Need script to add and remove calendar permissions from dynamic groups in Exchange Online


Hello,

 

We have migrated from local Exchange to Exchange 365 Online, keeping our local AD. I very much regret this, as we have lost most of the functionality we had previously with account and calendar permissions.

 

I am absolutely baffled that there is no mechanism for assigning Resource Room Calendar permissions based on Dynamic Groups in Exchange Online - we had this working perfectly in our local Exchange. We are a 550+ organization and our employees' permissions to book resource rooms change frequently depending on what department they are in. I am in desperate need of scripts to automate this process when users are added and removed from AD security groups for this purpose. Again, I am dumbfounded that this is just not available from Microsoft by default.

 

Any help is really appreciated!

CB

3 Replies

@NCSSINC 

 

So, I'm not sure it's doable with dynamic security groups, I've been trying a little while now.

from: Manage resource mailboxes in Exchange Online | Microsoft Learn

 

This example does the following actions:

  • The Get-User cmdlet finds all room mailboxes that correspond to private conference rooms.
  • The Set-CalendarProcessing cmdlet sends booking requests to a delegate named Robin Wood to accept or decline.
  • The Set-MailboxFolderPermission cmdlet gives Robin the required Calendar folder permissions to the private conference room mailboxes.
PowerShell
 
$P = Get-User -ResultSize unlimited -Filter "(RecipientTypeDetails -eq 'RoomMailbox') -and (DisplayName -like 'Private*')"
$P | foreach {Set-CalendarProcessing -Identity $_.Identity -AllBookInPolicy $false -AllRequestInPolicy $true -ResourceDelegates "Robin Wood"}
$P | foreach {Set-MailboxFolderPermission -Identity "$_`:\Calendar" -User "Robin Wood" -AccessRights Editor -SharingPermissionFlags Delegate}

 

This example is for a user, but I know that we're using groups to add permissions, since anything else would be insane in my organization. 

 

This is the script we use 

 

$Mailbox = 'name of resource'

$GrantAccess = "upn of group"

Get-Mailbox $Mailbox | Set-CalendarProcessing -AllBookInPolicy:$false -AllRequestInPolicy:$false -BookInPolicy $GrantAccess 

Get-Mailbox $Mailbox | Get-CalendarProcessing  | select -ExpandProperty BookInPolicy

 

 

When I try this with the dynamic group, it just ends up with no-one having permission to use it. 

I've been trying to figure out why, and it seems like it is because a dynamic security group can't be mail-enabled. 

There might be some workarounds, like add the dynamic security group to a static one and then set that the static security group has access... but my experience with nested groups and Azure isn't fantastic when it comes to permissions and rights.

 

It might be possible to somehow do this with Graph. 

 

Will look more into it later. It's an interesting problem :D

 

-Ole

 

@randriksen_ 

Thank you for looking at this!

 

We have (mail-enabled) group memberships for teams such as Reception, and other groups that specifically schedule appointments for other staff in all departments. There is enough staff turnover and lateral migration in our organization that makes adding staff calendar permissions manually by person just untenable. 

 

I will check your scripts and see if I can make something with them… from what I understand, I can give any mail-enabled group specific calendar permissions, but Microsoft takes a “static picture” of that group when I add it and gives each group user the permission. This only happens once though - when the permission value is changed (like changing the group permission from Editor to Author, or adding and removing the group from the permission set entirely). The group is not monitored for changes in membership by Exchange, so every time someone is added or removed from it, I would need it to trigger a script that flip-flops something in its Exchange permissions on all the calendars that group has access to, so that Exchange will refresh the member user permissions. This has been my experience and reading with the way it is supposed to work, anyway. Is there a command that refreshes or re-evaluates Exchange folder permissions, I wonder?

 

My other thought is to create a monitoring script that runs on a schedule, say every 30 minutes, that will store the changes to a set of AD groups in an array (as variables to use if possible), based on Events 4728 and 4729 (user added to group and user removed), which then removes and re-adds those changed groups to specific calendar permissions. This reference script gets me half way there: https://community.spiceworks.com/how_to/153190-how-to-monitor-active-directory-group-membership-chan...

I have also looked into WMI implementation for this, but not very deeply. This may seem over the top, but this was all done seamlessly on the back-end in Exchange 2010.

 

I really appreciate your input, and I will check out the scripts!

Hi all, just wondering if anyone else has some input on this - perhaps you have an alternative solution to the functionality we are trying to re-establish?

 

Thanks everyone,

CB
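
The scheduled approach described in the thread (watch events 4728 and 4729, then reapply booking rights), combined with the `-BookInPolicy` script posted earlier, as an added example that is not from any poster or from Microsoft. Instead of passing the group itself it expands each changed AD group to its enabled users and overwrites the room's booking list; the group and room names are constructed placeholders, and it assumes it runs on a domain controller with the ActiveDirectory module and an existing `Connect-ExchangeOnline` session.

```powershell
# Added example, not from the thread. Room and group names are constructed placeholders.
# Assumes: scheduled every 30 minutes on a domain controller (reads the Security log),
# an existing Connect-ExchangeOnline session, and AD users whose UserPrincipalName
# matches their Exchange Online mailbox.
Import-Module ActiveDirectory

# AD security group -> room mailboxes whose booking list it controls (placeholders).
$RoomMap = @{
    'SG-Room-Reception' = @('room-lobby@contoso.example')
    'SG-Room-Finance'   = @('room-4a@contoso.example', 'room-4b@contoso.example')
}
$Since = (Get-Date).AddMinutes(-35)   # schedule interval plus a small overlap

# 4728 = member added to, 4729 = member removed from a security-enabled global group.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4728, 4729; StartTime = $Since
} -ErrorAction SilentlyContinue

# TargetUserName in the event data is the name of the group that changed.
$changed = foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
}
$changed = @($changed | Sort-Object -Unique | Where-Object { $RoomMap.ContainsKey($_) })

foreach ($group in $changed) {
    # Expand to individual enabled users so nothing depends on how Exchange
    # resolves (or fails to resolve) the group itself.
    $upns = @(Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser | Where-Object { $_.Enabled } |
        Select-Object -ExpandProperty UserPrincipalName)
    # An empty group clears the list: nobody may book directly.
    $policy = if ($upns.Count) { $upns } else { $null }

    foreach ($room in $RoomMap[$group]) {
        # Overwrites the whole list, so removed members lose booking rights on this run.
        Set-CalendarProcessing -Identity $room -AllBookInPolicy:$false `
            -AllRequestInPolicy:$false -BookInPolicy $policy
        Write-Output ("{0} {1}: BookInPolicy set to {2} user(s) from {3}" -f `
            (Get-Date -Format s), $room, $upns.Count, $group)
    }
}
```

Events 4728 and 4729 are written only on the domain controller that processed the change, and only when security group management auditing is enabled, so with several domain controllers the query has to cover each of them.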