CAUTION: this is an advanced setup and is not supported by UC Workspace. Setting up Graph API using your own app registration requires a solid understanding of Azure Active Directory and Azure App Registration. UC Workspace can help with your Azure setup through our paid configuration services.
Available in Quicklaunch 4.0.680.0
Quicklaunch requires access to the enterprise's calendars and profiles. If you want to limit Quicklaunch access to a specific group of conference room accounts, you can use an Exchange Application Access Policy.
This policy applies to all your Quicklaunch conference room accounts for your tenant. This means that each conference room account will be able to see the other conference room calendars, but no other calendars in your enterprise. At this time, Microsoft does not have a method to restrict an application to only a single account.
Note: using these policies requires advanced skills in Azure, policies and PowerShell. If you are not fluent in these areas, we offer configuration services to help you set up your environment.
If you choose to limit Quicklaunch's access, some Quicklaunch features will not work:
- Extend meeting by impersonation. Since Quicklaunch will be denied access to the Organizer's calendar, choosing to extend meeting using impersonation will not work. However, Quicklaunch can still extend a meeting by booking a timeslot in the meeting room's calendar.
- Add participant. Since Quicklaunch does not have access to the meeting organizer's calendar, a participant cannot be added. However, Quicklaunch will still be able to forward the meeting invite to the new participant.
- Get organizer image. This is a defect in the Microsoft Graph API and we expect it to be corrected in a future release of the Graph API.
Prerequisites
- You must have Quicklaunch set up to use Graph API - see https://quicklaunch.ucworkspace.com/en/support/solutions/articles/3000098890-migrating-from-exchange-web-service-ews-to-graph-api
- You must have access to an Azure admin account
Limiting Access to Quicklaunch by using an Exchange Application Access Policy
See the following Microsoft articles to implement an Exchange Application Access policy to limit access to a specific group of accounts.
- Scoping applications permissions: https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-access
- Install and connect to Exchange Online PowerShell: https://docs.microsoft.com/en-us/powershell/exchange/exchange-online-powershell-v2?view=exchange-ps
- Create a "mail enabled security group" that will include ALL your conference room accounts. https://docs.microsoft.com/en-us/exchange/recipients-in-exchange-online/manage-mail-enabled-security-groups
Summary of Commands
The following commands are provided solely as a convenience and may not reflect the latest information from Microsoft. Always refer to the Microsoft articles above when setting up the Exchange Application Access policy.
Install and connect to Exchange Online with an Azure admin account
- Start PowerShell as admin
Connect-ExchangeOnline -UserPrincipalName firstname.lastname@example.org
Create mail enabled security group and add conference rooms
In the PowerShell window from above:
New-DistributionGroup -Name "Conference Rooms" -Alias conf_rooms -Type security
Add-DistributionGroupMember -Identity "Conference Rooms" -Member "email@example.com"
Create application access policy
In the PowerShell window from above:
- Get Quicklaunch Application ID from Azure portal -> Enterprise Applications -> Quicklaunch -> Properties
New-ApplicationAccessPolicy -AppId xxxxxxxx-xxxx-xxxx-xxxxxxxx -PolicyScopeGroupId firstname.lastname@example.org -AccessRight RestrictAccess -Description "Restrict Quicklaunch only to conference room accounts"
Testing the application access policy
Test-ApplicationAccessPolicy -Identity email@example.com -AppId xxxxxxxx-xxxx-xxxx-xxxxxxxx
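The single test above checks one mailbox. The following added example (not part of the original article or of Quicklaunch) checks every member of the scope group and also confirms that a mailbox outside the group is denied. The function name Test-QuicklaunchScope and the angle-bracket values are assumptions; replace them with your own values and run the script in the same connected PowerShell window.

```powershell
# Added example: verify a RestrictAccess policy from an existing
# Connect-ExchangeOnline session. Angle-bracket values are placeholders.
$AppId          = '<Quicklaunch-application-id>'  # from Azure portal, as described above
$ScopeGroup     = 'Conference Rooms'              # group created above
$ControlMailbox = '<mailbox-outside-the-group>'   # any user mailbox NOT in the group

# Hypothetical helper: compares the expected and actual access result per mailbox.
function Test-QuicklaunchScope {
    param(
        [Parameter(Mandatory)] [string]   $AppId,
        [Parameter(Mandatory)] [string[]] $InScope,
        [Parameter(Mandatory)] [string[]] $OutOfScope
    )
    $expected = @{}
    foreach ($m in $InScope)    { $expected[$m] = 'Granted' }
    foreach ($m in $OutOfScope) { $expected[$m] = 'Denied' }

    foreach ($mailbox in $expected.Keys) {
        $r = Test-ApplicationAccessPolicy -Identity $mailbox -AppId $AppId
        $actual = [string]$r.AccessCheckResult
        [pscustomobject]@{
            Mailbox  = $mailbox
            Expected = $expected[$mailbox]
            Actual   = $actual
            Pass     = ($actual -eq $expected[$mailbox])
        }
    }
}

# Every conference room in the scope group should be Granted.
$rooms = @(Get-DistributionGroupMember -Identity $ScopeGroup -ResultSize Unlimited |
    ForEach-Object { [string]$_.PrimarySmtpAddress })
if ($rooms.Count -eq 0) { throw "Group '$ScopeGroup' has no members; nothing is in scope." }

$results = Test-QuicklaunchScope -AppId $AppId -InScope $rooms -OutOfScope $ControlMailbox
$results | Format-Table -AutoSize

# A Granted result on the control mailbox means the restriction is not in effect.
$failed = @($results | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) mailbox(es) did not match the expected result."
}
```

Changes to an application access policy can take some time to reach Graph API calls even when Test-ApplicationAccessPolicy already reports the expected result, so repeat the check from Quicklaunch itself before relying on the restriction.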
List and remove application access policies
- In the PowerShell window from above:
Get-ApplicationAccessPolicy | Format-List Identity,Description,ScopeName,AccessRight,AppID
Remove-ApplicationAccessPolicy -identity "xxxxxxx"