
How to Create an Impersonating Service Account

Office 365

Enabling MS Exchange Impersonation in Revenue Inbox consists of three steps:

I. Configure a Service Account and Apply it for RI end users (described in this article)

II. Verify the Configuration (described in this article)

III. Configure Exchange Impersonation in Revenue Inbox’s Admin panel (described in a separate KB article)

 

 

Step I: Configure a Service Account and Apply it

 

Setup Method 1: via Exchange Admin Center

The ApplicationImpersonation role is available in Microsoft Exchange Server 2010-2019 and in Office 365 / Exchange Online (for example, plan E3). Keep in mind that this role gives the service account full access to every mailbox inside its scope, so the scope should be restricted to the Revenue Inbox users rather than left at the Org-wide default. Also note that Microsoft has announced the retirement of the ApplicationImpersonation RBAC role in Exchange Online in favour of application-level RBAC; check the current Microsoft documentation for your tenant before relying on these steps. To set up Application Impersonation via the Office 365 Exchange Admin Center, perform the following steps.

Log in to the Office 365 Exchange Admin Center at https://outlook.office365.com/ecp/ with admin credentials.

 

1. Create a Distribution group containing the RI end users' accounts

1.1. Make sure you are logged in to your Org's Exchange Admin Center with admin credentials. This works both for on-premises MS Exchange mail accounts and for Office 365 mail accounts with Exchange Online enabled

 

1.2. Select recipients in the navigation pane on the left and then click groups in the right-hand pane

 

1.3. Click on the + (Add) icon and select Distribution group

 

1.4. Enter a Display name and an Alias for users group identification

 

1.5. After that, scroll down and click the + (Add) icon under Members:

 

1.6. In the dialog that appears, click the 🔍 (Search) icon and enter part of an end user's name, then select a Revenue Inbox user you want to authorize in the list and click the add -> button underneath

 

 

1.7. Add all other Revenue Inbox users to the group in the same manner and then click OK

 

1.8. Apply the changes in the distribution group by clicking Save at the bottom of the pane

 

 

2. Set the Users Group and Apply Impersonation

2.1. Open the Exchange Management Shell. You can launch it quickly by pressing the Windows hotkey and then searching for exchange in the search apps field

 

2.2. Enter the following lines in the Exchange Management Shell console one by one (replace the placeholder with the alias of the distribution group you created in step 1; parameter names must use plain ASCII hyphens):

$groupidentity = (Get-DistributionGroup {Replace this with the alias of your Distribution group}).DistinguishedName

New-ManagementScope -Name "RIusersScope" -RecipientRestrictionFilter "MemberOfGroup -eq '$groupidentity'"

The filter binds the scope to the group by its distinguished name, so accounts added to or removed from the group later automatically become or stop being impersonable.

 

2.3. Next, return to Exchange Admin Center and open the permissions tab in the navigation pane on the left, then click the + (Add) icon in the header of the right pane

 

2.4. In the New role group dialog that appears, enter a Name for the role group and set the Write scope field to the RIusersScope scope you created in step 2.2

Tip

If you leave the Default write scope, the ApplicationImpersonation right applies to every mailbox in the Org, i.e. the service account can read and act in any user's mailbox. Always select the custom scope so that impersonation is limited to the Revenue Inbox users in the distribution group.

 

2.5. Next, click the + (Add) button under Roles:

 

2.6. In the Select a Role dialog that appears, select ApplicationImpersonation in the pane on the left, then click the add -> button underneath and click OK in the bottom right corner of the dialog

 

2.7. Next, click the + (Add) button under Members:

 

2.8. In the Select Members dialog that appears, click the 🔍 (Search) icon and search for the mailbox that will act as the impersonating service account (in this example a dedicated account named Master Impersonation, found by entering master); select it, click the add -> button underneath, then click OK in the bottom right corner. Use a dedicated account for this purpose rather than an administrator's or an end user's mailbox

 

2.9. Finally, click the Save button at the bottom of the New role group dialog to apply the changes
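The same result can be produced end to end from PowerShell, which is easier to review and to repeat than the click-through above. The script below is an added example, not code from the original article or from Revenue Inbox; the group alias RIusers, the service account svc-ri-impersonation@contoso.com, the end-user addresses and the role group name RI Impersonation are assumed names for illustration (RIusersScope is the scope name the article uses).

```powershell
# Added example (not part of the original KB): PowerShell equivalent of Setup Method 1.
# Assumed names: group 'RIusers', service account 'svc-ri-impersonation@contoso.com',
# role group 'RI Impersonation'. Run in the Exchange Management Shell (on-premises)
# or in a connected Exchange Online PowerShell session.

$GroupAlias  = 'RIusers'
$ServiceUser = 'svc-ri-impersonation@contoso.com'            # assumption: service account UPN
$EndUsers    = @('alice@contoso.com', 'bob@contoso.com')     # assumption: Revenue Inbox end users
$ScopeName   = 'RIusersScope'
$RoleGroup   = 'RI Impersonation'

# 1. Distribution group that defines WHO may be impersonated.
if (-not (Get-DistributionGroup -Identity $GroupAlias -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $GroupAlias -Alias $GroupAlias -Type Distribution | Out-Null
}
foreach ($u in $EndUsers) {
    Add-DistributionGroupMember -Identity $GroupAlias -Member $u -ErrorAction SilentlyContinue
}

# 2. Management scope bound to the group's distinguished name.
#    Scopes can only be created in PowerShell; the EAC can merely select an existing one.
$groupDn = (Get-DistributionGroup -Identity $GroupAlias).DistinguishedName
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName `
        -RecipientRestrictionFilter "MemberOfGroup -eq '$groupDn'" | Out-Null
}

# 3. Role group carrying ApplicationImpersonation, write-scoped to the group.
#    Omitting -CustomRecipientWriteScope would let the service account
#    impersonate every mailbox in the organization.
if (-not (Get-RoleGroup -Identity $RoleGroup -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $RoleGroup `
        -Roles 'ApplicationImpersonation' `
        -CustomRecipientWriteScope $ScopeName `
        -Members $ServiceUser | Out-Null
}

# 4. Verify: the assignment exists, is custom-scoped, and the scope resolves
#    to the intended users only.
Get-ManagementRoleAssignment -RoleAssignee $RoleGroup -Role 'ApplicationImpersonation' |
    Format-List Name, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope

$scope = Get-ManagementScope -Identity $ScopeName
Get-Recipient -RecipientPreviewFilter $scope.RecipientFilter |
    Select-Object Name, PrimarySmtpAddress, RecipientTypeDetails
```

The checks in step 4 are the part worth keeping around: RecipientWriteScope must read CustomRecipientScope (not Organization), and the preview list must contain only Revenue Inbox users.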

 

 

Step II: Verify the Configuration

Next, you need to test the configured Impersonating account using Microsoft Remote Connectivity Analyzer online tools:

1. Open the link https://testconnectivity.microsoft.com
2. Select Service Account Access (Developers)


 

3. Fill in the details for connecting to the service account:

   Target mailbox address: the service account's email address

   Service Account user name: the account's name in the {domain}\{user name} or {user}@{domain} format

   Service Account password and Confirm password: the service account's password, entered twice

Note

This test requires the service account's real password to be typed into a web form outside your Org. Treat it as you would any other exposure of a privileged secret: use a dedicated test account where possible, or rotate the service account's password after the test, and never reuse this password elsewhere.

4. If you know your Exchange Web Services URL, click "Specify Exchange Web Services URL" and enter it; otherwise the Remote Connectivity Analyzer will try to discover the EWS URL automatically via Autodiscover

5. In the Test predefined folder field, leave the default value ("Inbox")

6. Select Use Exchange Impersonation and under Impersonated user enter the email address of a user who is inside the impersonation scope (one of the Revenue Inbox users you added to the distribution group)

7. If necessary in your configuration, select Ignore Trust for SSL. This only affects the test connection and should not be needed with a properly issued certificate

8. Read and confirm the "I understand ..." section and enter the CAPTCHA to verify that you're not a robot

9. Click Perform test and review the results. A successful run confirms that the service account can open the impersonated user's Inbox. To confirm that the scope is also correctly restricted, repeat the test with a user who is not a member of the distribution group: that run is expected to fail with an access error
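The Remote Connectivity Analyzer proves that one impersonation works; it does not tell you who else in the Org holds ApplicationImpersonation or how wide their scopes are. The following audit script is an added example (not code from the original article or from Revenue Inbox) that lists every enabled ApplicationImpersonation assignment, resolves each one's effective write scope, counts the mailboxes it can reach and flags assignments that are scoped to the whole organization. It uses only standard Exchange cmdlets and no assumed names.

```powershell
# Added example (not part of the original KB): audit all ApplicationImpersonation
# assignments and flag those that are not restricted by a custom recipient scope.
# Run in the Exchange Management Shell or a connected Exchange Online session.

$assignments = Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -Enabled $true

$report = foreach ($a in $assignments) {
    $scopeKind = $a.RecipientWriteScope     # e.g. Organization or CustomRecipientScope
    $reach     = $null

    # For a custom scope, count the mailboxes its filter currently matches.
    if ($scopeKind -eq 'CustomRecipientScope' -and $a.CustomRecipientWriteScope) {
        $scope = Get-ManagementScope -Identity $a.CustomRecipientWriteScope
        $reach = @(Get-Recipient -RecipientPreviewFilter $scope.RecipientFilter -ResultSize Unlimited).Count
    }

    # Organization-wide impersonation is the configuration to avoid for a sync service account.
    if ($scopeKind -eq 'Organization') {
        $finding = 'UNSCOPED: can impersonate every mailbox in the Org'
    } else {
        $finding = 'scoped'
    }

    [pscustomobject]@{
        Assignment   = $a.Name
        Assignee     = $a.RoleAssigneeName
        AssigneeType = $a.RoleAssigneeType        # User, RoleGroup, SecurityGroup ...
        WriteScope   = $scopeKind
        CustomScope  = $a.CustomRecipientWriteScope
        Reach        = $reach                     # $null when Org-wide (everything)
        Finding      = $finding
    }
}

$report | Sort-Object WriteScope | Format-Table -AutoSize

# When the assignee is a role group, the people who actually hold the right are its members.
foreach ($a in ($assignments | Where-Object RoleAssigneeType -eq 'RoleGroup')) {
    "Members of role group '$($a.RoleAssigneeName)':"
    Get-RoleGroupMember -Identity $a.RoleAssigneeName | Select-Object Name, PrimarySmtpAddress
}
```

Run this after the initial setup and on a schedule: a later administrator who adds a second, unscoped assignment for convenience will show up in the Finding column.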

 

 

Step III: Configure Exchange Impersonation in Revenue Inbox Admin panel

After creating a service account, proceed to the steps provided in this article to configure the Sync Engine to operate via this account.

 


 

Setup Method #2: Special Scenarios

Requirements to configure Exchange Impersonation in your Org:

• Administrative credentials for the server that is running Exchange 2013 - 2019 with the Client Access server role

• Domain Administrator credentials, or credentials for another account with the permission to create and assign roles and scopes (for example, a member of the Organization Management role group)

• Remote Exchange PowerShell available on the computer from which you will run the setup commands

 

Microsoft Exchange Server 2010-2019 uses Role-Based Access Control (RBAC) to assign permissions to accounts. You can use the New-ManagementRoleAssignment Exchange Management Shell cmdlet to assign the ApplicationImpersonation role to users in the organization.

Tip

Also refer to this Microsoft help article for complete information on account Roles.

 

When you assign the ApplicationImpersonation role, use the following parameters of the New-ManagementRoleAssignment cmdlet:

• Name - The friendly name of the role assignment. Each time you assign a role, an entry is made in the RBAC role assignments list. You can verify role assignments by using the Get-ManagementRoleAssignment cmdlet.

• Role - The RBAC role to assign. When you set up Exchange Impersonation, you assign the ApplicationImpersonation role.

• User - The impersonating mail account (the service account).

• CustomRecipientWriteScope - The scope of users that the impersonating account can impersonate. The impersonating account is only allowed to impersonate mailboxes within the specified scope. If no scope is specified, the account is granted the ApplicationImpersonation role over all users in the organization, which is the broadest possible grant. You create custom management scopes with the New-ManagementScope cmdlet.

 

 

To configure Exchange Impersonation for a shared mailbox (aliases)

1. Create a shared mailbox. If there is already a shared mailbox in your Exchange, you can skip this step.

 

2. Open Exchange Management Shell

 

3. Run the New-ManagementScope cmdlet to create a scope to which the impersonation role will be assigned. If the scope was created earlier, you can skip this step. Management scopes can be created only via PowerShell. The general form is:

New-ManagementScope -Name:scopeName -RecipientRestrictionFilter:{Recipients Filter}

The RecipientRestrictionFilter parameter defines the mailboxes in the scope. It is an OPATH filter over recipient properties such as Alias, RecipientTypeDetails, Department or MemberOfGroup.

The following command creates a scope covering mailboxes whose alias begins with "sharedmail":

New-ManagementScope -Name SharedScopeAlias -RecipientRestrictionFilter {Alias -like 'sharedmail*'}

A wildcard on Alias matches every recipient with that prefix, including user mailboxes that happen to share it. Prefer a more specific filter (for example, additionally restricting RecipientTypeDetails to shared mailboxes) and preview the scope with Get-Recipient -RecipientPreviewFilter before assigning the role.

 

4. Run the New-ManagementRoleAssignment cmdlet to grant the impersonation permission for the mailboxes within the scope created at step 3. The following command enables the service account to impersonate all users in that scope and no others.

New-ManagementRoleAssignment -Name:{Impersonation Assignment Name} -Role:ApplicationImpersonation -User:{Service Account} -CustomRecipientWriteScope:{Scope Name}

For example (the -User value is the impersonating service account, not an impersonated mailbox):

New-ManagementRoleAssignment -Name "impersonation" -Role:ApplicationImpersonation -User "ImpersonatingAcc" -CustomRecipientWriteScope "SharedScopeAlias"

 

Alternatively, if your Revenue Inbox deployment scenario requires that, you can let the impersonation service account impersonate all user accounts. This is the broadest possible grant: whoever holds the service account's credentials can then access every mailbox in the Org, so prefer a scoped assignment whenever the set of Revenue Inbox users can be enumerated. To do that:

Run the New-ManagementRoleAssignment cmdlet without a custom write scope. The following command configures Exchange Impersonation enabling a service account to impersonate all other users in an organization.

New-ManagementRoleAssignment -Name:{impersonationAssignmentName} -Role:ApplicationImpersonation -User:{ServiceAccount}

 

For example:

New-ManagementRoleAssignment -Name "impersonationrole" -Role:ApplicationImpersonation -User "ImpersonatingAcc"
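For the shared-mailbox scenario above, the step that is easy to skip is checking what the filter actually matches before the role is granted. The script below is an added example, not code from the original article or from Revenue Inbox: it builds a filter that combines the article's alias prefix with the recipient type, previews the matching mailboxes, refuses to create an empty scope, and only then creates the scoped assignment. The scope name SharedScopeAlias comes from the article; the assignment name RI-SharedMailboxImpersonation and the service account svc-ri-impersonation@contoso.com are assumed names.

```powershell
# Added example (not part of the original KB): filter-based scope for shared mailboxes,
# previewed before ApplicationImpersonation is assigned.
# Assumed names: assignment 'RI-SharedMailboxImpersonation',
# service account 'svc-ri-impersonation@contoso.com'.

$ScopeName      = 'SharedScopeAlias'
$AssignmentName = 'RI-SharedMailboxImpersonation'
$ServiceUser    = 'svc-ri-impersonation@contoso.com'

# Two conditions tighten the filter: the alias prefix the article uses AND the
# recipient type, so a user mailbox that happens to be aliased 'sharedmail-x'
# does not become impersonable.
$filter = "(Alias -like 'sharedmail*') -and (RecipientTypeDetails -eq 'SharedMailbox')"

# Dry run: exactly which recipients would this scope expose?
$preview = @(Get-Recipient -RecipientPreviewFilter $filter -ResultSize Unlimited)
if ($preview.Count -eq 0) {
    throw "Filter matched no recipients; refusing to create an empty scope."
}
$preview | Select-Object Name, Alias, PrimarySmtpAddress, RecipientTypeDetails | Format-Table -AutoSize

# Create the scope and the scoped role assignment (both idempotent).
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $filter | Out-Null
}
if (-not (Get-ManagementRoleAssignment -Identity $AssignmentName -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Name $AssignmentName `
        -Role 'ApplicationImpersonation' `
        -User $ServiceUser `
        -CustomRecipientWriteScope $ScopeName | Out-Null
}

# Confirm the service account's effective write scope is the custom one, not Organization.
Get-ManagementRoleAssignment -RoleAssignee $ServiceUser -Role 'ApplicationImpersonation' |
    Format-List Name, RecipientWriteScope, CustomRecipientWriteScope
```

Because the scope is filter-based, a newly created shared mailbox whose alias starts with sharedmail becomes impersonable automatically; re-run the preview whenever shared mailboxes are added to make sure that is still what you intend.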

 

 

Configure the management scope (via PowerShell)

Granting impersonation access to a limited set of Exchange users is more complex than granting access to all users in an Org. In Exchange this requires creation of a Management Scope which identifies the users that Impersonation will apply to. Management scopes bound to a group use the full distinguished name of the distribution group.

1. Connect to Exchange PowerShell. The three commands originally given here open a legacy remote session to Exchange Online using Basic authentication:
$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/PowerShell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session

Microsoft has retired Basic authentication for Exchange Online remote PowerShell, so in a current tenant this session will fail. Install the ExchangeOnlineManagement module and connect with modern authentication instead, e.g. Connect-ExchangeOnline -UserPrincipalName admin@yourtenant.onmicrosoft.com (the UPN is a placeholder for your admin account; MFA is supported). For on-premises Exchange, simply open the Exchange Management Shell.

 

4. Check the current Management Scopes:
Get-ManagementScope | fl

 

5. Next, get the group we are going to use, for example a group created specifically for the Office 365 accounts:
$Group = Get-Group "ManagementScopeO365Group"

 

6. Now get the distinguished name of the group, as we will need it for the next command
$Group.DistinguishedName

  You will see output similar to the following (the group GUID and the Exchange Online forest values will differ in your tenant):

CN=ManagementScopeO365Group_XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX,OU=YourServer.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR01A003,DC=prod,DC=outlook,DC=com

 

7. Create a New Management Scope:

New-ManagementScope -Name "YourServiceAccount" -RecipientRestrictionFilter {MemberOfGroup -eq "your-distinguished-group-value-here"}

In a sample case:

New-ManagementScope -Name "YourServiceAccount" -RecipientRestrictionFilter {MemberOfGroup -eq "CN=ManagementScopeO365Group_XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX,OU=YourServer.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR01A003,DC=prod,DC=outlook,DC=com"}

  8. Now that the Management Scope exists, verify which users it resolves to. First retrieve the scope object:
$myMS = Get-ManagementScope -Identity "YourServiceAccount"

  9. Then preview the recipients that match its filter. The list should contain exactly the users you added to the distribution group:
Get-Recipient -RecipientPreviewFilter $myMS.RecipientFilter

Name          RecipientType
----          -------------
admin         UserMailbox
CSM_Test01    UserMailbox
CSM_Test02    UserMailbox

If an account appears here that should not be impersonable (an administrator account, for instance), remove it from the distribution group before assigning the role.

 

 

 


 

Setup Method #3: Alternative Procedure

This guide is based on this Microsoft help article.

There are two ways to configure an MS Exchange impersonating account:

I. Using PowerShell Exchange Management cmdlets:
• Works in Exchange 2013 - 2019 as well as Office 365
• Provides the maximum level of control: scopes, filters and role assignments can all be created here

 or

II. Using the Exchange Admin Center Web UI:
• Works in Exchange 2013 - 2019 as well as in Office 365
• The easier way to go; however, the EAC can only select an existing management scope, so restricting Impersonation to a subset of users still requires creating that scope in PowerShell. Without a custom write scope, Impersonation applies to all users in the Org
 

Set up Impersonation in Office 365 (Exchange Online) using Exchange PowerShell

Prerequisites:

  • Administrative credentials for the Exchange server
  • Domain Administrator credentials, or other credentials with the permission to create and assign roles and scopes
  • Exchange management tools installed on the computer from which you will run the commands

 

How to configure impersonation for all Exchange users in an Org

If you are familiar with Windows PowerShell and want to grant application impersonation rights in Office 365 using PowerShell, the steps below show how to give impersonation rights over all Office 365 users of your organization with the following commands:

1. Open Exchange Management Shell and click All Programs from the Start menu > Microsoft Exchange Server

 

2. Run the New-ManagementRoleAssignment cmdlet to configure the impersonation permission to the required user. The following example will show you how to grant Application impersonation to enable a service account to impersonate all other users in an organization.

New-ManagementRoleAssignment -name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount

 

 

To assign the application impersonation role for the specific users or groups of users, you need to run the following commands.

1. Open the Exchange Management Shell > Choose All Programs from the Start menu > Microsoft Exchange Server.

 

2. Run the New-ManagementScope cmdlet to create a scope to which the impersonation role can be assigned. You can skip this step if an existing scope is available. The following example shows how to create a management scope for a specific group.

New-ManagementScope -Name:scopeName -RecipientRestrictionFilter:recipientFilter

 

3. Run the New-ManagementRoleAssignment cmdlet to configure the permission to impersonate the users of the specified scope.

New-ManagementRoleAssignment -Name:impersonationAssignmentName  -Role:ApplicationImpersonation -User:serviceAccount  -CustomRecipientWriteScope:scopeName