Setting up Zoom Rooms with Office 365
When you associate a calendar resource in Microsoft Office 365 with a Zoom Room, members of your organization can quickly and easily schedule room meetings by inviting the associated calendar resource to their meetings in Outlook. The calendar integration depends on authorizing Zoom’s access to calendar resources in O365, enabling Zoom Rooms to read their associated calendar resources. After authorization, Zoom Rooms will show upcoming meetings on the room’s TV display(s), Scheduling Display(s) and Zoom Rooms controller(s). Users may start or join the displayed meetings with one touch on the room controller.
This article covers:
Prerequisites for setting up Zoom Rooms with Office 365
- An Office 365 Administrator Account with Exchange Online administrator permissions to make required configuration changes
- The account must have Exchange Online administrator permissions for both Organization Management and Recipient Management.
- MS Graph API Application Permissions requires an Office 365 Global Admin, or user with Microsoft O365 Cloud Application Administrator permissions, to add Zoom’s Microsoft Entra (Azure AD) Enterprise Application
- The ability to list, create, and manage calendar resources for rooms
- Admin Access for Windows PowerShell on Windows 10 or greater, or Windows Server 2016 or greater
- Role with access to Zoom Rooms
- To use the MS Graph API Application Permissions integration your Zoom account must have at least one associated domain that matches a custom domain you have verified in your O365 tenant
How to create or locate a calendar resource for each room
- Sign in to the Microsoft Exchange admin center (EAC) as an admin.
- In the navigation menu, click Recipients then Resources.
- Click on the plus (+) sign if you need to add a room.
Zoom recommends that you use a prefix (such as ZR) for each room, or choose your own method to allow users to easily search for Zoom Rooms-enabled conference rooms. - Make note of the display name and email address of each calendar resource.
Note: Creating a room list for all Zoom Room calendar resources is recommended, as it will allow Zoom to populate your list of available calendar resources automatically.
How to install the Microsoft Exchange Online Powershell Module
Many of these instructions require use of the Microsoft Exchange Online Powershell Module (AKA “EXO”). The following is an abbreviated extract of the instructions found in Microsoft’s Install and maintain the EXO module page.
- Start Windows PowerShell using the Run as administrator option.
Note: This option is available when you right-click the Windows PowerShell app without launching it. - Prepare to install the EXO module by executing this command:
Set-ExecutionPolicy RemoteSigned - Press Y to accept the change
- Install the EXO module by executing this command:
Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser
Note: If necessary, enter Y to accept installation of the Microsoft NuGet provider to facilitate installation of the EXO module. - If you receive an “untrusted repository” message and PowerShell prompts you to permit installation of the EXO module the Microsoft PowerShell Gallery (“PSGallery”) repository, enter Y to accept.
- Keep the PowerShell window open for further commands.
How to update the calendar resource settings using Windows PowerShell
You must update some calendar resource settings so that Zoom Rooms may display calendar information and generate a one touch join button for Zoom meetings.
- Start a Windows PowerShell using the “Run as administrator” option.
Note: This option is available when you right-click the Windows PowerShell app without launching it. - Enter the following command:
Connect-ExchangeOnline -UserPrincipalName <UPN>
Note: Change the value of <UPN> to the Office 365 administrator's user principal name (usually appears in the form of an email address). Make sure that this account has permissions for both “Organization Management” and “Recipient Management”. - Enter the Office 365 administrator username and password in the dialog box that appears.
- Check the settings for a calendar resource by executing the following command:
Get-CalendarProcessing -Identity CalendarResource | Format-List Identity,DeleteSubject,AddOrganizerToSubject,DeleteComments,RemovePrivateProperty
Note: Replace the text CalendarResource with the email address of a calendar resource. - Note the data returned for the following values:
"DeleteSubject", "AddOrganizerToSubject", "DeleteComments", and "RemovePrivateProperty"
In most cases, these values are set to True.
Identity : [domain].com/Users/CalendarResource
DeleteSubject : True
AddOrganizerToSubject : True
DeleteComments : True
RemovePrivateProperty : True - Change the settings for the room with the following command:
Set-CalendarProcessing -Identity <CalendarResource> -AddOrganizerToSubject $false -OrganizerInfo $true -DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
Notes: Replace the text <CalendarResource> with the email address of a calendar resource.
- If you do not want to show the Calendar topic, change DeleteSubject $false to DeleteSubject $true.
- If you see an error such as “The operation couldn't be performed because object 'Room' couldn't be found on '[domain].onmicrosoft.com'.”, that means the scope of the role group that grants you permission to run the cmdlet does not include the user/room. Ensure you are logged in with an admin account with the permissions described in the prerequisites.
