Impersonation Rights in Exchange
To integrate Exchange with Eptura Workplace, you first need to create a service account with impersonation rights in Exchange. A service account is simply an account that can be used for an Exchange Web Services connection. It can be any account with a mailbox. This account is used to impersonate other user accounts, allowing it to access and sync mailboxes for existing Exchange users.
Your Office 365 administrator needs to use the following procedure to add a new service account and grant the account the "ApplicationImpersonation" role, which is used to impersonate users from the Office 365 Exchange Admin Center.
It is recommended that you limit the scope of access granted to your service account based on your team's security needs. Before assigning your service account the ApplicationImpersonation role using the Enabling the Service Account procedure, you should update which account types the service account is allowed to impersonate. At a minimum, we recommend including all room resource accounts you plan on integrating with Eptua Workplace. For more information on limiting the scope of access for your service account, refer to the Limiting the Scope of Access procedure.
Add a New User
- Sign in to Office 365 with your administrator credentials, https://login.microsoftonline.com/
- Click the App Launcher icon in the upper-left corner.
- Select the Admin option. The Admin Center screen displays.
- Select + Add a User in the Users section to add a new user.
The New User screen displays.
- In the New User screen, populate the necessary fields to create the service account. Make sure to uncheck the Make this user change their password with Outlook Web App on next login check box.
- Click the Add button to add the new service account. The service account is added.
Enable the Service Account
Now that you have a generic user account defined, you can assign the "ApplicationImpersonation" role to the account so it can act as a service account for your other user's mailboxes. Use the following procedure to apply this role to the service account.
- Sign in to Office 365 with your administrator credentials, https://login.microsoftonline.com/
- Access the Exchange Admin Center by click the Exchange option from the Admin Centers section in the sidebar menu. The Exchange Admin Center screen displays. This screen can also be accessed at https://outlook.office365.com/ecp/.
- In the Permissions section, click the Admin Roles option.
- Click the + (Plus Sign) button to create a new Role group. The New Role Group window displays.
- In the New Role Group screen, in the Name field, enter in a name. For simplicity, we recommend you enter ApplicationImpersonation as the name for the "ApplicationImpersonation" role group.
- Click the + (Plus Sign) button in the Roles section to assign the ApplicationImpersonation role to the new role group. The Select a Role screen displays.
- In the Select a Role window, highlight the ApplicationImpersonation role, click the Add button, and then click the OK button to assign the role to the new group. ApplicationImpersonation displays in the Roles section on the New Role Group screen.
- Click the + (Plus Sign) button in the Members section on the New Role Group screen to assign your generic user account as a service account to use with Exchange. The Select Members window displays.
- On the Select a User window, highlight your generic user account, click the Add button.
- Click the OK button to assign the user to the new role group. The user account displays in the Members section on the New Role Group screen.
- Click the Save button on the New Role Group window to save your entries and create the new role group. You have successfully created your service account, and the generic account you created can now act as your service account to impersonate other user's mailboxes configured in Exchange.
The validity of the role applied and the permissions of the user can be tested using the Microsoft Remote Connectivity Analyzer.
Limit the Scope of Access
If your organization requires you to limit the scope of access for the Exchange Web Services connection, use the following procedure. By limiting the scope, the service account will only have access to room calendars.
If you need more information on configuring impersonation for specific users or groups, https://msdn.microsoft.com/en-us/library/office/dn722376(v=exchg.150).aspx.
- Access the Exchange Management Shell and run the following command: New-ManagementScope -Name "ResourceMailboxes" -RecipientRestrictionFilter {RecipientTypeDetails -eq "RoomMailbox"}
New-ManagementScope -Name "ResourceMailboxes" -RecipientRestrictionFilter {RecipientTypeDetails -eq "RoomMailbox"}
This command creates a new management scope for your impersonation account, limiting access to only the rooms/equipment required for the integration.
- When assign the ApplicationImpersonation role to the service account, run the following command and make sure to enter the name of your service account in place of YOURSERVICEACCOUNTUSERNAMEHERE in the command:
New-ManagementRoleAssignment –Name "ResourceImpersonation" –Role ApplicationImpersonation –User "YOURSERVICEACCOUNTUSERNAMEHERE" –CustomRecipientWriteScope "ResourceMailboxes"
The service account will be limited to only the necessary room calendars and equipment.