Impersonation Setup: Hybrid Scenarios¶
For users of the Email Sidebar on:
7 min read
[the article is work-in-progress]
This guide is intended for Exchange Impersonation setup special scenarios for hybrid environments, where the typical scenarios for Office 365 or MS Exchange cannot be applied.
Enabling MS Exchange Impersonation for the end users consists of three stages:
I. Configure a Service Account and Apply it for RGES end users as described in this article, Method 1
II. Verify the Configuration as described in this article
III. Configure Exchange Impersonation in RG Email Sidebar Admin panel (described in a separate KB article)
Step I: Configure a Service Account and Apply it for RGES end users¶
Note
There are three methods how to set up Impersonation, Method 1 described in a dedicated article is the recommended one, while Methods 2 and 3 in this article are only used in specific configurations
Setup Method #2 (alternative): via RBAC¶
Requirements to configure Exchange Impersonation in your Org:
• Administrative credentials for the server PC that is running Exchange 2013 - 2019 with the Client Access server role
• Domain Administrator credentials, or credentials for another account type with the permission to create and assign roles and scopes
• Remote Exchange PowerShell installed on the computer from which you will run the setup commands
Microsoft Exchange Server 2010-2019 uses Role-Based Access Control (RBAC) to assign permissions to accounts. You can use the New-ManagementRoleAssignment Exchange Management Shell cmdlet to assign the ApplicationImpersonation role to users in the organization.
Tip
Also refer to this Microsoft help article for complete information on account Roles
When you assign the ApplicationImpersonation role, use the following parameters of the New-ManagementRoleAssignment cmdlet:
• Name - The friendly name of the role assignment. Each time you assign a role, an entry is made in the RBAC roles list. You can verify role assignments by using the Get-ManagementRoleAssignment cmdlet.
• Role - The RBAC role to assign. When you set up Exchange Impersonation, you assign the ApplicationImpersonation role.
• User - The impersonating mail account.
• CustomRecipientScope - The scope of users that the impersonating user can impersonate. The impersonating user will only be allowed to impersonate other users within a specified scope. If no scope is specified, the user is granted the ApplicationImpersonation role over all users in an organization. You can create custom management scopes using the New-ManagementScope cmdlet.
To configure Exchange Impersonation for a shared mailbox (aliases)
1. Create a shared mailbox. If there is already a shared mailbox in your Exchange, skip this step
>>> Click to see a screenshot <<<
2. Open Exchange Management Shell
3. Run the New-ManagementScope cmdlet to create a scope for which the impersonation role should be assigned. If the scope was set earlier, you can skip this step. The following example shows how to create a management scope for a specific group; you can create ManagementScope only via PowerShell.
New-ManagementScope -Name:scopeName -RecipientRestrictionFilter:{Recipients Filter}
The RecipientRestrictionFilter parameter of the New-ManagementScope cmdlet defines the mailboxes in the scope. You can use properties of the Identity object to create the filter.
The following command is used to set a filter that defines the scope of mailbox aliases beginning with “sharedmail”:
New-ManagementScope -Name SharedScopeAlias -RecipientRestrictionFilter {email alias, e.g. 'sharedmail*'}
4. Run the New-ManagementRoleAssignment cmdlet to add the impersonating permissions for the mailboxes within the scope set at step ( 3 ). The following command is used to enable the service account to impersonate all users in this scope
New-ManagementRoleAssignment -Name:{Impersonation Assignment Name} -Role:ApplicationImpersonation -User:{Service Account} -CustomRecipientWriteScope:{Scope Name}
For example:
New-ManagementRoleAssignment –Name "impersonation" –Role:ApplicationImpersonation –User "ImpersonatedAcc" –CustomRecipientWriteScope "SharedScopeAlias"
Alternatively, if your RG Email Sidebar deployment scenario requires that, you can assign the Impersonation service account for all user accounts. To do that:
Run the New-ManagementRoleAssignment cmdlet to add impersonating permissions to the specified mail account. The following command is used to configure Exchange Impersonation enabling a service account to impersonate all users in an Org:
New-ManagementRoleAssignment -Name:{impersonationAssignmentName} -Role:ApplicationImpersonation -User:{ServiceAccount}
For example:
New-ManagementRoleAssignment -Name "impersonationrole" -Role:ApplicationImpersonation -User "ImpersonatingAcc"
To configure the management scope (via PowerShell):¶
Granting impersonation access to a limited set of Exchange users is more complex than granting access to all users in an Org. In Exchange this requires creation of a Management Scope which identifies the users that Impersonation will apply to. Management scopes bound to a group use the full distinguished name of the distribution group.
1.
$UserCredential = Get-Credential
2.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/PowerShell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
3.
