How to Configure an Impersonating Service Account

Office 365

 

Tip

See this article to learn how to set up Impersonation in case your company uses an MS Exchange mail server

 

 

Enabling MS Exchange Impersonation for the end users consists of three stages:

I. Configure a Service Account and Apply it for RI end users as described in this article, Method 1

II. Verify the Configuration as described in this article

III. Configure Exchange Impersonation in Revenue Inbox Admin panel (described in a separate KB article)

 

 

Step I: Configure a Service Account and Apply it for RI end users

Note

Method 1, described in this article, is the recommended one, while Methods 2 and 3, provided in a separate article, are used only in specific configurations

 

The Impersonation feature is available for Microsoft Exchange Server 2013-2019 and MS Office 365 plan E3-E5. In order to set up Application Impersonation via Exchange Admin Center, the following steps should be performed.

The prerequisite is a dedicated MS Exchange mailbox used only as an impersonating service account for Revenue Inbox; it should have no other mailing functions. You could call the account MasterImpersonation, for example. See this Microsoft article to learn how to create one.

Note

The Impersonation Service email account requires a dedicated MS Exchange / Office 365 mailbox license and does not require an additional Revenue Inbox license

 

 

1. Create a Group that Includes All RI End Users’ accounts

Depending on your Org’s configuration, you may use A) a Distribution group or B) a Mail-enabled security group list.

 

A. To create a Distribution group

1.1. Log in to your Org’s Exchange Admin Center with admin credentials. This works for both MS Exchange mail accounts and Office 365 mail accounts with enabled Exchange Online

1.2. Select Groups > Active groups in the navigation pane on the left and then click Add a group in the right-hand pane


1.3. Select Distribution under Choose a group type and click Next


1.4. Enter group Name and optionally a Description, to be able to identify it


1.5. Specify the group’s settings: set its Email address and configure membership rules according to your corporate policies


1.6. Review the group’s configuration and click Create a group


1.7. Close the dialog


Alternatively,

 

B. To create a Mail-enabled security group instead

1.1. Log in to your Org’s Exchange Admin Center with admin credentials. This works for both MS Exchange mail accounts and Office 365 mail accounts with enabled Exchange Online
 

1.2. Select Groups > Active groups in the navigation pane on the left and then click Add a group in the right-hand pane


1.3. Select Mail-enabled security under Choose a group type and click Next


1.4. Enter group Name and optionally a Description, to be able to identify it


1.5. Specify the group’s settings: set its Email address and configure Communication and Approval rules according to your corporate policies


1.6. Review the group’s configuration and click Create a group


1.7. Close the dialog


2. Set the Users Group and Apply Impersonation

2.1. Open Windows PowerShell and connect to Exchange Online

In PowerShell, load the EXO V2 module by running the following command:

Import-Module ExchangeOnlineManagement 

 

Note

If the ExchangeOnlineManagement module does not exist then install the EXO V2 module first

 

The command that you need to run next uses the following syntax:

Connect-ExchangeOnline -UserPrincipalName <UPN> -ShowProgress $true [-ExchangeEnvironmentName <Value>] [-DelegatedOrganization <String>] [-PSSessionOption $ProxyOptions]

 

This sample cmdlet connects to Exchange Online PowerShell in a Microsoft 365 or Microsoft 365 GCC organization:

Connect-ExchangeOnline -UserPrincipalName [email protected] -ShowProgress $true

 


2.2. The next step depends on whether you configured A) a Distribution group or B) a Mail-enabled security group in Step 1:

 

For case A: Distribution group, enter the following lines in PowerShell one after another, replacing the placeholder values in { } with your actual values:

$groupidentity = $(Get-DistributionGroup {Replace this with the alias of your Distribution group}).DistinguishedName
New-ManagementScope -Name:"{Replace this with the Name of Scope}" -RecipientRestrictionFilter "MemberOfGroup -eq '$groupidentity'"

 


or

 

For case B: Mail-enabled security group, enter the following lines in PowerShell one after another, replacing the placeholder values in { } with your values:

$groupidentity = $(Get-Group {Replace this with the alias of your mail-enabled security group}).DistinguishedName
New-ManagementScope -Name:"{Replace this with the Name of Scope}" -RecipientRestrictionFilter "MemberOfGroup -eq '$groupidentity'"

 


2.3. After that, return to MS Exchange Admin Center and open the Roles tab and then Admin Roles in the navigation pane on the left, then click the Add role group button at the top of the right-hand pane


2.4. In the Add role group dialog that appears, enter the role group’s Name and, in the Write scope field, select the scope that you created in Step 2.2 (RIusersScope in this example)

Note

If you select the Default Write scope, Impersonation will be applied to all user accounts in the Org

 


2.5. Next, select ApplicationImpersonation under Roles:


2.6. Add members under Assign admins:


2.7. Finally, review the configuration and click the Add role group button at the bottom of the dialog to finish
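
To confirm the result of Steps 2.2 to 2.7 from PowerShell, the following added example (not part of the original article or of Revenue Inbox's own tooling) lists every ApplicationImpersonation assignment, flags any that is not limited to a custom write scope, and previews the recipients each scope matches. It assumes the Exchange Online session from Step 2.1 is still open; the function name Get-ImpersonationScopeFinding is hypothetical.

```powershell
# Added example; assumes the Connect-ExchangeOnline session from Step 2.1.
# Get-ImpersonationScopeFinding is a hypothetical helper name.
function Get-ImpersonationScopeFinding {
    param([Parameter(Mandatory, ValueFromPipeline)] $Assignment)
    process {
        # Without a custom recipient write scope the assignment uses the default
        # write scope, which the note in Step 2.4 says covers all users in the Org.
        $custom = [string]$Assignment.CustomRecipientWriteScope
        $finding = if ($custom) { 'OK: limited to a custom scope' } else { 'REVIEW: default write scope' }
        [pscustomobject]@{
            Assignment  = $Assignment.Name
            Assignee    = $Assignment.RoleAssigneeName
            WriteScope  = $Assignment.RecipientWriteScope
            CustomScope = $custom
            Finding     = $finding
        }
    }
}

# 1. All regular (non-delegating) assignments of the role and their write scope.
$findings = Get-ManagementRoleAssignment -Role ApplicationImpersonation -Delegating $false |
    Get-ImpersonationScopeFinding
$findings | Format-Table -AutoSize

# 2. For each custom scope in use, show its filter and the recipients it matches.
$findings | Where-Object CustomScope | Select-Object -ExpandProperty CustomScope -Unique |
    ForEach-Object {
        $scope = Get-ManagementScope -Identity $_
        "Scope '$($scope.Name)' filter: $($scope.RecipientFilter)"
        Get-Recipient -RecipientPreviewFilter $scope.RecipientFilter -ResultSize Unlimited |
            Select-Object DisplayName, PrimarySmtpAddress
    }

# 3. Accounts that effectively hold the role through role group membership.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers -Delegating $false |
    Select-Object EffectiveUserName, RoleAssigneeName, CustomRecipientWriteScope
```

The service account should appear only under the role group created in Step 2.4, and the recipients listed for its scope should match the membership of the RI end users' group.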


Step II: Verify the Configuration

Next, you need to test the configured Impersonating account using Microsoft Remote Connectivity Analyzer online tools:

1. Open the link https://testconnectivity.microsoft.com
2. Select Service Account Access (Developers)


3. Fill in the details for connecting to the service account:

4. Target Mailbox address: enter the service account’s email address

5. Service Account user name: enter the account’s name using the {domain}\{user name} or {user}@{domain} format

6. Service Account password and Confirm password fields: enter the service account’s password two times

Note

The security of the credentials entered for the tested account is guaranteed by Microsoft

 

7. If you are using an Exchange Web Services URL, click on “Specify Exchange Web Services URL” and enter the URL; otherwise, MS Remote Connectivity Analyzer will try to discover your EWS URL automatically

8. In the Test predefined folder field, leave the default value (“Inbox”)

9. Select Use Exchange Impersonation and under Impersonated user enter the email address of any user from the impersonated emails list

10. If necessary in your configuration, select Ignore Trust for SSL

11. Read and confirm the “I understand …” section and enter the CAPTCHA to verify that you’re not a robot


12. Click Perform test and check the test results to see if the Impersonated account works

 

 


 

 

Step III: Configure Impersonation in Revenue Inbox Admin panel

Next, proceed to the steps provided in this article to configure the Sync Engine to operate via the Impersonation account.