2. Allow Calendar users to see Exchange availability

Before you begin

Make sure each Exchange user:

1. Has an Exchange account with an associated mailbox.
2. Doesn't have a personal Google Account using the domain name of your organization because this can create a conflicting account. To resolve issues with conflicting accounts, go to Add users with unmanaged accounts.
3. Doesn't have a Google Workspace account or has a Google Workspace account with Google Calendar turned off.

Turn on full event detail lookups

You need to set each user’s calendar visibility to Limited details (the default visibility is Availability only).

1. If you want to set the visibility for an individual mailbox, in Exchange PowerShell enter the following command:

   Set-MailboxFolderPermission -Identity (Mailbox Folder Id Parameter:\Calendar) -User Default -AccessRights LimitedDetails

2. If you want to set the visibility for all mailboxes, enter the following command:

   ForEach ($Mailbox in @(Get-Mailbox -ResultSize Unlimited)) {Set-MailboxFolderPermission –Identity (Mailbox Folder Id Parameter:\Calendar) –User Default –AccessRights LimitedDetails}

If you're using Exchange Online (Microsoft 365), you probably don't need to make any changes. Exchange Online can accept connections from the internet by default.

1. On port 443, turn on inbound internet connectivity so Google Calendar can reach the Exchange server. This step requires a valid SSL certificate issued by a trusted public internet root Certificate Authority. For details on certificates for Exchange servers, consult your Microsoft documentation.
2. If you’re blocking external incoming network traffic, add the following address ranges to your allowlist to permit requests from Calendar Interop:
   • IPv4–Add 74.125.88.0/27 to your allowlist
   • IPv6–Add the following IP blocks to your allowlist:
     • 2001:4860:4::/64
     • 2404:6800:4::/64
     • 2607:f8b0:4::/64
     • 2800:3f0:4::/64
     • 2a00:1450:4::/64
     • 2c0f:fb50:4::/64

Google Calendar uses Exchange role accounts to authenticate with your Exchange server when it looks for availability details. For an Exchange event to be visible to Google Calendar users, it must be visible to the role accounts. If you have an existing account that you use for organization-wide availability lookups from untrusted forests, you can reuse it.

To create Exchange role accounts:

1. Set the Exchange recipient type as a user mailbox account.
2. If you create multiple role accounts, use the same password for each account.
3. If you're using basic authentication for Exchange, it's recommended that you turn off password expiration for the role account to avoid service disruption.

For more information on creating user mailboxes in an Exchange server and Exchange recipient types, consult your Microsoft documentation.

Complete this step if you're using Exchange Online (Microsoft 365). If you're using other versions of Exchange, skip to step 5.

Set up the Microsoft Azure portal

1. Register Calendar Interop in the Azure portal.

   For details, go to Microsoft’s Register an application.

2. When you register the application, leave the Supported account types and Redirect URI values at their default settings.
3. Note the application (client) ID as you need it later to set up OAuth 2.0 authentication in Google Workspace. The value is not displayed again once you leave this page.
4. Enter a client secret to set the application's credentials. For details, go to Microsoft's Add a client secret.

   If the client secret expires, calendar availability lookups from Google Calendar to Exchange Online stop working. To avoid this scenario, periodically reconfigure the client secret.

5. Click API permissionsAPIs my organization uses and, in the search box, enter Office 365 Exchange Online and press Enter.
6. Click Office 365 Exchange OnlineApplication permissions and check full_access_as_app. For details, go to Microsoft's Add permissions to access your web API.

   Tip: You can limit permissions to specific mailboxes. For details, go to Microsoft's Limiting application permissions to specific Exchange Online mailboxes.

7. Click Grant admin consent.

Locate & save the OAuth 2.0 token endpoint (v2)

1. Follow the steps in Microsoft's How to discover endpoints.

   The endpoint looks like https://login.microsoftonline.com/tenant/oauth2/v2.0/token where tenant is the friendly domain name of the Azure Active Directory tenant or the tenant's GUID.

2. Record the OAuth 2.0 token endpoint.

   You need it later to set up OAuth 2.0 authentication in Google Workspace.

1. Sign in to your Google Admin console.

   Sign in using an account with super administrator privileges (does not end in @gmail.com).

2. In the Admin console, go to Menu  AppsGoogle WorkspaceCalendar.
3. Click Calendar Interop management.
4. Check Enable Interoperability for Calendar.
5. For Type, select Exchange Web Services (EWS).
6. For Exchange Web Services URL, enter the URL of the default Exchange Web Services server endpoint associated with your Exchange server.

   For details, go to Find EWS server endpoint URL (below on this page).

7. For Exchange Role Accounts, enter the primary SMTP addresses of the Exchange role accounts in the username1@example.com format.

   If you're using more than one role account, separate the accounts with a comma.

8. Select your authentication method: Basic authentication or OAuth 2.0 client credentials.
9. Do one of the following actions:
   • When using Basic authentication for Exchange, follow these steps:
     1. Click Enter Password and enter the password for the Exchange role account or accounts.
     2. Reenter the password to confirm.
   • When using OAuth 2.0 for Exchange Online, follow these steps:
     1. For Token endpoint URL, enter the OAuth 2.0 token endpoint URL from your Azure tenant. Learn more
     2. For Application (client) ID, enter the Application ID assigned to your app during app registration.
     3. For Client secret, enter the value from the client secret assigned to your app during app registration.
10. (Optional) To add more Exchange endpoints, follow these steps:
    1. Under Additional Exchange endpoints, click Add New.
    2. Repeat steps 6–9 for each additional endpoint you’d like to add.

       Each new endpoint must have a unique domain not already used by a previously added endpoint (for example, if your organization has multiple subsidiaries or if you want to share calendar availability between trusted external partners).

11. (Optional) Select the level of detail to share:
    • Check Show event details to view event details (title, location, and so on) from Exchange and Calendar.
    • Check Room booking to schedule Exchange rooms from Calendar. You must also follow the setup steps under Allow Calendar users to book Exchange resources.
    • All Exchange endpoints respect the shared level of details.
12. Click Save

Find EWS server endpoint URL

The URL of the EWS server endpoint is the same as the URL for the Exchange server where you created the role accounts.

Examples:

• https://Exchange server hostname/ews/exchange.asmx (EWS server)
• https://outlook.office365.com/ews/exchange.asmx (Exchange Online)

To verify the URL for an on-premises Exchange server, open Exchange PowerShell and enter the following command:

Get-WebServicesVirtualDirectory | Select name, *url* | fl

If the result returns multiple URLs, use the result for ExternalUrl.

If you have multiple Exchange servers under the same domain (for example, you're using a hybrid Exchange environment) and you want to view the availability of Exchange users in your entire environment, make sure the URL is from a server that can access availability for all Exchange users.