
How to Create an Impersonating Service Account

Office 365

Enabling MS Exchange Impersonation in SmartCloud Connect consists of three steps:

  • Configure a MS Exchange or Office 365 Service Account (described in this article)

  • Verify your configuration (described in this article)

  • Set up Impersonation configuration in SmartCloud Connect (described in a dedicated KB article)

 

Create a Service Account in MS Exchange 2010, 2013, 2016, 2019

This guide is based on this Microsoft guide.

There are two ways to configure a MS Exchange Impersonated account:

I. Using PowerShell Exchange Management cmdlets:
• Works in Exchange 2010 - 2019 as well as Office 365
• Provides a maximum level of account control

 

II. Using Exchange Admin Center Web UI:
• Works in Exchange 2013 - 2019 as well as Office 365
• The easier way to go; however, allows configuring Impersonation only for all users in an Org

 

Microsoft Exchange Server 2010/2013 uses Role-Based Access Control (RBAC) to assign permissions to accounts. You can use the New-ManagementRoleAssignment Exchange Management Shell cmdlet to assign the ApplicationImpersonation role to users in the organization.

When you assign the ApplicationImpersonation role, use the following parameters of the New-ManagementRoleAssignment cmdlet:

Name - The friendly name of the role assignment. Each time you assign a role, an entry is made in the RBAC roles list. You can verify role assignments by using the Get-ManagementRoleAssignment cmdlet.

Role - The RBAC role to assign. When you set up Exchange Impersonation, you assign the ApplicationImpersonation role.

User - The impersonating mail account.

CustomRecipientWriteScope - The scope of users that the impersonating user can impersonate. The impersonating user is allowed to impersonate only users within the specified scope. If no scope is specified, the user is granted the ApplicationImpersonation role over all users in the organization. You can create custom management scopes using the New-ManagementScope cmdlet.

 

Prerequisites

Requirements to configure Exchange Impersonation in your Org:

• Administrative credentials for the computer running Exchange 2010/2013/2016/2019 that has the Client Access server role installed.

• Domain Administrator credentials, or credentials for another account type with the permission to create and assign roles and scopes.

• Remote Exchange PowerShell installed on the computer from which you will run the setup commands.

 

Procedure

To configure Exchange Impersonation for all users in an Org

1. Open Exchange Management Shell.

 

2. Run the New-ManagementRoleAssignment cmdlet to grant impersonation permissions to the specified mail account. The following command configures Exchange Impersonation so that a service account can impersonate all other users in the organization.

New-ManagementRoleAssignment -Name:{impersonationAssignmentName} -Role:ApplicationImpersonation -User:{ServiceAccount}

 

For example:

New-ManagementRoleAssignment -Name "impersonationrole" -Role:ApplicationImpersonation -User "ImpersonatingAcc"

 

To configure Exchange Impersonation for a specific shared mailbox (aliases)

1. Create a shared mailbox. If there is already a shared mailbox in your Exchange, you can skip this step.

 

2. Open Exchange Management Shell

 

3. Run the New-ManagementScope cmdlet to create the scope to which the impersonation role will be assigned. If the scope was created earlier, you can skip this step. The following example shows how to create a management scope for a specific group of mailboxes; a management scope can be created only via PowerShell.

New-ManagementScope -Name:scopeName -RecipientRestrictionFilter:{Recipients Filter}

The RecipientRestrictionFilter parameter of the New-ManagementScope cmdlet defines which mailboxes are in the scope. The filter is built from filterable recipient properties (for example, Alias).

 

The following command creates a scope covering the mailboxes whose alias begins with “sharedmail”:

New-ManagementScope -Name SharedScopeAlias -RecipientRestrictionFilter {Alias -like 'sharedmail*'}

 

4. Run the New-ManagementRoleAssignment cmdlet to grant impersonation permissions for the mailboxes within the scope created at step 3. The following command enables the service account to impersonate all users in this scope.

New-ManagementRoleAssignment -Name:{Impersonation Assignment Name} -Role:ApplicationImpersonation -User:{Service Account} -CustomRecipientWriteScope:{Scope Name}

 

For example:

New-ManagementRoleAssignment -Name "impersonation" -Role:ApplicationImpersonation -User "ImpersonatingAcc" -CustomRecipientWriteScope "SharedScopeAlias"
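As an added worked example (not code from the original article or from the SmartCloud Connect documentation), the following script runs the scoped procedure above end to end in the Exchange Management Shell and then verifies the result with Get-ManagementRoleAssignment, the cmdlet the parameter description names for checking role assignments. The service account name svc-smartcloud and the assignment name SmartCloudConnect-Impersonation are assumed; SharedScopeAlias and the 'sharedmail*' alias prefix are the values used in the article.

```powershell
# Added example, not from the original article. Run inside the Exchange
# Management Shell on a server holding the Client Access role.
# Assumed values:
#   svc-smartcloud                  - the impersonating service account (hypothetical)
#   SmartCloudConnect-Impersonation - the role assignment name (hypothetical)
#   SharedScopeAlias / 'sharedmail*' - scope name and alias prefix from the article

$ServiceAccount = "svc-smartcloud"
$ScopeName      = "SharedScopeAlias"
$AssignmentName = "SmartCloudConnect-Impersonation"

# Step 3 of the article: create the scope only if it does not exist yet.
# The filter restricts the scope to mailboxes whose alias starts with "sharedmail".
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter { Alias -like 'sharedmail*' }
}

# Step 4 of the article: assign ApplicationImpersonation, limited to that scope.
# Without -CustomRecipientWriteScope the account could impersonate every mailbox.
if (-not (Get-ManagementRoleAssignment -Identity $AssignmentName -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Name $AssignmentName `
        -Role ApplicationImpersonation `
        -User $ServiceAccount `
        -CustomRecipientWriteScope $ScopeName
}

# Verification: the assignment must reference the scope and be enabled.
Get-ManagementRoleAssignment -Identity $AssignmentName |
    Format-List Name, Role, RoleAssigneeName, CustomRecipientWriteScope, Enabled

# Preview exactly which recipients the scope filter matches. RecipientFilter on
# the scope object is the OPATH string that New-ManagementScope stored.
Get-Recipient -Filter (Get-ManagementScope -Identity $ScopeName).RecipientFilter |
    Select-Object Name, Alias, RecipientTypeDetails
```

The final Get-Recipient call is worth running before the assignment is put to use: a filter that is broader than intended silently widens the set of mailboxes the service account can act as, and the assignment itself gives no hint of that.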

 

Create a Service Account in Office 365

 

How to Configure Impersonation in Office 365 using Exchange Admin Center

After creating a service account, proceed to the steps provided in this article to configure SmartCloud Connect to work via this account.

The Impersonation feature is available for Microsoft Exchange Server 2007-2019 and Microsoft Office 365 plan E3. In order to set up Application Impersonation via Office 365 Exchange Admin Center, the following steps should be performed.

1. Log in to the Office 365 Exchange Admin Center at https://outlook.office365.com/ecp/ with admin credentials

 

2. Go to Permissions in the navigation tree, and on the Admin roles tab click the + icon to create a new role group.

 

3. In the dialog that opens:

    3.1. Type a reference Name and Description in the corresponding fields
    3.2. Select “SharedScopeAlias” in the Write scope field
    3.3. Select “ApplicationImpersonation” under Roles, then click + and OK

 

    3.4. Under Members:, click + and select the Impersonating service account that you will be using, then click OK

 

4. After you set up the Roles and Members, click the Save button at the bottom of the dialog.

 

5. Test the configured Impersonation account using Microsoft Remote Connectivity Analyzer online tools:

    5.1. Open the link https://testconnectivity.microsoft.com
    5.2. Select Service Account Access (Developers)


 

    5.3. Fill in the details for connecting to the service account:

        5.3.1. Target Mailbox address: enter the service account’s email address

        5.3.2. Service Account user name: enter the account’s name in the {domain}\{user name} or {user}@{domain} format

        5.3.3. Service Account password and Confirm password fields: enter the service account’s password twice

Note

The security of the tested account’s credentials that you enter is guaranteed by Microsoft.

        5.3.4. If you are using an Exchange Web Services URL, click “Specify Exchange Web Services URL” and enter the URL; otherwise MS Remote Connectivity Analyzer will try to discover your EWS URL automatically

        5.3.5. In the Test predefined folder field, leave the default value (“Inbox”)

        5.3.6. Select Use Exchange Impersonation and under Impersonated user enter the email address of any user from the impersonated mailboxes list

        5.3.7. If needed, select Ignore Trust for SSL

        5.3.8. Read and confirm the “I understand …” section and enter the CAPTCHA to verify that you’re not a robot


6. Click Perform test and review the results to confirm that the impersonating service account was set up successfully

   

Setting up Impersonation in Office 365 (Exchange Online) using Exchange PowerShell

Prerequisites:

  • Administrative credentials for the Exchange server.
  • Domain Administrator credentials, or other credentials with the permission to create and assign roles and scopes.
  • Exchange management tools installed on the computer from which you will run the commands.
     

How to configure impersonation for all Exchange users in an Org?

If you are familiar with Windows PowerShell and want to grant application impersonation rights in Office 365 using PowerShell, the steps below show how to give impersonation rights over all Office 365 users in your organization with the following commands:

1. Open the Exchange Management Shell > Choose All Programs from the Start menu > Microsoft Exchange Server.
2. Run the New-ManagementRoleAssignment cmdlet to configure the impersonation permission to the required user. The following example will show you how to grant Application impersonation to enable a service account to impersonate all other users in an organization.

New-ManagementRoleAssignment -name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount

 

How to set up impersonation for specific users or groups of users

To assign the application impersonation role for the specific users or groups of users, you need to run the following commands.

1. Open the Exchange Management Shell > Choose All Programs from the Start menu > Microsoft Exchange Server.
2. Run the New-ManagementScope cmdlet to create a scope to which the impersonation role can be assigned. You can skip this step if an existing scope is available. The following example shows how to create a management scope for a specific group.

New-ManagementScope -Name:scopeName -RecipientRestrictionFilter:recipientFilter

3. Run the New-ManagementRoleAssignment cmdlet to configure the permission to impersonate the users of the specified scope.

New-ManagementRoleAssignment -Name:impersonationAssignmentName  -Role:ApplicationImpersonation -User:serviceAccount  -CustomRecipientWriteScope:scopeName
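As an added example (not part of the original article), the following script, run against Exchange Online with the ExchangeOnlineManagement module, lists every existing ApplicationImpersonation assignment and separates scoped grants from organization-wide ones, so that the assignment created by the steps above can be reviewed alongside any that already existed. Connect-ExchangeOnline is assumed as the connection method; no account or scope names are assumed, the output simply reflects what is present in the tenant.

```powershell
# Added example, not from the original article. Assumes the
# ExchangeOnlineManagement module is installed and the signed-in admin can
# read role assignments. Nothing here changes configuration; it only reports.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in; omit if a session already exists

# Every assignment of the ApplicationImpersonation role, whatever the assignee type
# (user, role group, or policy).
$assignments = Get-ManagementRoleAssignment -Role ApplicationImpersonation

$report = foreach ($a in $assignments) {
    # An empty CustomRecipientWriteScope means the assignee can impersonate
    # every mailbox in the organization (see the CustomRecipientWriteScope
    # parameter description earlier in the article).
    $orgWide = -not $a.CustomRecipientWriteScope
    [pscustomobject]@{
        Assignment = $a.Name
        Assignee   = $a.RoleAssigneeName
        Type       = $a.RoleAssigneeType
        Scope      = if ($orgWide) { "<entire organization>" } else { [string]$a.CustomRecipientWriteScope }
        Enabled    = $a.Enabled
    }
}

# Full listing, scoped grants first, org-wide grants grouped together.
$report | Sort-Object Scope | Format-Table -AutoSize

# Call out the org-wide grants separately so each one can be justified or
# narrowed to a management scope.
$report | Where-Object { $_.Scope -eq "<entire organization>" } |
    ForEach-Object { Write-Warning "Org-wide impersonation: $($_.Assignee) via '$($_.Assignment)'" }

# For the scoped grants, show the filter behind each scope so the reviewer can
# judge whether it is as narrow as the name suggests.
$report | Where-Object { $_.Scope -ne "<entire organization>" } |
    Select-Object -ExpandProperty Scope -Unique |
    ForEach-Object { Get-ManagementScope -Identity $_ | Select-Object Name, RecipientFilter }
```

Running this after the assignment steps above gives a single view of who can impersonate whom. The assignment created for the service account should appear with the scope you intended; any pre-existing org-wide grants that nobody can account for are the ones to revisit, since each of them carries the same mailbox-wide reach as an unscoped assignment made by the command above.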