- If you see an error such as “Set-CalendarProcessing command not found”, ensure you are logged in with an admin account with the permissions described in the prerequisites.
- Validate the settings for the room after the change by executing the following command:
Get-CalendarProcessing -Identity <CalendarResource> | Format-List Identity,DeleteSubject,AddOrganizerToSubject,DeleteComments,RemovePrivateProperty
Note: Replace the text <CalendarResource> with the email address of a calendar resource.
The following settings will be set:
Identity : [domain].com/Users/CalendarResource
DeleteSubject : False
AddOrganizerToSubject : False
DeleteComments : False
RemovePrivateProperty : False - Repeat Steps 4-7 for each calendar, changing only the <CalendarResource> in each command.
- Disconnect the session with the following command:
Disconnect-ExchangeOnline - Keep the PowerShell window open for further commands.
How to prepare for calendar integration
Choosing between Application Permissions, Full Delegate Access and App-level Impersonation
In general, Zoom recommends using MS Graph API with Application Permissions, as this manner of configuration requires significantly less effort to setup and maintain on the part of the administrator, and does not require a dedicated service account. Application Permissions (also known as App-only access) is Microsoft’s recommended approach for Enterprise applications that run as background services and the data required can’t be scoped to a single user. MS Graph API with Full Delegate Access is an alternative option, but requires a dedicated service account and more effort for initial setup and maintenance. Zoom no longer recommends using Exchange Web Services (EWS) options for new deployments, due to Microsoft’s planned Retirement of RBAC Application Impersonation in Exchange Online and eventual deprecation of Exchange Web Services. Existing calendar integrations using EWS will continue to function for a period of time as outlined in Microsoft’s support pages, but Zoom recommends migrating to a new calendar integration using MS Graph API with Application Permissions.
Preparing for MS Graph API Application Permissions (recommended)
To use the MS Graph API Application Permissions integration your Zoom account must have at least one associated domain that matches a custom domain you have verified in your O365 account.
After adding the calendar service, you may optionally apply Role Based Access Control for Applications in Exchange Online.
Preparing for MS Graph API Full Delegate Access
Zoom recommends using MS Graph API with Application Permissions.
Creating a dedicated user for delegated permissions
Before you can add a calendar service using Full Delegate Access, an Office 365 administrator must create a dedicated service account user in Office 365 for the integration.
They will then use the credentials of the dedicated user to provide authorization for the Zoom Rooms in your account to use the calendar service and all of its calendar resources.
- Sign in to Office 365 as an admin.
- Add a user in your Office 365 account. See the Microsoft documentation Add users to Office 365 for instructions.
Note: the dedicated service account user must be a licensed user in Office 365 with a mailbox. - Make note of the email address and password of the dedicated service account user.
Delegate rooms to the dedicated service account user
- Start a Windows PowerShell using the “Run as administrator” option.
Note: This option is available when you right-click the Windows PowerShell app without launching it. - Enter the following command:
Connect-ExchangeOnline -UserPrincipalName <UPN>
Note: Change the value of <UPN> to the Office 365 administrator's user principal name (usually appears in the form of an email address). - Enter the Office 365 administrator username/password in the dialog box.
Make sure that this account has permissions for both “Organization Management” and “Recipient Management”. - Execute the following command to grant the dedicated service account user full delegate access to the calendar of a calendar resource:
Add-MailboxPermission -Identity CalendarResource -User DedicatedUser -AccessRights FullAccess
Note: Replace the text CalendarResource with the email address of a calendar resource. Replace the text DedicatedUser, enter with the email address of the Dedicated Service Account User. - Execute the following command to grant the dedicated service account user full delegate access to the calendar of a calendar resource:
Add-MailboxFolderPermission -Identity CalendarResource:\Calendar -User DedicatedUser -AccessRights Editor
Note: Replace the text CalendarResource with the email address of a calendar resource (but leave the “:\Calendar” text in place; example: conferenceroom@contoso.com:\Calendar). Replace the text DedicatedUser with the email address of the Dedicated Service Account User. - Repeat steps 4-5 for each room’s calendar resource.
Preparing for Exchange Web Services Full Delegate Access (legacy)
Zoom no longer recommends using Exchange Web Services (EWS) options for new deployments. Though EWS Full Delegate Access is not affected by Microsoft’s planned
Retirement of RBAC Application Impersonation in Exchange Online, the eventual
deprecation of Exchange Web Services will affect integrations using EWS Full Delegate Access. Existing calendar integrations using EWS Full Delegate Access will continue to function for a period of time as outlined in Microsoft’s support pages, but Zoom recommends migrating to a new calendar integration using MS Graph API with Application Permissions.
