Impersonation Rights in Exchange
To integrate Exchange with iOFFICE, you first need to create a service account with impersonation rights in Exchange. A service account is simply an account that can be used for an Exchange Web Services connection. It can be any account with a mailbox. This account is used to impersonate other user accounts, allowing it to access and sync mailboxes for existing Exchange users.
Your Office 365 administrator should use the following procedures to add a new service account and, from the Office 365 Exchange Admin Center, grant that account the "ApplicationImpersonation" role, which allows it to impersonate other users.
Important! - It is recommended that you limit the scope of access granted to your service account based on your team's security needs. Before assigning your service account the ApplicationImpersonation role using the Enabling the Service Account procedure, you should update which account types the service account is allowed to impersonate. At a minimum, we recommend including all room resource accounts you plan on integrating with iOFFICE. For more information on limiting the scope of access for your service account, refer to the Limiting the Scope of Access procedure.
Adding a New User
- Sign in to Office 365 with your administrator credentials.
- Access the Office 365 admin center by clicking the App Launcher icon in the upper-left corner.
- Select the Admin option. The Admin Center screen displays.
- Select + Add a User in the Users section to add a new user. The New User window displays.
- On the New User window, populate the necessary fields to create the service account. Be sure to clear the Make this user change their password with Outlook Web App on next login check box.
- Click the Add button to add the new service account. The service account is added.
For more information on adding users in Office 365, refer to How to Add users individually to Office 365 - Admin Help.
Enabling the Service Account
Now that you have a generic user account defined, you can assign the "ApplicationImpersonation" role to the account so it can act as a service account for your other users' mailboxes. Use the following procedure to apply this role to the service account.
- Access the Exchange Admin Center by selecting the Exchange option from the Admin Centers section in the sidebar menu. The Exchange Admin Center screen displays. This screen can also be accessed at https://outlook.office365.com/ecp/.
Note: You may need to sign in to Office 365 with your administrator credentials.
- Select the Admin Roles option in the Permissions section.
- Click the + (Plus Sign) button above the table to create a new Role group. The New Role Group window displays.
- On the New Role Group window, type in a name in the Name field. For simplicity, we recommend you enter ApplicationImpersonation as the name for the "ApplicationImpersonation" role group.
- Click the + (Plus Sign) button in the Roles section to assign the ApplicationImpersonation role to the new role group. The Select a Role window displays.
- On the Select a Role window, highlight the ApplicationImpersonation role, click the Add button, and then click the OK button to assign the role to the new group. ApplicationImpersonation displays in the Roles section on the New Role Group window.
- Similarly, click the + (Plus Sign) button in the Members section on the New Role Group window to assign your generic user account as a service account to use with Exchange. The Select Members window displays.
- On the Select a User window, highlight your generic user account, click the Add button, and then click the OK button to assign the user to the new role group. The user account displays in the Members section on the New Role Group window.
- Click the Save button on the New Role Group window to save your entries and create the new role group. You have successfully created your service account, and the generic account you created can now act as your service account to impersonate other users' mailboxes configured in Exchange.
Note: The validity of the role applied and the permissions of the user can be tested using the Microsoft Remote Connectivity Analyzer.
Limiting the Scope of Access
If your organization requires you to limit the scope of access for the Exchange Web Services connection, use the following procedure. By limiting the scope, the service account will only have access to room calendars.
Note: If you need more information on configuring impersonation for specific users or groups, refer to Microsoft's Exchange documentation on that topic.
- Access the Exchange Management Shell and run the following command:
New-ManagementScope -Name "ResourceMailboxes" -RecipientRestrictionFilter {RecipientTypeDetails -eq "RoomMailbox"}
This command creates a new management scope for your impersonation account, limiting access to only the rooms/equipment required for the integration.
- When assigning the ApplicationImpersonation role to the service account, run the following command and be sure to enter the name of your service account in place of YOURSERVICEACCOUNTUSERNAMEHERE in the command:
New-ManagementRoleAssignment -Name "ResourceImpersonation" -Role ApplicationImpersonation -User "YOURSERVICEACCOUNTUSERNAMEHERE" -CustomRecipientWriteScope "ResourceMailboxes"
The service account will be limited to only the necessary room calendars and equipment.
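The following is an added example, not part of the iOFFICE documentation or any Microsoft sample. It carries the scoped assignment above through to the verification step that the Enabling the Service Account note only mentions in passing: it previews what the scope filter matches, creates the scoped assignment with plain ASCII hyphens, and then lists every ApplicationImpersonation assignment so an administrator can confirm the service account has no unscoped (organization-wide) grant, such as one inherited from a role group created in the Admin Center. It goes slightly beyond the page's filter: because equipment mailboxes have the RecipientTypeDetails value EquipmentMailbox rather than RoomMailbox, the page's filter alone does not cover equipment calendars, so the example includes both. The service account UPN, admin UPN and tenant name are constructed placeholders, and the example assumes the ExchangeOnlineManagement module is installed.

```powershell
# Added example (not iOFFICE's or Microsoft's own code).
# Assumes the ExchangeOnlineManagement module is installed. All account
# names below are constructed placeholders; replace them with your own.
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.example"

$ServiceAccount = "svc-ioffice@contoso.example"   # placeholder service account UPN
$ScopeName      = "ResourceMailboxes"
$AssignmentName = "ResourceImpersonation"

# 1. Preview what the scope filter will match BEFORE granting anything.
#    RoomMailbox and EquipmentMailbox are distinct RecipientTypeDetails
#    values, so a RoomMailbox-only filter excludes equipment calendars.
Get-Recipient -RecipientTypeDetails RoomMailbox, EquipmentMailbox |
    Select-Object DisplayName, PrimarySmtpAddress, RecipientTypeDetails

# 2. Create the management scope (extended here to cover both types).
New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter {
    (RecipientTypeDetails -eq "RoomMailbox") -or
    (RecipientTypeDetails -eq "EquipmentMailbox")
}

# 3. Assign ApplicationImpersonation directly to the user, bound to the scope.
#    A direct assignment avoids creating a role group whose members would
#    otherwise receive an organization-wide write scope.
New-ManagementRoleAssignment -Name $AssignmentName `
    -Role ApplicationImpersonation `
    -User $ServiceAccount `
    -CustomRecipientWriteScope $ScopeName

# 4. Verify the assignment carries the custom scope.
Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount -Role ApplicationImpersonation |
    Format-Table Name, Role, RoleAssigneeType, RecipientWriteScope, CustomRecipientWriteScope

# 5. Audit: list every ApplicationImpersonation assignment in the tenant that
#    has NO custom recipient write scope. Any role group listed here (for
#    example one created through the Admin Center procedure) grants its
#    members tenant-wide impersonation and should be scoped or removed.
Get-ManagementRoleAssignment -Role ApplicationImpersonation |
    Where-Object { -not $_.CustomRecipientWriteScope } |
    Format-Table Name, RoleAssignee, RoleAssigneeType, RecipientWriteScope
```

Run steps 1 and 5 first on an existing tenant: step 1 shows exactly which mailboxes the service account will be able to act on, and step 5 reveals whether the account already holds a broader grant through a role group, in which case the scoped assignment adds nothing until that grant is removed with Remove-ManagementRoleAssignment or the group membership is changed. Note that Microsoft has announced the retirement of the ApplicationImpersonation role in Exchange Online in favour of RBAC for Applications, so check current Microsoft guidance before relying on these cmdlets in a new tenant.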