Available in Quicklaunch 4.0.680.0
Quicklaunch requires access to the enterprise's calendars and profiles. If you want to limit Quicklaunch access to a specific group of conference room accounts, you can use an Exchange Application Access Policy.
This policy applies to all Quicklaunch conference room accounts in your tenant. This means that each conference room account will be able to see the other conference room calendars, but no other calendars in your enterprise. At this time, Microsoft does not have a method to restrict an application to only a single account.
If you choose to limit access to Quicklaunch, some features in Quicklaunch will not work:
- You must have Quicklaunch set up to use Graph API - see https://quicklaunch.ucworkspace.com/en/support/solutions/articles/3000098890-migrating-from-exchange-web-service-ews-to-graph-api
- You must have access to an Azure admin account
Limiting Access to Quicklaunch by using an Exchange Application Access Policy
See the following Microsoft articles to implement an Exchange Application Access policy to limit access to a specific group of accounts.
- Scoping applications permissions: https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-access
- Install and connect to Exchange Online PowerShell: https://docs.microsoft.com/en-us/powershell/exchange/exchange-online-powershell-v2?view=exchange-ps
- Create a "mail enabled security group" that will include ALL your conference room accounts. https://docs.microsoft.com/en-us/exchange/recipients-in-exchange-online/manage-mail-enabled-security-groups
Summary of Commands
The following commands are provided solely as a convenience and may not reflect the latest information from Microsoft. Always refer to Microsoft's articles above when setting up the Exchange Application Access policy.
Install and connect to Exchange Online with an Azure admin account
- Start PowerShell as admin
Install-Module -Name ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName firstname.lastname@example.org -ShowProgress $true
Create mail enabled security group and add conference rooms
In the PowerShell window from above:
New-DistributionGroup -Name "Conference Rooms" -Alias conf_rooms -Type security
Add-DistributionGroupMember -Identity "Conference Rooms" -Member "QuarryPark@ucworkspace.com"
Create application access policy
In the PowerShell window from above:
- Get Quicklaunch Application ID from Azure portal -> Enterprise Applications -> Quicklaunch -> Properties
New-ApplicationAccessPolicy -AppId xxxxxxxx-xxxx-xxxx-xxxxxxxx -PolicyScopeGroupId email@example.com -AccessRight RestrictAccess -Description "Restrict Quicklaunch only to conference room accounts"
Testing the application access policy
Test-ApplicationAccessPolicy -Identity firstname.lastname@example.org -AppId xxxxxxxx-xxxx-xxxx-xxxxxxxx
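A scripted version of the test above that checks the policy from both sides, as an added example that is not part of the original article or Microsoft's documentation: every member of the "Conference Rooms" group should come back Granted, and mailboxes outside the group should come back Denied. The Application ID and the control mailbox addresses are placeholders, and the function name Test-QuicklaunchScope is hypothetical.

```powershell
# Added example: verify the application access policy scope from both sides.
# Assumes an existing Connect-ExchangeOnline session in this window.
# The values below are constructed placeholders; replace them with your own.
$AppId        = '00000000-0000-0000-0000-000000000000'       # placeholder Application ID
$RoomGroup    = 'Conference Rooms'                           # group created above
$ControlUsers = @('user1@example.org', 'user2@example.org')  # mailboxes NOT in the group

function Test-QuicklaunchScope {
    param(
        [Parameter(Mandatory)] [string]   $AppId,
        [Parameter(Mandatory)] [string]   $RoomGroup,
        [Parameter(Mandatory)] [string[]] $ControlUsers
    )

    # Room accounts in the scope group: the app must be granted access.
    $expected = @()
    foreach ($m in Get-DistributionGroupMember -Identity $RoomGroup -ResultSize Unlimited) {
        $expected += [pscustomobject]@{ Mailbox = [string]$m.PrimarySmtpAddress; Expected = 'Granted' }
    }
    # Control mailboxes outside the group: the app must be denied.
    # If no policy exists for the AppId, these come back Granted and are flagged.
    foreach ($u in $ControlUsers) {
        $expected += [pscustomobject]@{ Mailbox = $u; Expected = 'Denied' }
    }

    foreach ($e in $expected) {
        $r      = Test-ApplicationAccessPolicy -Identity $e.Mailbox -AppId $AppId
        $actual = [string]$r.AccessCheckResult
        [pscustomobject]@{
            Mailbox  = $e.Mailbox
            Expected = $e.Expected
            Actual   = $actual
            Ok       = ($actual -eq $e.Expected)
        }
    }
}

$results = Test-QuicklaunchScope -AppId $AppId -RoomGroup $RoomGroup -ControlUsers $ControlUsers
$results | Format-Table -AutoSize

# Summarize mismatches so an over-broad or missing policy is obvious.
$failed = @($results | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) mailbox(es) do not match the expected scope."
} else {
    Write-Host "All $($results.Count) mailboxes match the expected scope."
}
```

Re-run the check whenever a conference room account is added to or removed from the group.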
List and remove application access policies
- In the PowerShell window from above:
Get-ApplicationAccessPolicy | Format-List Identity,Description,ScopeName,AccessRight,AppID
Remove-ApplicationAccessPolicy -identity "xxxxxxx"