Exchange impersonation: Grant permissions to service accounts

Many organizations use software that needs access to users' mailboxes. In this case, it makes sense to assign the necessary permissions centrally. Exchange provides the impersonation role for this, which can act on behalf of the respective users.

Author
Recent Posts

Roland Eich

Roland Eich is an IT specialist for system integration and has been working in IT for over 10 years as a system administrator. His areas of expertise are Windows Server and IT infrastructures. Certifications: MCITP EA, MCSA and MCSE.

Options for granting permissions

Basically, Exchange provides three options to grant users permissions to other users' mailboxes:

Folder permissions, when you want to grant a user access to a folder, but you don't want that user to be able to "send on behalf of" another user.
Delegation, when you want a user to perform work on behalf of another user (for example, an executive assistant handling the manager's calendar). This can also be done centrally using PowerShell.
Impersonation in a service application that needs to access multiple mailboxes and act as the owner of the mailbox.

For our requirement, an impersonation role can be configured centrally on the Exchange Server. This works on both Exchange on-prem and Exchange Online.

For security reasons, the service account will not be authorized to access the entire organization. This would automatically affect critical positions, such as a CxO. Instead, you can use filters to adjust identity roles accordingly.

Use impersonation roles

Impersonation can be configured via Exchange PowerShell. Using the cmdlet

Get-ManagementRoleAssignment -Role:ApplicationImpersonation

you can first check to see if there are already any impersonation roles.

Display currently configured impersonation roles

To create a new impersonation role, use the following cmdlet:

New-ManagementRoleAssignment -Role:ApplicationImpersonation `
-User: ServiceUser@rolandeich.onmicrosoft.com

Creating a new impersonation role using PowerShell

Now you can further restrict the permissions of the service user with the RecipientTypeDetails parameter, in this example, to rooms:

New-ManagementScope -Name "ApplicationImpersonation-ServiceUser" `
-RecipientRestrictionFilter {RecipientTypeDetails -eq "RoomMailbox"}

Restrict service account permissions to room mailboxes

Further filtering would also be possible for all user mailboxes, for example:

RecipientRestrictionFilter "RecipientType -eq 'UserMailbox'"

The following example shows the restriction of permissions to the members of a group:

New-ManagementScope "ApplicationImpersonation-ServiceUser" `
-RecipientRestrictionFilter "MemberOfGroup -eq '$($GroupDistinguishedName)'"

More detailed information on the filtering options can be found on Microsoft Docs .

However, if you are planning to migrate to Exchange Online and have created on-prem filters at the organization level (OU) or directly for servers, they will not work in Exchange Online because there are no OUs there.

Basically, the configuration of an impersonation role is now complete. In practice, however, it often happens that different service users need to access calendars. In this case, it is more efficient to give permissions to a group that then contains the service users:

New-ManagementRoleAssignment -Name GroupImpersonation `
-Role ApplicationImpersonation -User ServiceUser@rolandeich.onmicrosoft.com `
-CustomRecipientWriteScope "ApplicationImpersonation-ServiceUser"