Allow Only Selected Users to Create Personal Booking Pages

In today’s fast-paced work environment, personal booking pages have become invaluable tools for streamlining scheduling and improving productivity. However, organizations often need to restrict access to these features to ensure that only specific users can create personal booking pages. This article outlines how to achieve this in an Exchange environment using PowerShell commands.

Understanding Configuration Precedence

Before diving into the implementation, it’s crucial to understand the precedence of configurations in Exchange:

1. Global Settings: The default settings configured via Set-OrganizationConfig apply universally to all users.
2. User-Specific Settings: Individual user settings configured through Set-CASMailbox will override global settings for that particular user.

Enabling Personal Booking Pages

To allow only selected users to create personal booking pages, we will focus on configuring settings using the Set-CASMailbox command. This method enables precise control over user access without modifying the global configuration.

Key Parameters to Consider

1. EwsEnabled: This parameter enables or disables access to the mailbox using Exchange Web Services (EWS). $true: All EWS access is enabled. $false: All EWS access is disabled. $null: The setting isn’t configured.
2. EwsApplicationAccessPolicy: Specifies which client applications can access EWS and REST. EnforceAllowList: Only specified applications are allowed access. EnforceBlockList: All applications can access except those explicitly blocked. $null: The setting isn’t configured.
3. EwsAllowList: Defines applications allowed to access the mailbox when EwsEnabled is set to $true and EwsApplicationAccessPolicy is EnforceAllowList.
4. EwsBlockList: Defines applications that are not allowed access under EwsEnabled is set to $true and EwsApplicationAccessPolicy set to EnforceBlockList.

Implementation Steps

Here’s how to configure these settings in PowerShell to allow only selected users to create personal booking pages:

$users = Get-Mailbox -RecipientTypeDetails UserMailbox | Select-Object -ExpandProperty PrimarySmtpAddress
foreach ($user in $users) {
    Set-CASMailbox -Identity $user -EwsEnabled $true
    Set-CASMailbox -Identity $user -EwsApplicationAccessPolicy $null
}
$allowedUsers = @("[email protected]", "[email protected]", "[email protected]")
foreach ($user in $users) {
    if ($allowedUsers -contains $user) {
        Set-CASMailbox -Identity $user -EwsAllowList @{Add = "MicrosoftOWSPersonalBookings"}
    } else {
        Set-CASMailbox -Identity $user -EwsBlockList @{Add = "MicrosoftOWSPersonalBookings"}
    }
}        

Explanation of the Script

1. User Retrieval: The script starts by retrieving all user mailboxes while excluding shared mailboxes.
2. Enable EWS: It then enables EWS access for all users and clears any existing application access policies.
3. Defining Allowed Users: A list of users permitted to create personal booking pages is defined.
4. Conditional Configuration: The script loops through all users: For allowed users, it adds the application to the allow list. For others, it adds the application to the block list.

Conclusion

Restricting personal booking page creation to selected users is a straightforward process using PowerShell and Exchange configurations. This method not only enhances security but also allows organizations to maintain control over scheduling functionalities. By implementing these settings, you can ensure that personal booking pages serve as a valuable asset for the right individuals within your organization.

Reference

• Turn off Personal Bookings
• Control access to EWS in Exchange
• Set-CASMailbox