
Cross Forest Free / Busy in Exchange Server Environment via Federation Trust

In one of our previous posts, we discussed Free / Busy and how to configure availability between Exchange Organizations located in different Active Directory forests.  To make Free / Busy information available, you can configure Federation Trust or Availability Service for cross-forest communication.

As configuration via availability service is already covered here, in this post we will talk about Federation Trust.

Configuration process

Configuration of federation sharing is described here and consists of the following steps:

1. Create and configure a federation trust.

A federation trust is a trust relationship between a Microsoft Exchange organization and the Microsoft Entra authentication system. It enables federated sharing with other federated Exchange organizations, so that recipients can share calendar free/busy information.

That means your Exchange servers have to be published to the internet. Compared to configuration via the availability service, this option doesn't require GAL sync. Of course, it's more convenient when you can search your GAL to find the corresponding recipient, but if you know a specific address and type it into the Scheduling Assistant, you will be able to view Free / Busy information.

Below you can see that Free / Busy information is displayed both for addresses that have a mail-enabled object in the GAL and for addresses that don't:

You can use the EAC or PowerShell to configure the federation trust. This process is well documented in the official article, and we also discussed it in this blog post.

2. Create an organization relationship.

An organization relationship enables users in your Exchange organization to share calendar free/busy information as part of federated sharing with other federated Exchange organizations. For detailed instructions, see Create an organization relationship.

This example attempts to automatically discover configuration information from the external Exchange organization Contoso.com by using the domain names passed to the Get-FederationInformation cmdlet.

Get-FederationInformation -DomainName Contoso.com | New-OrganizationRelationship -Name "Contoso" -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails

The FreeBusyAccessLevel parameter specifies the maximum amount of detail returned to the requesting organization. Valid values are:

  • None: No free/busy access.
  • AvailabilityOnly: Free/busy access with time only.
  • LimitedDetails: Free/busy access with time, subject, and location.

3. Create a sharing policy.

Sharing policies enable user-established, people-to-people sharing of calendar information with different types of external users. They support the sharing of calendar and contact information with external federated organizations, external non-federated organizations, and individuals with Internet access. If you don’t need to configure people-to-people or contact sharing (organization-level sharing only), you don’t need to configure a sharing policy. For detailed instructions, see Create a sharing policy.

You can use the EAC or PowerShell to create a sharing policy.

New-SharingPolicy -Name "Contoso" -Domains 'contoso.com: CalendarSharingFreeBusyDetail'

The Domains parameter specifies the domains and the associated sharing options for those domains in the sharing policy. Values for this parameter use the basic syntax: 'Domain: SharingPolicyAction'. Because the value contains a space, quote it so PowerShell passes it as a single argument.

You can use the following values for Domain:

  • A domain: For example, mail.contoso.com. A domain doesn’t include subdomains. You must configure each subdomain separately.
  • *: Share with external federated organizations. For example, another Microsoft 365 organization or an on-premises Exchange organization.
  • Anonymous: Share with external, non-federated organizations and individuals with internet access.

You can use the following values for SharingPolicyAction:

  • CalendarSharingFreeBusySimple: Share free/busy hours only
  • CalendarSharingFreeBusyDetail: Share free/busy hours, subject and location
  • CalendarSharingFreeBusyReviewer: Share free/busy hours, subject, location and the body of the message or calendar item
  • ContactsSharing: Share contacts only

You can set the new sharing policy as the default:

Set-SharingPolicy "Contoso" -Default $true

Or associate it with specific mailboxes:

Set-Mailbox room2 -SharingPolicy "Contoso"
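The three steps above, put together as one Exchange Management Shell script. This is an added example, not code from the original post or from Microsoft; the domain contoso.com, the relationship name Contoso and the mailbox room2 follow the post, while admin@fabrikam.com is an assumed local mailbox used only for the built-in test cmdlets. It keeps the sharing policy scoped to the named domain and reports any relationship or policy that grants more than time-only access, which is the thing to review after the configuration is done.

```powershell
# Added example (not from the original post): steps 1-3 with verification.
$ExternalDomain   = 'contoso.com'
$RelationshipName = 'Contoso'
$TestUser         = 'admin@fabrikam.com'   # assumed: any mailbox in the local org

# Step 1 precondition: the federation trust must already exist and be healthy.
if (-not (Get-FederationTrust)) {
    throw 'No federation trust found; create one before adding an organization relationship.'
}
Test-FederationTrust -UserIdentity $TestUser

# Step 2: discover the remote organization's endpoints and create the relationship.
# FreeBusyAccessLevel is the ceiling for what federated callers can ever see;
# use AvailabilityOnly if subject and location must stay inside the organization.
Get-FederationInformation -DomainName $ExternalDomain |
    New-OrganizationRelationship -Name $RelationshipName `
        -FreeBusyAccessEnabled $true `
        -FreeBusyAccessLevel LimitedDetails

# Step 3: sharing policy scoped to the named domain only. '*' would extend it to
# every federated organization and 'Anonymous' to anyone on the internet.
$domainValue = '{0}: CalendarSharingFreeBusyDetail' -f $ExternalDomain
New-SharingPolicy -Name $RelationshipName -Domains $domainValue
Set-Mailbox -Identity 'room2' -SharingPolicy $RelationshipName

# Verification: the remote side must resolve and answer a free/busy lookup.
Test-OrganizationRelationship -Identity $RelationshipName -UserIdentity $TestUser -Verbose

# Review: surface every relationship and policy that shares more than time-only
# data, so unexpected '*' or 'Anonymous' entries are visible at a glance.
Get-OrganizationRelationship |
    Where-Object { $_.FreeBusyAccessEnabled -and $_.FreeBusyAccessLevel -ne 'AvailabilityOnly' } |
    Format-Table Name, DomainNames, FreeBusyAccessLevel -AutoSize
Get-SharingPolicy | Select-Object Name, Default, Enabled, Domains
```

Run it once from a shell that already has the Exchange cmdlets loaded; the Test-* cmdlets are read-only and can be rerun at any time to confirm the trust and the relationship are still working.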

Delegation and per-user Availability

After you've completed all the required steps, a user in one organization should see the availability of a user in the other organization. By default, only the fact that the user is free or busy is shown, with no subject, organizer or other details, because the request falls under the calendar's default permission level:

It wasn't clear to me what the organization relationship and sharing policy limitations are about in this case. But it looks like they just define the maximum level of information the user can make available to others, for example by changing the default permission level.
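To make the interplay between the two levels concrete, here is an added script (not from the original post) that reads the FreeBusyAccessLevel ceiling of the organization relationship, reads the Default entry on a mailbox calendar, and reports the lower of the two as the level a federated caller effectively gets. It assumes, as the post suggests, that the relationship level caps whatever the calendar's Default permission grants; the mailbox room2 and relationship name Contoso follow the post, and the target level AvailabilityOnly is an assumed value for a mailbox whose meeting subjects should not leave the organization.

```powershell
# Added example (not from the original post): compare the organization-level
# ceiling with the per-calendar Default permission and bound the latter.
$Mailbox          = 'room2'
$RelationshipName = 'Contoso'
$DesiredDefault   = 'AvailabilityOnly'   # assumed target for this mailbox
$CalendarId       = "${Mailbox}:\Calendar"

# Organization-level ceiling: the most the relationship will ever return.
$ceiling = [string](Get-OrganizationRelationship -Identity $RelationshipName).FreeBusyAccessLevel

# Per-calendar level: federated requests carry no requester identity, so they
# are evaluated against the Default entry, not against a named user.
$defaultEntry = Get-MailboxFolderPermission -Identity $CalendarId -User Default
$defaultRight = [string]$defaultEntry.AccessRights[0]

# Rank the free/busy levels so the two can be compared; any richer role
# (Reviewer, Editor, ...) is ranked above LimitedDetails.
$rank = @{ None = 0; AvailabilityOnly = 1; LimitedDetails = 2 }
$defaultRank = if ($rank.ContainsKey($defaultRight)) { $rank[$defaultRight] } else { 3 }
$effective   = [Math]::Min($rank[$ceiling], $defaultRank)
$effectiveName = ($rank.GetEnumerator() | Where-Object { $_.Value -eq $effective }).Key

"Relationship ceiling            : $ceiling"
"Calendar Default on $Mailbox    : $defaultRight"
"Effective for federated callers : $effectiveName"

# Bring the Default entry to the intended level when it differs.
if ($defaultRight -ne $DesiredDefault) {
    Set-MailboxFolderPermission -Identity $CalendarId -User Default -AccessRights $DesiredDefault
    "Default on $Mailbox changed from $defaultRight to $DesiredDefault"
}
```

Raising the relationship level alone does nothing for a calendar whose Default entry is AvailabilityOnly, and raising the Default entry above the relationship level exposes nothing extra to federated callers but does widen what internal users see, so both values are worth reviewing together.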

According to the Web Services logs, availability requests coming from the federated organization don't contain any information about the user who is asking for it. This differs from the availability service configured with per-user availability and Active Directory trusts, as discussed in the previous blog post. Configuring a federation trust between Exchange organizations looks easier, but you pay for that with limited functionality in per-user delegation.

Unfortunately you cannot configure both options and keep them in parallel to get the best of both worlds: to be able to get Free / Busy information for users who are not in the GAL, and to provide per-user delegation for contacts that are created with the corresponding properties. Although I didn't test this option, we discussed it with some members of Exchange support, and that was our conclusion: you need to choose the one option that is more appropriate for you.

Another point discussed in the previous blog post is calendar delegation: a user wants to open a calendar from another organization, has the appropriate permissions for it, and is able to edit and respond to meetings as a delegate. In that case Outlook connects to the mailbox in the other organization directly; it works with cross-forest trusts and a properly created object in the other organization. That might work even if you have only federation sharing configured, and at least one of my customers tested it. But as this scenario is not described officially in any Microsoft documentation, I would recommend testing it carefully and preferably contacting Microsoft support to get their current opinion on the supportability of that configuration.

Summary

1. You can configure the availability service for a cross-forest environment to exchange Free / Busy availability information between Exchange organizations (works for Outlook and OWA clients). That option, together with Active Directory trusts, can provide per-user availability (i.e. delegated extended information to specific users), but it requires GAL synchronization, which can be complicated if the organization doesn't have a GAL sync solution at the moment. It doesn't require access to the internet, but there must be appropriate network access between the servers in the cross-forest organizations.

2. Federation sharing is easier to configure and doesn't require GAL sync, but it requires internet access. It's not possible to configure per-user availability in the way provided by option 1.

3. Knowing this, every organization can choose the appropriate option to configure availability.

For more information about the availability service and availability address space:

Cross Forest Free / Busy in Exchange Server Environment via Availability Address Space and Calendar Delegation

End.
