CAUTION: this is an advanced setup and is not supported by UC Workspace.  Setting up Graph API using your own app registration requires a solid understanding of Azure Active Directory and Azure App Registration.  UC Workspace can help with your Azure setup through our paid configuration services.

Available in Quicklaunch 4.0.680.0


Quicklaunch requires access to the enterprise's calendars and profiles.  If you want to limit Quicklaunch access to a specific group of conference room accounts, you can use an Exchange Application Access Policy.


This policy applies to all your Quicklaunch conference room accounts for your tenant.  This means that each conference room account will be able to see the other conference room calendars, but no other calendars in your enterprise. At this time, Microsoft does not have a method to restrict an application to only a single account.


Note: using these policies requires advanced skills in Azure, policies and PowerShell. If you are not fluent in these areas, we offer configuration services to help you set up your environment.


Restrictions

If you choose to limit Quicklaunch's access, some features in Quicklaunch will not work:

  • Extend meeting by impersonation.  Since Quicklaunch will be denied access to the Organizer's calendar, choosing to extend meeting using impersonation will not work.  However, Quicklaunch can still extend a meeting by booking a timeslot in the meeting room's calendar.
  • Add participant. Since Quicklaunch does not have access to the meeting organizer's calendar, a participant cannot be added.  However, Quicklaunch will still be able to forward the meeting invite to the new participant.
  • Get organizer image.  This is a defect in the Microsoft Graph API and we expect it to be corrected in a future release of the Graph API.



Prerequisites




Limiting Access to Quicklaunch by using an Exchange Application Access Policy


See the following Microsoft articles to implement an Exchange Application Access policy to limit access to a specific group of accounts.


  1. Scoping applications permissions: https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-access
  2. Install and connect to Exchange Online PowerShell: https://docs.microsoft.com/en-us/powershell/exchange/exchange-online-powershell-v2?view=exchange-ps
  3. Create a "mail enabled security group" that will include ALL your conference room accounts.  https://docs.microsoft.com/en-us/exchange/recipients-in-exchange-online/manage-mail-enabled-security-groups 




Summary of Commands

The following commands are provided solely as a convenience and may not reflect the latest information from Microsoft. Always refer to the Microsoft articles above when setting up the Exchange Application Access policy.


Install and connect to Exchange Online with an Azure admin account

  1. Start PowerShell as admin
  2. Import-Module ExchangeOnlineManagement
  3. Connect-ExchangeOnline -UserPrincipalName exchangeadmin@ucworkspace.com


Create mail enabled security group and add conference rooms


In the PowerShell window from above:

  1. New-DistributionGroup -Name "Conference Rooms" -Alias conf_rooms -Type security
  2. Add-DistributionGroupMember -Identity "Conference Rooms" -Member "roomaccount@onmicrosoft.com"


Create application access policy

In the PowerShell window from above:

  1. Get Quicklaunch Application ID from Azure portal -> Enterprise Applications -> Quicklaunch -> Properties
  2. New-ApplicationAccessPolicy -AppId xxxxxxxx-xxxx-xxxx-xxxxxxxx -PolicyScopeGroupId conf_rooms@onmicrosoft.com -AccessRight RestrictAccess -Description "Restrict Quicklaunch only to conference room accounts"
    
    

Testing the application access policy

Test-ApplicationAccessPolicy -Identity user1@contoso.com -AppId xxxxxxxx-xxxx-xxxx-xxxxxxxx
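
To confirm the scope in both directions, the same test can be run for every member of the group (expected: Granted) and for a few mailboxes outside it (expected: Denied). This is an added example, not a script from UC Workspace or Microsoft; the function name Test-QuicklaunchScope, the control mailbox and the application ID placeholder are assumptions, and it expects the Exchange Online session from above to be connected.

```powershell
# Added example: verify the scope of the application access policy.
# Assumes Connect-ExchangeOnline has already succeeded in this session.
$AppId    = '<Quicklaunch-application-id>'   # placeholder: copy from the Azure portal
$Group    = 'Conference Rooms'               # group created in the steps above
$Controls = @('user1@contoso.com')           # hypothetical mailboxes that are NOT rooms

function Test-QuicklaunchScope {
    param(
        [Parameter(Mandatory)][string]   $AppId,
        [Parameter(Mandatory)][string]   $Group,
        [Parameter(Mandatory)][string[]] $Controls
    )
    $rooms = @(Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited |
               ForEach-Object { [string]$_.PrimarySmtpAddress })

    # With RestrictAccess, an empty group means the app is denied everywhere.
    if ($rooms.Count -eq 0) { throw "Group '$Group' has no members." }

    # A control mailbox that is also in the group would make the Denied check meaningless.
    $overlap = $Controls | Where-Object { $rooms -contains $_ }
    if ($overlap) { throw "Control mailbox is a member of '$Group': $($overlap -join ', ')" }

    $cases  = @($rooms    | ForEach-Object { [pscustomobject]@{ Mailbox = $_; Expected = 'Granted' } })
    $cases += @($Controls | ForEach-Object { [pscustomobject]@{ Mailbox = $_; Expected = 'Denied'  } })

    foreach ($case in $cases) {
        $result = Test-ApplicationAccessPolicy -Identity $case.Mailbox -AppId $AppId
        $actual = [string]$result.AccessCheckResult
        [pscustomobject]@{
            Mailbox  = $case.Mailbox
            Expected = $case.Expected
            Actual   = $actual
            Pass     = ($actual -eq $case.Expected)
        }
    }
}

$report = Test-QuicklaunchScope -AppId $AppId -Group $Group -Controls $Controls
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Pass }) {
    Write-Error 'Policy scope does not match expectations; review group membership and the policy.'
}
```

Microsoft's scoping article linked above notes that policy changes can take longer than an hour to take effect in Graph API calls, even when Test-ApplicationAccessPolicy already shows the expected result.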


List and remove application access policies

In the PowerShell window from above:

  1. Get-ApplicationAccessPolicy | Format-List Identity,Description,ScopeName,AccessRight,AppID
  2. Remove-ApplicationAccessPolicy -Identity "xxxxxxx"