Import-PSSession $Session
4. Read [this article]he current Management Scopes:
Get-ManagementScope | fl
5. Next, we need to get the distinguished name of the group we are going to use, for example (using an especially createds O365 accounts group):
$Group = Get-Group "ManagementScopeO365Group"
6. Now get the distinguished name of the group, as we will need it for the next command
$Group.DistinguishedName
You will see the folllowing PowerShell output:
CN=ManagementScopeO365Group_XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX,OU=YourServer.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR01A003,DC=prod,DC=outlook,DC=com
7. Create a New Management Scope:
New-ManagementScope –Name "OnePlaceMailServiceAccount" –RecipientRestrictionFilter {MemberofGroup -eq "your-distinguished-group-value-here"}
In a sample case:
New-ManagementScope –Name "YourServiceAccount" –RecipientRestrictionFilter {MemberofGroup -eq "CN=ManagementScopeO365Group_ XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX,OU=YourServer.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR01A003,DC=prod,DC=outlook,DC=com"}
8. Now that we have defined a new Management Scope, we like to use by running the following command which will list out all the users that are included in this Management Scope. This should be the users that you have added to the distribution group.
$myMS = (Get-ManagementScope | Where-Object Name -eq "YourServiceAccount")
9. Enter
Get-Recipient -RecipientPreviewFilter $myMS.RecipientFilter
Name RecipientType
admin UserMailbox
CSM_Test01 UserMailbox
CSM_Test02 UserMailbox
Setup Method #3 (alternative): via PowerShell¶
This guide is based on this Microsoft help article.
There are two ways to configure a MS Exchange Impersonated account:
I. Using PowerShell Exchange Management cmdlets:
• Works in Exchange 2016 - 2019 as well as Office 365
• Provides the maximum level of account control
or
II. Using Exchange Admin Center Web UI
• Works in Exchange 2016 - 2019 as well as in Office 365
• The easier way to go; however, allows configuring Impersonation only for all users in an Org
Set up Impersonation in Office 365 with Exchange Online using Exchange PowerShell¶
Prerequisites:
- Administrative credentials for the Exchange server
- Domain Administrator credentials, or other credentials with the permission to create and assign roles and scopes
- Exchange management tools installed on the computer from which you will run the commands
To configure impersonation for all Exchange users in an Org:
If you are familiar with the Windows PowerShell commands and you want to know how to grant application impersonation rights in Office 365 using PowerShell. below steps will show how you can easily give impersonation rights to all office 365 users of your organization with the following commands:
1. Open Exchange Management Shell and click All Programs from the Start menu > Microsoft Exchange Server
2. Run the New-ManagementRoleAssignment cmdlet to configure the impersonation permission to the required user. The following example will show you how to grant Application impersonation to enable a service account to impersonate all other users in an organization.
New-ManagementRoleAssignment -name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount
To assign the application impersonation role for the specific users or groups of users, you need to run the following commands.
1. Open the Exchange Management Shell > Choose All Programs from the Start menu > Microsoft Exchange Server.
2. Run the New-ManagementScope cmdlet to create a scope to which the impersonation role can be assigned. You can skip this step if an existing scope is available. The following example shows how to create a management scope for a specific group.
New-ManagementScope -Name:scopeName -RecipientRestrictionFilter:recipientFilter
3. Run the New-ManagementRoleAssignment cmdlet to configure the permission to impersonate the users of the specified scope.
New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount -CustomRecipientWriteScope:scopeName
>>> Click to see a screenshot <<<
Step II: Verify the Configuration¶
Next, you need to test the configured Impersonating account using Microsoft Remote Connectivity Analyzer online tools:
1. Open the link https://testconnectivity.microsoft.com
2. Select Service Account Access (Developers)
3. Fill in the details for connecting to the service account:
4. Target Mailbox address: enter the service account’s email address
5. Service Account user name: enter the account’s name using the {domain}\{user name} or {user}@{domain} format
6. Service Account password and Confirm password fields: enter the service account’s password two times
Note
Security of tested account’s credentials entered is guaranteed by Microsoft
7. If you are using an Exchange Web Services URL, click on “Specify Exchange Web Services URL” and enter the URL, otherwise MS Remote Connectivity Analyzer will try to discover your EWS URL automatically
8. In the Test predefined folder field, leave the default value (“Inbox”)
9. Select Use Exchange Impersonation and under Impersonated user enter the email address of any user from the impersonated emails list
10. If necessary in your configuration, select Ignore Trust for SSL
11. Read and confirm the “I understand …” section and enter the CAPTCHA to verify that you’re not a robot
>>> Click to see a screenshot <<<
12. Click Perform test and check the test results to see if the Impersonated account works
Step III: Configure Impersonation in RG Email Sidebar Admin panel¶
Next, proceed to the steps provided in this article to configure RGES Sync Engine to operate via the Impersonation account.