
Configuring Role-Based Access Control via PowerShell (Microsoft 365)

With the deprecation of the ApplicationImpersonation role in May 2024 - February 2025, we have introduced a new method of authorising access to large numbers of Microsoft 365 resource mailboxes without setting up each account individually.

The solution Microsoft currently recommends for this is Role-Based Access Control (RBAC) for Applications: direct access from our application to your Microsoft 365 tenant, scoped to resource mailbox users only.

This does not require a service user account, but it does require configuration in PowerShell and Microsoft Entra.

Finding the correct Entra Application ID & Object ID



You will need to confirm and locate the correct Application ID and Object ID in Microsoft Entra for the Meeting Room 365 production app.

In Microsoft Entra, navigate to Applications, then Enterprise Applications. Currently here:

https://entra.microsoft.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview

Copy the Application ID and Object ID somewhere for future reference.

Locate the Meeting Room 365 Production app
Copy the Application ID and Object ID


Creating a Management Scope in PowerShell

Next, you will need to create a management scope in PowerShell.

The PowerShell script will fetch the ServicePrincipalId if it is not provided, but in that case it requires the Az PowerShell module to look it up in Entra. If you followed the steps above, you do not need the Az module: just paste the Object ID you copied into $ServicePrincipalId.

The ExchangeOnlineManagement module is required in all scenarios.

# Confirm $AppId and, optionally, $ServicePrincipalId at:
# https://entra.microsoft.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview

# Define variables for your application's identifiers
$AppId = "2a636d8a-e912-4095-9dea-4b3e23776acc" # Meeting Room 365 Production App (should not change)
$ServicePrincipalId = "" # Object ID from Entra. Fill in here if you know it; otherwise it is looked up via the Az module below
$MailboxToTest = "mailbox@domain.com" # Modify this to a resource mailbox on your domain

# --- RBAC PowerShell Script ---

# Connect to Exchange Online (requires the ExchangeOnlineManagement module)
Connect-ExchangeOnline -ShowBanner:$false

# Retrieve the service principal's Object ID in the current tenant if it was not supplied above
if ([string]::IsNullOrWhiteSpace($ServicePrincipalId)) {
    # Requires the Az PowerShell module and an Azure sign-in
    Connect-AzAccount | Out-Null
    $ServicePrincipal = Get-AzADServicePrincipal -ApplicationId $AppId
    if (-not $ServicePrincipal) { throw "No service principal found for AppId $AppId in this tenant." }
    $ServicePrincipalId = $ServicePrincipal.Id
}

# Create a management scope limited to room and equipment (resource) mailboxes
New-ManagementScope -Name "ResourceMailboxesScope" `
    -RecipientRestrictionFilter "RecipientTypeDetails -eq 'RoomMailbox' -or RecipientTypeDetails -eq 'EquipmentMailbox'"

# Register the application as a service principal in Exchange Online
New-ServicePrincipal -AppId $AppId -ObjectId $ServicePrincipalId -DisplayName "Meeting Room 365 Production App"

# Assign the 'Application Calendars.ReadWrite' role to the service principal, limited to the scope created above
New-ManagementRoleAssignment -Name "ResourceMailboxesAccess" `
    -Role "Application Calendars.ReadWrite" `
    -App $AppId `
    -CustomResourceScope "ResourceMailboxesScope"

# Test the service principal's authorization to access a specific mailbox (optional)
Test-ServicePrincipalAuthorization -Identity $AppId -Resource $MailboxToTest

# https://learn.microsoft.com/en-us/exchange/permissions-exo/application-rbac#application-roles


This creates and tests a management scope and role assignment that allow the Meeting Room 365 Production application to read and write calendars on any room or equipment mailbox in your tenant, and nothing more: the scope's recipient filter keeps ordinary user mailboxes out of the application's reach, and the final Test-ServicePrincipalAuthorization call shows which roles apply to the mailbox you named.
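The following verification script is an added example and is not part of the article's own script. It assumes the scope and role assignment above already exist, that $RoomMailboxToTest is a room or equipment mailbox and $UserMailboxToTest a regular user mailbox in your tenant (both placeholders), and that Test-ServicePrincipalAuthorization returns an InScope column as documented by Microsoft; it confirms the application can reach a resource mailbox but not a user mailbox.

```powershell
# Added verification example (not part of the original article's script).
# Placeholders: replace both addresses with mailboxes from your own tenant.
$AppId             = "2a636d8a-e912-4095-9dea-4b3e23776acc"   # Meeting Room 365 Production App
$ScopeName         = "ResourceMailboxesScope"
$RoomMailboxToTest = "room@domain.com"   # a room or equipment mailbox (must be in scope)
$UserMailboxToTest = "user@domain.com"   # a normal user mailbox (must NOT be in scope)

Connect-ExchangeOnline -ShowBanner:$false

# 1. Confirm the scope filter still only matches room and equipment mailboxes.
#    If someone has widened the filter, the app's reach has widened with it.
$scope = Get-ManagementScope -Identity $ScopeName -ErrorAction Stop
Write-Host "Scope '$ScopeName' recipient filter: $($scope.RecipientFilter)"

# 2. List every role assignment held by the app so unexpected roles stand out.
Write-Host "Role assignments for app ${AppId}:"
Get-ManagementRoleAssignment -App $AppId -ErrorAction Stop | Format-List

# 3. Ask Exchange Online directly which roles apply to each mailbox.
#    InScope is True only where a role assignment's scope covers the resource.
$roomResult = Test-ServicePrincipalAuthorization -Identity $AppId -Resource $RoomMailboxToTest
$userResult = Test-ServicePrincipalAuthorization -Identity $AppId -Resource $UserMailboxToTest

$roomInScope = @($roomResult | Where-Object { $_.InScope -eq $true })
$userInScope = @($userResult | Where-Object { $_.InScope -eq $true })

if ($roomInScope.Count -eq 0) {
    Write-Warning "$RoomMailboxToTest is NOT reachable by the app; check the scope filter and the role assignment."
} else {
    Write-Host "OK: $RoomMailboxToTest is in scope via role(s): $($roomInScope.RoleName -join ', ')"
}

if ($userInScope.Count -gt 0) {
    Write-Warning "$UserMailboxToTest IS reachable by the app via role(s): $($userInScope.RoleName -join ', '). The app should only reach resource mailboxes; review the scope filter and any extra assignments."
} else {
    Write-Host "OK: $UserMailboxToTest is outside the app's scope, as intended."
}
```

Run it after the initial setup and again periodically; a warning on the user-mailbox check means the least-privilege boundary the scope is meant to enforce no longer holds.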

References & Further Reading



https://learn.microsoft.com/en-us/powershell/module/exchange/new-managementscope?view=exchange-ps

https://learn.microsoft.com/en-us/exchange/permissions-exo/application-rbac

Updated on: 11/05/2025
