Azure Application Configuration for Group Calendar (Application) using Exchange RBAC

Modified on Wed, 8 Apr at 8:25 AM

Overview

This article provides step-by-step instructions on how to configure the Application section (with the Application permission type) for the Group Calendar product on OfficePlace to facilitate search and sync operations with Azure AD/Exchange Online, while leveraging Exchange Role-Based Access Control (RBAC) to ensure appropriate access to groups. The Application section can be found within your Organization under Organization Management.

Step-by-step instructions

Step 1: Register app in Azure AD

  1. Navigate to Azure portal → Manage Microsoft Entra ID → App registrations and click [New registration].
  2. Enter the application Name and select ‘Single tenant only - …’ in the Supported account types section.
  3. Click the [Register] button at the bottom of the screen. Your app will then be created in your Azure tenant.

Step 2: Retrieve details from app  

Note: In this app, you need to retrieve the values of Tenant ID, App principal ID, and App Secret. Remember to copy them elsewhere for later use.

In this step, click the Overview tab of your application to retrieve the necessary details. You can also find Overview by accessing Azure portal → Manage Microsoft Entra ID → App registrations. Click [All applications], then search for and select your app → select the Overview tab.

In this screen, you can see a list of Essentials, in which you can get:

  • Tenant ID: retrieved from Directory (Tenant) ID section.
  • App principal ID: retrieved from Application (Client) ID section.

Next, click [Certificates & secrets] → [Client Secret].

Choose [New client secret]. A screen will appear as below:

Enter a Description, select an Expires time, then click the [Add] button. The Value and Secret ID columns will be filled in:

Here, you can get:

  • App Secret: retrieved from Secret’s Value.

Note

1. Remember to copy the client secret value from the Azure app immediately after adding a client secret because it will be hidden the next time you open the app’s Certificates & secrets page.

2. When the secret is about to expire, remember to create a new secret and use its Value to replace the expiring one.

Step 3: Configure Authentication tokens in Azure AD

Next, click on the [Authentication (Preview)] section, as in the figure below, then click [Add Redirect URI]. A Select a platform panel will appear on the right:

Select [Single-page application], and the following screen will appear. You are required to complete Redirect URIs and Implicit grant and hybrid flows fields.

  • Redirect URIs: Enter the URL of OfficePlace, for which you are configuring the application. (https://admin.officeplace.global/)

  • In the Implicit grant and hybrid flows field, check both [Access tokens] and [ID tokens].

Click [Configure] to switch to the next step.

Step 4: Configure API permissions in Azure AD

On your Azure app, go to API permissions then click [Add a permission]: 

After that, the Request API permissions screen will appear, in which you select Microsoft APIs → Microsoft Graph → Application permissions:

Search and add the following permissions:

  • User.Read.All
  • GroupMember.Read.All

Once you are done, click [Grant admin consent for …] to apply the added permissions. The result should look similar to the following:

Step 5: Configure permissions via PowerShell

In Application mode, the Calendars.Read application permission must be granted to allow the application to access calendar data. This permission alone provides tenant-wide access. To enforce least-privilege access and restrict the application to specific mailboxes, additional configuration using Exchange Online RBAC is required.

Follow the steps below to assign the desired permission to your management scope. Make sure to replace the placeholders (highlighted in examples) with your actual values before running the commands.

Step 5a: Open PowerShell ISE as an Administrator and run the command below to log in with a user account that has Exchange admin rights:

Connect-ExchangeOnline -UserPrincipalName UPN

Step 5b: Create a new Service Principal to identify this application in Exchange. 

New-ServicePrincipal -AppId App-Id -ObjectId Object-Id -DisplayName "ApplicationName"

You can retrieve the necessary details by navigating to the Entra ID application you created above in Enterprise Applications. In the application overview, copy the app properties and replace the corresponding placeholders in the command.

Step 5c: Create Role Assignments:

Next, you need to assign the Calendars.Read permission to your application, targeting recipients based on their membership in a specific Exchange group. This limits the assignment so that it applies only to members of that group.

New-ManagementRoleAssignment -App App-Id -Role "Application Calendars.Read" -RecipientGroupScope "GroupName"

Note: Only direct members of the group will fall under the scope of a management role assignment. Nested group members are not supported.

Step 5d: Check role assignments

This step verifies the authorization status of your service principal (application) in Microsoft Exchange Online.

Run the following command:

Test-ServicePrincipalAuthorization -Identity "ApplicationName" | Format-Table

The output is formatted as a table, making it easier to review and understand which roles and permissions have been assigned to your application.
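
Added example (not part of the original article or of OfficePlace's own tooling): a PowerShell check that exercises the scope created in Step 5c by testing one direct group member and one non-member with the -Resource parameter, and that flags nested groups, which the note in Step 5c says are not covered. The mailbox addresses are constructed placeholders, the scope group is assumed to be a distribution group or mail-enabled security group, and the RoleName and InScope property names are assumed to match the columns the cmdlet prints.

```powershell
# Added example: verify that the Exchange RBAC scope from Step 5c is effective.
# Run in the session opened in Step 5a. All values are placeholders (assumptions).
$AppName    = 'ApplicationName'           # DisplayName used in Step 5b
$ScopeGroup = 'GroupName'                 # group passed to -RecipientGroupScope
$InScopeMbx = 'member@contoso.example'    # constructed: a direct member of the group
$OutOfScope = 'outsider@contoso.example'  # constructed: a mailbox outside the group

function Test-AppCalendarScope {
    param([string]$App, [string]$Mailbox)
    # -Resource evaluates the role assignments against one mailbox and fills InScope.
    $rows = Test-ServicePrincipalAuthorization -Identity $App -Resource $Mailbox |
        Where-Object { $_.RoleName -eq 'Application Calendars.Read' }
    # True only if at least one Calendars.Read assignment covers this mailbox.
    return [bool]($rows | Where-Object { "$($_.InScope)" -eq 'True' })
}

# 1. Nested groups are not expanded, so list them: their members are out of scope.
$nested = Get-DistributionGroupMember -Identity $ScopeGroup -ResultSize Unlimited |
    Where-Object { $_.RecipientType -like '*Group*' }
foreach ($g in $nested) {
    Write-Warning "Nested group '$($g.DisplayName)' in '$ScopeGroup': its members are not in scope."
}

# 2. A direct member must be in scope; a non-member must not be.
$results = [pscustomobject]@{
    InScopeMailboxAllowed    = Test-AppCalendarScope -App $AppName -Mailbox $InScopeMbx
    OutOfScopeMailboxAllowed = Test-AppCalendarScope -App $AppName -Mailbox $OutOfScope
}
$results | Format-List

if (-not $results.InScopeMailboxAllowed) {
    Write-Error "Scope too narrow: $InScopeMbx is not covered by the role assignment."
}
if ($results.OutOfScopeMailboxAllowed) {
    Write-Error "Scope too wide: $OutOfScope is covered; review the assignments for $AppName."
}
```

This evaluates Exchange RBAC assignments only. A Calendars.Read application permission consented directly on the app in Entra ID is not reflected in the result and would still apply tenant-wide.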

 

Properties

Applies to: OfficePlace and Group Calendar

Reference: TFS #461721

Knowledge base ID: 0353

Last updated: Apr 08, 2026
