In this article, you will learn how to block Microsoft Bookings Access in Tenant.
Microsoft Bookings, An appointment platform recently introduced by Microsoft for enterprise customers globally. As tenant Admins, we should know how to manage Microsoft Bookings access for users in the tenant and provide required access to specific users while blocking it for the rest.
Before getting into the details, Those who already implemented MS Bookings at the initial phase are aware that “Business Apps” with Bookings add-on was required and we need to purchase free licenses in the “Business Apps” service to assign the Microsoft Bookings license to the users.
While it might sound confusing, people who are associated with Microsoft from a while now will understand this. Microsoft generally launches the apps and services through an add-on for testing and implementation, needless to mention, checking the demand of the product as well. Which later gets integrated as a part of licensing service. Below is a notification from Microsoft that we received in around mid of March 2020.
Important: These steps only apply to Microsoft 365 subscriptions that are purchased directly by customers. Beginning mid-May, 2020, the add-on process will be removed and Bookings will be available as on by default to Office 365 Enterprise E3 and Office 365 Enterprise E5 customers. Once that change occurs, follow the instructions in the “Access Microsoft Bookings” and “Turn On/Off Access to Microsoft Bookings” section of this page.
Source: https://support.microsoft.com/en-us/office/get-access-to-microsoft-bookings-5382dc07-aaa5-45c9-8767-502333b214ce
With the huge success and demand of Microsoft Bookings, it’s now directly added to various licenses (Enterprise Exchange, E3, E5, etc.) as an app/service.
We no longer need the “Business App” to assign a Bookings license. Below is the snapshot from my test tenant for one of the users to show how it should look now-
Now coming back to restricting the access of MS Bookings for users in the tenant, we will quickly understand, as Admin, why you wish to do this and the steps to implement –
Why do we need to Block Microsoft Bookings Access?
With Microsoft Bookings License, the users will not only have the capability to access other Microsoft Bookings Calendar but also create new Microsoft Bookings Calendar of their own.
Please note that Microsoft Bookings Calendar is generally created for an entire business to align available resources towards the customer requirement. As an Admin, we should prevent every user from creating the Microsoft Bookings Calendar.
We already understood the importance of preventing users from creating the Microsoft Bookings calendar, let’s discuss how it can be implemented on a tenant level.
Below are two possible ways to do that :
Method 1: Customizing Licensing
- Implementing a Group-based licensing option in Azure for new users to disable Microsoft Bookings App (Azure)
- Assigning the Custom licenses to the users in tenant by creating a licensing option with disabled Microsoft Bookings App (Only be implemented in Powershell scripting – Please refer to my other blog on how to implement the custom licensing or MS article “Disable access to Microsoft 365 services with PowerShell” https://docs.microsoft.com/en-us/office365/enterprise/powershell/disable-access-to-services-with-office-365-powershell)
Method 2: Using OWA mailbox policy
I will discuss the second method with the implementation of the changes in the OWA mailbox policy. In this method, we Disable the Microsoft Bookings Mailbox Creation in the OWA Mailbox policy and applying that to respective users.
Below are the steps to implement this with Powershell
1. Connect to Exchange Online Powershell
2. Create a new OWA mailbox policy
New-OwaMailboxPolicy -Name DisableBookingsMailboxCreation3. Disable Bookings Mailbox Creation for this OWA mailbox policy
Set-OwaMailboxPolicy -Identity DisableBookingsMailboxCreation -BookingsMailboxCreationEnabled $false4. Please verify the changes made in the policy
Get-OwaMailboxPolicy -Identity DisableBookingsMailboxCreation | Select BookingsMailboxCreationEnabled5. Assign this policy to the users that you want to prevent from creating a new Bookings Calendar in the tenant. We can assign the policy through Powershell as well as GUI.
I have implemented this of one test user in my tenant, below is how the expected behavior should be –
Set-CASMailbox -Identity [email protected] -OwaMailboxPolicy "DisableBookingsMailboxCreation"6. User should get below error –
“You do not have access to create a new Booking Calendar. Contact your administrator to enable access”
Below is the view from my powershell for the entire implementation –
PS C:\WINDOWS\system32> New-OwaMailboxPolicy -Name DisableBookingsMailboxCreation
Creating a new session for implicit remoting of "New-OwaMailboxPolicy" command...