Creating a dedicated user for delegated permissions
Before you can add a calendar service using Full Delegate Access, an Office 365 administrator must create a dedicated service account user in Office 365 for the integration.
They will then use the credentials of the dedicated user to provide authorization for the Zoom Rooms in your account to use the calendar service and all of its calendar resources.
- Sign in to Office 365 as an admin.
- Add a user in your Office 365 account. See the Microsoft documentation Add users to Office 365 for instructions.
Note: the dedicated service account user must be a licensed user in Office 365 with a mailbox. - Make note of the email address and password of the dedicated service account user.
Delegate rooms to the dedicated service account user
- Start a Windows PowerShell using the “Run as administrator” option.
Note: This option is available when you right-click the Windows PowerShell app without launching it. - Enter the following command:
Connect-ExchangeOnline -UserPrincipalName <UPN>
Note: Change the value of <UPN> to the Office 365 administrator's user principal name (usually appears in the form of an email address). - Enter the Office 365 administrator username/password in the dialog box.
Make sure that this account has permissions for both “Organization Management” and “Recipient Management”. - Execute the following command to grant the dedicated service account user full delegate access to the calendar of a calendar resource:
Add-MailboxPermission -Identity CalendarResource -User DedicatedUser -AccessRights FullAccess
Note: Replace the text CalendarResource with the email address of a calendar resource. Replace the text DedicatedUser, enter with the email address of the Dedicated Service Account User. Replace the text CalendarResource with the email address of a calendar resource. - Execute the following command to grant the dedicated service account user full delegate access to the calendar of a calendar resource:
Add-MailboxFolderPermission -Identity CalendarResource:\Calendar -User DedicatedUser -AccessRights Editor
Note: Replace the text CalendarResource with the email address of a calendar resource (but leave the “:\Calendar” text in place; example: conferenceroom@contoso.com:\Calendar). Replace the text DedicatedUser with the email address of the Dedicated Service Account User. Replace the text CalendarResource with the email address of a calendar resource (but leave the “:\Calendar” text in place; example: conferenceroom@contoso.com:\Calendar). - Repeat steps 4-5 for each room’s calendar resource.
Preparing for Exchange Web Services App-level Impersonation (legacy)
Zoom no longer recommends using Exchange Web Services (EWS) options for new deployments, due to Microsoft’s planned
Retirement of RBAC Application Impersonation in Exchange Online and eventual
deprecation of Exchange Web Services. Existing calendar integrations using EWS will continue to function for a period of time as outlined in Microsoft’s support pages, but Zoom recommends migrating to a new calendar integration using MS Graph API with Application Permissions.
Creating a dedicated user for delegated permissions
Before you can add a calendar service using Exchange Web Services with App-level Impersonation, an Office 365 administrator must create a dedicated service account user in Office 365 for the integration.
They will then use the credentials of the dedicated user to provide authorization for the Zoom Rooms in your account to use the calendar service and all of its calendar resources.
- Sign in to Office 365 as an admin.
- Add a user in your Office 365 account. See the Microsoft documentation Add users to Office 365 for instructions.
Note: the dedicated service account user must be a licensed user in Office 365 with a mailbox. - Make note of the email address and password of the dedicated service account user.
Update role management and assignments
Note: App-level Impersonation requires the use of Exchange Web Services (EWS) - it is not supported with Microsoft Graph API.
- Start Windows PowerShell using the “Run as administrator” option.
Note: This option is available when you right-click the Windows PowerShell app without launching it. - Enter the following command:
Connect-ExchangeOnline -UserPrincipalName <UPN>
Note: Change the value of <UPN> to the Office 365 administrator's user principal name (usually appears in the form of an email address). - Enter the Office 365 administrator username/password in the dialog box.
Make sure that this account has permissions for both “Organization Management” and “Recipient Management”. - Execute the following command to create a new Management Scope restricted to calendar resources (of the types “RoomMailbox” and “EquipmentMailbox”):
New-ManagementScope -Name "ResourceMailboxes" -RecipientRestrictionFilter {RecipientTypeDetails -eq "RoomMailbox" -or RecipientTypeDetails -eq "EquipmentMailbox" -or UserPrincipalName -eq 'DedicatedUser'}
Note: Replace the text DedicatedUser with the User Principal Name of the Dedicated Service Account User (this usually matches the Dedicated Service Account User's email address). - Run the following command to create a relationship between the new Management role, the dedicated service account user, the and the new Management scope:
New-ManagementRoleAssignment -Name "ResourceImpersonation" -Role ApplicationImpersonation -User "DedicatedUser" -CustomRecipientWriteScope "ResourceMailboxes"
Note: Replace the text DedicatedUser with the email address of the Dedicated Service Account User.
