{"id":1366,"date":"2016-03-29T17:56:22","date_gmt":"2016-03-29T22:56:22","guid":{"rendered":"http:\/\/osric.com\/chris\/accidental-developer\/?p=1366"},"modified":"2016-11-02T16:05:48","modified_gmt":"2016-11-02T21:05:48","slug":"freebusy-time-segmentation-in-exchange-online","status":"publish","type":"post","link":"https:\/\/osric.com\/chris\/accidental-developer\/2016\/03\/freebusy-time-segmentation-in-exchange-online\/","title":{"rendered":"Free\/Busy Time Segmentation in Exchange Online"},"content":{"rendered":"

By default, all users in the same Exchange Online environment can view each other’s free\/busy time. Using the Organization–Sharing<\/em> settings you can share more information, but not less.<\/p>\n

\"Exchange<\/a>
Unchecking the ‘Share your calendar folder’ box does not turn off calendar sharing. Counterintuitive!<\/figcaption><\/figure>\n

Individuals can adjust their own free\/busy time sharing in Outlook or Outlook Web App (OWA). But what if you have less-privileged users who should not be able to view another user’s free\/busy time, for example, temporary employees or contract workers? Can they be restricted from viewing calendar information for other users?<\/p>\n

It can be done, but it’s not simple.<\/p>\n

My 3-part approach, summarized:<\/strong><\/p>\n

    \n
  1. Change each user’s sharing settings for the Default user to None via PowerShell<\/li>\n
  2. Create a mail-enabled universal security group containing all privileged users. (Fortunately, this group already existed within my organization.)<\/li>\n
  3. Change each user’s sharing settings for the security group created above to AvailabilityOnly via PowerShell (to allow just Free\/Busy visibility)<\/li>\n<\/ol>\n

    I found Add Calendar Permissions in Office 365 via Powershell<\/a>, which was a tremendous help in discovering the format of the calendar folder. For example, to adjust the Default user’s access to chris@example.com’s calendar to None, use the following PowerShell command:
    \nSet-MailboxFolderPermission -Identity chris@example.com:\\calendar -user Default -AccessRights None<\/code><\/p>\n

    Then I tried to add permissions for the security group:
    \n$mycal = 'chris@example.com:\\calendar'
    \nSet-MailboxFolderPermission -Identity $mycal -User privileged-users-security-group@example.com -AccessRights AvailabilityOnly<\/code><\/p>\n

    Error:<\/strong>
    \nThere is no existing permission entry found for user: privileged-users-security-group.
    \n + CategoryInfo : NotSpecified: (:) [Set-MailboxFolderPermission], UserNotFoundInPermissionEntryException
    \n + FullyQualifiedErrorId : [Server=BLUPR0101MB1603,RequestId=d057882d-5663-417d-a614-ce73e5ab0565,TimeStamp=3\/15\/20
    \n 16 3:41:20 PM] [FailureCategory=Cmdlet-UserNotFoundInPermissionEntryException] B65CA2A0,Microsoft.Exchange.Managem
    \n ent.StoreTasks.SetMailboxFolderPermission
    \n + PSComputerName : ps.outlook.com<\/code><\/p>\n

    Thanks to Setup secretary permissions to manage Calendar in Office 365<\/a>, I discovered that the above error occurred because the security group had no current settings for the specified calendar. In that case, the Add-MailboxFolderPermission<\/code> is the appropriate command:<\/p>\n

    Add-MailboxFolderPermission -Identity $mycal -User privileged-users-security-group@example.com -AccessRights AvailabilityOnly<\/code><\/p>\n

    Before running this across all of our users, I wanted to find out which users had customized their free\/busy sharing settings. If they had customized them, I wanted to preserve their settings. For example, I decided to get the Default user sharing settings for the sales department users’ calendars:<\/p>\n

    $DeptMailboxes = Get-Mailbox -Filter {CustomAttribute2 -eq 'sales'}
    \nForEach ($Mailbox In $DeptMailboxes) { $Calendar = $Mailbox.UserPrincipalName + \":\\calendar\"; Get-MailboxFolderPermission -Identity $Calendar -User Default}<\/code><\/p>\n

    Unfortunately, the above did not return all of the properties needed to identify the calendars in question:
    \nCalendar Default {AvailabilityOnly}
    \nCalendar Default {LimitedDetails}
    \nCalendar Default {AvailabilityOnly}
    \nCalendar Default {AvailabilityOnly}<\/code><\/p>\n

    I specified a list of properties that was more useful:
    \nForEach ($Mailbox In $DeptMailboxes) { $Calendar = $Mailbox.UserPrincipalName + \":\\calendar\"; Get-MailboxFolderPermission -Identity $Calendar -User Default | Select Identity,FolderName,User,AccessRights }<\/code><\/p>\n

    Fortunately, only a handful of the users in my organization had customized their sharing settings, so I simply noted their settings and re-applied them after running these settings across all users in the organization:<\/p>\n

    $AllMailboxes = Get-Mailbox
    \nForEach ($Mailbox In $AllMailboxes) { $Calendar = $Mailbox.UserPrincipalName + \":\\calendar\"; Set-MailboxFolderPermission -Identity $Calendar -User Default -AccessRights None; Add-MailboxFolderPermission -Identity $Calendar -User privileged-users-security-group@example.com -AccessRights AvailabilityOnly }<\/code><\/p>\n

    This achieved the desired free\/busy time segmentation. However, there’s one snag: what happens when new users are added? They will have the default sharing settings. That means that every time a new user is added, these steps will need to be run for that new user. I created the following PowerShell script — I can pipe the results of Get-Mailbox<\/code> to this script to apply the customizations described above:<\/p>\n

    param(  \r\n    [Parameter(\r\n        Position=0, \r\n        Mandatory=$true, \r\n        ValueFromPipeline=$true,\r\n        ValueFromPipelineByPropertyName=$true)\r\n    ]\r\n    [Object[]]$Mailbox\r\n)\r\n\r\nProcess {\r\n    $Calendar = $Mailbox.UserPrincipalName + \":\\calendar\"\r\n    Set-MailboxFolderPermission -Identity $Calendar -User Default -AccessRights None\r\n    Add-MailboxFolderPermission -Identity $Calendar -User 'privileged-users-security-group@example.com' -AccessRights AvailabilityOnly\r\n}<\/code><\/pre>\n
    To run the script (assuming it is named Set-CustomFreeBusySharing.ps1):
    \nGet-Mailbox -Identity bob@example.com | .\/Set-CustomFreeBusySharing.ps1<\/code><\/p>\n
    Fully integrating that into my account creation process is a job for another day.<\/p>\n
    One other thing to note: users can still choose to modify their free\/busy sharing with the Default user, in case they do want\/need to share their availability with all users in the organization.<\/p>\n
    Other sites that had useful information while I researched this issue:<\/p>\n