RunspaceId : xxxxxxxxxxxx
WacEditingEnabled : True
PrintWithoutDownloadEnabled : True
OneDriveAttachmentsEnabled : True
ThirdPartyFileProvidersEnabled : False
AdditionalStorageProvidersAvailable : True
ClassicAttachmentsEnabled : True
ReferenceAttachmentsEnabled : True
SaveAttachmentsToCloudEnabled : True
InternalSPMySiteHostURL :
ExternalSPMySiteHostURL :
ExternalImageProxyEnabled : True
NpsSurveysEnabled : True
MessagePreviewsDisabled : False
PersonalAccountCalendarsEnabled : True
TeamsnapCalendarsEnabled : True
BookingsMailboxCreationEnabled : True
DirectFileAccessOnPublicComputersEnabled : True
DirectFileAccessOnPrivateComputersEnabled : True
WebReadyDocumentViewingOnPublicComputersEnabled : True
WebReadyDocumentViewingOnPrivateComputersEnabled : True
ForceWebReadyDocumentViewingFirstOnPublicComputers : False
ForceWebReadyDocumentViewingFirstOnPrivateComputers : False
WacViewingOnPublicComputersEnabled : True
WacViewingOnPrivateComputersEnabled : True
ForceWacViewingFirstOnPublicComputers : False
ForceWacViewingFirstOnPrivateComputers : False
ActionForUnknownFileAndMIMETypes : Allow
WebReadyFileTypes : {}
WebReadyMimeTypes : {}
WebReadyDocumentViewingForAllSupportedTypes : True
WebReadyDocumentViewingSupportedMimeTypes : {application/msword, application/vnd.ms-excel, application/x-msexcel, application/vnd.ms-powerpoint...}
WebReadyDocumentViewingSupportedFileTypes : {.doc, .dot, .rtf, .xls...}
AllowedFileTypes : {}
AllowedMimeTypes : {}
ForceSaveFileTypes : {}
ForceSaveMimeTypes : {}
BlockedFileTypes : {}
BlockedMimeTypes : {}
PhoneticSupportEnabled : False
DefaultTheme :
IsDefault : False
DefaultClientLanguage : 0
LogonAndErrorLanguage : 0
UseGB18030 : False
UseISO885915 : False
OutboundCharset : AutoDetect
GlobalAddressListEnabled : True
OrganizationEnabled : True
ExplicitLogonEnabled : True
OWALightEnabled : True
DelegateAccessEnabled : True
IRMEnabled : True
CalendarEnabled : True
ContactsEnabled : True
TasksEnabled : True
JournalEnabled : True
NotesEnabled : True
OnSendAddinsEnabled : False
RemindersAndNotificationsEnabled : True
PremiumClientEnabled : True
SpellCheckerEnabled : True
SearchFoldersEnabled : True
SignaturesEnabled : True
ThemeSelectionEnabled : True
JunkEmailEnabled : True
UMIntegrationEnabled : True
WSSAccessOnPublicComputersEnabled : True
WSSAccessOnPrivateComputersEnabled : True
ChangePasswordEnabled : True
UNCAccessOnPublicComputersEnabled : True
UNCAccessOnPrivateComputersEnabled : True
ActiveSyncIntegrationEnabled : True
AllAddressListsEnabled : True
RulesEnabled : True
PublicFoldersEnabled : True
SMimeEnabled : True
RecoverDeletedItemsEnabled : True
InstantMessagingEnabled : True
TextMessagingEnabled : True
ForceSaveAttachmentFilteringEnabled : False
SilverlightEnabled : True
InstantMessagingType : None
DisplayPhotosEnabled : True
SetPhotoEnabled : True
AllowOfflineOn : AllComputers
SetPhotoURL :
PlacesEnabled : True
WeatherEnabled : True
LocalEventsEnabled : False
InterestingCalendarsEnabled : True
AllowCopyContactsToDeviceAddressBook : True
PredictedActionsEnabled : False
UserDiagnosticEnabled : False
FacebookEnabled : True
LinkedInEnabled : True
WacExternalServicesEnabled : True
WacOMEXEnabled : False
ReportJunkEmailEnabled : True
GroupCreationEnabled : True
SkipCreateUnifiedGroupCustomSharepointClassification : True
WebPartsFrameOptionsType : SameOrigin
UserVoiceEnabled : True
SatisfactionEnabled : True
FreCardsEnabled : True
ConditionalAccessPolicy : Off