How to add the Calendar Service to Zoom
Zoom recommends using a web browser in incognito or private browsing mode when authorizing the calendar integration to Office 365. This will help prevent accidentally authorizing the integration with an already signed-in Office 365 user.
- MS Graph API Application Permissions (recommended)
- MS Graph API Full Delegate Access
- EWS Full Delegate Access (legacy)
- EWS App-level Impersonation (legacy)
MS Graph API Application Permissions (recommended)
- Sign in to the Zoom web portal as a Zoom Rooms administrator.
- In the navigation menu, click Room Management then Calendar Integration.
- Click Add Calendar Service.
The Add a Calendar Service dialog will appear. - Click Office 365.
- Ensure that Authorize with OAuth 2.0 is checked.
- Configure the type of Office 365 service.
- Select Graph API.
- Under Account Permission Type, select Application Permissions.
- Click Authorize
- At the Microsoft sign-in portal, login as a Microsoft O365 Global Admin
- Click accept to grant the permissions requested by the “Zoom calendar integration using MS Graph API app permissions” application.
- After accepting, your browser will return to the Calendar Integration page and the calendar service that you added.
- If you receive an error message “The O365 account verified domains do not match any Zoom account associated domains,” ensure your Zoom account and O365 account meet the prerequisites. To use the MS Graph API Application Permissions integration your Zoom account must have at least one associated domain that matches a custom domain you have verified in your O365 account.
Note: See Add a Zoom Room for information on configuring a calendar resource with a Zoom Room.
MS Graph API Full Delegate Access
- Sign in to the Zoom web portal as a Zoom Rooms administrator.
- In the navigation menu, click Room Management then Calendar Integration.
- Click Add Calendar Service.
The Add a Calendar Service dialog will appear. - Click Office 365.
- Ensure that Authorize with OAuth 2.0 is checked.
- Configure the type of Office 365 service.
- Select Graph API.
- Under Account Permission Type, select Full Access Delegate.
- Click Authorize.
Note: If Office 365 users can consent to enterprise applications accessing company data on their behalf is disabled in Account Settings, this option will need to be enabled in the settings, or enabled for the Zoom app in Azure. - At the Microsoft sign-in portal, login as the dedicated service account user to complete the calendar integration. Do not login as yourself or another administrator or end user.
- The Calendar Integration page shows the calendar service that you added.
Note: See Add a Zoom Room for information on configuring a calendar resource with a Zoom Room.
Exchange Web Services Full Delegate Access (legacy)
- Sign in to the Zoom web portal as a Zoom Rooms administrator.
- In the navigation menu, click Room Management then Calendar Integration.
- Click Add Calendar Service.
The Add a Calendar Service dialog will appear. - Click Office 365.
- Ensure that Authorize with OAuth 2.0 is checked.
- Configure the type of Office 365 service.
- Select Exchange Web Services (EWS).
Note: If necessary, enter a non-default EWS URL. - Under Account Permission Type, select Full Access Delegate.
- Click Authorize.
Note: If Office 365 users can consent to enterprise applications accessing company data on their behalf is disabled in Account Settings, this option will need to be enabled in the settings, or enabled for the Zoom app in Azure. - At the Microsoft sign-in portal, login as the dedicated service account user to complete the calendar integration. Do not login as yourself or another administrator or end user.
- The Calendar Integration page shows the calendar service that you added.
Note: See Add a Zoom Room for information on configuring a calendar resource with a Zoom Room.
Exchange Web Services App-level Impersonation (legacy)
- Sign in to the Zoom web portal as a Zoom Rooms administrator.
- In the navigation menu, click Room Management then Calendar Integration.
- Click Add Calendar Service.
The Add a Calendar Service dialog will appear. - Click Office 365.
- Ensure that Authorize with OAuth 2.0 is checked.
- Configure the type of Office 365 service.
- Select Exchange Web Services (EWS).
Note: If necessary, enter a non-default EWS URL. - Under Account Permission Type, select App-level Impersonation.
- Click Authorize.
Note: If Office 365 users can consent to enterprise applications accessing company data on their behalf is disabled in Account Settings, this option will need to be enabled in the settings, or enabled for the Zoom app in Azure. - At the Microsoft sign-in portal, login as the dedicated service account user to complete the calendar integration. Do not login as yourself or another administrator or end user.
- The Calendar Integration page shows the calendar service that you added.
Note: See Add a Zoom Room for information on configuring a calendar resource with a Zoom Room.