, ResourceId, Scope
###############################################################################
#App details to be used
###############################################################################
$ResultFile = "" + (New-Object -ComObject Shell.Application).Namespace('shell:Downloads').Self.Path + "\" + $AppName + ".txt"
$resultset=@"
Tenant ID: $((Get-MgOrganization).Id)
Tenant Name: $((Get-MgDomain | Where-object {$_.IsInitial -eq $true}).id)
App principal ID: $($app.AppID)
App Secret: $($clientSecret.SecretText)
"@
$resultset | out-file -FilePath $ResultFile
Invoke-Item $ResultFileCreate RBAC setup in Exchange Online
Next step is to dynamically assign the two required application permission roles and target them to the Exchange Online groups defined in the variables above, and it is important that the names are correct for the commands to work.
This method relies on a service principal in Exchange Online associated with the newly created Entra ID application above, and the script below uses variables from above and must hence be executed in the same process for the variables to still be loaded into memory.
# Configure RBAC permissions for Exchange access Connect-ExchangeOnline $RBACPrincipal = New-ServicePrincipal -AppId $Principal.AppId -ServiceId $Principal.Id -DisplayName "EXO Serviceprincipal $($Principal.Displayname)" New-ManagementRoleAssignment -Name "Resource Central Poc Resource CalendarAccess" -App $RBACPrincipal.AppId -Role "Application Calendars.ReadWrite" -RecipientGroupScope $ExchangeResourceGroupName New-ManagementRoleAssignment -Name "Resource Central Poc Resource Mail" -App $RBACPrincipal.AppId -Role "Application Mail.Send" -RecipientGroupScope $ExchangeResourceGroupName New-ManagementRoleAssignment -Name "Resource Central BM CalendarAccess" -App $RBACPrincipal.AppId -Role "Application Calendars.ReadWrite" -RecipientGroupScope $ExchangeOrganizerBMGroupName
Implement application settings in OfficePlace
Once the app described above has been created, you must collect this information for configuration in OfficePlace.
The powershell script above has created a text file in your download folder with the same name you gave the Entra ID application, and within you can find the details matching the configuration dialog in OfficePlace as seen in the screenshot below.
Properties
Applies to: OfficePlace
Knowledge base ID: 0338
Last updated: Jan 09 2025
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article