ConditionalAccessFeatures : {}
OutlookBetaToggleEnabled : True
AdminDisplayName :
ExchangeVersion : 0.10 (14.0.100.0)
Name : DisableBookingsMailboxCreation
DistinguishedName : CN=DisableBookingsMailboxCreation,CN=OWA Mailbox Policies,CN=Configuration,CN= xxxxx,CN=ConfigurationUnits,DC= xxxxx,DC=PROD,DC=OUTLOOK,DC=COM
Identity : DisableBookingsMailboxCreation
ObjectCategory :xxxxx.PROD.OUTLOOK.COM/Configuration/Schema/ms-Exch-OWA-Mailbox-Policy
ObjectClass : {top, msExchRecipientTemplate, msExchOWAMailboxPolicy}
WhenChanged : 7/24/2020 9:38:36 AM
WhenCreated : 7/24/2020 9:38:36 AM
WhenChangedUTC : 7/24/2020 4:08:36 AM
WhenCreatedUTC : 7/24/2020 4:08:36 AM
ExchangeObjectId : xxxxxxxxxxxxxxxxxxxxx
OrganizationId : xxxxxxxxxxxxxxxxxxxxx
Id : DisableBookingsMailboxCreation
Guid : xxxxxxxxxxxxxxxx
OriginatingServer : xxxx.xxxxPROD.OUTLOOK.COM
IsValid : True
ObjectState : Unchanged
PS C:\WINDOWS\system32> Set-OwaMailboxPolicy -Identity DisableBookingsMailboxCreation -BookingsMailboxCreationEnabled $false
PS C:\WINDOWS\system32> Get-OwaMailboxPolicy -Identity DisableBookingsMailboxCreation | Select BookingsMailboxCreationEnabled
BookingsMailboxCreationEnabled
------------------------------
False
PS C:\WINDOWS\system32> I hope this helps!
Targeting the Tenant Admins and specific to MS Bookings, I have not included more details on scripting and bulk user implementation. Please refer to my other post on Creating and Assigning Custom licensing Options in Microsoft Office 365
You can also refer to the below Microsoft Articles for similar details –
Get access to Microsoft Bookings (https://support.microsoft.com/en-us/office/get-access-to-microsoft-bookings-5382dc07-aaa5-45c9-8767-502333b214ce )
Please feel free to comment if you need additional information and I will update the content accordingly.
Thank you so much AMOL! This article has helped our organisation a great deal to stop the wild growth of Booking pages!
Thank you so much for this article! If we wanted to implement Bookings to all our A3 licences users (14,000+), but block the ability for them to create booking calendars themselves and restrict the creation to a very small subset of users – how would you best approach this?
Maybe this way: https://docs.microsoft.com/en-GB/microsoft-365/bookings/turn-bookings-on-or-off?view=o365-worldwide#allow-only-selected-users-to-create-bookings-calendars
Just to add:
#First compare policies
$a = Get-OwaMailboxPolicy “OwaMailboxPolicy-Default”
$b = Get-OwaMailboxPolicy “Custom-BookingsCreators”
Compare-ObjectProperties -ReferenceObject $a -DifferenceObject $b
#Then perform the changes, in my case it was:
$DefaultPropertiesToCopy = (“AllowedFileTypes”,`
“BlockedFileTypes”,`
“BlockedMimeTypes”,`
“ChangePasswordEnabled”,`
“ForceSaveFileTypes”,`
“ForceSaveMimeType”,`
“InstantMessagingType”,`
“LinkedInEnabled”,`
“WSSAccessOnPrivateComputersEnabled”,`
“WSSAccessOnPublicComputersEnabled”`
)
$DefaultPolicyName = “OwaMailboxPolicy-Default”
$CustomPolicyName = “Custom-BookingsCreators”
ForEach ($Property in $DefaultPropertiesToCopy) {
Write-Host $Property -ForegroundColor Green
$DefaultValue = (Get-OwaMailboxPolicy $DefaultPolicyName).$Property
$parameters = @{$Property = $DefaultValue}
Set-OwaMailboxPolicy $CustomPolicyName @parameters
}
hi i tried method 1 but it does not prevent access to the published site it only blocks the creation of a new booking
is there any way to prevent access to the published site in the organization ?